Privacy Policy

In case of conflict, the German version of this privacy policy prevails.

1. Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Simon Maximilian Heistermann
operating as Heistermann Solutions

Email: simon@heistermann-solutions.de

2. Data Protection Officer

We are not legally required to appoint a data protection officer. For data protection inquiries, please contact us at the address above.

3. Data Collection

3.1 Contact Form

When you use our contact form, we collect the following data:

  • Name
  • Email address
  • Company (optional)
  • Desired service
  • Message

3.2 Project Configurator

When you use our project configurator, we additionally collect information about project type, budget, timeline, and project description. This data is used exclusively for creating an individual proposal and is stored together with your contact details.

3.3 Call Booking (Cal.com)

For booking consultation calls, we embed the calendar service of Cal.com Inc. (251 Little Falls Drive, Wilmington, DE 19808, USA). The calendar embed is treated as external content and is only loaded after your explicit consent (two-click solution): on the contact page you first see a placeholder with a notice. Only when you actively click "Load Cal.com calendar" will a connection to Cal.com's servers be established. No data is transmitted to Cal.com until you grant this consent.

Once you have granted consent, your IP address, technical connection data (browser, device, operating system) and the booking data you enter (name, email address, preferred time, optional message) are transmitted to Cal.com when you use the calendar. Processing takes place on the basis of your consent pursuant to Art. 6(1)(a) GDPR and - once a consultation is actually booked - additionally on the basis of Art. 6(1)(b) GDPR (pre-contractual measures). You can withdraw your consent at any time by reloading the page or ending your browser session. For more information, see the Cal.com Privacy Policy at https://cal.com/privacy.

3.4 Technical Data (Server Logs)

When you visit our website, the following technical data is automatically collected:

  • IP address
  • Browser type and version
  • Operating system
  • Referrer URL
  • Timestamp of access

3.5 Email Contact

If you contact us by email, your email address, message content, and any attachments will be stored and processed for the purpose of handling your request. We will not share this data without your consent.

3.6 Web Analytics and Performance Measurement (Vercel)

This website uses Vercel Web Analytics and Vercel Speed Insights, two cookieless analytics and performance services from our hosting provider Vercel Inc. (440 N Barranca Avenue #4133, Covina, CA 91723, USA). Both services operate without cookies and without fingerprinting, collecting only aggregated and anonymized data.

To distinguish individual visits without identifying persons, Vercel generates a daily rotating hash from IP address and user agent. This hash is not stored, no profiles of individual visitors are built, and the data is not used for marketing purposes.

The following data is collected:

  • Anonymized, aggregated page views
  • Device and browser type (e.g. mobile/desktop, Chrome/Safari)
  • Referrer domain (which website you visited before ours)
  • Approximate country-level geographic region
  • Core Web Vitals measurements (load time, interactivity, layout stability)

The legal basis is our legitimate interest under Art. 6(1)(f) GDPR in needs-based design, optimization, and economic operation of our website. Because no cookies or comparable technologies are stored on or read from your device, no consent under § 25(1) TTDSG is required.

You can object to this processing at any time by contacting simon@heistermann-solutions.de. More information: https://vercel.com/legal/privacy-policy

3.7 Lead Magnet Signup (Double Opt-In)

On the free checklist page you can enter your email address to receive the material. Consent is obtained via double opt-in: after entering your email and accepting the privacy policy and terms, you receive a confirmation email with a link. Only after you click that link does your signup become active and the checklist become ready to download.

We collect and store the following: your email address, the selected language (de/en), a randomly generated confirmation token, your browser's user-agent (for bot protection), the versions of the privacy policy and terms you accepted, and the timestamps of signup and confirmation. No IP address is stored for this process.

The legal basis is your consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 7(2)(3) UWG. Consent covers the double-opt-in confirmation email, a single welcome email with the download link, and the checklist itself. No further newsletter or other promotional use takes place.

You can withdraw your consent at any time with effect for the future - either via the unsubscribe link in the confirmation email or by informal notice to simon@heistermann-solutions.de. After withdrawal, your email address is deleted or anonymized. Unconfirmed signups are automatically deleted after 30 days; confirmed signups are deleted no later than 12 months after signup.

The confirmation and delivery emails are sent via our processor Resend Inc. (see section 5). Your signup data is stored with our processor Supabase (see section 5).

4. Purposes and Legal Basis

We process your personal data for the following purposes and on the following legal bases:

Purpose | Legal Basis
Contact form / Project configurator | Art. 6(1)(b) GDPR (performance of pre-contractual measures)
Call booking via Cal.com | Art. 6(1)(b) GDPR (performance of pre-contractual measures)
Server logs (technical data) | Art. 6(1)(f) GDPR (legitimate interest in website security and stability)
Email communication | Art. 6(1)(b) GDPR (contract performance / pre-contractual measures)
Web analytics and performance measurement (Vercel Web Analytics, Vercel Speed Insights) | Art. 6(1)(f) GDPR (legitimate interest in needs-based design and optimization of the website)
Lead magnet signup (double opt-in, checklist delivery) | Art. 6(1)(a) GDPR (consent)

5. Processors and Third-Party Services

We use the following processors:

Vercel Inc.

USA (EU data processing, DPF certified)

Website hosting, cookieless web analytics (Vercel Web Analytics) and performance measurement (Vercel Speed Insights)

IP address (hashed, not stored), aggregated and anonymized page views, device/browser type, referrer domain, Core Web Vitals measurements

Supabase Inc.

USA (EU servers, SOC 2 Type II)

Database and backend for contact inquiries

Contact form data, project configurator data

Cal.com Inc.

USA (DPF certified)

Appointment booking system

Name, email address, appointment details

Resend Inc.

USA (DPF certified)

Email delivery (notifications for contact inquiries, double-opt-in and confirmation emails for lead magnets)

Email address, name, message content

6. International Transfers

Some of our processors are based in the United States (Vercel, Supabase, Cal.com, Resend, Google). Data transfers to the USA are carried out on the basis of the EU-U.S. Data Privacy Framework (DPF) pursuant to Art. 45 GDPR or on the basis of Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. Google LLC is certified under the EU-U.S. Data Privacy Framework. All providers maintain appropriate data protection safeguards.

7. Cookies and Storage Technologies

This website does not set tracking cookies and does not use cross-device fingerprinting technologies. Our web analytics (Vercel Web Analytics and Vercel Speed Insights) operate fully cookieless. No consent banner is shown because no storage or read operations under § 25(1) TTDSG take place.

Functional Session Storage (sessionStorage)

For individual features of the website we use your browser's session storage. These entries only exist until you close the browser tab, are not transmitted to our servers, and are strictly necessary under § 25(2)(2) TTDSG because you explicitly requested the respective service:

  • hs-cal-consent - Confirmation that you consented to loading the Cal.com calendar (per browser session)
  • hs-exit-shown - Flag that the exit-intent overlay was already shown in this session
  • hs-leadmagnet-submitted - Flag that you completed the lead-magnet signup in this session (prevents re-pitching via the exit-intent overlay)

You can delete sessionStorage entries at any time via your browser's developer tools or settings.

8. Retention Periods

We store personal data only as long as necessary for the respective purpose or as required by statutory retention obligations:

Data | Duration
Contact form data | 12 months after completion of the inquiry
Server logs | Approx. 30 days
Cal.com bookings | According to Cal.com's retention policies
Business correspondence | 6 years (§ 257 HGB)
Invoices and tax-relevant documents | 10 years (§ 147 AO)
Vercel Web Analytics data (aggregated, anonymous) | Maximum 12 months (Vercel default)
Vercel Speed Insights measurements | Maximum 12 months (Vercel default)
Lead magnet signups (unconfirmed) | 30 days from signup, then deleted automatically
Lead magnet signups (confirmed) | Until consent is withdrawn, but no longer than 12 months from signup (deleted automatically)

9. Your Rights

Under applicable data protection laws, you have the following rights:

  • Right of access to your stored personal data (Art. 15 GDPR)
  • Right to rectification of inaccurate or incomplete data (Art. 16 GDPR)
  • Right to erasure of your data (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing (Art. 21 GDPR)
  • Right to withdraw consent with effect for the future (Art. 7(3) GDPR)

To exercise your rights, please contact: simon@heistermann-solutions.de

10. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2-4, 40213 Düsseldorf
https://www.ldi.nrw.de

11. SSL/TLS Encryption

This website uses SSL/TLS encryption for security purposes and to protect the transmission of confidential content, such as inquiries you send to us. You can recognize an encrypted connection by the "https://" prefix in your browser's address bar and the lock icon.

12. Changes to This Policy

We reserve the right to update this privacy policy to reflect changes in our data processing practices or legal requirements. The current version is always available on this page.

13. Severability

Should any provision of this privacy policy be or become invalid, the validity of the remaining provisions shall not be affected.

Last updated: 23 April 2026