Privacy Policy

Hidden Design Champion – Nils Enders-Brenner

Last updated: April 2026


1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws and regulations is:

Nils Enders-Brenner
Hidden Design Champion
Luswiese 6
82327 Tutzing
Germany
Email: business@designernils.com
Website: www.hiddendesignchampion.com


2. Overview of Data Processing

This Privacy Policy informs you about the nature, scope, and purpose of the processing of personal data on this website and in connection with the services offered by Hidden Design Champion.

Personal data means any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR), such as name, email address, IP address, or usage behavior on this website.

The following overview summarizes the categories of data processed:

  • Master data: Last name, first name, company name, address
  • Contact data: Email address
  • Content data: Text inputs, messages, project descriptions
  • Usage data: Pages visited, access times, browser type, operating system
  • Meta / communication data: IP addresses, device identifiers, connection data
  • Contract data: Subject matter of contract, duration, customer category

3. Legal Bases for Data Processing

Personal data is always processed on the basis of a legal ground pursuant to Art. 6 GDPR. The following legal bases apply in connection with this website and the services offered:

  • Art. 6(1)(a) GDPR – Consent of the data subject (e.g., for Google Analytics, newsletter)
  • Art. 6(1)(b) GDPR – Performance of a contract or pre-contractual measures (e.g., responding to contact inquiries, project execution)
  • Art. 6(1)(c) GDPR – Compliance with a legal obligation (e.g., statutory retention requirements under tax law)
  • Art. 6(1)(f) GDPR – Legitimate interests of the controller or a third party (e.g., website security, server log files)

4. Hosting and Technical Operation of the Website

4.1 Hosting Provider

This website is hosted by the following provider:

IONOS SE
Elgendorfer Str. 57
56410 Montabaur
Germany
www.ionos.de

A data processing agreement pursuant to Art. 28 GDPR has been concluded with the hosting provider.

The hosting provider processes the following data on our behalf based on our legitimate interest in the secure, fast, and efficient provision of this website (Art. 6(1)(f) GDPR): connection data, IP addresses, metadata and communication data, contract data, contact data, content data, and data transmitted via this website.


5. SSL/TLS Encryption

For security reasons and to protect the transmission of confidential content, this website uses SSL/TLS encryption. You can recognize an encrypted connection by the fact that the address bar of your browser switches from "http://" to "https://" and by the lock icon in your browser bar.

When SSL/TLS encryption is activated, the data you transmit to us cannot be read by third parties.


6. Server Log Files

The hosting provider of this website automatically collects and stores information in so-called server log files, which your browser automatically transmits. These include:

  • Browser type and version
  • Operating system used
  • Referrer URL (previously visited page)
  • Hostname of the accessing device
  • Time of the server request
  • IP address (in truncated/anonymized form)

This data is not merged with other data sources.

Legal basis: Processing is carried out on the basis of Art. 6(1)(f) GDPR. The legitimate interest lies in ensuring technically error-free and optimized website operation as well as in the security and integrity of the system.

Retention period: Server log files are stored for a maximum of 7 days and then deleted. Data whose further retention is necessary for evidentiary purposes will be retained until the final resolution of the respective incident.


7. Contact by Email

When you contact us by email (business@designernils.com), the data you provide — at minimum your email address and the content of your message — will be stored for the purpose of processing your inquiry and for any follow-up questions.

Categories of data processed: Contact data, content data, communication data

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures / performance of contract) and Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries)

Retention period: Data will be deleted once it is no longer needed for the purpose for which it was collected. This is generally the case when the respective communication with you has been concluded. Communication is considered concluded when the circumstances indicate that the matter in question has been fully resolved. Statutory retention obligations (e.g., § 147 German Fiscal Code (AO), § 257 German Commercial Code (HGB)) remain unaffected.


8. Contact Form

This website offers the option to submit inquiries via a contact form (provided by the WordPress plugin Fluent Forms). The following data is collected:

  • Name (required)
  • Email address (required)
  • Company name (if provided)
  • Message content / project description (required)

The data submitted via the contact form is used exclusively for processing your inquiry and — if a contract is concluded — for carrying out the project.

Plugin provider (data processor): WPManageNinja LLC, 2093 Philadelphia Pike #1578, Claymont, DE 19703, USA. A data processing agreement has been concluded with the provider.

Legal basis: Art. 6(1)(b) GDPR; alternatively Art. 6(1)(f) GDPR

Retention period: Form submissions will be deleted after the inquiry has been processed and any applicable statutory retention periods have expired. Submissions without further business activity will be deleted after no more than 6 months.


9. Google Analytics

9.1 Nature and Purpose of Processing

This website uses Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics uses cookies and similar technologies to analyze user behavior on this website and generate statistical reports. The information collected about your use of this website (including your truncated IP address) is generally transmitted to and stored on a Google server in the United States.

The current version, Google Analytics 4 (GA4), anonymizes IP addresses by default. A full IP address is not stored; the final digits are set to zero prior to storage.

9.2 Purpose of Data Processing

Google Analytics is used to analyze how this website is used in order to continuously improve our offering and provide visitors with an optimized user experience.

9.3 Data Transfers to Third Countries

Google processes data in the United States. The US is currently considered a safe third country under the EU-US Data Privacy Framework (adequacy decision of the European Commission dated July 10, 2023), provided Google has joined the framework. Please verify Google's current participation at: https://www.dataprivacyframework.gov/

9.4 Legal Basis

Google Analytics is used exclusively on the basis of your explicit consent pursuant to Art. 6(1)(a) GDPR. Google Analytics is only activated after your active consent via our cookie consent banner. No data processing takes place without your consent.

9.5 Right to Withdraw / Opt-Out

You may withdraw your consent at any time with effect for the future by:

  • Adjusting your cookie settings via the tarteaucitron panel (icon at the bottom left of this page),
  • Installing the Google browser add-on to disable Google Analytics: https://tools.google.com/dlpage/gaoptout,
  • Deleting all cookies in your browser and revisiting the cookie consent banner.

9.6 Data Processing Agreement

A data processing agreement pursuant to Art. 28 GDPR has been concluded with Google. For more information about Google's privacy practices, visit: https://policies.google.com/privacy

Retention period: The retention period for user-related data in Google Analytics has been set to 14 months (as configured in the Google Analytics account settings).


10. Google Fonts (Self-Hosted)

This website uses web fonts provided by Google (Google Fonts). The fonts have been downloaded and stored on the website operator's own server and are delivered from there. No connection to Google LLC servers is established. No personal data is transmitted to Google.


11. Cookies and Consent Management

11.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They are used to store information that can be retrieved on subsequent visits. Cookies can be set both by the website operator (first-party cookies) and by third parties.

11.2 Types of Cookies

We distinguish between:

  • Technically necessary cookies: These cookies are strictly required for the operation of the website. They enable basic functions such as page navigation and access to secure areas. No consent is required for these cookies (Art. 6(1)(f) GDPR).
  • Analytics / statistics cookies: These cookies allow us to analyze visitor behavior on the website. They are only set after your explicit consent.
  • Marketing cookies: Not currently used on this website.

11.3 Consent

Upon your first visit to the website, a cookie consent banner is displayed, provided by the open-source solution tarteaucitron.js. Non-necessary cookies are only set after your active consent. Since tarteaucitron.js is operated as a self-hosted JavaScript library, no data is transmitted to third parties through the consent tool itself. You may withdraw or adjust your consent at any time via the tarteaucitron panel (icon at the bottom left of this page).

Legal basis for necessary cookies: Art. 6(1)(f) GDPR
Legal basis for non-necessary cookies: Art. 6(1)(a) GDPR

11.4 Browser Settings

You may delete or disable cookies at any time through your browser settings. Please note that disabling cookies may limit the functionality of this website. For information on managing cookies, please refer to your browser's help documentation.


12. Zoom – Video Conferencing

For video conferences and online meetings, I use Zoom, a service provided by Zoom Video Communications, Inc., 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA.

Data processed when using Zoom:

  • Name (user profile / display name)
  • Email address
  • Profile picture (if available)
  • Connection and device data (IP address, MAC address, device type, operating system)
  • Audio/video data (during the meeting)
  • Chat messages (if used)
  • Meeting metadata (topic, date, time, duration, participant list)

Subtitle function: In the course of my professional communication, I use Zoom's automatic subtitle/transcription function (Live Captions). Please note that spoken content from meetings is processed as part of this feature.

Legal basis: Art. 6(1)(b) GDPR (initiation/performance of contract) and Art. 6(1)(f) GDPR (legitimate interest in efficient project communication)

Data transfers to third countries: Zoom is a US-based company. Data transfers are carried out on the basis of standard contractual clauses (Art. 46 GDPR) and, where applicable, the EU-US Data Privacy Framework. For more information, visit: https://explore.zoom.us/de/privacy/

Data processing agreement: A data processing agreement has been concluded with Zoom.

Notice to participants: The use of Zoom meetings is additionally subject to Zoom's own privacy policy. It is recommended to use Zoom only after reviewing Zoom's privacy policy.


13. Social Media Profiles

13.1 General

I maintain profiles on social networks. When you visit these profile pages, data is processed by the respective platforms. For data processing by social networks, I am jointly responsible with the platform operators pursuant to Art. 26 GDPR to the extent that I actively publish content. Otherwise, the platform operators bear sole responsibility for data processing.

For further information, please refer to the linked privacy policies of the respective platforms.

13.2 LinkedIn

Operator: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

I maintain a presence on LinkedIn. When you visit my LinkedIn profile, LinkedIn processes data in accordance with its privacy policy. Statistical information about page visitors may be collected via so-called Insight Tags.

Privacy policy: https://www.linkedin.com/legal/privacy-policy
Opt-out: https://www.linkedin.com/psettings/guest-controls

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in public presence and business development)

13.3 X (formerly Twitter)

Operator: X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA

When you visit my X profile, X Corp. processes data in accordance with its privacy policy.

Privacy policy: https://twitter.com/de/privacy
Opt-out: https://twitter.com/settings/account/personalization

Legal basis: Art. 6(1)(f) GDPR

13.4 Substack

Operator: Substack Inc., 548 Market Street PMB 72296, San Francisco, CA 94104, USA

I operate a newsletter/blog on the Substack platform. When you visit my Substack publication or sign up for the newsletter, Substack Inc. processes your data in accordance with its privacy policy.

Privacy policy: https://substack.com/privacy

Legal basis: Art. 6(1)(a) GDPR (consent upon newsletter sign-up); Art. 6(1)(f) GDPR (legitimate interest for public publication)


14. Newsletter and Email Marketing

14.1 Nature and Purpose

This website and external platforms offer the option to subscribe to a newsletter. I use the service SendFox for newsletter delivery.

14.2 SendFox

Provider: Sumo Group Inc. (SendFox), 3600 N. Capital of Texas Highway, Bldg B, Suite 390, Austin, TX 78746, USA

The following data is collected upon newsletter sign-up:

  • Email address (required)
  • Name (if requested in the form)
  • IP address and time of sign-up (for documentation of consent)

14.3 Double Opt-In and Documentation of Consent

Newsletter sign-up uses a double opt-in process: after entering your email address, you will receive a confirmation email with an activation link. Your email address will only be added to the mailing list after you click this link. This process serves as proof that the sign-up was actually made by you.

For documentation of consent, I store: the time of sign-up, the time of confirmation, and the IP address used (Art. 7(1) GDPR).

14.4 Legal Basis

Art. 6(1)(a) GDPR (consent)

14.5 Right to Withdraw

You may withdraw your consent to the storage of your data and its use for newsletter delivery at any time, in particular via the unsubscribe link in any newsletter email or by sending an informal message to business@designernils.com.

14.6 Data Transfers to Third Countries

SendFox is a US-based company. Data transfers are carried out on the basis of standard contractual clauses (Art. 46 GDPR) and/or the EU-US Data Privacy Framework. A data processing agreement has been concluded with SendFox.

Retention period: Your data will be stored for as long as your newsletter subscription is active. After withdrawal of consent or unsubscription, your data will be blocked for newsletter delivery and deleted upon expiration of any applicable statutory retention periods.


15. Data Processing Agreements (Art. 28 GDPR)

I engage external service providers (data processors) who process personal data on my behalf. Data processing agreements pursuant to Art. 28 GDPR have been concluded with all data processors to ensure that data is processed only on documented instructions and in compliance with applicable data protection requirements.

Data processors engaged include in particular:

Service Provider | Purpose | Location
IONOS SE | Web hosting | Germany
Google Ireland Limited | Web analytics (Google Analytics) | Ireland / USA
Zoom Video Communications, Inc. | Video conferencing | USA
Sumo Group Inc. (SendFox) | Email marketing | USA
WPManageNinja LLC (Fluent Forms) | Contact form | USA

16. Rights of Data Subjects

As a data subject, you have the following rights under the GDPR:

16.1 Right of Access (Art. 15 GDPR)

You have the right to request confirmation as to whether personal data concerning you is being processed. If so, you have the right to access that personal data and to receive further information pursuant to Art. 15(1) GDPR.

16.2 Right to Rectification (Art. 16 GDPR)

You have the right to request the immediate correction of inaccurate personal data concerning you. Taking into account the purposes of processing, you also have the right to request the completion of incomplete personal data.

16.3 Right to Erasure (Art. 17 GDPR)

You have the right to request the deletion of personal data concerning you, provided one of the grounds listed in Art. 17(1) GDPR applies and the processing is not necessary for one of the purposes listed in Art. 17(3) GDPR.

16.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request the restriction of processing if one of the conditions set out in Art. 18(1) GDPR is met, e.g., if you contest the accuracy of your data or have objected to processing.

16.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, provided that the processing is based on consent (Art. 6(1)(a) GDPR) or a contract (Art. 6(1)(b) GDPR) and is carried out by automated means.

16.6 Right to Object (Art. 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out on the basis of Art. 6(1)(e) or (f) GDPR.

If you object, I will no longer process the personal data in question unless I can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.

Objection to direct marketing: Where personal data is processed for direct marketing purposes, you have the right to object to such processing at any time. If you object to processing for direct marketing purposes, the personal data will no longer be processed for those purposes.

16.7 Right to Withdraw Consent (Art. 7(3) GDPR)

You have the right to withdraw consent to the processing of personal data at any time with effect for the future. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.


17. Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with jurisdiction over my business is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
(Bavarian State Office for Data Protection Supervision)
Promenade 18
91522 Ansbach
Germany
Website: www.lda.bayern.de


18. Retention Periods and Deletion Deadlines

Personal data is only stored for as long as necessary for the respective processing purpose. Storage beyond this period may occur where statutory retention obligations apply.

The following retention periods apply in detail:

Data Category | Retention Period | Legal Basis
Server log files | 7 days | Art. 6(1)(f) GDPR
Contact inquiries (email) | Until conclusion of processing, max. 3 years after last communication | Art. 6(1)(b)/(f) GDPR
Contact form data | 6 months without further business activity; otherwise until project completion | Art. 6(1)(b) GDPR
Contract data / invoices | 10 years (§ 147 AO, § 257 HGB) | Art. 6(1)(c) GDPR
Newsletter subscribers | Until unsubscription + expiration of statutory periods | Art. 6(1)(a) GDPR
Google Analytics data | 14 months (as configured in GA account settings) | Art. 6(1)(a) GDPR
Zoom metadata | Up to 30 days at Zoom | Art. 6(1)(b) GDPR

19. No Obligation to Provide Data

The provision of personal data is — except where required by law — neither legally nor contractually mandated. You are not obligated to provide personal data. However, failure to provide certain data may mean that contacting us or the provision of services is not possible.


20. Automated Decision-Making and Profiling

This website does not engage in automated decision-making or profiling within the meaning of Art. 22 GDPR.


21. Exercising Your Rights / Contact

To exercise your rights (access, rectification, erasure, restriction, data portability, objection, withdrawal of consent), please contact:

Nils Enders-Brenner
Email: business@designernils.com

As a rule, I will respond to inquiries by email within 30 days. For complex requests or a large number of requests, this period may be extended by a further two months; in such cases, I will inform you of the extension and the reason for it.

Note on communication: For disability-related reasons, phone contact is not possible. Please use the email channel exclusively. Inquiries will be acknowledged within 1–2 business days.


22. Changes to This Privacy Policy

This Privacy Policy is current as of April 2026. Changes in law, court decisions, or technical developments may require this Privacy Policy to be updated. The current version is always available at https://www.hiddendesignchampion.com/datenschutz.


Prepared in accordance with the requirements of the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the German Federal Data Protection Act (BDSG), and the German Telecommunications and Digital Services Data Protection Act (TDDDG).