Privacy Policy

Introduction

IdEinstein is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, process, and protect your information in compliance with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable international privacy laws.

Effective Date: December 28, 2024
Last Updated: October 18, 2025
Review Schedule: Updated quarterly and when privacy practices change

1. Data Controller &

As a solo practice based in Germany, IdEinstein is fully compliant with German and EU data protection laws, including GDPR.

2. Personal Data We Collect

2.1 Information You Provide Directly

• Contact Information: Name, email address, phone number, company name, job title
• Project Information: Technical requirements, specifications, project descriptions, engineering challenges
• Communication Records: Messages, consultation requests, support inquiries, meeting notes
• Account Information: User credentials, preferences, dashboard settings (if applicable)
• Payment Information: Billing address, payment method details (processed securely by third parties)

2.2 Information Collected Automatically

• Technical Data: IP address (pseudonymized), browser type, operating system, device information
• Security Data: Basic access logs for security purposes (30-day retention)
• Performance Data: Page load times, error logs, system performance metrics
• Essential Cookies: Session cookies, security cookies, preference cookies ✅ Currently Active
• Analytics Data: Website usage patterns, page views, user behavior (collected with Google Analytics 4 when consent is provided)
• Marketing Tracking: Campaign effectiveness and user engagement metrics (only with explicit consent)

2.3 Special Categories of Data

We do not intentionally collect special categories of personal data (sensitive data) such as health information, political opinions, or biometric data. If such data is inadvertently provided, we will delete it immediately upon discovery.

3. Legal Basis for Processing (GDPR Art. 6)

We process your personal data based on the following legal grounds:

• Contract Performance (Art. 6(1)(b)): To provide engineering services, process consultations, and fulfill project requirements
• Legitimate Interests (Art. 6(1)(f)): To improve our services, conduct business analytics, and ensure website security
• Consent (Art. 6(1)(a)): For marketing communications, non-essential cookies, and optional data processing
• Legal Obligations (Art. 6(1)(c)): To comply with tax, accounting, and other legal requirements
• Vital Interests (Art. 6(1)(d)): In rare cases where processing is necessary to protect someone's life

4. How We Use Your Personal Data

4.1 Service Delivery

• Provide engineering and design services
• Process consultation requests and quotations
• Manage project communications and deliverables
• Provide customer support and technical assistance
• Process payments and manage billing

4.2 Business Operations

• Improve our services and website functionality
• Conduct market research and analytics
• Ensure website security and prevent fraud
• Comply with legal and regulatory requirements
• Maintain business records and documentation

4.3 Marketing Communications (With Consent)

• Send newsletters and service announcements
• Provide information about new services and capabilities
• Share relevant industry insights and technical content
• Invite to webinars, events, or educational content

5. Data Sharing and Third-Party Services

5.1 Zoho Corporation (India) - GDPR Compliant

We use Zoho services for business operations:

• Zoho CRM: Contact and lead management
• Zoho Projects: Project tracking and collaboration
• Zoho WorkDrive: Secure document and file management
• Zoho Books: Billing and invoicing

More Information:Zoho Privacy Policy |EU-India Adequacy Decision

5.2 Other Service Providers

• Website Hosting: Vercel (GDPR compliant hosting)
• Analytics: Privacy-focused analytics tools
• Email Services: Secure email providers for communications
• Payment Processing: Secure payment processors (data not stored by us)

5.3 Legal Disclosures

We may disclose your data when required by law, court order, or to protect our legal rights, prevent fraud, or ensure public safety.

6. International Data Transfers

Primary Data Location: European Union (Germany)
Backup Storage: EU-based cloud infrastructure with data residency guarantees

When data is transferred outside the EU, we ensure adequate protection through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions for transfers to approved countries
• Additional safeguards and encryption for enhanced protection
• Regular compliance assessments of third-party providers

7. Your Privacy Rights

7.1 GDPR Rights (EU Residents)

• Right of Access (Art. 15): Request copies of your personal data
• Right to Rectification (Art. 16): Correct inaccurate or incomplete data
• Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
• Right to Restrict Processing (Art. 18): Limit how we process your data
• Right to Data Portability (Art. 20): Receive your data in a structured format
• Right to Object (Art. 21): Object to processing for marketing or legitimate interests
• Right to Withdraw Consent (Art. 7): Withdraw consent at any time
• Right to Lodge a Complaint: File complaints with supervisory authorities

7.2 CCPA Rights (California Residents)

• Right to Know: What personal information we collect and how it's used
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt-out of the sale of personal information (we do not sell data)
• Right to Non-Discrimination: Equal service regardless of privacy choices

7.3 How to Exercise Your Rights

8. Data Security Measures

We implement comprehensive technical and organizational measures to protect your data:

8.1 Technical Safeguards

• Encryption: All data transmission uses SSL/TLS encryption (minimum TLS 1.2)
• Data Encryption: Personal data encrypted at rest using AES-256
• Access Controls: Role-based access with multi-factor authentication
• Network Security: Firewalls, intrusion detection, and monitoring
• Regular Updates: Security patches and system updates

8.2 Organizational Measures

• Privacy by Design: Data protection built into all processes
• Staff Training: Regular privacy and security training
• Data Minimization: Collect only necessary data
• Regular Audits: Security assessments and vulnerability testing
• Incident Response: Procedures for data breach notification

8.3 Data Breach Notification

In case of a data breach, we will notify relevant supervisory authorities within 72 hours (GDPR requirement) and affected individuals without undue delay if there is a high risk to their rights and freedoms.

9. Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy:

• Active Projects: Duration of project plus 7 years (German commercial law requirement)
• Marketing Data: Until consent is withdrawn or 3 years of inactivity
• Website Analytics: 26 months maximum (Google Analytics standard)
• Communication Records: 3 years after last contact
• Legal Requirements: As required by applicable laws (tax records: 10 years)
• Inactive Accounts: Automatically deleted after 3 years of inactivity

After retention periods expire, data is securely deleted or anonymized beyond recovery.

10. Cookies and Tracking Technologies

10.1 Types of Cookies We Use

• Essential Cookies: Required for website functionality, security, and basic operations (no consent needed)
• Analytics Cookies (Google Analytics 4): Help us understand website usage patterns and improve user experience (consent required)
• Preference Cookies: Remember your settings, language preferences, and customization choices
• Marketing Cookies: Used for personalized content and relevant advertising (consent required)

10.2 Cookie Management Options

You can control cookies through multiple methods:

• Cookie Consent Banner: Granular control over different cookie categories
• Preference Center: Manage your cookie settings at any time
• Browser Settings: Block or delete cookies directly in your browser
• Third-party Opt-out: Google Analytics opt-out tools
• Do Not Track: We will respect DNT browser signals

10.3 Cookie Consent Technology

11. Children's Privacy

Our services are not intended for children under 16 years of age (GDPR) or 13 years of age (COPPA). We do not knowingly collect personal information from children. If we become aware of such collection, we will delete the information immediately and notify parents/guardians if required by law.

12. Updates to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, services, or legal requirements. We will:

• Post the updated policy on our website with a new "Last Updated" date
• Notify you of material changes via email (if we have your email address)
• Provide 30 days notice for significant changes affecting your rights
• Maintain previous versions for reference and transparency

13. Supervisory Authority

If you have concerns about our data practices that we cannot resolve, you have the right to lodge a complaint with the relevant supervisory authority:

14.