Privacy Notice

This privacy notice explains which personal data I process in connection with my website, public offers, and the signed-in areas of nuuminds. It intentionally focuses on processing activities that currently take place in practice.

1. Controller

The controller responsible for the data processing described in this privacy notice is:

Tobias Grawinkel (nuuminds)
Driesener Straße 8 B
D-10439 Berlin

This notice applies to my website, public smart audits, contact requests, and the signed-in areas of the nuuminds platform.

2. Legal Bases, Purposes, and Retention

I only process personal data where an appropriate legal basis exists. Depending on the activity, I rely in particular on:

  • Art. 6(1)(b) GDPR for contractual or pre-contractual matters, for example when you request a public offer, want to book an appointment, or use features in the signed-in area.
  • Art. 6(1)(a) GDPR for processing that requires your explicit consent, in particular Matomo analytics and optional marketing consent.
  • Art. 6(1)(f) GDPR for secure and stable operation, abuse prevention, support, documentation, and the establishment, exercise, or defense of legal claims.
  • Section 25 TDDDG for storing information on, or accessing information from, your device where this is relevant under German law.

Retention

Unless a more specific retention period is stated below, I only store personal data for as long as it is necessary for the respective purpose. After that, I delete it unless statutory retention duties or overriding legitimate interests require further storage.

Your Rights

Subject to the applicable legal requirements, you have in particular the following rights:

  • access to the personal data stored about you
  • rectification of inaccurate data or completion of incomplete data
  • erasure or restriction of processing where the legal requirements are met
  • data portability where processing is based on consent or contract and carried out by automated means
  • withdrawal of consent with effect for the future
  • objection to processing based on Art. 6(1)(f) GDPR
  • the right to lodge a complaint with a data protection supervisory authority

If you have any questions about your rights or about a specific processing activity, please contact me using the contact details above.

3. Website and Public Offers

Technical Provision of the Website

When you access the website, I process technically necessary connection and server data, in particular your IP address, date and time of access, requested URL, referrer, browser type, and operating system. This processing is necessary to deliver the website, ensure security, analyze errors, and defend against abuse.

I use Google Firebase for hosting and backend services. Cloud Functions in this project run in the europe-west3 region; however, according to Firebase's official documentation, service data may still be processed on global Google infrastructure.

More information: Firebase Privacy & Security.

Necessary Cookies and Browser Storage

I only use storage technologies that are actually needed for consent handling, display preferences, and certain UI features. In particular, this includes:

  • Consent storage: "cookieBannerDisplayed", "essentialCookiesAccepted", "analyticalCookiesAccepted", and "consentId" so that I can store and document your cookie choice.
  • Theme setting: the "theme" cookie and "localStorage.theme" so your display mode is preserved.
  • Session storage: "sessionStorage" for session-only UI helpers, for example during first sign-in or hash navigation.

When you make a choice in the cookie banner, I document it server-side with a consent ID, the selected categories, a timestamp, and the page on which the choice was made. Consent cookies are currently set for 60 days, the theme cookie for up to one year. localStorage remains until you change or delete the setting; sessionStorage ends with the browser session. Server-side consent logs are stored for up to 365 days.

The legal basis is Section 25(2) TDDDG for the necessary storage operations on your device and Art. 6(1)(f) GDPR for the server-side documentation of your choice.

Audience Measurement with Matomo

I only use Matomo for audience measurement if you explicitly consent to analytics in the cookie banner. The Matomo instance is self-hosted; I use ALL-INKL.COM for the infrastructure of that instance.

Matomo is configured not to set tracking cookies. Even so, this is not fully anonymous measurement, only a more data-minimizing form of analytics. The legal basis is therefore your consent under Art. 6(1)(a) GDPR and Section 25(1) TDDDG.

More information: BfDI Informationen zu Matomo and ALL-INKL.COM.

Contact and Communication

If you contact me via form, email, or telephone, I process the information you provide, in particular your name, company, email address, telephone number, subject, and message, in order to handle your request and, where necessary, follow up on it.

For messages sent through website functionality, I use Resend as the email delivery provider. The legal basis is Art. 6(1)(b) GDPR where your request relates to a service, offer, or contract, otherwise Art. 6(1)(f) GDPR.

I store communication data for as long as this is necessary to handle your request and for as long as statutory retention duties apply. More information: Resend Privacy Policy.

Free Smart Audits

For public smart audits such as the AI Readiness Check, I process the answers you provide as well as the information entered in the result form. This includes in particular:

  • your answers to the audit questions and the resulting scores and stages
  • name, company, and business email address
  • the status of your confirmation in the final step and any optional marketing consent
  • pseudonymized technical data for abuse prevention, in particular IP-based rate-limit information

After submission, you receive an individual result link by email. The link remains valid for 90 days. The underlying lead-magnet data is configured for automatic deletion after 365 days.

The legal basis is Art. 6(1)(b) GDPR where you use the audit as a service requested by you, and Art. 6(1)(f) GDPR for abuse prevention and technical quality assurance. Any optional marketing consent is based on Art. 6(1)(a) GDPR.

External Appointment Booking

If you click a booking link, you are redirected to an external Google Calendar booking page. No connection to Google Calendar is established before you click the link.

If you book from a smart-audit result page, I additionally pass the parameters `stage`, `score`, and a shortened result identifier (`auditId`) so I can prepare for the conversation. These values are not anonymous; they are only pseudonymized.

The legal basis is Art. 6(1)(b) GDPR and, where applicable, Art. 6(1)(f) GDPR. Any further processing on Google's page is governed by Google's privacy policy. Current booking link: https://calendar.app.google/FNGWARTDFE3pEovP9.

4. Platform and Customer Access

B2B Access and Account Data

The signed-in area is intended for users of customer companies. The master data required to create and manage an account is typically provided to me by your company or by an authorized contact person.

  • name, business email address, and company affiliation
  • role, access rights, and enabled modules
  • usage, learning, or participation information within booked services
  • optional profile data and uploaded media such as avatar or company logo

Depending on the contractual setup, this processing is based on Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR. If your access is provided through your company, your company may also provide additional privacy information for parts of the related processing.

I generally store account data for the duration of the access and the underlying business relationship; statutory retention duties remain unaffected.

Sign-in, Security, and Abuse Prevention

Sign-in works via a one-time code (OTP) sent to the business email address. For this I use Firebase Authentication and Resend.

To defend against abuse, I process pseudonymized IP-based rate-limit information, technically necessary request buckets, and security-relevant authentication logs. Short-term rate-limit data is generally deleted automatically within one hour. Security-relevant authentication audit logs are stored for up to 365 days.

According to Firebase's official documentation, Firebase Authentication is operated exclusively from US data centers. The legal basis is Art. 6(1)(b) GDPR for handling the sign-in itself and Art. 6(1)(f) GDPR for IT security and abuse prevention. More information: Firebase Privacy & Security and Resend Privacy Policy.

Support in the Signed-In Area

In the signed-in area, you can submit support requests. In that context, I process your account contact data, the chosen category, an optional area, your message, where applicable severity or importance, the current page, and a reduced device hint (browser / operating system) in order to answer your request and understand technical issues.

Support requests are delivered by email via Resend to my support inbox. The legal basis is Art. 6(1)(b) GDPR and, where applicable, Art. 6(1)(f) GDPR. I store support messages for as long as this is necessary for handling, documentation, or compliance with legal or contractual obligations.

Media, Files, and Video Playback

I use Bunny.net for files, images, and videos. When media is accessed, Bunny processes connection data in particular, such as IP address, time of access, and technical device or browser information; for uploads, the files you transmit are processed as well.

Bunny operates as a media and CDN provider with global infrastructure and subprocessors. For that reason, processing may also take place outside the EU/EEA. The legal basis is Art. 6(1)(b) GDPR and, where applicable, Art. 6(1)(f) GDPR. More information: Bunny.net Privacy Policy and Bunny.net Subprocessors.

5. Recipients and International Transfers

Depending on the activity, I use external service providers and platforms. Recipients may in particular include:

  • Google Firebase: for hosting, Firestore, Cloud Functions, and Authentication. According to Firebase's official documentation, service data may be processed on global Google infrastructure; Firebase Authentication is operated exclusively from US data centers. More information: Firebase Privacy & Security and Firebase Data Processing Terms.
  • Resend: for OTP codes, result emails, and contact or support messages. At minimum, email addresses, technical delivery metadata, and message contents are processed. More information: Resend Privacy Policy and Resend DPA.
  • Bunny.net: for media and video delivery. Depending on the delivery path, processing may involve global CDN structures and subprocessors. More information: Bunny.net Privacy Policy and Bunny.net Subprocessors.
  • ALL-INKL.COM: as the infrastructure provider for the self-hosted Matomo instance. More information: All-Inkl Privacy Information.
  • Google Calendar: only if you click an external booking link. Any further processing on Google's page is governed by Google's privacy policy: Google Privacy Policy.

I reduce transferred data to what is necessary for the respective purpose. Where providers rely on global infrastructure or third-country processing, I am guided by the contractual and organizational privacy safeguards made available by those providers.

6. Social Media and External Profiles

This website does not use embedded social plugins or like buttons. It only contains external links to my profiles or contact channels on LinkedIn, Instagram, X, and WhatsApp.

If you click such a link or visit one of my profiles directly, the respective provider processes your data under its own responsibility. I may only receive publicly visible interactions or aggregated statistics there.

The legal basis for my presence on these platforms is Art. 6(1)(f) GDPR. If you do not want WhatsApp to process data about you, please use email or telephone instead.

Last updated: 19.04.2026