PRIVACY POLICY
waveimpact.com
As of: February 10, 2026
1. Name and contact details of the controller
The responsible party within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection regulations is:
waveImpact Inc.
7 Fitger Street
D-28209 Bremen
Represented by: Dr. Valentin J. Mayr (Managing Director)
Phone: 0177/7120314
Email: info@waveimpact.de
Register court: Bremen Local Court, HRB 42134HB
A data protection officer has not been appointed, as the requirements of Section 38 of the Federal Data Protection Act (BDSG) are not met.
2. General information on data processing
We only process our users’ personal data to the extent necessary to provide a functional website and our content and services. Personal data is generally only processed with the user’s consent. An exception applies in cases where prior consent cannot be obtained for practical reasons and the processing of the data is permitted by law.
3. Hosting
Our website is hosted by Strato AG, Otto-Ostrowski-Str. 7, 10249 Berlin, Germany. The servers are located exclusively in Germany. When you visit our website, the hosting provider automatically collects information in so-called server log files, which your browser automatically transmits. This includes:
- IP address of the requesting computer (will be anonymized by Strato after 7 days at the latest)
- Date and time of access
- Name and URL of the retrieved file
- Amount of data transferred
- Notification of whether the retrieval was successful
- Identification data of the browser and operating system used
- Website from which access is made (referrer URL)
Legal basis: Art. 6 (1) (f) GDPR. Our legitimate interest lies in ensuring the smooth operation of our website and improving our offering. The evaluation does not serve to identify individual users.
Order processing: A data processing agreement pursuant to Art. 28 GDPR has been concluded with Strato AG.
4. SSL/TLS encryption
This website uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
5. Web analytics with SimpleAnalytics
We use the privacy-friendly analytics service SimpleAnalytics (Simple Analytics B.V., Netherlands) for statistical analysis of the use of our website.
SimpleAnalytics expressly does not collect any personal data. The service works entirely without cookies, without fingerprinting, and without storing IP addresses. Only aggregated usage data is collected, in particular page views, referrer URLs, device types, and approximate location data based on time zones (not based on IP geolocation). It is not possible to assign this data to individual persons at any time.
Since SimpleAnalytics does not process any personal data and does not store or access any information on your device, we believe that consent is not required under Art. 6 (1) (a) GDPR or § 25 (1) TDDDG. Use is based on our legitimate interest in the statistical analysis of usage behavior to improve our website (Article 6(1)(f) GDPR; Section 25(2)(2) TDDDG).
Further information on data protection at SimpleAnalytics can be found at: https://simpleanalytics.com/privacy-policy
6. Contacting us (contact form and email)
6.1 Contact form data
If you wish to use the contact form provided on the website to get in touch with us, we require the data requested in the form in order to respond to your inquiry.
Some data is collected on a voluntary basis only. We use this data exclusively for processing your inquiry and do not pass it on to third parties.
The data entered in the contact form will be processed exclusively on the basis of your consent (Art. 6 (1) (a) GDPR).
You can revoke your consent to the storage of data at any time. The legality of the data processing operations already carried out remains unaffected by the revocation.
The data you provide for the purpose of contacting us will be stored by us until you request us to delete it or until legal deadlines allow or require us to delete it.
CentralStationCRM
This website uses the CRM software CentralStationCRM to store and process your contact details.
The provider is 42he GmbH, Herderstraße 70, 50931 Cologne, Germany.
CentralStationCRM is a service that can be used, among other things, to organize and manage customers. The data you enter for the purpose of contacting us is stored on the servers of CentralStationCRM in Germany.
If you do not want CentralStationCRM to process your data further, you must inform the operator of this website after contacting us.
Data analysis by CentralStationCRM
CentralStationCRM enables us to better organize and respond more quickly to inquiries via our website. CentralStationCRM also allows us to
better group our customers and contacts. This enables us to work in a more targeted manner in sales and marketing.
Legal basis
Data processing is based on your consent (Art. 6 (1) (a) GDPR). You can revoke this consent at any time. The legality of the data processing operations already carried out remains unaffected by the revocation.
Storage period
The data you provide for the purpose of contacting us will be stored by us until it is deleted by us.
For more details, please refer to the CentralStationCRM privacy policy at: https://centralstationcrm.net/www/privacy
Conclusion of a contract for commissioned data processing
We have concluded a contract with CentralStationCRM
in which we oblige CentralStationCRM to protect our customers’ data and not to pass it on to third parties. This contract can be viewed at the following link:
https://centralstationcrm.de/avv
6.2 Analysis tools and advertising
Google reCAPTCHA
We use “Google reCAPTCHA” (hereinafter ‘reCAPTCHA’) on our websites. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).
reCAPTCHA is used to check whether the data entered on our websites (e.g., in a contact form) is entered by a human or by an automated program.
To do this, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor enters the website.
reCAPTCHA evaluates various information for the analysis (e.g., IP address, length of time the website visitor stays on the website, or mouse movements made by the user). The data collected during the analysis is forwarded to Google.
The reCAPTCHA analyses run completely in the background. Website visitors are not notified that an analysis is taking place.
Data processing is based on Art. 6 (1) lit. f GDPR. The website operator has a legitimate interest in protecting its web offerings from abusive automated spying and spam.
For more information about Google reCAPTCHA and Google’s privacy policy, please refer to the following links:
https://www.google.com/intl/de/policies/privacy/ and
https://www.google.com/recaptcha/intro/android.html.
7. Online appointment booking
On our website, we offer the option of booking a free initial consultation (30 minutes) directly online. We use the WordPress plugin “Simply Schedule Appointments” for this purpose. The plugin is operated directly on our web server (self-hosted); your data is not transmitted to the plugin manufacturer or any other third parties.
The following data is collected when booking an appointment:
- First and last name
- email address
- Desired appointment (date and time)
- If applicable, telephone number and message (if voluntarily provided by you)
This data is stored in the WordPress database on our server at Strato AG (server location: Germany). For scheduling purposes, the booking data is transferred to our calendar (Google Workspace, Google Ireland Ltd., Ireland). Google processes the data exclusively within the EU/EEA. A data processing agreement in accordance with Art. 28 GDPR (Google Workspace Data Processing Amendment) is in place with Google Ireland Ltd.
Legal basis: Art. 6(1)(b) GDPR (implementation of pre-contractual measures at the request of the data subject). The appointment is booked at your initiative and serves to prepare for a possible consulting assignment.
Deletion: The booking data will be deleted as soon as the appointment has taken place and any follow-up work has been completed, provided that no further business relationship is established. If a consulting contract is concluded, the data will be stored as part of the customer file in accordance with the statutory retention periods (§§ 147 AO, 257 HGB). If there is no follow-up contact, the data will be deleted after 6 months at the latest.
8. White paper downloads and specialist publications
We offer specialist publications (white papers, checklists, guides) for download on our website. You must provide your email address to download these publications. You can also optionally provide additional information such as your name, company, and position. This information is collected via a form that is delivered and processed directly by our CRM provider CentralStationCRM (42he GmbH, Munich).
Primary purpose: Provision of the requested document.
Legal basis: Art. 6 para. 1 lit. b GDPR (contract initiation – provision of the requested document in exchange for your contact details).
Within the download form, you can optionally give separate consent to:
- a sales follow-up on the topic of the white paper (legal basis: Art. 6(1)(a) GDPR)
- Inclusion in our newsletter distribution list (legal basis: Art. 6(1)(a) GDPR)
These consents are obtained via separate, non-preselected checkboxes. The white paper can also be downloaded without these additional consents (no prohibition of coupling).
Deletion: If you have only requested the white paper and have not given any further consent, your data will be deleted as soon as delivery is complete and no further queries are expected, but no later than after 6 months. If consent has been given for follow-up, the deadlines specified in our retention policy apply (review after 12 months without interaction).
9. Newsletter
9.1 Description and scope of data processing
You can subscribe to a free newsletter on our website. The newsletter provides regular updates on topics related to responsible AI, the EU AI Act, and AI governance.
To subscribe to the newsletter, you only need to provide your email address. Optionally, you can enter your first and last name, your company, and your position so that we can address you personally.
We use the RapidMail service (RapidMail GmbH, Augustinerplatz 2, 79098 Freiburg, Germany) to send our newsletter. RapidMail is a German provider whose servers are located exclusively in Germany. A data processing agreement in accordance with Art. 28 GDPR has been concluded.
9.2 Double opt-in procedure
Registration for our newsletter is carried out using a double opt-in procedure. This means that after registering, you will receive an email asking you to confirm your registration. This confirmation is necessary to prevent anyone from registering with someone else’s email address. Newsletter registrations are logged in order to be able to verify the registration process in accordance with legal requirements. This includes storing the time of registration and confirmation as well as the IP address.
9.3 Legal basis
Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with Section 7(2)(3) UWG (German Unfair Competition Act).
9.4 Measuring success
Our newsletter may contain tracking pixels for statistical analysis. These allow us to determine whether a newsletter message has been opened and which links have been clicked on. This data is evaluated exclusively in aggregated form and serves to optimize our newsletter offering. It is only assigned to your person to the extent necessary for delivery and fulfillment of your consent.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in optimizing the newsletter). You can object to the performance measurement by unsubscribing from the newsletter.
9.5 Deregistration
You can revoke your consent at any time and unsubscribe from the newsletter. You can revoke your consent by clicking on the unsubscribe link provided in every newsletter email, by sending an email to info@waveimpact.de, or by sending a message using the contact details above.
Deletion: After unsubscribing, your email address will be deleted from the mailing list immediately. The proof of consent (time of registration, time of confirmation, IP address) will be stored for documentation purposes for a period of 3 years after unsubscribing (legitimate interest in the verifiability of the consent previously given in accordance with Art. 6 (1) (f) GDPR in conjunction with the limitation periods of § 7 UWG)..
10. Cookies
Our website only uses cookies that are technically necessary for the operation of the website (e.g., session cookies from the WordPress content management system). These cookies are automatically deleted at the end of your browser session.
We do not use any analysis, tracking, or marketing cookies. In particular, we do not use Google Analytics, Google Fonts, embedded content from video platforms, or any other external services that would set tracking cookies.
Legal basis: Section 25 (2) No. 2 TDDDG (technically necessary cookies are permitted without consent); Art. 6 (1) lit. f GDPR (legitimate interest in the functional operation of the website).
11. Disclosure of data to third parties and transfer to third countries
Your personal data will not be transferred to third parties for purposes other than those listed below.
We will only disclose your personal data to third parties if:
- You have given your express consent (Art. 6 para. 1 lit. a GDPR),
- the transfer is necessary for the establishment, exercise, or defense of legal claims (Art. 6(1)(f) GDPR),
- there is a legal obligation (Art. 6 (1) (c) GDPR), or
- this is necessary for the performance of a contract (Art. 6 para. 1 lit. b GDPR).
We use the following processors to provide our services, with each of whom we have a data processing agreement in accordance with Art. 28 GDPR:
| processor | Function | seat | server location |
| Strato AG, Berlin | web hosting | Germany | Germany |
| 42he GmbH (CentralStationCRM), Munich | CRM system, contact forms | Germany | Germany |
| RapidMail GmbH, Freiburg | newsletter distribution | Germany | Germany |
| sevDesk GmbH, Offenburg | Accounting, invoicing | Germany | Germany |
| Simple Analytics B.V. | Web analytics (cookie-free) | Netherlands (EU) | EU |
| Google Ireland Ltd. (Google Workspace) | Calendar, email, document management. | Ireland (EU) | EU |
Personal data will not be transferred to third countries (countries outside the European Economic Area).
12. Your rights as a data subject
As the data subject, you have the following rights. You can contact us at any time to exercise your rights (see above for contact details):
12.1 Right of access (Art. 15 GDPR)
You have the right to request confirmation from us as to whether we process personal data concerning you. If this is the case, you have the right to obtain information about this personal data and the information specified in detail in Art. 15 GDPR.
12.2 Right to rectification (Art. 16 GDPR)
You have the right to request the immediate correction of inaccurate personal data concerning you and, if necessary, the completion of incomplete data.
12.3 Right to erasure (Art. 17 GDPR)
You have the right to request the deletion of personal data concerning you if one of the reasons specified in Art. 17 GDPR applies, e.g. if the data is no longer required for the purposes pursued or if you have revoked your consent.
12.4 Right to restriction of processing (Art. 18 GDPR)
You have the right to request the restriction of processing if one of the conditions specified in Art. 18 GDPR applies, e.g. if you dispute the accuracy of the data.
12.5 Right to data portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format and to transmit this data to another controller, provided that the processing is based on consent or a contract and is carried out using automated means.
12.6 Right to object (Art. 21 GDPR)
Insofar as we process personal data on the basis of our legitimate interest (Art. 6 (1) (f) GDPR), you have the right to object to the processing at any time for reasons arising from your particular situation. If you exercise your right to object, we will cease processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms.
If we process your personal data for direct marketing purposes, you have the right to object to the processing at any time without giving reasons. We will then immediately stop processing your data for direct marketing purposes.
12.7 Right to withdraw consent (Art. 7(3) GDPR)
If the processing of your personal data is based on consent, you have the right to revoke this consent at any time. The revocation does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.
12.8 Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement. The supervisory authority responsible for us is:
The State Commissioner for Data Protection and Freedom of Information of the Free Hanseatic City of Bremen
1 Arndt Street
27570 Bremerhaven
Phone: 0421/361-2010
Email: office@datenschutz.bremen.de
13. Current status and changes to this privacy policy
This privacy policy is current as of February 10, 2026. Due to the further development of our website or changes in legal or regulatory requirements, it may be necessary to amend this privacy policy. The current privacy policy can be accessed at any time on our website under the heading “Privacy Policy.”