Privacy Policy
Last updated: May 2026
1. Controller
The controller responsible for the processing of personal data on this website is:
QUANDEL STAUDT Design GmbH
Schleusenstraße 17
60327 Frankfurt am Main
Germany
Phone: +49 (0) 69 24 27 77-51
Email: info@quandelstaudt.com
Represented by the managing directors:
Marcel Staudt, Dipl. Designer
Matthias Neuer, Dipl. Designer
2. General information on data processing
We process personal data only to the extent necessary to operate our website, communicate with you, respond to enquiries, send our newsletter, present our content, and analyse or optimise our website.
Depending on the purpose, processing is based on Art. 6(1)(a) GDPR if you have given consent, Art. 6(1)(b) GDPR if processing is necessary for pre-contractual or contractual purposes, Art. 6(1)(c) GDPR if we are subject to a legal obligation, or Art. 6(1)(f) GDPR based on our legitimate interests.
3. Hosting, technical operation and server log files
Our website is hosted on servers operated by Hetzner in Germany or within the European Union. The website uses Payload CMS and a MongoDB database operated in Docker containers on our server.
When you access our website, technical access data may be processed. This may include your IP address, date and time of access, requested URL, referrer URL, browser and device information, HTTP status code and transferred data volume. This data is processed to provide the website, ensure stability and security, analyse errors and prevent misuse.
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure and reliable operation of the website.
Server, proxy and application logs are stored only as long as necessary for technical and security purposes. Logs are deleted or overwritten through automatic log rotation; where possible, log data is deleted no later than after 14 days.
4. Backups and system security
To ensure technical operation and restore systems in the event of errors, we create backups and snapshots. These backups may contain personal data if such data is stored in the backed-up systems. Backups are protected and used only for restoration, security and error analysis.
We use technical and organisational measures to protect personal data. These include HTTPS encryption, firewall rules, restricted database access within the Docker network, two-factor authentication for central services and regular updates.
The legal basis is Art. 6(1)(f) GDPR.
5. Cookies and consent management
Our website uses technically necessary cookies. These include, in particular, a cookie for storing the language preference, such as NEXT_LOCALE. Session cookies may also be used for the Payload CMS admin area.
In addition, we use analytics, marketing and external media services only where consent is required and you have given such consent via our consent banner. You can change or withdraw your consent at any time with effect for the future.
We use a consent management tool to manage and document consent. This may involve processing a consent ID, timestamp, selected categories and services, language, banner version and technical information. Processing is carried out to obtain and document consent.
The legal basis is Art. 6(1)(c) GDPR in conjunction with Art. 7(1) GDPR and, where required, Section 25 TDDDG.
6. Contact by form or email
If you contact us using the contact form, we process the data you provide:
- name
- email address
- message
The enquiry is stored in our CMS and also sent as a notification to info@quandelstaudt.com. We use Resend to send technical emails.
If you contact us by email, we process the data you provide in order to handle your enquiry.
The legal basis is Art. 6(1)(b) GDPR where your enquiry relates to pre-contractual or contractual communication, and otherwise Art. 6(1)(f) GDPR. Our legitimate interest lies in handling and responding to your enquiry.
We store enquiries only for as long as necessary to process the enquiry and any follow-up questions. If the enquiry results in a contractual relationship or business-relevant correspondence, we store the data in accordance with statutory retention obligations. Enquiries that are no longer required are deleted regularly.
7. Newsletter
You can subscribe to our newsletter on our website. For this purpose, we process in particular:
- email address
- language or website language version
- time of registration
- double opt-in status
- time of confirmation
- technical verification data such as IP address, user agent, token hash and status information, where required to document consent and prevent misuse
Newsletter registration uses a double opt-in process. After registration, you will receive an email asking you to confirm your subscription. This confirmation email is sent via Resend. The sender address may be newsletter@mail.quandelstaudt.com.
Marketing newsletters are sent via Mailchimp. Your newsletter data is transferred to and processed by Mailchimp. Mailchimp may also process data outside the European Union. We use Mailchimp on the basis of a data processing agreement and appropriate safeguards for international data transfers.
The legal basis for sending the newsletter is your consent pursuant to Art. 6(1)(a) GDPR. Documentation of the subscription is based on Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR. Our legitimate interest lies in proving that consent was properly obtained.
You can unsubscribe from the newsletter at any time using the unsubscribe link included in each newsletter. After unsubscribing, your email address will be removed from the active mailing list or added to a suppression list where necessary to prevent further mailings. Verification data may be stored for an appropriate period where required to document consent and defend against potential claims. Unconfirmed registrations are deleted after the confirmation link expires or after a short period.
Mailchimp may process statistical data in connection with newsletter delivery, such as delivery and open rates. We currently do not use click tracking. If we use click tracking in the future, we will update this notice accordingly.
8. Google Tag Manager, Google Analytics 4 and Google Ads
We use Google Tag Manager to technically manage analytics and marketing services. Google Analytics 4 and Google Ads Conversion Tracking may be integrated via Google Tag Manager.
We use Google Analytics 4 to analyse the use of our website. This may include information about page views, interactions, technical device and browser data, and approximate location information. Google Signals is currently not activated.
We use Google Ads Conversion Tracking to measure whether users perform certain actions after interacting with an ad, in particular submitting the contact form, clicking an email address or clicking a telephone number. We currently do not use remarketing or retargeting.
Google Analytics 4 and Google Ads are used only on the basis of your consent. The legal basis is Art. 6(1)(a) GDPR and, where required, Section 25 TDDDG. Integration is carried out via a consent management tool and Google Consent Mode v2.
Google may also process personal data in the United States. For international transfers, Google relies on appropriate safeguards under the GDPR.
9. Google Search Console
We use Google Search Console to monitor and optimise the technical visibility of our website in Google Search. This provides us with aggregated information about how our website appears and is found in Google Search.
Google Search Console is not used to identify individual visitors on our website. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the technical optimisation and visibility of our website.
10. Videos, maps and external media content
We embed videos, maps and external media content on our website. In this context, personal data such as IP address, device and browser information and usage data may be transmitted to external providers.
YouTube and Vimeo
We embed videos from YouTube and Vimeo. This content is loaded only after you have given consent or actively enabled the content. Only then is a connection to the servers of the respective provider established.
The legal basis is your consent pursuant to Art. 6(1)(a) GDPR and, where required, Section 25 TDDDG.
Mux Video
We use Mux Video to play our own video content. Mux is used for the technical provision and delivery of video streams. In this context, IP address, device and browser information, video usage data and technical log data may be processed.
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the stable, performant and user-friendly provision of video content. Where consent is required for specific functions, processing is based on Art. 6(1)(a) GDPR.
Where videos are delivered locally, no data is transmitted to Mux.
Mapbox
We use Mapbox to display interactive maps. Mapbox is loaded only after you have given consent or actively enabled the map. In this context, IP address, location or map usage data, and device and browser information may be processed.
The legal basis is your consent pursuant to Art. 6(1)(a) GDPR and, where required, Section 25 TDDDG.
11. Local fonts and local assets
Our fonts are provided locally. We do not load Google Fonts or other external font providers from third-party servers. Our own JavaScript, CSS, image and media files are generally delivered locally or via our own server infrastructure, unless external services are expressly mentioned in this Privacy Policy.
12. Social media links
Our website contains links to our profiles on external platforms, including LinkedIn, Instagram, Behance, Xing, Facebook and X. These are simple links. No data is transmitted to these platforms merely by visiting our website.
If you click such a link, you leave our website. The respective platform provider is responsible for any subsequent data processing.
13. Presentation of employees, clients and project partners
On our website, we present our team, projects and agency work. In this context, personal data of employees may be processed, in particular name, position, short bio, portrait, interview content and professional email address. Employees may also appear in photos or videos on the website.
This presentation is based on an appropriate legal basis, in particular consent or, where permissible, legitimate interests. Consent may be withdrawn at any time with effect for the future.
Where we display personal information relating to clients, project partners or testimonials on the website, this is also based on corresponding consent, approval or another suitable legal basis. Affected individuals may contact us at any time with questions regarding the display or removal of their information.
14. Development, deployment and technical service providers
For development, version control, deployment and technical operation, we use services including GitHub, GitHub Actions and Coolify. These services are used to manage and provide our website. Personal data of website users is generally not intentionally processed there. However, processing may occur in exceptional cases if personal data is included in technical logs, error messages, configuration data or backups.
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure and efficient operation of our website.
15. Recipients and international data transfers
In connection with the operation of our website, personal data may be transferred to technical service providers. These include hosting, email, newsletter, analytics, media, map, development and deployment service providers.
Where service providers process personal data on our behalf, we conclude data processing agreements pursuant to Art. 28 GDPR. Where data is processed outside the European Union or the European Economic Area, this is done only on the basis of an adequacy decision or appropriate safeguards, in particular EU Standard Contractual Clauses, where required.
16. Retention period
We store personal data only for as long as necessary for the respective purposes. Thereafter, the data is deleted unless statutory retention obligations, documentation obligations or legitimate interests require further storage.
17. Your rights
Subject to the GDPR, you have the right of access, rectification, erasure, restriction of processing, data portability and objection to certain processing activities. Where processing is based on your consent, you may withdraw that consent at any time with effect for the future.
To exercise your rights, you can contact us at any time:
info@quandelstaudt.com
You also have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is in particular:
The Hessian Commissioner for Data Protection and Freedom of Information
Wilhelmstraße 7
65185 Wiesbaden
Email: poststelle@datenschutz.hessen.de
18. No automated decision-making
We do not use automated decision-making, including profiling within the meaning of Art. 22 GDPR, that produces legal effects concerning you or similarly significantly affects you.
19. Updates to this Privacy Policy
We update this Privacy Policy if our website, the services we use or legal requirements change.