Privacy Policy
Last modified at Feb 26, 2026
1. General Information and Data Controller
The following policy provides an overview of how we process your personal data when you visit our website. Personal data is any information with which you could be personally identified.
Data Controller
The party responsible for data processing on this website is:
Creativestyle GmbH
Erika-Mann-Straße 25, 80636 München, Germany
Phone: +49 89 5480 7604
Email: info@creativestyle.de
Managing Director: Jaromir Fojcik
HRB 177904, Amtsgericht München
VAT ID: DE263642998
Business hours: Mon–Fri, 9:00 AM – 5:00 PM (CET)
Group Data Protection Officer (DPO)
Creativestyle GmbH is a subsidiary of Smile. The Group Data Protection Officer can be contacted at:
SMILE – Group DPO
163 Quai du Docteur Dervaux, 92600 Asnières-sur-Seine, France
Email: dpo@smile.fr
Note: The Group DPO handles data protection inquiries at the group level. For direct requests regarding processing activities on this website, please contact us at privacy@creativestyle.de.
Our Commitment to Digital Sovereignty
At Creativestyle, we are committed to digital sovereignty and user privacy. Our strategic goal is to prioritize European and Open Source solutions for our digital infrastructure. Where specialized services do not yet fully meet our "European-only" criteria, we ensure maximum GDPR compliance and are actively exploring migration paths.
2. Consent Management (Usercentrics)
We use the consent management platform Usercentrics (Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany) to manage your preferences regarding cookies and tracking technologies.
Purpose | Obtaining and documenting legally required consent for data processing activities on this website. |
Legal basis | Art. 6(1)(c) GDPR – Legal obligation to obtain and document consent. |
Data processed | Consent data (date, time, settings), anonymized IP address, device and browser information. |
Retention | Consent records are retained for 3 years (standard statutory period for compliance documentation), or until you withdraw consent and request deletion. |
DPA | A Data Processing Agreement has been concluded with Usercentrics GmbH. |
Third country transfer | None – Usercentrics GmbH is headquartered in Germany (EU). |
3. Hosting and Infrastructure
Upsun / Platform.sh
Our website is hosted on the cloud platform Upsun.com (operated by Platform.sh SAS).
Purpose | Secure and scalable provisioning of our website. |
Legal basis | Art. 6(1)(f) GDPR – Legitimate interest in operating a secure and functional website. |
Data processed | Server log files (IP address, browser type, date/time of access, pages visited, referrer URL). Log files are automatically deleted after 7 days. |
Data location | Primarily EU-based data centers. |
DPA | A Data Processing Agreement (DPA) has been concluded with Platform.sh SAS. |
Third country transfer | None anticipated; data is processed within the EU/EEA. |
Storyblok (Content Management System)
We use Storyblok (Storyblok GmbH, Hauptplatz 12, 4020 Linz, Austria) as our headless Content Management System for content delivery.
Purpose | Delivery and management of website content. |
Legal basis | Art. 6(1)(f) GDPR – Legitimate interest in reliable content delivery. |
Data processed | IP addresses (technical necessity for content delivery). Storyblok anonymizes IP addresses where possible. |
Data location | Our Storyblok space is configured with EU-based servers (AWS Frankfurt, Germany). Content is delivered globally via Amazon CloudFront CDN; CDN nodes may be located outside the EU. |
DPA | A public Data Processing Agreement is available at storyblok.com/legal/dpa and is incorporated into Storyblok's Terms of Service. |
Third country transfer | Possible via CDN sub-processors located outside the EU/EEA. Storyblok uses Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework for such transfers. |
4. Analytics and User Behavior
Matomo (Web Analytics)
We use Matomo, an open-source web analytics platform, self-hosted on our own servers within the EU/EEA.
Purpose | Reach measurement and website optimization. |
Legal basis | Art. 6(1)(a) GDPR – Your consent (obtained via our consent management platform). If configured for fully cookieless tracking without personal identifiers, Art. 6(1)(f) GDPR may apply. |
Data processed | Anonymized IP address (last octet removed), pages visited, time of visit, browser type, operating system, referrer URL. No data is shared with third parties. |
Cookies | Matomo sets a first-party tracking cookie (pk_id, pk_ses). You can opt out of tracking at any time via our cookie consent banner. |
Retention | Raw visit data is retained for 13 months, then automatically deleted. |
Third country transfer | None – Matomo is self-hosted on our EU infrastructure. |
Note: If Matomo is operated in cookieless mode (using only anonymized data), no consent is required and processing is based solely on legitimate interest. We will update this policy accordingly if we switch operating modes.
Hotjar (Behavior Analytics)
We use Hotjar (Hotjar Ltd., Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 3155, Malta) to better understand how users interact with our website.
Purpose | Qualitative analysis of user behavior via heatmaps, session recordings, and scroll maps. |
Legal basis | Art. 6(1)(a) GDPR – Your explicit consent (obtained via our consent management platform). Hotjar is only activated after consent is given. |
Data processed | Anonymized IP address, device screen size, device type, browser information, geographic location (country level only). Data is stored in a pseudonymized user profile. Hotjar automatically suppresses keystrokes and sensitive form fields. |
Cookies | Hotjar sets cookies to identify returning visitors (e.g., hjSession, hjid). You can opt out via our cookie banner or at hotjar.com/policies/do-not-track/. |
Retention | Session data is retained for 365 days by default. You can request deletion of your data via Hotjar's visitor lookup tool. |
DPA | A Data Processing Agreement is available at hotjar.com/legal/support/dpa/ and is incorporated into Hotjar's Terms of Service. |
Third country transfer | Hotjar Ltd. is registered in Malta (EU). Data is stored within the EEA. Sub-processors outside the EU/EEA are bound by Standard Contractual Clauses (SCCs). |
5. Marketing and CRM
HubSpot
We use HubSpot (HubSpot, Inc., 25 First Street, Cambridge, MA 02141, USA) for our marketing activities, including our CRM system, contact forms, and email marketing.
Purpose | Managing customer relationships, processing inquiries, and sending newsletters (only with your consent). |
Legal basis | Art. 6(1)(a) GDPR – Consent for marketing communications. Art. 6(1)(b) GDPR – Pre-contractual measures (for inquiry processing). |
Data processed | Name, email address, phone number, company, IP address, browser information, interaction history (emails opened, links clicked). |
Cookies | HubSpot sets tracking cookies (e.g., __hs_cookie_cat_pref, hubspotutk) only after consent has been obtained. |
Retention | CRM contact data is retained for the duration of the business relationship, plus 3 years. You may request deletion at any time. |
DPA | A Data Processing Agreement has been concluded with HubSpot, Inc. |
Third country transfer | HubSpot is a US-based provider. Data may be transferred to the USA. Safeguards: EU Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework (HubSpot is a certified participant). Further information: legal.hubspot.com/privacy-policy. |
LinkedIn Ads & Google Ads Tracking
We use conversion tracking and remarketing pixels from LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) and Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland).
Purpose | Measuring the effectiveness of our advertising campaigns and displaying targeted advertisements (remarketing) to users who have previously visited our website. |
Legal basis | Art. 6(1)(a) GDPR – Your explicit consent (obtained via Usercentrics). These services are only activated after consent is given. |
Data processed | Hashed email address (if provided), IP address, browser information, pages visited, conversion events. Data is used to create pseudonymized audience segments. |
Cookies | Tracking cookies are set only after consent. You may withdraw consent at any time via our cookie banner. |
Third country transfer | Google and LinkedIn may transfer data to the USA. Safeguards: EU Standard Contractual Clauses (SCCs). Google is certified under the EU-US Data Privacy Framework. |
6. Appointment Booking (Google Workspace)
To schedule meetings and calls with our team, we use Google Calendar as part of Google Workspace (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland).
Purpose | Managing appointments and communication with leads and clients. |
Legal basis | Art. 6(1)(b) GDPR – Pre-contractual or contractual measures. Art. 6(1)(f) GDPR – Legitimate interest in efficient appointment management. |
Data processed | Name, email address, phone number, meeting topic, and any information you share in connection with the appointment. |
Retention | Calendar entries are retained for the duration of the business relationship and deleted thereafter, unless a legal retention obligation applies (e.g., 6 or 10 years for commercial/tax records under German law, HGB/AO). |
DPA | A Data Processing Agreement (Google Workspace DPA) has been concluded with Google Ireland Limited. |
Third country transfer | Google Ireland Limited is the data processor for EU customers. Processing may involve Google's infrastructure globally; Google is certified under the EU-US Data Privacy Framework and uses Standard Contractual Clauses (SCCs) for transfers outside the EU/EEA. |
7. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies. Cookies are small text files stored in your browser that enable us to recognize your browser on subsequent visits.
Essential cookies: Required for the website to function properly (e.g., session cookies, consent preferences). These do not require consent under Art. 6(1)(f) GDPR.
Analytics and marketing cookies: Only set after you have given your explicit consent via our Usercentrics consent banner. You may withdraw consent at any time by clicking the "Cookie Settings" link in the footer of our website.
You can also manage cookies at any time through your browser settings. Note that disabling certain cookies may affect the functionality of this website.
8. Your Rights as a Data Subject
Under the GDPR, you have the following rights with respect to your personal data.
These rights can be exercised at any time by contacting us at privacy@creativestyle.de
Art. 15 GDPR – Right of access: You may request confirmation of whether we process your personal data and, if so, to receive a copy of that data.
Art. 16 GDPR – Right to rectification: You may request correction of inaccurate or incomplete personal data.
Art. 17 GDPR – Right to erasure ("Right to be Forgotten"): You may request deletion of your personal data, subject to legal retention obligations.
Art. 18 GDPR – Right to restriction of processing: You may request that we restrict the processing of your data in certain circumstances.
Art. 20 GDPR – Right to data portability: You may request your data in a structured, commonly used, machine-readable format.
Art. 7(3) GDPR – Right to withdraw consent: You may withdraw any consent you have given at any time with future effect. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Art. 21 GDPR – Right to object: You have the right to object, at any time and on grounds relating to your particular situation, to the processing of your personal data where such processing is based on Art. 6(1)(e) or (f) GDPR (legitimate interests), including profiling. We will stop processing your data unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.
Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. As Creativestyle GmbH is based in Munich, Bavaria, the competent supervisory authority is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 27, 91522 Ansbach, Germany
Website: www.lda.bayern.de | Phone: +49 981 180093-0
9. Automated Decision-Making and Profiling
We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR that produces legal effects or similarly significantly affects you. Marketing tools (LinkedIn Ads, Google Ads, HubSpot) may create pseudonymized audience segments for ad targeting, but these do not result in automated individual decisions.
10. Data Security
This website uses SSL/TLS encryption for all data transmission (indicated by "https://" in your browser's address bar). We implement appropriate technical and organizational measures (TOMs) to protect your personal data against unauthorized access, loss, or manipulation, in accordance with Art. 32 GDPR. Our hosting providers are contractually bound to equivalent security standards.
11. Obligation to Provide Personal Data
The provision of personal data is generally voluntary. However, for certain services (e.g., submitting a contact form or booking an appointment), providing certain data fields is necessary to process your request. Required fields are marked accordingly. If you choose not to provide the required data, we may not be able to respond to your inquiry or provide the requested service.
12. Updates to This Privacy Policy
We reserve the right to update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or the services we use. We will notify you of material changes by posting a prominent notice on our website. The date of the most recent revision is indicated at the top of this document.
If you have any questions about this Privacy Policy, please contact us at: privacy@creativestyle.de