Privacy Policy
Privacy Notice
With this Privacy Notice, we inform you about the processing of personal data when you use our website, as well as about our presences on social networks.
The protection of your personal data is of great importance to us. We process your data exclusively within the scope of the applicable data protection laws, in particular the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) and the German Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz – TDDDG).
1. Controller
Strichpunkt Identity GmbH, represented by Philipp Brune, Krefelder Straße 32, 70376 Stuttgart
2. Data Protection Officer
If you have any questions regarding our data protection measures, the processing of your data or the exercise of your data subject rights, you can contact us and our Data Protection Officer as follows:
External Data Protection Officer
ePrivacy GmbH, represented by Prof. Dr. Christoph Bauer, Burchardstraße 14, 20095 Hamburg
For all questions and concerns relating to your data, please contact us at: datenschutz@sp.design
If you wish to communicate directly with our Data Protection Officer, for example because your concern is particularly sensitive, please contact the Data Protection Officer by post, as communication by email may always involve security vulnerabilities. Please state in your request that your matter relates to Strichpunkt – Agentur für visuelle Kommunikation GmbH.
3. Categories of Personal Data
We process, in particular, the following categories of personal data:
- Contact details, e.g. first and last name, address, email address, telephone number
- Communication data, e.g. correspondence with us
- Usage data, e.g. information about the use of our website
- Protocol data / log files, e.g. IP address, date and time of access, browser type
- Online identifiers, e.g. cookie IDs, device identifiers or comparable identifiers
4. Purposes of Processing
We process personal data in particular for the following purposes:
- to provide and technically deliver our website
- to communicate with you
- to initiate and perform contracts
- to process enquiries
- for reach measurement and statistical analysis, where a legal basis exists for this
- for marketing and communication purposes, where a legal basis exists for this
- for IT security and to prevent misuse
5. Legal Bases
Unless otherwise stated in individual cases, we base the processing of your personal data on the following legal bases:
- Art. 6(1)(a) GDPR, where you have given your consent
- Art. 6(1)(b) GDPR, where processing is necessary for the initiation or performance of a contract
- Art. 6(1)(c) GDPR, where processing is necessary for compliance with a legal obligation
- Art. 6(1)(f) GDPR, where processing is necessary for the purposes of our legitimate interests and where such interests are not overridden by the interests or fundamental rights and freedoms of the data subject
Where information is accessed on terminal equipment or stored on terminal equipment, the legal basis is additionally governed by Section 25 TDDDG.
6. Legitimate Interests
Where we process data on the basis of Art. 6(1)(f) GDPR, we pursue, in particular, the following legitimate interests:
- ensuring the stability and security of our website
- improving our online offering and our services
- traceability of communication processes
- preventing misuse and IT security incidents
- internal administrative and organisational purposes
7. Requirement or Obligation to Provide Data
Unless expressly stated otherwise, the provision of personal data is neither legally nor contractually required. However, without certain information, we may not be able to provide individual services, or may only be able to provide them incompletely, or may be unable to process enquiries.
8. Retention Period
We store personal data only for as long as this is necessary for the respective purposes or for as long as statutory retention obligations apply.
- Data processed on the basis of consent is generally stored until consent is withdrawn, unless another legal basis applies.
- Contract-related data is stored for the duration of the contractual relationship and beyond that within the scope of statutory retention periods.
- Data that we process on the basis of legitimate interests is stored until the processing purpose ceases to apply or until a justified objection is raised, unless compelling legitimate grounds for the processing prevail.
9. Use of Cookies and Similar Technologies
9.1 General Information
Our website uses cookies and similar technologies. Cookies are small text files that are stored on your terminal device and may contain information. In addition, comparable technologies may be used, such as local storage, pixels, tags or scripts.
These technologies are used to technically provide our website, store settings, make content and functions user-friendly and — where you have given your consent — carry out reach measurement and analysis.
9.2 Categories
We use, in particular, the following categories of cookies and similar technologies:
Technically necessary cookies
These are necessary to provide the website and its basic functions.
Preference cookies
These enable settings such as language or region to be stored.
Analytics and statistics cookies
These help us evaluate the use of our website and improve our offering.
Marketing and third-party cookies
These may be used to measure content or campaigns, embed external media or enable interest-based communication.
9.3 Legal Bases
The storage of information on your terminal device or access to information already stored on your terminal device generally takes place only with your consent pursuant to Section 25(1) TDDDG.
Consent is not required where the storage or access is strictly necessary in order for us to provide a digital service expressly requested by you; in this case, the use is based on Section 25(2) TDDDG.
Where personal data is processed in connection with cookies or similar technologies, this is carried out — depending on the individual case — on the basis of:
- Art. 6(1)(a) GDPR for processing based on consent
- Art. 6(1)(f) GDPR for technically necessary processing and legitimate interests in the secure and functional provision of our online offering
9.4 Consent Management
We use a consent management tool to manage your consents. When you first visit our website, you can choose whether and to what extent you consent to the use of cookies and similar technologies that require consent.
You may withdraw or adjust your consent at any time with effect for the future via the cookie settings on our website.
9.5 Retention Period
Cookies are stored either as session cookies only for the duration of your session and are deleted after you close your browser, or as persistent cookies for a specified period of time. The specific storage period of the respective cookies used can be found in the settings of our consent management tool.
9.6 Browser Settings
You can configure your browser so that you are informed when cookies are set, so that cookies are permitted only in individual cases, so that cookies are generally rejected, or so that cookies are automatically deleted when you close your browser.
Please note that the functionality of our website may be limited if technically necessary cookies are disabled.
9.7 Cookie List
The cookies actually used, the respective providers, purposes and retention periods can be found in the settings of our consent management tool and in the cookie list provided there in its current version.
10. Data Recipients / Service Providers
We use external service providers who support us in operating our website and our processes. These service providers process personal data only as processors acting on our instructions or — where required under data protection law — as independent controllers.
10.1 Hosting – Vercel
We use Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA, to host and deliver our website. A data processing agreement pursuant to Article 28 of the GDPR is in place.
In the context of hosting, technical usage data (including IP address, date and time of access, URL accessed, referrer, user agent), server log files, and content data are processed, insofar as these are generated when accessing the website or using forms.
Vercel operates a global edge network; requests are generally processed at the nearest edge location, while server-side functions are executed in selected regions within the European Union. However, a transfer to the U.S. cannot be ruled out; in this regard, the provisions under Section 16 apply.
In addition, we use the “Vercel Blob” service for the temporary caching of application documents (see Section 13). Files are stored there in a non-public repository and are automatically deleted upon completion of the transfer to Personio or after 24 hours at the latest.
Processing is based on Article 6(1)(f) of the GDPR due to our legitimate interest in the secure, high-performance, and scalable provision of our online services.
10.2 Consent Management – Osano
We use a consent management platform provided by Osano, Inc., 3800 North Lamar Blvd, Suite 200, Austin, Texas 78756, USA, to manage consents.
In this context, your consent decision, timestamps, device/browser information and IP address may be processed in particular, insofar as this is necessary for the provision and documentation of consent management.
The processing is carried out to comply with legal obligations and to document consents and is based — depending on the specific configuration — on Art. 6(1)(c) GDPR, Art. 6(1)(f) GDPR and, where applicable, Section 25(2) TDDDG, insofar as the technical use of the tool is necessary for this purpose.
10.3 Content Management – Sanity
We use the headless CMS from Sanity.io (Sanity AS, Bryggegata 7, 0250 Oslo, Norway) to manage and deliver content on our website. When accessing media content (images, files), a connection may be established to the Sanity asset servers (cdn.sanity.io), during which your IP address and technical browser information, in particular, are processed.
As an EEA member state, Norway is treated as equivalent to the EU under data protection law; data is not regularly transferred to a third country in this context.
Processing is based on Article 6(1)(f) of the GDPR due to our legitimate interest in the efficient maintenance and provision of our website’s content.
11. Analytics and Tag Management Services
11.1 Google Analytics
If you have given your consent, we use Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The parent company is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Analytics enables us to analyze and statistically evaluate usage behavior on our website on a pseudonymous basis. In particular, the following data is processed: pages visited, events and interactions, technical characteristics of the browser and the end device (device type, operating system, screen resolution, language setting), approximate geographic origin (at the city/region level, derived from the IP address), and pseudonymous identifiers (client ID, session ID).
IP addresses are truncated or anonymized during transmission; it is not possible for us to identify individuals via the IP address. The data retention period for event data in GA4 is set to 14 months; after that, the data is automatically deleted. “Google Signals” and features for ad personalization are disabled.
Data is transferred to the United States; in this regard, the provisions under Section 16 apply.
Processing is carried out exclusively on the basis of your consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG. You may revoke your consent at any time with future effect via the cookie settings.
11.2 Google Tag Manager
We use Google Tag Manager provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Tag Manager is a tag management system that can be used to manage and trigger website tags and code snippets. From a data protection perspective, the relevant factor is which specific services are integrated via Google Tag Manager.
Where Google Tag Manager is used as technically necessary, processing is carried out on the basis of Art. 6(1)(f) GDPR and — where required — Section 25(2) TDDDG. Where services requiring consent are loaded via Google Tag Manager, such services are used exclusively on the basis of your consent.
11.3 Google Ads / Remarketing
If you have given your consent, we use online advertising and remarketing features provided by Google Ireland Limited (see above), which involve the domain doubleclick.net. Cookies or similar technologies may be used to display interest-based advertising on third-party websites based on your previous usage behavior, as well as to measure the effectiveness of our advertising campaigns.
In particular, pseudonymous identifiers, IP addresses, pages visited, and events, as well as technical browser and device information, are processed.
Processing is carried out exclusively on the basis of your consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG. Data may be transferred to the United States; in this regard, the provisions under Section 16 apply.
11.4 SalesViewer
Provided you have given your consent, we use technology from SalesViewer GmbH, Hugo-Junkers-Straße 9, 44795 Bochum, on our website to analyze visitor traffic. SalesViewer enables us to draw conclusions about visiting companies (not individual natural persons) based on publicly available information. To do this, a JavaScript-based code is used that allows for the collection of company-related data and the corresponding analysis. In particular, the following data is processed: IP address, technical browser and device information, as well as information about browsing behavior on our website.
Processing is carried out exclusively on the basis of your consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG.
You may revoke your consent at any time with future effect via the cookie settings. Further information can be found at https://www.salesviewer.com/de/datenschutz.
12. Forms and Marketing Automation – HubSpot
On our website, we use forms and features provided by HubSpot Ireland Limited, 2nd Floor, 30 North Wall Quay, Dublin 1, D01 R8H7, Ireland (“HubSpot”). The parent company is HubSpot, Inc., 2 Canal Park, Cambridge, MA 02141, USA.
When you fill out a HubSpot form on our website (e.g., to contact us or request information), we process the data you provide (specifically your name, email address, company, and message) to handle your inquiry and—provided you have given separate consent—to communicate with you further.
In addition, HubSpot may be used for audience measurement, content delivery, and to measure the success of our marketing activities. This may involve the use of cookies or similar technologies that process, in particular, a pseudonymous identifier, technical device and browser information, and the IP address.
The legal basis for the processing is Art. 6(1)(b) GDPR, insofar as the processing serves to handle your inquiry or to initiate a contract; Art. 6(1)(f) GDPR based on our legitimate interest in efficient customer communication and measuring marketing success; and, where consent is required, Article 6(1)(a) of the GDPR in conjunction with Section 25(1) of the TDDDG.
Data may be transferred to the United States; in this regard, the provisions under Section 16 apply.
13. Applications – Personio
We use Personio, a service provided by Personio GmbH & Co. KG, Rundfunkplatz 4, 80335 Munich, Germany, to conduct application procedures.
As part of the application process, we process the application data provided by you in order to review your application and carry out the selection process.
The processing is carried out in particular on the basis of Section 26 BDSG and Art. 6(1)(b) GDPR, insofar as the application serves to initiate an employment relationship.
14. Presences on Social Networks
We maintain corporate presences on social networks, in particular on Facebook, Instagram and LinkedIn.
When you visit our presences there, personal data is regularly processed not only by us but also by the respective platform operator. This may also apply if you do not have a profile there or are not logged in.
Where the platform operators provide us with aggregated usage statistics such as “Insights” or “Page Insights”, joint controllership may exist in this respect. The scope of this joint controllership depends on the respective agreements and the actual possibilities of influence.
Important: The withdrawal or adjustment of consents for data processing on the platforms themselves is generally carried out via the respective platform settings and privacy notices of the providers, not via the consent tool on our website, insofar as the visit to the platforms themselves is concerned.
14.1 Facebook and Instagram
The provider of Facebook and Instagram is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.
Where we receive Insights or comparable aggregated statistics, joint controllership with Meta may exist in this respect. In all other respects, Meta processes personal data as an independent controller in accordance with its own privacy policies.
14.2 LinkedIn
The provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.
Where LinkedIn provides us with “Page Insights”, joint controllership may apply in this respect.
15. Embedded Media – Mux
We embed videos on our website using the streaming service provided by Mux, Inc., 1 Bluxome Street, Suite 400, San Francisco, CA 94107, USA.
When you visit a page with an embedded video, a connection is established with Mux’s servers to deliver the video and the associated player. In particular, your IP address, technical browser and device information, information regarding video playback (e.g., start time, buffering events, playback quality), and pseudonymous identifiers are processed.
The legal basis is Article 6(1)(f) of the GDPR, based on our legitimate interest in high-performance, high-quality video delivery.
To the extent that cookies or comparable technologies are used here that are not strictly necessary, their use is based exclusively on your consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG.
Data may be transferred to the United States; in this regard, the provisions under Section 16 apply.
16. Transfers to Third Countries
Personal data is transferred to recipients in countries outside the European Economic Area—in particular to the United States—in connection with the services listed above, specifically to:
- Vercel Inc. (Hosting, USA)
- Google Ireland Limited / Google LLC (USA – Analytics, Tag Manager, Ads)
- HubSpot, Inc. (USA – forms, marketing automation)
- Mux, Inc. (USA – video streaming)
- Osano, Inc. (USA – consent management)
- The Rocket Science Group LLC / Intuit Inc.
- Social media platform operators (Meta Platforms, Inc., LinkedIn Corporation – USA)
The transfer will take place only if the legal requirements are met, in particular if
- an adequacy decision by the European Commission exists for the third country in question (for the United States, this currently applies only to the extent that the recipient in question is certified under the EU-U.S. Data Privacy Framework),
- appropriate safeguards, in particular the EU Commission’s standard contractual clauses (Art. 46(2)(c) GDPR), have been agreed upon and, where necessary, supplemented by additional technical and organizational measures, or
- another legally permissible exception under Art. 49 GDPR applies.
Upon request, we will provide you with a copy of the agreed safeguards. Please contact datenschutz@sp.design for this purpose.
17. Your Rights
Subject to the statutory requirements, you have, in particular, the following rights:
- right of access
- right to rectification
- right to erasure
- right to restriction of processing
- right to data portability
- right to object
- right to withdraw consent given, with effect for the future
- right to lodge a complaint with a data protection supervisory authority
Where we process personal data on the basis of Art. 6(1)(f) GDPR, you have the right to object to the processing on grounds relating to your particular situation.
Status of this Privacy Notice
If our processes change, we will update this information accordingly.
This Privacy Notice was last updated on: 27 May 2026