Privacy Policy

1. Controller (Art. 4(7) GDPR)

PITANT UG (haftungsbeschränkt)

Geschwister-Scholl-Straße 12

91058 Erlangen, Germany

Email: info@pitant.de

Web: https://pitant.de

2. Data Protection Officer

Ali Khademolhosseini (internal DPO)

Address: as above

Email: info@pitant.de

3. Definitions and Legal Bases

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and Germany’s TTDSG (Telecommunications Telemedia Data Protection Act).

Legal bases (Art. 6(1) GDPR; TTDSG):

Consent (Art. 6(1)(a) GDPR; § 25(1) TTDSG for setting/reading non-essential cookies).
Contract / Pre-contractual (Art. 6(1)(b) GDPR).
Legal obligation (Art. 6(1)(c) GDPR).
Legitimate interests (Art. 6(1)(f) GDPR; § 25(2) TTDSG for strictly necessary storage).

4. Categories of Data We Process

Master/contact data: name, company, email, phone (if provided).
Content data: messages, form entries.
Usage/meta/communication data: IP address, device and browser information, access times, pages viewed, referrer URL, server log files.
(Optional) Newsletter data: email address, opt-in records, analytics (only if used and consented).

5. Sources of Data

You (e.g., via forms or email).
Automatically when visiting the Website (logs, cookies/similar technologies).
Processors/service providers (hosting, analytics) acting on our instructions.

6. Purposes of Processing

Providing, operating, and securing the Website.
Communicating and handling enquiries.
Reach measurement/analytics (only with consent).
Fulfilling legal obligations (e.g., retention).

7. Hosting & Infrastructure

7.1 Backend Hosting (Contabo)

We operate server-side components with Contabo GmbH (Germany/EU). Server log files (e.g., IP address, date/time, requested resources, user agent, referrer, status/error codes) are processed to ensure availability and security.

Legal bases: Art. 6(1)(f) GDPR (operation/security); Art. 28 GDPR (processing on our behalf).

Log retention: 14 days (deletion/anonymisation thereafter unless required as evidence).

7.2 Frontend Hosting / CDN (Vercel)

Our frontend is delivered by Vercel Inc. Technical access data (especially IP address, request headers, access/error logs) may be processed for delivery, performance, and security. Third-country transfers (e.g., to the USA) can occur and are based on Standard Contractual Clauses (Art. 46 GDPR) plus additional safeguards (TLS, data minimisation, restricted retention).

Legal bases: Art. 6(1)(f) GDPR (operation/security); Art. 28 GDPR.

8. Server Log Files

Each access to our Website is recorded in server logs for stability, troubleshooting, and abuse prevention.

Legal basis: Art. 6(1)(f) GDPR.

Retention: see Section 7.

9. Cookies & Similar Technologies (TTDSG)

We use cookies and similar technologies (e.g., local/session storage, pixels).

Strictly necessary (no consent required, § 25(2) TTDSG): session/security features, consent state storage.
Preferences, Analytics, Marketing (consent required, § 25(1) TTDSG): set only if you consent.

Consent Management: You can choose categories in our banner. Your choices are stored and can be changed or revoked at any time via “Cookie settings” on the Website.

Example table (adjust if different in your setup):

Category	Name/Type	Provider	Purpose	Retention
Necessary	Consent store (cookie/storage)	PITANT	Stores your consent choices	persistent
Analytics	`_ga`, `_ga_*` (cookies)	Google	Distinguish users/sessions (GA4)	up to 24 mo.
Tag Manager	– (no own cookies)	Google	Load/manage other tags (GTM)	–

10. Tag Management & Web Analytics

10.1 Google Tag Manager (GTM)

We use Google Tag Manager (Google Ireland Limited) to manage Website tags. GTM itself does not set its own cookies, but it may trigger the loading of other tags that collect data independently — only after consent.

Legal basis: Art. 6(1)(a) GDPR; § 25(1) TTDSG.

10.2 Google Analytics 4 (GA4)

With your consent, we use Google Analytics 4 (Google Ireland Limited; transfers to Google LLC/USA possible). GA4 processes pseudonymous usage data; IPs are anonymised/shortened by GA4.

Purposes: reach measurement, usage analysis, improving our offering.

Legal basis: Art. 6(1)(a) GDPR; § 25(1) TTDSG.

Data retention (events): 14 months (configurable).

Withdrawal: at any time via “Cookie settings”.

Additional opt-out: https://tools.google.com/dlpage/gaoptout

Marketing tags (only if used): Google Ads Remarketing, Meta (Facebook) Pixel, etc., are activated only if you grant consent to the respective category. If not used, this processing does not occur.

11. Contacting Us

When you contact us by email or via forms, we process your details to handle and respond to your request.

Legal bases: Art. 6(1)(b) GDPR (pre-/contractual), Art. 6(1)(f) GDPR (general communication).

Retention: 12 months after completion of the request; longer where legally required.

12. Recipients, Processors & Third-Country Transfers

Recipient categories / processors:

Contabo GmbH (backend hosting) — processing agreement (Art. 28 GDPR), EU location.
Vercel Inc. (frontend/CDN) — processing agreement (Art. 28 GDPR); third-country transfers based on SCC (Art. 46 GDPR).
Google Ireland Limited (GTM/GA4) — processing agreement; transfers to Google LLC/USA based on SCC (Art. 46 GDPR).

We have data processing agreements (DPAs) in place with all processors. For third-country transfers, we apply supplementary safeguards (encryption, minimisation).

13. Storage Periods & Deletion

We delete or anonymise data once the purpose ceases and no legal retention obligations apply. Typical periods:

Requests/communications: up to 12 months,
Server logs: up to 14 days,
Analytics (GA4): up to 14 months (configurable).

14. Security of Processing (Art. 32 GDPR)

We implement appropriate technical and organisational measures (e.g., TLS/HTTPS encryption, access controls, system hardening/updates, backups, need-to-know permissions, logging) to protect your data.

15. Obligation to Provide Data

Certain data may be required to use particular features (mandatory fields are indicated). Without such data, use may be limited.

16. No Automated Decision-Making

We do not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR.

17. Your Rights (Art. 12–22 GDPR)

Subject to legal conditions, you have the right to:

Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction (Art. 18),
Data portability (Art. 20),
Object to processing based on Art. 6(1)(e) or (f) GDPR (Art. 21),
Withdraw consent at any time (Art. 7(3)) with effect for the future.

Objection to direct marketing: You may object at any time to processing for direct marketing; this also applies to related profiling (Art. 21(2) GDPR).

18. Supervisory Authority

You may lodge a complaint with a supervisory authority. For Bavaria (Germany):

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA),

Promenade 18, 91522 Ansbach, Germany,

https://www.lda.bayern.de

19. Changes to this Privacy Policy

We will update this Privacy Policy when our processing or the legal requirements change. The current version is available at https://pitant.de/datenschutz.