Privacy notice
As of 16 May 2026
Introduction
With this privacy notice we inform you about the processing of personal data ("data") when you visit and use this website and in the context of our online presences on social networks (collectively, "online offering"). The processing of client data in the course of legal advice and representation is not the subject of this notice; we provide separate information on this in the course of the engagement.
The terms used are not gender-specific.
Controller
INN.LAW®
Peter Poleacov, attorney-at-law
Am Kaldenberg 3A
40489 Düsseldorf
Germany
Email: [email protected]
Legal notice: https://www.inn.law/en/legal-notice
Relevant legal bases
The following is an overview of the legal bases of the EU General Data Protection Regulation ("GDPR") on which we process personal data. Please note that, in addition to the GDPR, national data protection rules may apply in your or our country of residence or domicile. If, in addition, more specific legal bases apply in an individual case, we will inform you of these in the privacy notice.
- Consent (Article 6(1)(a) GDPR): The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Performance of a contract and pre-contractual inquiries (Article 6(1)(b) GDPR): Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Article 6(1)(c) GDPR): Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Article 6(1)(f) GDPR): Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
In addition to the GDPR, national data protection rules in Germany apply. These include, in particular, the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). Among other things, the BDSG contains specific rules on the right of access, on the right to erasure, on the right to object, on the processing of special categories of personal data, on processing for other purposes and on transfer as well as automated decision-making in individual cases, including profiling. State data protection laws of the individual German federal states may also apply.
Security measures
We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risk to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality, integrity, and availability of data through control of physical and electronic access to the data, as well as of access to, input, transfer, securing of availability, and separation. We have also established procedures to ensure the exercise of data subjects' rights, the erasure of data, and responses to threats to data. We also take the protection of personal data into account already during the development and selection of hardware, software, and processes, in accordance with the principle of data protection by design and by default.
TLS encryption (https): To protect the data you transmit via our online offering, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.
Data backup: To ensure availability and protect against data loss, we carry out regular, encrypted data backups.
Attorney-client confidentiality
As attorneys, we are subject to the special duty of professional confidentiality under Section 43a BRAO. All client data is processed under strict confidentiality. The transmission of client data to processors only takes place after they have been bound to confidentiality and in accordance with the rules of professional conduct.
Transfer of personal data
In the course of our processing of personal data, the data may be transferred to other entities, companies, legally separate organizational units, or persons, or disclosed to them. Recipients of this data may include, for example, service providers entrusted with IT tasks or providers of services and content integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements that protect your data with the recipients of your data.
Data processing in third countries
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if processing takes place in the context of using third-party services or disclosing or transferring data to other persons, entities, or companies, this only takes place in accordance with the legal requirements.
Subject to express consent or transfer required by contract or by law, we only process or have data processed in third countries with a recognized level of data protection, on the basis of contractual obligations through so-called standard contractual clauses of the EU Commission, or where certifications or binding internal data protection rules are in place (Articles 44 to 49 GDPR; information page of the EU Commission: commission.europa.eu).
Erasure of data
The data processed by us is erased in accordance with the legal requirements as soon as the consents on the basis of which it was processed are withdrawn or other permissions cease to apply (for example, if the purpose of the processing has ceased to apply or the data is no longer required for the purpose). To the extent the data is not erased because it is required for other and legally permitted purposes, its processing will be limited to those purposes. That is, the data will be blocked and not processed for other purposes. This applies, for example, to data that has to be retained for commercial or tax law reasons, or whose storage is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person.
In the context of our privacy notice, we may provide users with further information on the erasure and storage of data specific to the particular processing operations.
Use of cookies
By "cookies" we mean here any technique that stores information on your device or reads information from it, including the browser's local and session storage.
This website sets no cookies of its own and no analytics or marketing cookies. The only data stored locally are strictly necessary settings that you trigger yourself: the chosen appearance (light or dark), the language selection, the dismissal of the notice bar, and a one-time session marker for the language preset. Our hosting and security provider Cloudflare may set technically necessary security cookies (for example "__cf_bm" for bot and abuse defense); these are not used to track across websites or sessions. The local storage described and these security cookies are exempt from consent under Section 25(2) no. 2 TDDDG because they are strictly necessary for a function you have expressly requested or for the security of the service; the related processing, where personal, is based on Article 6(1)(f) GDPR. Any reach measurement is performed exclusively cookie-free; see "Web analytics, monitoring, and optimization". Consent and a cookie banner are therefore not required.
Provision of the online offering and web hosting
We process the data of users in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary in order to transmit the content and functions of our online services to the user's browser or end device.
Types of data processed: Usage data, meta/communication data, content data.
Data subjects: Users.
Purposes: Provision of our online offering and usability, information-technology infrastructure, security measures, content delivery network (CDN).
Legal bases: Legitimate interests (Article 6(1)(f) GDPR).
Collection of access data and log files: Access to our online offering is logged in the form of so-called "server log files". The server log files may include the address and name of the websites and files accessed, date and time of access, data volumes transferred, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited site), and, as a rule, IP addresses and the requesting provider. Log file information is stored for a maximum of 30 days and then erased or anonymized. Data whose further retention is necessary for evidentiary purposes is exempt from erasure until the respective incident has been finally clarified.
Email dispatch and hosting: The web-hosting services we use also include the dispatch, receipt, and storage of emails. For these purposes, the addresses of the recipients and senders as well as further information regarding email dispatch (for example, the providers involved) and the contents of the respective emails are processed. The aforementioned data may also be processed for the purpose of detecting SPAM. Please note that emails on the internet are generally not sent in encrypted form. As a rule, emails are encrypted in transit, but (unless a so-called end-to-end encryption procedure is used) not on the servers from which they are sent and received. We can therefore accept no responsibility for the transmission path of emails between the sender and receipt on our server.
Cloudflare: Web hosting and content delivery network (Cloudflare Pages). Service provider: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA. Basis for third-country transfers: adequacy decision EU-US Data Privacy Framework (Article 45 GDPR), supplemented by standard contractual clauses of the EU Commission (Article 46(2)(c) GDPR). Website: cloudflare.com; privacy policy: cloudflare.com/privacypolicy; data processing agreement: cloudflare.com/cloudflare-customer-dpa; standard contractual clauses: cloudflare.com/cloudflare-customer-scc.
Local fonts: Fonts are served exclusively from our own server; no external font services (such as Google Fonts) are integrated.
Contact and inquiry management
When you contact us (for example, by contact form, email, telephone, or via social media) and in the context of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary to respond to the contact inquiries and any requested measures.
Types of data processed: Contact data, content data, usage data, meta/communication data.
Data subjects: Communication partners.
Purposes: Contact requests and communication, management and reply to inquiries, feedback, provision of our online offering and usability.
Legal bases: Legitimate interests (Article 6(1)(f) GDPR); performance of a contract and pre-contractual inquiries (Article 6(1)(b) GDPR). Erasure of data: contact inquiries are erased after 3 years unless a mandate relationship develops. For mandates, the statutory retention periods under the BRAO apply.
Video conferencing (webinars and video calls)
For webinars and video calls we use the browser-based video conferencing of mailbox.org (mailbox.org Meet). We process the data required to participate, in particular the displayed name, audio and video data during the session, and technical connection data. No recording takes place unless this is expressly announced.
Types of data processed: Master data, contact data, content data, meta/communication data.
Data subjects: Participants.
Purposes: Conducting the event, communication.
Legal bases: Performance of a contract and pre-contractual inquiries (Article 6(1)(b) GDPR); legitimate interests (Article 6(1)(f) GDPR).
mailbox.org Meet: Video conferencing service. Service provider: Heinlein Hosting GmbH, Schwedter Straße 8/9A, 10119 Berlin, Germany. Processing within the European Union, no third-country transfer. Website: mailbox.org; privacy policy: mailbox.org/en/privacy.
Newsletter and electronic notifications
We send newsletters, emails, and other electronic notifications ("newsletter") only with the consent of the recipients or on the basis of a legal permission. To the extent the content of the newsletter is specifically described in the context of registration for the newsletter, that description is decisive for the consent of the users. Beyond that, our newsletters contain information about our services and us.
To register for our newsletters, it is generally sufficient if you provide your email address and your name, so that we can address you personally in the newsletter. However, we may ask you to provide additional information if this is necessary for the purposes of the newsletter.
Double opt-in procedure: Registration for our newsletter is carried out in a so-called double opt-in procedure. That is, after registration, you will receive an email asking you to confirm your registration. This confirmation is necessary so that no one can register with other people's email addresses. Registrations for the newsletter are logged in order to be able to prove the registration process in accordance with the legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Changes to your data stored at the dispatch service provider are also logged.
Erasure and restriction of processing: We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests before we erase them, in order to be able to prove a previously given consent. The processing of this data is limited to the purpose of a possible defense against claims. An individual request for erasure is possible at any time, provided that the existence of a previous consent is confirmed at the same time. In the case of obligations to observe objections permanently, we reserve the right to store the email address solely for this purpose in a block list ("blocklist").
The logging of the registration process takes place on the basis of our legitimate interests for the purpose of proving its proper conduct. To the extent we commission a service provider with the dispatch of emails, this takes place on the basis of our legitimate interests in an efficient and secure dispatch system.
Contents: We inform you about contract-law topics as well as about us, our services, products, promotions, and offers.
Types of data processed: Master data, contact data, meta/communication data.
Data subjects: Communication partners.
Purposes: Direct marketing.
Legal bases: Consent (Article 6(1)(a) GDPR).
Opt-out option: You can cancel the receipt of our newsletter at any time, i.e., withdraw your consents or object to further receipt. You will find a link to cancel the newsletter at the end of each newsletter; alternatively, you can use one of the contact options listed above for this purpose, preferably email.
No performance measurement: We do not measure open or click rates, do not use tracking pixels (web beacons), and do not create recipient profiles. No analysis of individual reading behavior takes place.
Loops: Email services. Service provider: Astrodon Corporation, 9450 SW Gemini Dr PMB 22902, Beaverton, OR 97008-7105, USA. Basis for third-country transfers: adequacy decision EU-US Data Privacy Framework (Article 45 GDPR), supplemented by standard contractual clauses of the EU Commission (Article 46(2)(c) GDPR). Website: loops.so; privacy policy: loops.so/privacy.
Web analytics, monitoring, and optimization
Web analytics (also referred to as "reach measurement") serves to evaluate our online offering. With it, we can, for example, recognize the extent to which our online offering is being used. We can also understand which areas need to be optimized.
Among other things, we collect the website(s) visited (page URL), the websites via which visitors access our online offering (HTTP referrer), the browser used, the computer system used, the device type, and information on the country, region, and city from which access takes place.
Types of data processed: Usage data, meta/communication data.
Data subjects: Users.
Purposes: Reach measurement.
Legal bases: Legitimate interests (Article 6(1)(f) GDPR).
Cloudflare Web Analytics: Reach measurement via our hosting provider. According to the provider, it operates cookie-free and without client-side storage or reading of information on the device; no cookies are set, no cross-site tracking, no profiling, IP addresses are not stored. Collected in aggregate: page views, referrer sources, approximate origin (country), and device type. Service provider: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA. Basis for third-country transfers: adequacy decision EU-US Data Privacy Framework (Article 45 GDPR), supplemented by standard contractual clauses of the EU Commission (Article 46(2)(c) GDPR). Website: cloudflare.com/web-analytics; privacy policy: cloudflare.com/privacypolicy.
Presence on social networks (social media)
We maintain online presences within social networks and, in this context, process users' data in order to communicate with the users active there or to provide information about us.
Please note that users' data may be processed outside the area of the European Union in this context. This may lead to risks for users, for example because it may make it more difficult to enforce users' rights.
Furthermore, users' data within social networks is generally processed for market research and advertising purposes. For example, usage profiles can be created based on usage behavior and the resulting interests of users. The usage profiles can in turn be used, for example, to place advertisements inside and outside the networks that are presumably consistent with the interests of users. For these purposes, cookies are generally stored on users' computers in which usage behavior and the interests of the users are stored. Furthermore, data may also be stored in the usage profiles independently of the devices used by the users (in particular, if the users are members of the respective platforms and are logged in there).
For a detailed description of the respective forms of processing and the objection options (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.
Also in the case of requests for access and the assertion of data subjects' rights, we note that these can be asserted most effectively with the providers. Only the providers have access to the users' data and can directly take corresponding measures and provide information. If you nevertheless need help, you can contact us.
Types of data processed: Contact data, content data, usage data, meta/communication data.
Data subjects: Users.
Purposes: Contact requests and communication, feedback, marketing.
Legal bases: Legitimate interests (Article 6(1)(f) GDPR).
LinkedIn: Social network. Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland. Website: linkedin.com; privacy policy: linkedin.com/legal/privacy-policy; opt-out: linkedin.com/psettings/guest-controls/retargeting-opt-out.
XING: Social network. Service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany. Website: xing.com.
Amendment and update of the privacy notice
We ask you to inform yourself regularly about the content of our privacy notice. We adjust the privacy notice as soon as the changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require any cooperation on your part (for example, consent) or other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy notice, please note that the addresses may change over time and please check the information before making contact.
Rights of data subjects
As a data subject, you have various rights under the GDPR, in particular under Articles 15 to 21 GDPR:
- Right to object: You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling to the extent it is related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw consents granted at any time.
- Right of access: You have the right to request confirmation as to whether the data in question is being processed and to obtain access to that data as well as further information and a copy of the data in accordance with the legal requirements.
- Right to rectification: You have the right, in accordance with the legal requirements, to request the completion of the data concerning you or the rectification of inaccurate data concerning you.
- Right to erasure and to restriction of processing: You have the right, in accordance with the legal requirements, to request that data concerning you be erased without undue delay, or, in the alternative, to request a restriction of the processing of the data in accordance with the legal requirements.
- Right to data portability: You have the right, in accordance with the legal requirements, to receive data concerning you which you have provided to us in a structured, commonly used, and machine-readable format, or to request its transmission to another controller.
- Complaint to a supervisory authority: In accordance with the legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the member state in which you habitually reside, the supervisory authority of your place of work, or the place of the alleged infringement, if you consider that the processing of personal data concerning you violates the GDPR.
Supervisory authority competent for us:
State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia
Kavalleriestr. 2-4
40213 Düsseldorf
Germany