Privacy notice
Introduction
With this privacy notice we inform you about the processing of personal data (“data”) when you visit and use this website and in the context of our online presences on social networks (collectively, “online offering”). The processing of client data in the course of legal advice and representation is not the subject of this notice; we provide separate information on this in the course of the engagement.
The terms used are not gender-specific.
Controller
INN.LAW®
Peter Poleacov, attorney-at-law
Am Kaldenberg 3A
40489 Düsseldorf
Germany
Email: info@inn.law
Legal notice: https://inn.law/en/legal-notice/
Relevant legal bases
The following is an overview of the legal bases of the EU General Data Protection Regulation (“GDPR”) on which we process personal data. Please note that, in addition to the GDPR, national data protection rules may apply in your or our country of residence or domicile. If, in addition, more specific legal bases apply in an individual case, we will inform you of these in the privacy notice.
- Consent (Article 6(1)(a) GDPR): The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Performance of a contract and pre-contractual inquiries (Article 6(1)(b) GDPR): Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Article 6(1)(c) GDPR): Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Article 6(1)(f) GDPR): Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
In addition to the GDPR, national data protection rules in Germany apply. These include, in particular, the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). Among other things, the BDSG contains specific rules on the right of access, on the right to erasure, on the right to object, on the processing of special categories of personal data, on processing for other purposes and on transfer as well as automated decision-making in individual cases, including profiling. State data protection laws of the individual German federal states may also apply.
Security measures
We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risk to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.
The measures include safeguarding the confidentiality, integrity, and availability of data through access and authorization controls, as well as procedures for the exercise of data subjects’ rights and the erasure of data. We take the protection of personal data into account already when selecting hardware and software, in accordance with the principle of data protection by design and by default.
TLS encryption (https): To protect the data you transmit via our online offering, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.
Data backup: To ensure availability and protect against data loss, we carry out regular, encrypted data backups.
Attorney-client confidentiality
As attorneys, we are subject to the special duty of professional confidentiality under Section 43a BRAO. All client data is processed under strict confidentiality. The transmission of client data to processors only takes place after they have been bound to confidentiality and in accordance with the rules of professional conduct.
Recipients and data processing in third countries
Where we transfer personal data to other entities, this only takes place to the extent necessary, for example to service providers entrusted with IT and hosting tasks, with whom we conclude the data processing agreements required by law.
Where data is processed outside the EU or the EEA in this context, this only takes place on the basis of Articles 44 to 49 GDPR, that is, under an adequacy decision of the EU Commission or appropriate safeguards such as the standard contractual clauses. We state the basis relevant to the respective service in its description (for further information, see the information page of the EU Commission: commission.europa.eu).
Erasure of data
The data processed by us is erased in accordance with the legal requirements as soon as the consents on the basis of which it was processed are withdrawn or other permissions cease to apply (for example, if the purpose of the processing has ceased to apply or the data is no longer required for the purpose). To the extent the data is not erased because it is required for other and legally permitted purposes, its processing will be limited to those purposes. That is, the data will be blocked and not processed for other purposes. This applies, for example, to data that has to be retained for commercial or tax law reasons, or whose storage is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person.
In the context of our privacy notice, we may provide users with further information on the erasure and storage of data that is specific to the particular processing operations.
Use of cookies
By “cookies” we mean here any technique that stores information on your device or reads information from it, including the browser’s local and session storage.
This website sets neither its own cookies nor any analytics or marketing cookies. The only data stored locally are strictly necessary settings that you trigger yourself: the chosen appearance (light or dark), the language selection, the dismissal of the notice bar, and a one-time session marker for the language preset. Our hosting and security provider Cloudflare may set technically necessary security cookies (for example “__cf_bm” for bot and abuse defense); these are not used to track across websites or sessions. The local storage described and these security cookies are exempt from consent under Section 25(2) no. 2 TDDDG because they are strictly necessary for a function you have expressly requested or for the security of the service; the related processing, where personal, is based on Article 6(1)(f) GDPR. Any reach measurement is performed exclusively cookie-free; see “Web analytics, monitoring, and optimization”. Consent and a cookie banner are therefore not required.
Provision of the online offering and web hosting
We process the data of users in order to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary in order to transmit the content and functions of our online services to the user’s browser or end device.
Types of data processed: Usage data, meta/communication data, content data.
Data subjects: Users.
Purposes: Provision of our online offering and usability, information-technology infrastructure, security measures, content delivery network (CDN).
Legal bases: Legitimate interests (Article 6(1)(f) GDPR).
Access data and server logs: Our website is provided as a static site via our hosting and CDN provider Cloudflare. When it is accessed, connection data is generated for technical reasons (in particular IP address, date and time, the file accessed, data volume transferred, browser type, operating system, and referrer), which Cloudflare processes as a processor for the delivery, stability, and security of the offering. We do not keep our own server log files with a fixed retention period and have no access to the raw connection logs. Cloudflare does not retain full access logs for retrieval by default; the retention period is governed by Cloudflare’s data protection terms and data processing agreement. Data whose further retention is necessary for evidentiary purposes is exempt from erasure until the respective incident has been clarified.
Email dispatch and hosting: The web-hosting services we use also include the dispatch, receipt, and storage of emails. For these purposes, the addresses of the recipients and senders as well as further information regarding email dispatch (for example, the providers involved) and the contents of the respective emails are processed. The aforementioned data may also be processed for the purpose of detecting spam. Please note that emails on the internet are generally not sent in encrypted form. As a rule, emails are encrypted in transit, but (unless a so-called end-to-end encryption procedure is used) not on the servers from which they are sent and received. We can therefore accept no responsibility for the transmission path of emails between the sender and their receipt on our server.
Cloudflare: Web hosting and content delivery network (Cloudflare Pages). Service provider: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA. Basis for third-country transfers: adequacy decision EU-US Data Privacy Framework (Article 45 GDPR), supplemented by standard contractual clauses of the EU Commission (Article 46(2)(c) GDPR). Website: cloudflare.com; privacy policy: cloudflare.com/privacypolicy; data processing agreement: cloudflare.com/cloudflare-customer-dpa; standard contractual clauses: cloudflare.com/cloudflare-customer-scc.
Local fonts: Fonts are served exclusively from our own server; no external font services (such as Google Fonts) are integrated.
Contact and inquiry management
When you contact us (for example, by email, telephone, or via social media) and in the context of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary to respond to the contact inquiries and any requested measures.
Types of data processed: Contact data, content data, usage data, meta/communication data.
Data subjects: Communication partners.
Purposes: Contact requests and communication, management and reply to inquiries, feedback, provision of our online offering and usability.
Legal bases: Legitimate interests (Article 6(1)(f) GDPR); performance of a contract and pre-contractual inquiries (Article 6(1)(b) GDPR). Erasure of data: contact inquiries are erased after 3 years unless a mandate relationship develops. For mandates, the statutory retention periods under the BRAO apply.
Video conferencing (webinars and video calls)
For webinars and video calls we use the browser-based video conferencing of mailbox.org (mailbox.org Meet). We process the data required to participate, in particular the displayed name, audio and video data during the session, and technical connection data. No recording takes place unless this is expressly announced.
Types of data processed: Master data, contact data, content data, meta/communication data.
Data subjects: Participants.
Purposes: Conducting the event, communication.
Legal bases: Performance of a contract and pre-contractual inquiries (Article 6(1)(b) GDPR); legitimate interests (Article 6(1)(f) GDPR).
mailbox.org Meet: Video conferencing service. Service provider: Heinlein Hosting GmbH, Schwedter Straße 8/9A, 10119 Berlin, Germany. Processing within the European Union, no third-country transfer. Website: mailbox.org; privacy policy: mailbox.org/en/data-protection.
Newsletter and electronic notifications
We send newsletters, emails, and other electronic notifications (“newsletter”) only with the consent of the recipients or on the basis of a legal permission. To the extent the content of the newsletter is specifically described in the context of registration for the newsletter, that description is decisive for the consent of the users. Beyond that, our newsletters contain information about our services and us.
To register for our newsletters, it is generally sufficient if you provide your email address and your name, so that we can address you personally in the newsletter. However, we may ask you to provide additional information if this is necessary for the purposes of the newsletter.
Double opt-in procedure: Registration for our newsletter is carried out in a so-called double opt-in procedure. That is, after registration, you will receive an email asking you to confirm your registration. This confirmation is necessary so that no one can register with other people’s email addresses. Registrations for the newsletter are logged in order to be able to prove the registration process in accordance with the legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Changes to your data stored at the dispatch service provider are also logged.
Protection against automated sign-ups (Cloudflare Turnstile): The sign-up form is protected against automated and abusive input (bots) by Cloudflare Turnstile. To check whether the sign-up is carried out by a human, a token is generated and verified server-side at Cloudflare; in the process, your IP address is transmitted to Cloudflare. In the standard configuration we use, Turnstile does not set cookies and does not create cross-device or cross-site profiles. The processing is strictly necessary for the security of this function you have expressly requested (Section 25(2) no. 2 TDDDG) and is based, where personal, on Article 6(1)(f) GDPR.
Erasure and restriction of processing: We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests before we erase them, in order to be able to prove a previously given consent. The processing of this data is limited to the purpose of a possible defense against claims. An individual request for erasure is possible at any time, provided that the existence of a previous consent is confirmed at the same time. In the case of obligations to observe objections permanently, we reserve the right to store the email address solely for this purpose in a block list (“blocklist”).
The logging of the registration process takes place on the basis of our legitimate interests for the purpose of proving its proper conduct. To the extent we commission a service provider with the dispatch of emails, this takes place on the basis of our legitimate interests in an efficient and secure dispatch system.
Contents: We inform you about contract-law topics as well as about us, our services, products, promotions, and offers.
Types of data processed: Master data, contact data, meta/communication data.
Data subjects: Communication partners.
Purposes: Direct marketing.
Legal bases: Consent (Article 6(1)(a) GDPR).
Opt-out option: You can cancel the receipt of our newsletter at any time, i.e., withdraw your consents or object to further receipt. You will find a link to cancel the newsletter either at the end of each newsletter or you can use one of the contact options listed above for this purpose, preferably email.
No performance measurement: We do not measure open or click rates, do not use tracking pixels (web beacons), and do not create recipient profiles. No analysis of individual reading behavior takes place.
Loops: Email services. Service provider: Astrodon Corporation, 9450 SW Gemini Dr PMB 22902, Beaverton, OR 97008-7105, USA. Basis for third-country transfers: adequacy decision EU-US Data Privacy Framework (Article 45 GDPR), supplemented by standard contractual clauses of the EU Commission (Article 46(2)(c) GDPR). Website: loops.so; privacy policy: loops.so/privacy.
Cloudflare Turnstile: Protection against bots and abuse during newsletter sign-up. Service provider: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA. Basis for third-country transfers: adequacy decision EU-US Data Privacy Framework (Article 45 GDPR), supplemented by standard contractual clauses of the EU Commission (Article 46(2)(c) GDPR). Website: cloudflare.com; privacy policy: cloudflare.com/privacypolicy.
Web analytics, monitoring, and optimization
Web analytics (also referred to as “reach measurement”) serves to evaluate our online offering. With it, we can, for example, recognize the extent to which our online offering is being used. We can also understand which areas need to be optimized.
Among other things, we collect the website(s) visited (page URL), the websites via which visitors access our online offering (HTTP referrer), the browser used, the computer system used, the device type, and information on the country, region, and city from which access takes place.
Types of data processed: Usage data, meta/communication data.
Data subjects: Users.
Purposes: Reach measurement.
Legal bases: Legitimate interests (Article 6(1)(f) GDPR).
Cloudflare Web Analytics: Reach measurement via our hosting provider. According to the provider, it operates cookie-free and without client-side storage or reading of information on the device; no cookies are set, no cross-site tracking, no profiling, IP addresses are not stored. Collected in aggregate: page views, referrer sources, approximate origin (country), and device type. Service provider: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA. Basis for third-country transfers: adequacy decision EU-US Data Privacy Framework (Article 45 GDPR), supplemented by standard contractual clauses of the EU Commission (Article 46(2)(c) GDPR). Website: cloudflare.com/web-analytics; privacy policy: cloudflare.com/privacypolicy.
Presence on social networks (social media)
We maintain publicly accessible profiles on social networks in order to provide information about our work and to communicate with interested parties. No content, buttons, or scripts of these networks are embedded on our website; therefore, no data is transmitted to the networks when you visit our pages.
If you access our profiles within a network, that network’s provider processes your data under its own responsibility and, in part, under joint responsibility with us (Article 26 GDPR), regularly also outside the EU and for market research and advertising purposes. We have only limited influence on the nature and scope of this processing. Details and objection options can be found in the privacy policy of the respective provider; data subjects’ rights can also be asserted most effectively there. The networks we use are listed in our legal notice.
Types of data processed: Contact data, content data, usage data, meta/communication data.
Data subjects: Users.
Purposes: Communication, public relations.
Legal bases: Legitimate interests (Article 6(1)(f) GDPR).
Amendment and update of the privacy notice
We ask you to inform yourself regularly about the content of our privacy notice. We adjust the privacy notice as soon as the changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require any cooperation on your part (for example, consent) or other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy notice, please note that the addresses may change over time and please check the information before making contact.
Rights of data subjects
As a data subject, you have various rights under the GDPR, in particular under Articles 15 to 21 GDPR:
- Right to object: You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling to the extent it is related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw, at any time, any consent you have granted.
- Right of access: You have the right to request confirmation as to whether the data in question is being processed and to obtain access to that data as well as further information and a copy of the data in accordance with the legal requirements.
- Right to rectification: You have the right, in accordance with the legal requirements, to request the completion of the data concerning you or the rectification of inaccurate data concerning you.
- Right to erasure and to restriction of processing: You have the right, in accordance with the legal requirements, to request that data concerning you be erased without undue delay, or, in the alternative, to request a restriction of the processing of the data in accordance with the legal requirements.
- Right to be informed: You have the right to rectification, erasure, or restriction of processing. If you exercise one of these rights, we will communicate this to all recipients of your data, unless this proves impossible or involves disproportionate effort. You also have the right to be informed about these recipients.
- Right to data portability: You have the right, in accordance with the legal requirements, to receive data concerning you which you have provided to us in a structured, commonly used, and machine-readable format, or to request its transmission to another controller.
- Complaint to a supervisory authority: In accordance with the legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the member state in which you habitually reside, the supervisory authority of your place of work, or the place of the alleged infringement, if you consider that the processing of personal data concerning you violates the GDPR.
Supervisory authority competent for us:
State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia
Kavalleriestr. 2-4
40213 Düsseldorf
Germany
No automated decision-making: No decision based solely on automated processing, and no profiling within the meaning of Article 22 GDPR, takes place.
As of 6 June 2026