Privacy Policy

myBytes GmbH · Am Kaiserkai 69, 20457 Hamburg · compliance@mybytes.com
Last updated: May 2026 · Applies to: mybytes.com and all subpages

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

myBytes GmbH
Am Kaiserkai 69
20457 Hamburg
Germany
Email: compliance@mybytes.com
Commercial register: HRB 197538 (Amtsgericht Hamburg)
Managing directors: Guido Winger, Mariusz Pianowski

2. Principles of Data Processing

We process personal data only to the extent permitted by law or with your consent. The legal bases are:

  • Art. 6(1)(a) GDPR – Consent (e.g. newsletter sign-up)
  • Art. 6(1)(b) GDPR – Performance of a contract (e.g. consulting inquiries)
  • Art. 6(1)(c) GDPR – Legal obligation
  • Art. 6(1)(f) GDPR – Legitimate interests (e.g. website security, site analytics)

3. Hosting & Infrastructure

3.1 Server Hosting (Hetzner Online)

This website is operated on a dedicated server at Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Hetzner is a provider based in Germany; the data remains in the EU. When the website is accessed, the following data is automatically stored in the server log:

  • IP address (anonymized after 7 days)
  • Date and time of access
  • Page / URL accessed
  • HTTP status code, volume of data transferred
  • Referrer URL (if transmitted)
  • Browser type and operating system (user agent)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest: security, troubleshooting). Retention period: 30 days, followed by automatic deletion.

4. Cookies

This website uses exclusively technically necessary cookies. No tracking, analytics, or marketing cookies are set.

Cookie name | Purpose | Lifetime | Legal basis
XSRF-TOKEN | Cross-site request forgery protection (Laravel) | Session | Art. 6(1)(f) GDPR
mybytes_session | PHP session for form processing | Session | Art. 6(1)(f) GDPR

As we use only necessary cookies, no cookie banner is required under Section 25 TTDSG (German Telecommunications Digital Services Data Protection Act). Consent for functional cookies is not necessary.

5. Website Tracking (Cookieless Fingerprinting)

This website uses a cookieless tracking system that does not store any personal data within the legal meaning and does not require cookie consent.

5.1 How It Works

Our tracking system analyzes anonymous signals of each page view (e.g. anonymized user agent, language setting, time zone) to compute a non-persistent session hash. This hash is not permanently linked to your person and merely enables us to compile aggregated usage statistics (page views, time on page, click paths).

5.2 What Is Collected

  • Pages visited and time on page
  • Clicks and scroll depth
  • Campaign parameters (UTM tags, LinkedIn tracking IDs) – only if contained in the URL
  • Referrer domain (e.g. linkedin.com)
  • Browser type, language setting, time zone (not stored, used only for hash computation)

5.3 What Is NOT Collected

  • IP addresses (not stored)
  • Personal data, unless you explicitly provide it
  • A permanently stored device fingerprint

Legal basis: Art. 6(1)(f) GDPR (legitimate interest: analysis of website usage). As no personal data within the meaning of the GDPR is stored, no cookie consent is required.

6. Campaign Tracking (LinkedIn, Google)

If you reach our website via an advertisement, the URL may contain so-called campaign parameters, e.g.:

  • utm_source, utm_medium, utm_campaign – origin information
  • li_fat_id – LinkedIn First-Party Ad Tracking ID
  • gclid – Google Click ID

These parameters are automatically appended by LinkedIn or Google to the URLs you click. We store these parameters in anonymized form to measure the success of our campaigns. They are linked to your person only if you simultaneously sign up for our newsletter (in that case with your express consent).

Legal basis: Art. 6(1)(f) GDPR. For LinkedIn's privacy policy, please refer to linkedin.com/legal/privacy-policy.

7. Newsletter and Report Downloads

7.1 Sign-Up and Double Opt-In

You can sign up for our quarterly newsletter "KI in Unternehmen" and/or download our reports. Sign-up takes place via a double opt-in procedure:

  1. You enter your email address and click "Sign up".
  2. We send a confirmation email to the address provided.
  3. Your sign-up only takes effect after you click the confirmation link.

Data stored upon sign-up:

Data category | Purpose | Retention period
Email address | Delivery of the newsletter | Until unsubscription + 3 years (obligation to provide evidence)
Name (optional) | Personalized salutation | Until unsubscription
Timestamp of consent | GDPR evidence | 3 years after unsubscription
IP address at sign-up (hashed) | GDPR evidence (Art. 7(1)) | 3 years after unsubscription
Consent text (wording) | GDPR evidence | 3 years after unsubscription
UTM parameters / campaign source | Campaign performance measurement | Anonymized after 12 months

Legal basis: Art. 6(1)(a) GDPR (consent).

7.2 Direct Report Download (Without Sign-Up)

You can also download our reports without signing up for the newsletter. In this case, we store:

  • Timestamp of the download
  • Campaign parameters (UTM, if contained in the URL)
  • Hashed IP address (no identification of individuals possible)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest: reach measurement).

7.3 Newsletter Unsubscription (Opt-Out)

You can unsubscribe from the newsletter at any time without giving reasons:

  • Via the link in every email: Every newsletter email contains a unique unsubscribe link.
  • Directly: mybytes.com/newsletter/abmelden (token from email required)
  • By email: compliance@mybytes.com

After unsubscription, your active data is blocked. The consent documentation (email, timestamp) is retained for a further 3 years for legal reasons and then deleted.

7.4 Email Delivery (Mailcow / Own Server)

Emails (confirmations, newsletters) are sent via our own email server (Mailcow) on the Hetzner server. No third-party email services (e.g. Mailchimp, Brevo) are used. Your email address is not passed on to third parties.

8. Contact Form and Consulting Inquiries

When you use our contact forms or consulting inquiries, the data you provide (name, email, message) is processed to handle your inquiry. This data is not used for other purposes (e.g. newsletter) without your consent.

Retention period: 3 years after the communication has concluded, unless a longer statutory retention obligation applies. Legal basis: Art. 6(1)(b) or (f) GDPR.

9. Cloudflare Turnstile (CAPTCHA Protection)

To protect our contact forms and consulting inquiries against spam and automated bot attacks, we use Cloudflare Turnstile. This is a privacy-friendly alternative to conventional CAPTCHAs.

9.1 Provider and Data Processing

Provider: Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA.

When you access a form protected by Turnstile, your browser loads JavaScript code from Cloudflare servers. The following data may be transmitted to Cloudflare in the process:

  • IP address of the visitor (for challenge computation)
  • Browser signals (user agent, language, time zone, screen resolution)
  • Interaction data (mouse movements, keystrokes while loading)
  • Timestamp of the page view

9.2 Specifics of Turnstile

Unlike conventional CAPTCHAs, Cloudflare Turnstile sets no persistent tracking cookies and creates no comprehensive user profiles. The challenge runs largely in the background, without visible puzzles for the user. Temporary session data is used exclusively for verification and is not used for advertising or tracking purposes.

9.3 Third-Country Transfer (USA)

As Cloudflare, Inc. is based in the USA, the data transmission constitutes a transfer to a third country pursuant to Art. 44 et seq. GDPR. Cloudflare has joined the EU–US Data Privacy Framework and ensures an adequate level of data protection through standard contractual clauses pursuant to Art. 46(2)(c) GDPR.

Cloudflare privacy policy: cloudflare.com/privacypolicy

Legal basis: Art. 6(1)(f) GDPR (legitimate interest: protection against spam, abuse, and automated attacks on our forms).

10. External Fonts (Google Fonts)

This website uses Google Fonts. The fonts are loaded from the Google server, whereby your IP address is transmitted to Google. Provider: Google LLC, USA. Privacy policy: policies.google.com/privacy.

Legal basis: Art. 6(1)(f) GDPR. We are in the process of hosting the fonts locally in order to avoid the transmission to Google.

11. Security

Our website uses HTTPS encryption (TLS). Access is automatically monitored by Fail2ban and CrowdSec. Passwords are stored exclusively in hashed form. Regular security updates and backups are performed.

12. Your Rights Under the GDPR

You have the following rights vis-à-vis us as the controller:

Right | Content | Legal basis
Access | Which data we have stored about you | Art. 15 GDPR
Rectification | Correction of inaccurate data | Art. 16 GDPR
Erasure | Deletion of your data ("right to be forgotten") | Art. 17 GDPR
Restriction | Restriction of processing | Art. 18 GDPR
Data portability | Provision of your data in a machine-readable format | Art. 20 GDPR
Objection | Objection to processing based on legitimate interests | Art. 21 GDPR
Withdrawal of consent | Withdrawal of consent given (e.g. newsletter) | Art. 7(3) GDPR

To exercise your rights, please contact: compliance@mybytes.com

You also have the right to lodge a complaint with the competent data protection supervisory authority:
Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit (Hamburg Commissioner for Data Protection and Freedom of Information)
Ludwig-Erhard-Str. 22, 20459 Hamburg · datenschutz.hamburg.de

13. Disclosure of Data to Third Parties

We do not pass on your personal data to third parties, except where:

  • You have expressly consented
  • A legal obligation exists (e.g. duty to provide information to authorities)
  • It is necessary for the performance of a contract (e.g. tax advisor for accounting, subject to a duty of confidentiality)
  • The data is transmitted to Cloudflare, Inc. (USA) within the scope of CAPTCHA protection by Cloudflare Turnstile (see Section 9), safeguarded by standard contractual clauses

14. Retention Periods at a Glance

Data category | Retention period
Server logs (IP, access) | 30 days, then automatically deleted
Newsletter data (active) | Until unsubscription
Newsletter data (evidence of consent) | 3 years after unsubscription (statutory obligation to provide evidence)
Contact inquiries | 3 years after conclusion
Orders / contracts | 10 years (German Commercial Code (HGB) / Fiscal Code (AO))
Report download logs (anonymized) | 24 months
Tracking data (anonymized) | 12 months

15. Changes to This Privacy Policy

We reserve the right to amend this privacy policy in the event of changes to our data processing practices or legal requirements. The current version is always available at mybytes.com/datenschutz. The date of the last update is stated above.