Privacy Notice
Datenschutzerklärung gemäß DSGVO Art. 13 (English-language version for our international audience)
1. Controller (Verantwortlicher)
The controller responsible for processing personal data on this site is:
Langenhagen Audio GmbH
Frankfurter Tor 810243 Berlin
Germany
Email: hello@langenhagen-audio.com
Full provider details, including the Geschäftsführer responsible per § 18 (2) MStV, are listed on our Imprint.
2. Purposes of Processing & Legal Bases
We process your personal data only for the purposes described below and only on the legal bases listed.
a) Visiting this website
When you load this site, your browser automatically transmits technical information (IP address, user agent, referrer, requested URL, timestamp) to our hosting provider (see Processors below). This data is processed for the purpose of delivering and securing the site.
Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in operating a secure, performant marketing website.
b) Contact form submission
Submitting the contact form processes your name, email address, and message so we can respond to your inquiry. The submission is relayed via authenticated SMTP through our Google Workspace mailbox at hello@langenhagen-audio.com (see Processors below). Cloudflare Turnstile verifies that the submission did not come from an automated bot. Upstash provides per-IP rate limiting (≤ 5 submissions per hour, with the IP stored as a SHA-256 hash that expires after 1 hour) to protect the form from abuse.
Legal basis: Art. 6 (1) (b) GDPR — performance of pre-contractual measures at your request, plus Art. 6 (1) (f) GDPR — legitimate interest in defending against spam and abuse.
3. Processors
We engage the following processors under Art. 28 GDPR. Each processor has signed a Data Processing Agreement with us. Where a processor is established in a third country (United States), we rely on the EU-US Data Privacy Framework (DPF) certification combined with Standard Contractual Clauses (SCCs) for the lawful basis of transfer (Art. 46 GDPR). The current DPF participants list is published at https://www.dataprivacyframework.gov.
| Processor | Purpose | Legal Basis | Retention | Third country |
|---|---|---|---|---|
| Vercel Inc. 440 N Barranca Ave #4133 Covina, CA 91723, USA Privacy Policy · DPA | Hosting and Server Action runtime for this website. | Art. 6 (1) (f) GDPR | For the operational period of the contract; server-edge request logs ≤ 30 days under Vercel's default policy. | USA — SCCs + DPF certified. |
| Google Ireland Limited (Google Workspace) Gordon House, Barrow Street Dublin 4, Ireland Privacy Policy · DPA | SMTP relay and mailbox for contact-form submissions to hello@langenhagen-audio.com. Submission content is sent through Google Workspace via authenticated SMTP and delivered to the same Google-hosted mailbox we use for normal correspondence. | Art. 6 (1) (b) and 6 (1) (f) GDPR | Mailbox content retained per our internal mail-retention practice; SMTP transit logs at Google per Workspace defaults. | EU (Ireland data controller) with Google sub-processors globally — covered by Google's Workspace DPA + SCCs. |
| Cloudflare, Inc. (Turnstile) 101 Townsend St San Francisco, CA 94107, USA Privacy Policy · DPA | Bot / CAPTCHA verification on the contact form (Cloudflare Turnstile widget). The widget may set a brief session cookie during the verification challenge; no persistent client-side storage is used by this site. | Art. 6 (1) (f) GDPR | Verification tokens are session-scoped and discarded after server-side verification. | USA — SCCs + DPF certified. |
| Upstash, Inc. 1209 Mountain Road Pl NE, Suite N Albuquerque, NM 87110, USA Privacy Policy · DPA | IP-based rate limiting on contact-form submissions (sliding window: 5 submissions per hour). Stores a SHA-256 hash of the submitter's IP plus a counter; raw IP is never persisted. Hash entries expire after 1 hour (Redis TTL). | Art. 6 (1) (f) GDPR | 1 hour (Redis TTL). | USA — SCCs + DPF certified. |
All four processors hold current SCCs and EU-US Data Privacy Framework certification as of the date of this notice. We review their certification status at least annually.
4. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement (Art. 77 GDPR). The competent authority for our establishment is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstraße 21910969 Berlin
Email: mailbox@datenschutz-berlin.de
Web: https://www.datenschutz-berlin.de/
5. Your Rights as a Data Subject
Under the GDPR, you have the following rights with respect to your personal data:
- Right of access (Art. 15) — you may request confirmation of whether we process data about you and a copy of that data (Auskunft).
- Right to rectification (Art. 16) — you may request correction of inaccurate data (Berichtigung).
- Right to erasure (Art. 17) — you may request deletion under certain circumstances (Löschung / right to be forgotten).
- Right to restriction of processing (Art. 18) — you may request restriction under certain circumstances (Einschränkung).
- Right to data portability (Art. 20) — you may request your data in a structured, commonly used, machine-readable format (Datenübertragbarkeit).
- Right to object (Art. 21) — you may object to processing based on legitimate interest at any time (Widerspruch).
- Right to withdraw consent (Art. 7 (3)) — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint (Art. 77) — at the supervisory authority listed above (Beschwerde).
To exercise any of these rights, please contact us at hello@langenhagen-audio.com.
6. Retention Period
We retain contact-form messages in our inbox for a maximum of 12 months after the conversation has concluded, unless an active engagement requires longer retention (Art. 6 (1) (f) GDPR — operational interest). Messages older than 12 months and not part of an active inquiry are deleted.
Server-edge request logs at our hosting provider (Vercel) are retained for ≤ 30 days under Vercel's default policy. SMTP transit logs at Google Workspace and the corresponding mailbox content are retained according to Google's Workspace defaults and our internal mail-retention practice.
7. Cookies and Client-Side Storage
This site does not use cookies, localStorage, sessionStorage, or any other form of client-side tracking. There are no tracking pixels and no analytics. You will not see a cookie consent banner because there is nothing to consent to.
The only client-side state on this site is React component memory (e.g. the contact form's in-progress text), which lives only for the duration of the page view and is discarded when the tab is closed.
On contact-form submission, Cloudflare Turnstile may set a brief session cookie and a short-lived bot-verification challenge token in browser memory; both are discarded after server-side verification and are not used for tracking. Separately, our server hashes the submitter's IP address (SHA-256, salt-free) and stores that hash plus a per-IP counter at Upstash for ≤ 1 hour to enforce rate limiting. The raw IP never leaves the request edge; the hash is opaque and cannot be reversed without already knowing the IP.
8. Changes to This Notice
This Privacy Notice may be updated to reflect changes in our processing activities, our processors, or applicable law. The current version always lives at /privacy on this site. Material changes will be highlighted in this section.
Last updated: 2026-05-01