Privacy Policy
Last updated: May 2026
1. Controller
The controller responsible for the processing of personal data on this website is:
QUANDEL STAUDT Design GmbH
Schleusenstraße 17
60327 Frankfurt am Main
Germany
Phone: +49 (0) 69 24 27 77-51
Email: info@quandelstaudt.com
Represented by the managing directors:
Marcel Staudt, Dipl. Designer
Matthias Neuer, Dipl. Designer
2. General information on data processing
We process personal data only to the extent necessary to operate our website, communicate with you, respond to enquiries, send our newsletter, present our content, and analyse or optimise our website.
Depending on the purpose, processing is based on Art. 6(1)(a) GDPR if you have given consent, Art. 6(1)(b) GDPR if processing is necessary for pre-contractual or contractual purposes, Art. 6(1)(c) GDPR if we are subject to a legal obligation, or Art. 6(1)(f) GDPR based on our legitimate interests.
3. Hosting, technical operation and server log files
Our website is hosted on servers operated by Hetzner in Germany or within the European Union. The website uses Payload CMS and a MongoDB database operated in Docker containers on our server.
When you access our website, technical access data may be processed. This may include your IP address, date and time of access, requested URL, referrer URL, browser and device information, HTTP status code and transferred data volume. This data is processed to provide the website, ensure stability and security, analyse errors and prevent misuse.
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure and reliable operation of the website. Logs are stored only as long as necessary for technical and security purposes and, where possible, deleted no later than after 14 days.
4. Backups and system security
To ensure technical operation and restore systems in the event of errors, we create backups and snapshots. These backups may contain personal data if such data is stored in the backed-up systems. Backups are protected and used only for restoration, security and error analysis. The legal basis is Art. 6(1)(f) GDPR.
5. Cookies and consent management
Our website uses technically necessary cookies. These may include session cookies for the Payload CMS admin area. On the public website, the language version is currently stored in the URL and not in a separate language cookie.
In addition, we use analytics, marketing and external media services only where consent is required and you have given such consent via our consent banner. You can change or withdraw your consent at any time with effect for the future. The legal basis is Art. 6(1)(c) GDPR in conjunction with Art. 7(1) GDPR and, where required, Section 25 TDDDG.
6. Contact by form or email
If you contact us using the contact form or by email, we process the data you provide, in particular your name, email address and message. The enquiry is stored in our CMS and may be sent as a notification to info@quandelstaudt.com. We use Resend to send technical emails.
The legal basis is Art. 6(1)(b) GDPR where your enquiry relates to pre-contractual or contractual communication, and otherwise Art. 6(1)(f) GDPR. We store enquiries only for as long as necessary to process the enquiry and any follow-up questions, unless statutory retention obligations apply.
7. Newsletter
You can subscribe to our newsletter on our website. For this purpose, we process your email address, language or website language version, registration and confirmation times, double opt-in status and technical verification data such as IP address, user agent, token hash and status information where required to document consent and prevent misuse.
Newsletter registration uses a double opt-in process. Confirmation emails are sent via Resend. Marketing newsletters are sent via Mailchimp, which may process data outside the European Union on the basis of appropriate safeguards. The legal basis for sending the newsletter is your consent pursuant to Art. 6(1)(a) GDPR. Documentation of the subscription is based on Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR.
You can unsubscribe from the newsletter at any time using the unsubscribe link included in each newsletter. After unsubscribing, your email address will be removed from the active mailing list or added to a suppression list where necessary to prevent further mailings.
8. Google Tag Manager, Google Analytics 4 and Google Ads
We use Google Tag Manager to technically manage analytics and marketing services. Google Analytics 4 and Google Ads Conversion Tracking may be integrated via Google Tag Manager. These services are used only on the basis of your consent. The legal basis is Art. 6(1)(a) GDPR and, where required, Section 25 TDDDG. Integration is carried out via a consent management tool and Google Consent Mode v2.
9. Google Search Console
We use Google Search Console to monitor and optimise the technical visibility of our website in Google Search. Google Search Console is not used to identify individual visitors on our website. The legal basis is Art. 6(1)(f) GDPR.
10. Videos, maps and external media content
We embed videos, maps and external media content on our website. In this context, personal data such as IP address, device and browser information and usage data may be transmitted to external providers. YouTube, Vimeo and Mapbox content is loaded only after consent or active enabling of the content. We use Mux Video to play our own video content where required for technical delivery.
11. Local fonts and local assets
Our fonts are provided locally. We do not load Google Fonts or other external font providers from third-party servers. Our own JavaScript, CSS, image and media files are generally delivered locally or via our own server infrastructure, unless external services are expressly mentioned in this Privacy Policy.
12. Social media links
Our website contains links to our profiles on external platforms, including LinkedIn, Instagram, Behance, Xing, Facebook and X. These are simple links. No data is transmitted to these platforms merely by visiting our website. If you click such a link, the respective platform provider is responsible for any subsequent data processing.
13. Presentation of employees, clients and project partners
On our website, we present our team, projects and agency work. In this context, personal data of employees, clients, project partners or testimonials may be processed, in particular names, roles, portraits, interview content and professional contact data. This presentation is based on consent, approval or another suitable legal basis.
14. Development, deployment and technical service providers
For development, version control, deployment and technical operation, we use services including GitHub, GitHub Actions and Coolify. Personal data of website users is generally not intentionally processed there, but processing may occur in exceptional cases if personal data is included in technical logs, error messages, configuration data or backups. The legal basis is Art. 6(1)(f) GDPR.
15. Recipients and international data transfers
In connection with the operation of our website, personal data may be transferred to technical service providers. Where service providers process personal data on our behalf, we conclude data processing agreements pursuant to Art. 28 GDPR. Where data is processed outside the European Union or the European Economic Area, this is done only on the basis of an adequacy decision or appropriate safeguards, in particular EU Standard Contractual Clauses, where required.
16. Retention period
We store personal data only for as long as necessary for the respective purposes. Thereafter, the data is deleted unless statutory retention obligations, documentation obligations or legitimate interests require further storage.
17. Your rights
Subject to the GDPR, you have the right of access, rectification, erasure, restriction of processing, data portability and objection to certain processing activities. Where processing is based on your consent, you may withdraw that consent at any time with effect for the future. To exercise your rights, you can contact us at info@quandelstaudt.com.
You also have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is in particular: The Hessian Commissioner for Data Protection and Freedom of Information, Wilhelmstraße 7, 65185 Wiesbaden, email: poststelle@datenschutz.hessen.de.
18. No automated decision-making
We do not use automated decision-making, including profiling within the meaning of Art. 22 GDPR, that produces legal effects concerning you or similarly significantly affects you.
19. Updates to this Privacy Policy
We update this Privacy Policy if our website, the services we use or legal requirements change.