1. General Information
The protection of your personal data is of great importance to SCHUHEN Consulting GmbH. We want you to know what data we collect, when we collect it, and how we use it. Your data is protected in accordance with applicable law.
2. Controller / Data Protection Contact
The controller responsible for data processing on this website is:
SCHUHEN Consulting GmbH
Christian Schuhen
Herrnangerweg 6B
85778 Haimhausen (Germany)
Phone: 08133 / 439 8858
E-Mail: datenschutz@schuhen-consulting.de
3. Your Rights as a Data Subject
You have the following rights with regard to your personal data:
– Right to information
– Right of access
– Right to rectification or erasure
– Right to restriction of processing
– Right to object to processing
– Right to data portability
4. Data Processing in Detail
4.1 Hosting and Server Provision
This website is hosted in Germany by ALL-INKL.COM – Neue Medien Münnich, René Münnich, Hauptstraße 68, 02742 Friedersdorf. We have a data processing agreement (DPA) with the host pursuant to Art. 28 GDPR. No data is transferred to third countries. When the website is accessed, the host's web server temporarily stores technical access data in log files (timestamp, requested resource, HTTP status code, IP address, user agent). This data serves operational security, error analysis and protection against attacks. The provider deletes it after 90 days. We do not transfer these log files to our own server for analysis or archival purposes. The data is not combined with other data sources. Legal basis is Art. 6(1)(f) GDPR (legitimate interest in a stable, secure web service).
4.2 Contact Form
If you send us a message via the contact form, the data you provide (name, email, optionally telephone and organisation, message) is used solely to process your enquiry and forwarded to our internal email address via an encrypted SMTP connection (TLS). We do not share this data with third parties.
No conversion tracking takes place on this website; neither a Google Tag, a conversion script nor Ads cookies are embedded. No form data is transmitted to Google or any other provider.
Legal basis is Art. 6(1)(b) GDPR (performance of pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in processing your enquiry). The data is deleted once the enquiry has been processed, unless statutory retention obligations apply.
4.3 Newsletter (Double Opt-In and Record-Keeping)
We offer a newsletter service on our website. If you wish to subscribe, we use a double opt-in procedure: after entering your email address you receive a confirmation email. Your subscription is activated only after you confirm the link contained in that email.
The following data is stored: email address, language preference (DE/EN), subscription timestamp, confirmation timestamp and a technical confirmation token. This information also serves as proof of consent. No further personal data is collected.
Legal basis is your consent pursuant to Art. 6(1)(a) GDPR. You can withdraw your consent at any time — either via the unsubscribe link in any newsletter email or by emailing info@schuhen-consulting.de. After withdrawal, the data required for newsletter delivery is deleted immediately; consent records may be retained longer for evidentiary purposes where this is necessary to defend against legal claims (Art. 6(1)(f) GDPR). No tracking of open or click rates takes place.
4.4 Cookie-Free Visitor Statistics, Abuse Detection and Technical Logs
We operate our website without cookies, without external tracking pixels, without Google Tag Manager and without Google Analytics. For reach measurement and technical quality assurance we exclusively use self-hosted procedures on our server in Germany.
For the statistical recording of page views we generate a short-lived pseudonymous visitor fingerprint. It is computed using SHA-256 from the IP address, the user agent, a 12-hour time window and a secret salt, and is truncated to 16 characters. The IP address and user agent are not stored in the statistics in plain text. We store page views with the pseudonymous fingerprint, the requested page, the language setting (DE/EN) and a timestamp. The fingerprint table used for deduplication is deleted after 13 hours. We retain individual page-view records for a maximum of 13 months; thereafter they are deleted or aggregated into non-personal statistics (daily aggregates without fingerprint). Aggregated statistics may be retained indefinitely.
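The fingerprint scheme described above can be sketched as follows. This is an added example, not the website operator's code. The field order, the NUL separator, hex output, epoch-aligned 12-hour windows and the salt value are assumptions; the IP addresses and timestamps are constructed sample data.

```python
import hashlib
from datetime import datetime, timezone

WINDOW_SECONDS = 12 * 60 * 60   # 12-hour time window named in the policy
FINGERPRINT_LENGTH = 16         # truncation length named in the policy


def window_index(ts: datetime) -> int:
    """Number of the 12-hour window containing ts (assumed aligned to the Unix epoch)."""
    return int(ts.timestamp()) // WINDOW_SECONDS


def visitor_fingerprint(ip: str, user_agent: str, ts: datetime, salt: bytes) -> str:
    """SHA-256 over salt, IP, user agent and window index, truncated to 16 hex characters.

    The NUL separator (an assumption) keeps adjacent fields from running together,
    so two different (ip, user_agent) pairs never produce the same input bytes.
    """
    fields = [salt, ip.encode(), user_agent.encode(), str(window_index(ts)).encode()]
    return hashlib.sha256(b"\x00".join(fields)).hexdigest()[:FINGERPRINT_LENGTH]


def record_page_views(page_views, salt: bytes):
    """Return (unique visitor count, stored rows); rows carry no IP or user agent."""
    seen, stored = set(), []
    for ip, user_agent, ts, page in page_views:
        fp = visitor_fingerprint(ip, user_agent, ts, salt)
        seen.add(fp)
        stored.append({"fingerprint": fp, "page": page, "timestamp": ts.isoformat()})
    return len(seen), stored


# Constructed sample input: documentation-range IPs, placeholder salt.
SALT = b"constructed-example-salt"
UA = "Mozilla/5.0 (constructed example)"
SAMPLE_VIEWS = [
    ("192.0.2.10", UA, datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc), "/"),
    ("192.0.2.10", UA, datetime(2024, 1, 1, 11, 0, tzinfo=timezone.utc), "/blog"),
    ("192.0.2.10", UA, datetime(2024, 1, 1, 13, 0, tzinfo=timezone.utc), "/"),
    ("198.51.100.7", UA, datetime(2024, 1, 1, 8, 30, tzinfo=timezone.utc), "/"),
]

if __name__ == "__main__":
    unique, rows = record_page_views(SAMPLE_VIEWS, SALT)
    print(unique, rows)
```

Because the window index is part of the hash input, the same visitor receives an unrelated fingerprint once the 12-hour window changes, so page views cannot be linked across windows through the fingerprint alone.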
If a blog article is sent to a third party via our website, we technically process the recipient email address you enter to deliver the article; it is briefly processed in plain text during delivery. Subsequently, for abuse detection, we do not store the recipient address in plain text but rather a salted SHA-256 hash of the recipient email address (truncated to 16 characters) and a SHA-256 hash of the IP address of the sender. These log entries serve solely to detect and prevent misuse of the send function, in particular spam dispatch. They are automatically deleted after 30 days.
We also maintain technical error and security logs, e.g. for PHP errors, JavaScript errors, slow requests and 404 errors. IP addresses and email addresses are removed or overwritten before persistent storage. These logs are deleted after 30 days, unless longer storage is required in an individual case to investigate a security incident.
To detect automated access we classify requests based on the user agent, e.g. as search-engine bot, AI bot or SEO tool. We store the bot name, category, requested page and timestamp, but no IP address. This data is deleted after 30 days.
The legal basis for these processing activities is Art. 6(1)(f) GDPR. Our legitimate interest lies in the statistical evaluation of the use of our website, ensuring technical stability, preventing misuse and IT security. The hash procedures described are pseudonymous, not anonymous; they significantly reduce the risk of re-identification but do not exclude it entirely.
4.5 JavaScript Verification and Form Protection
To improve the data quality of our visitor statistics and to protect against automated or abusive access we use a JavaScript-based verification. When the page is loaded, the browser sends a technical ping to our server after a short delay, provided JavaScript is executed. We use the pseudonymous fingerprint already generated for the visitor statistics for this purpose. The ping merely sets a flag in the existing page-view record indicating that the page view was most likely performed by a real browser. No additional personal data is collected, no cookies are set, no data is transmitted to third parties, and no additional browser characteristics (e.g. canvas, fonts, screen resolution, time zone, local storage) are read.
To protect forms we additionally use technical safeguards such as CSRF tokens, HMAC-signed JavaScript tokens, honeypot fields, time gates and rate limits. For rate limits a salted hash of the IP address may be processed briefly. The data stored for these purposes is deleted after 1 to 2 hours, depending on the mechanism.
Notice under Section 25 TDDDG: Insofar as information is stored on or read from your device — for example via strictly necessary session cookies or JavaScript tokens — this is done solely to the extent absolutely necessary to provide the service you have explicitly requested (e.g. submitting a form). Consent is not required for this under Section 25(2)(2) TDDDG.
Legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in IT security, protection against spam and abuse, and ensuring reliable technical statistics.
5. Data Security
Communication between your browser and this server is encrypted end-to-end (HTTPS / TLS). Access to internal systems is limited on a role-based basis and protected by a two-stage login-protection architecture. Operating systems and applications are updated regularly, and backups are in place. Access to the administration panel is restricted to a single administrator; all administrative actions are logged.
6. Storage Period
Unless otherwise specified in the detailed descriptions under Section 4, we process and store your personal data for as long as is necessary to fulfil our contractual and statutory obligations. Specific retention periods for the individual processing activities can be found in Section 4. Individual page-view records of our cookie-free visitor statistics are deleted after a maximum of 13 months or transferred to non-personal daily aggregates. Your personal data is deleted or blocked when it is no longer required to fulfil contractual or statutory obligations, you have exercised your right to deletion, all mutual claims have been settled and no other statutory retention obligations or legal grounds for storage exist.
7. Currency and Changes to This Privacy Policy
We reserve the right to amend this privacy policy from time to time to reflect changes in legal or technical conditions. The current version is always available on this page.