Privacy Policy
myBytes GmbH · Am Kaiserkai 69, 20457 Hamburg · compliance@mybytes.com
Last updated: May 2026 · Applies to: mybytes.com and all subpages
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
myBytes GmbH
Am Kaiserkai 69
20457 Hamburg
Germany
Email: compliance@mybytes.com
Commercial register: HRB 197538 (Amtsgericht Hamburg)
Managing directors: Guido Winger, Mariusz Pianowski
2. Principles of Data Processing
We process personal data only to the extent permitted by law or with your consent. The legal bases are:
- Art. 6(1)(a) GDPR – Consent (e.g. newsletter sign-up)
- Art. 6(1)(b) GDPR – Performance of a contract (e.g. consulting inquiries)
- Art. 6(1)(c) GDPR – Legal obligation
- Art. 6(1)(f) GDPR – Legitimate interests (e.g. website security, site analytics)
3. Hosting & Infrastructure
3.1 Server Hosting (Hetzner Online)
This website is operated on a dedicated server at Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Hetzner is a provider based in Germany; the data remains in the EU. When the website is accessed, the following data is automatically stored in the server log:
- IP address (anonymized after 7 days)
- Date and time of access
- Page / URL accessed
- HTTP status code, volume of data transferred
- Referrer URL (if transmitted)
- Browser type and operating system (user agent)
Legal basis: Art. 6(1)(f) GDPR (legitimate interest: security, troubleshooting). Retention period: 30 days, followed by automatic deletion.
4. Cookies
This website uses exclusively technically necessary cookies. No tracking, analytics, or marketing cookies are set.
| Cookie name | Purpose | Lifetime | Legal basis |
|---|---|---|---|
| XSRF-TOKEN | Cross-site request forgery protection (Laravel) | Session | Art. 6(1)(f) GDPR |
| mybytes_session | PHP session for form processing | Session | Art. 6(1)(f) GDPR |
As we use only necessary cookies, no cookie banner is required under Section 25 TTDSG (German Telecommunications Digital Services Data Protection Act). Consent for functional cookies is not necessary.
5. Website Tracking (Cookieless Fingerprinting)
5.1 How It Works
Our tracking system analyzes anonymous signals of each page view (e.g. anonymized user agent, language setting, time zone) to compute a non-persistent session hash. This hash is not permanently linked to your person and merely enables us to compile aggregated usage statistics (page views, time on page, click paths).
5.2 What Is Collected
- Pages visited and time on page
- Clicks and scroll depth
- Campaign parameters (UTM tags, LinkedIn tracking IDs) – only if contained in the URL
- Referrer domain (e.g. linkedin.com)
- Browser type, language setting, time zone (not stored, used only for hash computation)
5.3 What Is NOT Collected
- IP addresses (not stored)
- Personal data that you have not explicitly provided
- A permanently stored device fingerprint
Legal basis: Art. 6(1)(f) GDPR (legitimate interest: analysis of website usage). As no personal data within the meaning of the GDPR is stored, no cookie consent is required.
6. Campaign Tracking (LinkedIn, Google)
If you reach our website via an advertisement, the URL may contain so-called campaign parameters, e.g.:
- utm_source, utm_medium, utm_campaign – origin information
- li_fat_id – LinkedIn First-Party Ad Tracking ID
- gclid – Google Click ID
These parameters are automatically appended by LinkedIn or Google to the URL when you click. We store these parameters in anonymized form to measure the success of our campaigns. They are linked to your person only if you simultaneously sign up for our newsletter (in that case with your express consent).
Legal basis: Art. 6(1)(f) GDPR. For LinkedIn's privacy policy, please refer to linkedin.com/legal/privacy-policy.
7. Newsletter and Report Downloads
7.1 Sign-Up and Double Opt-In
You can sign up for our quarterly newsletter "KI in Unternehmen" and/or download our reports. Sign-up takes place via a double opt-in procedure:
- You enter your email address and click "Sign up".
- We send a confirmation email to the address provided.
- Your sign-up only takes effect after you click the confirmation link.
Data stored upon sign-up:
| Data category | Purpose | Retention period |
|---|---|---|
| Email address | Delivery of the newsletter | Until unsubscription + 3 years (obligation to provide evidence) |
| Name (optional) | Personalized salutation | Until unsubscription |
| Timestamp of consent | GDPR evidence | 3 years after unsubscription |
| IP address at sign-up (hashed) | GDPR evidence (Art. 7(1)) | 3 years after unsubscription |
| Consent text (wording) | GDPR evidence | 3 years after unsubscription |
| UTM parameters / campaign source | Campaign performance measurement | Anonymized after 12 months |
Legal basis: Art. 6(1)(a) GDPR (consent).
7.2 Direct Report Download (Without Sign-Up)
You can also download our reports without signing up for the newsletter. In this case, we store:
- Timestamp of the download
- Campaign parameters (UTM, if contained in the URL)
- Hashed IP address (no identification of individuals possible)
Legal basis: Art. 6(1)(f) GDPR (legitimate interest: reach measurement).
7.3 Newsletter Unsubscription (Opt-Out)
You can unsubscribe from the newsletter at any time without giving reasons:
- Via the link in every email: Every newsletter email contains a unique unsubscribe link.
- Directly: mybytes.com/newsletter/abmelden (token from email required)
- By email: compliance@mybytes.com
After unsubscription, your active data is blocked. The consent documentation (email, timestamp) is retained for a further 3 years for legal reasons and then deleted.
7.4 Email Delivery (Mailcow / Own Server)
Emails (confirmations, newsletters) are sent via our own email server (Mailcow) on the Hetzner server. No third-party email services (e.g. Mailchimp, Brevo) are used. Your email address is not passed on to third parties.
8. Contact Form and Consulting Inquiries
When you use our contact forms or consulting inquiries, the data you provide (name, email, message) is processed to handle your inquiry. This data is not used for other purposes (e.g. newsletter) without your consent.
Retention period: 3 years after the communication has concluded, unless a longer statutory retention obligation applies. Legal basis: Art. 6(1)(b) or (f) GDPR.
9. Cloudflare Turnstile (CAPTCHA Protection)
To protect our contact forms and consulting inquiries against spam and automated bot attacks, we use Cloudflare Turnstile. This is a privacy-friendly alternative to conventional CAPTCHAs.
9.1 Provider and Data Processing
Provider: Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA.
When you access a form protected by Turnstile, your browser loads JavaScript code from Cloudflare servers. The following data may be transmitted to Cloudflare in the process:
- IP address of the visitor (for challenge computation)
- Browser signals (user agent, language, time zone, screen resolution)
- Interaction data (mouse movements, keystrokes while loading)
- Timestamp of the page view
9.2 Specifics of Turnstile
Unlike conventional CAPTCHAs, Cloudflare Turnstile sets no persistent tracking cookies and creates no comprehensive user profiles. The challenge runs largely in the background, without visible puzzles for the user. Temporary session data is used exclusively for verification and is not used for advertising or tracking purposes.
9.3 Third-Country Transfer (USA)
As Cloudflare, Inc. is based in the USA, the data transmission constitutes a transfer to a third country pursuant to Art. 44 et seq. GDPR. Cloudflare has joined the EU–US Data Privacy Framework and ensures an adequate level of data protection through standard contractual clauses pursuant to Art. 46(2)(c) GDPR.
Cloudflare privacy policy: cloudflare.com/privacypolicy
Legal basis: Art. 6(1)(f) GDPR (legitimate interest: protection against spam, abuse, and automated attacks on our forms).
10. External Fonts (Google Fonts)
This website uses Google Fonts. The fonts are loaded from the Google server, whereby your IP address is transmitted to Google. Provider: Google LLC, USA. Privacy policy: policies.google.com/privacy.
Legal basis: Art. 6(1)(f) GDPR. We are in the process of hosting the fonts locally in order to avoid the transmission to Google.
11. Security
Our website uses HTTPS encryption (TLS). Access is automatically monitored by Fail2ban and CrowdSec. Passwords are stored exclusively in hashed form. Regular security updates and backups are performed.
12. Your Rights Under the GDPR
You have the following rights vis-à-vis us as the controller:
| Right | Content | Legal basis |
|---|---|---|
| Access | Which data we have stored about you | Art. 15 GDPR |
| Rectification | Correction of inaccurate data | Art. 16 GDPR |
| Erasure | Deletion of your data ("right to be forgotten") | Art. 17 GDPR |
| Restriction | Restriction of processing | Art. 18 GDPR |
| Data portability | Provision of your data in a machine-readable format | Art. 20 GDPR |
| Objection | Objection to processing based on legitimate interests | Art. 21 GDPR |
| Withdrawal of consent | Withdrawal of consent given (e.g. newsletter) | Art. 7(3) GDPR |
To exercise your rights, please contact: compliance@mybytes.com
You also have the right to lodge a complaint with the competent data protection supervisory authority:
Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit (Hamburg Commissioner for Data Protection and Freedom of Information)
Ludwig-Erhard-Str. 22, 20459 Hamburg · datenschutz.hamburg.de
13. Disclosure of Data to Third Parties
We do not pass on your personal data to third parties, except where:
- You have expressly consented
- A legal obligation exists (e.g. duty to provide information to authorities)
- It is necessary for the performance of a contract (e.g. tax advisor for accounting, subject to a duty of confidentiality)
- Data is transmitted to Cloudflare, Inc. (USA) within the scope of CAPTCHA protection by Cloudflare Turnstile (see Section 9), safeguarded by standard contractual clauses
14. Retention Periods at a Glance
| Data category | Retention period |
|---|---|
| Server logs (IP, access) | 30 days, then automatically deleted |
| Newsletter data (active) | Until unsubscription |
| Newsletter data (evidence of consent) | 3 years after unsubscription (statutory obligation to provide evidence) |
| Contact inquiries | 3 years after conclusion |
| Orders / contracts | 10 years (German Commercial Code (HGB) / Fiscal Code (AO)) |
| Report download logs (anonymized) | 24 months |
| Tracking data (anonymized) | 12 months |
15. Changes to This Privacy Policy
We reserve the right to amend this privacy policy in the event of changes to our data processing practices or legal requirements. The current version is always available at mybytes.com/datenschutz. The date of the last update is stated above.