Privacy Policy

1. Data Controller

Storm Reply GmbH
Bartholomäusweg 26
33334 Gütersloh
Germany

Represented by the Managing Directors: Dr. Thomas Hartmann, Dr. Sven Seiler, Tomislav Zorc, Jens Boonen
Phone: +49 (5241) 50090
Email: unity.storm@reply.de

2. Data Protection Officer

Jörg Woste
Reply Group
Email: dpo.de@reply.de

3. Overview of Data Processing Activities

This website processes personal data through the following services:

Service Purpose Legal Basis
AWS S3 / CloudFront Website hosting and delivery Art. 6(1)(f) GDPR
Google Analytics 4 Web analytics and usage statistics Art. 6(1)(a) GDPR (consent)
DOI Contact Form Contact inquiries with Double Opt-In confirmation Art. 6(1)(b) GDPR (pre-contractual measures)
Microsoft Bookings Appointment scheduling Art. 6(1)(b) GDPR (pre-contractual measures)
Cookie Consent Manager Management of cookie consent Art. 6(1)(c) GDPR (legal obligation)

4. Hosting

This website is hosted on Amazon Web Services (AWS), specifically using Amazon S3 and Amazon CloudFront. Servers are located in the AWS region eu-central-1 (Frankfurt am Main, Germany).

When you access this website, the following data is automatically processed by the hosting provider:

  • IP address of the requesting device
  • Date and time of access
  • Volume of data transferred
  • Referrer URL
  • Browser and operating system used

This data is processed by CloudFront as part of request handling but is not permanently stored in server log files. Processing is based on Art. 6(1)(f) GDPR (legitimate interest in the secure and efficient provision of the website).

Data Processor: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg. A data processing agreement (DPA) pursuant to Art. 28 GDPR is in place.

5. Cookies and Consent Management

5.1 What Are Cookies?

Cookies are small text files stored on your device. Some cookies are technically necessary for the operation of the website, while others help us analyze and optimize our services.

5.2 Consent Manager

We use a custom cookie consent manager that allows you to grant or decline consent for various cookie categories when you first visit the website. Your decision is stored for 12 months in a cookie on your device. You can change your settings at any time via the "Cookie Settings" link in the website footer.

5.3 Cookie Categories

Strictly Necessary (always active)

  • Consent cookie: Stores your cookie preferences (retention: 12 months)
  • Legal basis: Art. 6(1)(c) GDPR

Analytics (consent required)

  • Google Analytics 4 (see Section 6)
  • Legal basis: Art. 6(1)(a) GDPR (consent)

6. Google Analytics 4

We use Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

GA4 is loaded only after your explicit consent (opt-in). No data is transmitted to Google before you grant consent.

Data processed:

  • Page views and interactions
  • Approximate location (based on anonymized IP)
  • Device information (browser, operating system, screen resolution)
  • Referring website

IP anonymization: GA4 anonymizes IP addresses by default within the EU before any transfer to the USA.

Retention period: Collected data is automatically deleted after 14 months.

Opt-out: You can withdraw your consent at any time via the cookie settings. Additionally, you can install the Google Analytics opt-out browser add-on: https://tools.google.com/dlpage/gaoptout

Data Processor: Google Ireland Limited. A data processing agreement is in place. Data transfer to the USA is based on the EU-US Data Privacy Framework.

7. Contact Form (Double Opt-In)

This website uses a proprietary serverless contact form with a Double Opt-In procedure. Submissions are processed via AWS API Gateway and AWS Lambda. All services run in the AWS region eu-central-1 (Frankfurt am Main, Germany).

Data Processed

  • First name and last name (required)
  • Email address (required)
  • Phone number (optional)
  • Company (optional)
  • Your message (required)
  • IP address and request timestamp
  • Page from which the form was submitted (source_page)

Double Opt-In Procedure

  1. You fill out the contact form and confirm the privacy consent.
  2. Your data is initially stored as an unverified draft and a confirmation email is sent to the email address provided.
  3. Only after clicking the confirmation link in the email is your inquiry stored as confirmed and forwarded to us.
  4. Unconfirmed inquiries are automatically deleted after 48 hours.

Purpose and Legal Basis

Purpose: Processing your inquiry and sending requested information.

Legal basis: Art. 6(1)(b) GDPR (performance of pre-contractual measures at your request).

Retention Period

Confirmed contact inquiries are stored for 12 months and then automatically deleted, unless statutory retention periods require otherwise. The consent record (consent version, timestamp) is retained in a separate, immutable audit storage for accountability purposes pursuant to Art. 7(1) GDPR.

Data Processor: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg. A data processing agreement (DPA) pursuant to Art. 28 GDPR is in place. Data processing takes place exclusively within the EU.

8. Microsoft Bookings

For appointment scheduling, we use Microsoft Bookings, a service provided by Microsoft Corporation (EU: Microsoft Ireland Operations Limited, South County Business Park, Leopardstown, Dublin 18).

The Microsoft Bookings calendar is embedded as an iframe and loaded only after your explicit consent.

Data processed:

  • Booking data you submit (name, email, preferred time slot)
  • IP address and device information

Purpose: Scheduling consultation appointments.

Legal basis: Art. 6(1)(b) GDPR (performance of pre-contractual measures).

Data Processor: Microsoft Ireland Operations Limited. A DPA is in place. Data processing takes place within the EU (EU Data Boundary).

9. Your Rights

Under the GDPR, you have the following rights:

  • Access (Art. 15 GDPR): Right to obtain information about your stored data
  • Rectification (Art. 16 GDPR): Right to correct inaccurate data
  • Erasure (Art. 17 GDPR): Right to deletion of your data
  • Restriction (Art. 18 GDPR): Right to restrict processing
  • Data portability (Art. 20 GDPR): Right to receive your data in a machine-readable format
  • Objection (Art. 21 GDPR): Right to object to processing based on legitimate interests
  • Withdrawal of consent (Art. 7(3) GDPR): Consent can be withdrawn at any time with effect for the future

To exercise your rights, contact: unity.storm@reply.de or write to the address stated above.

10. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2–4
40213 Düsseldorf
Germany
https://www.ldi.nrw.de

11. Updates to This Privacy Policy

This privacy policy was last updated on 2026-03-12. We reserve the right to update this privacy policy to reflect changes in legal requirements or our data processing activities.