Privacy

Privacy Policy

Information about the processing of your personal data

Contents

    Last updated: 21 April 2026

    1. Controller

    The controller for data processing on this website is:

    Fluxward Consulting GbR
    represented by the partners David Rofall and Frederic Baltes
    In Gerichhausen 23 A
    41844 Wegberg
    Deutschland
    Phone: +49 151 2349 4304
    Email: hello@fluxward.com

    2. General information

    Legal bases

    Depending on the context, we process personal data based on Art. 6(1)(a) GDPR (consent), Art. 6(1)(b) GDPR (pre-contractual steps and contract performance), Art. 6(1)(c) GDPR (legal obligation), or Art. 6(1)(f) GDPR (legitimate interests).

    Processor arrangements

    Where external providers process personal data on our behalf, we rely on the required contractual safeguards, including data processing agreements, provider DPAs, or comparable contractual protections where applicable.

    Data protection officer

    No dedicated data protection officer is currently appointed. For privacy-related enquiries, contact us at hello@fluxward.com.

    Your rights

    Subject to the statutory requirements, you have the right of access, rectification, erasure, restriction of processing, data portability, objection to processing based on legitimate interests, and withdrawal of previously given consent with effect for the future.

    You also have the right to lodge a complaint with a supervisory authority. For us, this is in particular the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia, Kavalleriestr. 2-4, 40213 Düsseldorf, Germany, https://www.ldi.nrw.de.

    3. Hosting and technical delivery

    Vercel

    This website is delivered via Vercel. The hosting provider processes technically required connection data such as IP address, timestamps, device and browser information, and requested files in order to make the website available and keep the systems secure.

    Legal basis: Art. 6(1)(f) GDPR.
    More information: https://vercel.com/legal/privacy-policy

    4. Cookies, local storage, and third-party content

    No Fluxward-managed tracking cookies

    We do not currently use our own tracking or marketing cookies. More detail about local storage and consent logic is available on our Cookie and Consent Notice page.

    Local browser storage

    We store two technical preferences locally in your browser:

    • the selected light or dark display mode
    • whether you already dismissed the privacy notice

    These values stay in the browser and are not used as first-party tracking data on our servers.

    Legal basis: § 25(2) TDDDG and Art. 6(1)(f) GDPR.

    Microsoft Outlook Bookings

    The Microsoft Bookings calendar on the contact page is only loaded after an active user click on "Load calendar". We do not auto-load the external calendar beforehand.

    After activation, Microsoft may set its own cookies or similar technologies and process technical data. If you then book a slot, Microsoft processes the booking details as part of the scheduling flow.

    Legal basis for loading the embedded calendar: Art. 6(1)(a) GDPR together with § 25(1) TDDDG.
    Legal basis for scheduling: Art. 6(1)(b) GDPR.
    More information: https://www.microsoft.com/en-us/privacy/privacystatement

    5. Communication and lead flows

    Contact form

    If you contact us through the contact form, we process in particular your name, email address, optional company, message, selected quick action, and technical metadata such as IP address, user agent, and timestamps.

    The submission is stored in Supabase. To prevent abuse, we also use a honeypot field and server-side rate limiting via Upstash Redis. The rate limit logic derives a hashed fingerprint from the client IP.

    Confirmation emails and internal notifications are currently sent via Resend. AI-based pre-processing is not currently active in the public contact flow.

    Legal basis: Art. 6(1)(a) GDPR for the submitted request, Art. 6(1)(b) GDPR for pre-contractual communication, and Art. 6(1)(f) GDPR for abuse prevention and efficient handling.
    Recipients: Supabase, Upstash, Resend.

    AI Readiness Check

    When you complete the AI Readiness Check, we process your questionnaire answers, contact data, and technical metadata. The input is stored in Supabase and evaluated via the Anthropic API to generate a personalised assessment.

    Delivery of the assessment and internal notifications currently runs via Resend. Operational follow-up drafts may additionally use Microsoft 365 or Microsoft Graph if that workflow is enabled in our environment.

    Legal basis: Art. 6(1)(a) GDPR and Art. 6(1)(b) GDPR.
    Recipients: Supabase, Anthropic, Resend, and depending on configuration, Microsoft 365 / Microsoft Graph.

    Webinar registrations and replay access

    If you register for a webinar or replay access, we process your name, email address, optional company, selected format, session context, registration timestamp, and the generated access link.

    Registration data is stored in Supabase. Access and organisational emails may be sent through Microsoft Graph and Microsoft 365.

    Legal basis: Art. 6(1)(a) GDPR and Art. 6(1)(b) GDPR.

    Workshops

    The current public default path for workshops is contact-first and based on individual coordination. If you contact us about a workshop, the contact form section above applies.

    If Fluxward explicitly enables online reservation for selected workshop dates, we additionally process company name, contact person, email address, optional phone number, attendee details, selected slot, and technical payment or status data. Payment data itself is processed on Stripe-hosted pages; we mainly receive transaction and reference data.

    Legal basis: Art. 6(1)(b) GDPR.
    Recipients when online reservation is enabled: Supabase, Stripe, and potentially Microsoft Graph for confirmations.

    6. Services used on the site

    Supabase

    We use Supabase as a database and backend platform for contact submissions, AI check data, webinar registrations, internal offer and session management, and, where enabled, workshop reservations.

    More information: https://supabase.com/privacy

    Upstash Redis

    We use Upstash for server-side rate limiting and abuse prevention on form routes.

    Resend

    We currently use Resend for confirmation and notification emails in the contact and AI check flows.

    More information: https://resend.com/legal/privacy-policy

    Anthropic

    We use Anthropic to generate the AI-assisted assessment for the AI Readiness Check.

    Microsoft 365 and Microsoft Graph

    We use Microsoft for appointment scheduling through Bookings, business email communication, and selected automated communication flows such as webinar or workshop notifications and operational follow-up drafts.

    Stripe

    Stripe is only relevant if we explicitly enable online reservation with a deposit for selected workshop slots.

    More information: https://stripe.com/privacy

    7. Internal admin area

    The website also contains protected internal admin routes for authorised users. In that context, we process email addresses, authentication data, session information, and technical metadata in order to secure access to internal offer, session, and registration data.

    Legal basis: Art. 6(1)(f) GDPR and Art. 32 GDPR.

    8. Third-country transfers

    Some of the providers we use may process personal data outside the EU or EEA, or such processing cannot be fully excluded. Where that is the case, we look to the provider's contractual and organisational safeguards, such as SCCs, DPAs, or recognised certification mechanisms.

    This can affect in particular Vercel, Microsoft, Supabase, Upstash, Resend, Anthropic, and, where enabled, Stripe.

    9. Storage periods

    We generally store personal data only for as long as necessary for the relevant purpose or as required by law.

    • Contact submissions, webinar registrations, and similar communication data are stored for as long as handling, follow-up communication, or business documentation requires.
    • AI check data is stored for as long as the assessment and any related follow-up requires.
    • Offer, contract, invoice, and payment data may be subject to longer statutory retention duties.

    We do not currently rely on one central hard-coded deletion job for every website flow. Instead, we review stored data operationally and delete it when the purpose ends and no statutory retention duty blocks deletion.

    10. Automated decisions

    We do not make solely automated decisions with legal or similarly significant effects within the meaning of Art. 22 GDPR. AI-assisted assessments, especially in the AI Readiness Check, are used as guidance and decision support only.

    11. Changes to this Privacy Policy

    We update this Privacy Policy when website functions, providers, or legal requirements change in a material way. The version published on this page is the current version.