Privacy policy
Information pursuant to Art. 13/14 GDPR. Last updated: June 2026. The German version is legally binding.
1. Controller
Nokkela-IT-Concept GmbH (in formation), Lucas-Cranach-Straße 14, 96317 Kronach, Germany, phone: +49-151-56092554, email: [email protected].
2. Hosting
This website is operated on servers in data centres in Germany and Finland. When you access the site, technically necessary server log data (IP address, date/time, requested resource, user agent) is processed on the basis of Art. 6(1)(f) GDPR (secure, fault-free operation). Logs are deleted after 7 days.
3. No external services / no tracking
This website loads no external fonts, maps, analytics or tracking services. No marketing or analytics cookies are set. The contact form uses only a technically necessary session cookie (CSRF protection).
4. Contact & quote form
When you contact us via the form, we process the data you provide (name, email, optionally company/phone, topic and message) to handle your request. The legal basis is Art. 6(1)(b) GDPR (pre-contractual measures) or (a) (consent). Data is deleted once it is no longer required and no statutory retention periods apply.
To prevent spam we use a honeypot field, a timing check and a technical rate limit. Your IP address is processed briefly (shortened) for this purpose (Art. 6(1)(f) GDPR).
5. Recipients and processors
Your data is not passed to third parties unless required to fulfil a contract or by law. Where we use service providers as processors – in particular Cloudflare to protect and deliver the website (see section 8) – this is done on the basis of a data processing agreement pursuant to Art. 28 GDPR. For any further processing relationships (e.g. hosting, email) we likewise conclude the agreements required under Art. 28 GDPR.
6. Your rights as a data subject
Under the GDPR you have the following rights. To exercise them, an informal message to the contact address in section 1 is sufficient:
- Access (Art. 15) – to the data processed about you.
- Rectification (Art. 16) – of inaccurate or incomplete data.
- Erasure (Art. 17) – unless retention obligations apply.
- Restriction of processing (Art. 18).
- Data portability (Art. 20) – in a structured, commonly used, machine-readable format.
- Objection (Art. 21) – to processing based on legitimate interests.
- Withdrawal of consent (Art. 7(3)) – with effect for the future.
- Complaint (Art. 77) – with a data protection supervisory authority; for us this is the Bavarian State Office for Data Protection Supervision (BayLDA), Ansbach.
7. TLS encryption
For security reasons this site uses TLS encryption, recognisable by "https://" in the address bar.
8. Website protection (Cloudflare)
To protect our websites against attacks (e.g. DDoS) and to ensure reliable delivery, we use Cloudflare (Cloudflare, Inc.) as an upstream reverse proxy. In doing so, technically necessary connection data (including the IP address) is processed. For users in Europe, we have explicitly disabled tracking by Cloudflare. The legal basis is Art. 6(1)(f) GDPR (security and reliable provision). Our IT services themselves are provided directly, without the Cloudflare proxy, for maximum transparency.
9. Definitions
The terms used follow Art. 4 GDPR. "Personal data" means any information relating to an identified or identifiable natural person ("data subject"). "Processing" means any operation performed on personal data (e.g. collection, storage, use, erasure). The "controller" determines the purposes and means of processing; a "processor" processes data on our behalf. No automated decision-making or profiling takes place on these sites.
10. Legal bases for processing
We process personal data on the following legal bases of the GDPR:
- Consent (Art. 6(1)(a)) – you have consented to processing for one or more specific purposes.
- Contract / pre-contractual measures (Art. 6(1)(b)) – processing is necessary to perform a contract or to respond to your request.
- Legal obligation (Art. 6(1)(c)) – e.g. commercial or tax retention obligations.
- Legitimate interests (Art. 6(1)(f)) – e.g. secure, fault-free operation and protection against misuse, unless your interests prevail.
11. International data transfers
Your data is processed primarily within the EU/EEA (servers in Germany and Finland). Where, as part of the Cloudflare protection (see section 8), processing is carried out by a company based in a third country (USA), this only takes place in accordance with legal requirements – in particular on the basis of an adequacy decision (EU-US Data Privacy Framework, Art. 45 GDPR) or EU standard contractual clauses (Art. 46(2)(c) GDPR). For European users, tracking by Cloudflare is disabled.
12. Technical and organisational measures
Taking into account the state of the art, we implement appropriate technical and organisational measures to ensure a level of protection appropriate to the risk (Art. 32 GDPR). These include safeguarding confidentiality, integrity and availability, end-to-end TLS/SSL encryption of data transmission (see section 7), access controls, and the principle of data protection by design and by default (Art. 25 GDPR).
13. Storage period and erasure
We erase personal data as soon as the underlying purpose no longer applies, consent is withdrawn or no other legal basis exists. Server log data is deleted after 7 days. Enquiries submitted via the contact form are deleted once they are no longer required for processing. Statutory retention obligations remain unaffected (in particular 6 years under § 257 HGB or 10 years under § 147 AO); for their duration, processing is restricted.
14. Changes to this privacy policy
We reserve the right to amend this privacy policy so that it always complies with current legal requirements or reflects changes to our services. The version then in force applies to any subsequent visit.