Privacy Policy

Introduction and Overview

We have prepared this Privacy Policy (version 19.08.2025-313042701) to explain, in accordance with the EU General Data Protection Regulation (GDPR) 2016/679 and applicable national laws, which personal data (short: data) we, as controllers — and processors we engage (e.g., providers) — process or will process in the future, and what lawful options you have. All terms used are to be understood as gender-neutral.

In short: We inform you comprehensively about the data we process about you.

Privacy policies usually sound highly technical and use legal jargon. This Privacy Policy is intended to describe the most important points as simply and transparently as possible. Where it helps clarity, technical terms are explained in reader-friendly language, links to further information are provided, and graphics are used. We inform you in clear and plain language that we process personal data only where there is a corresponding legal basis within our business activities. That’s not possible if the explanations are kept overly short, vague, or purely legal-technical, as is often the case online when it comes to privacy. We hope you find the following explanations interesting and informative — and maybe discover something you didn’t know before.

If you still have questions, please contact the responsible party listed below or in the imprint (Impressum), follow the links provided, or consult third-party sources. Our contact details are also available in the imprint.

Scope

This Privacy Policy applies to all personal data processed by our company and to all personal data processed by companies we engage as processors. By personal data we mean information as defined in Art. 4 No. 1 GDPR, such as a person’s name, e-mail address and postal address. The processing of personal data enables us to provide and bill our services and products, online and offline. The scope of this Privacy Policy includes:

• all online presences (websites, online shops) that we operate
• social media accounts and e-mail communication
• mobile apps for smartphones and other devices

In short: This Privacy Policy covers all areas where personal data is processed in a structured way within the company via the channels listed above. If we enter into legal relationships with you outside these channels, we will inform you separately if necessary.

Legal Bases

In the following Privacy Policy we give you transparent information about the legal principles and rules — i.e., the legal bases under the GDPR — that allow us to process personal data.

With regard to EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. You can read this GDPR online on EUR-Lex at https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=celex%3A32016R0679.

We process your data only if at least one of the following conditions applies:

1. Consent (Article 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose. An example is storing the data you enter in a contact form.
2. Contract (Article 6(1)(b) GDPR): We process your data to perform a contract with you or to take steps at your request prior to entering into a contract. For example, when concluding a purchase contract we need certain personal data in advance.
3. Legal obligation (Article 6(1)(c) GDPR): If we are subject to a legal obligation, we process your data. For example, we are legally required to retain invoices for accounting, and these usually contain personal data.
4. Legitimate interests (Article 6(1)(f) GDPR): Where we have legitimate interests that do not unduly infringe your fundamental rights, we may process personal data. For example, certain data processing is necessary to operate our website securely and economically; this is a legitimate interest.

Other bases such as public interest or the exercise of official authority, or processing to protect vital interests, generally do not apply to us. If such a legal basis should be relevant, it will be indicated at the appropriate section.

In addition to the EU regulation, national laws also apply:

• In Austria this is the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (the Data Protection Act, short: DSG).
• In Germany the applicable law is the Federal Data Protection Act (short: BDSG).

If further regional or national laws apply, we will inform you in the relevant sections below.

Contact Details of the Controller

If you have questions about data protection or the processing of personal data, you can contact the controller pursuant to Article 4(7) GDPR at the following address:
hubikes GmbH
Hubert Folwarczny
Schulstraße 33, 71155 Altdorf, Germany

E-mail: info@hubikes.com

Phone: 0151 – 17276569

Imprint: https://max2h.com/impressum

Storage Duration

As a general rule, we store personal data only as long as it is strictly necessary to provide our services and products. This means we delete personal data as soon as the reason for processing no longer applies. In some cases, we are legally obliged to retain certain data after the original purpose has ceased, for example for accounting purposes.

If you request deletion of your data or withdraw consent to data processing, the data will be deleted as quickly as possible provided there is no legal obligation to retain it.

Information about specific retention periods for particular processing activities is provided further below where available.

Rights under the GDPR

Pursuant to Articles 13 and 14 GDPR, we inform you about the rights you have to ensure fair and transparent data processing:

• Under Article 15 GDPR you have the right to obtain confirmation as to whether we process personal data about you. If we do, you have the right to receive a copy of that data and to be informed of:
  • the purposes of the processing;
  • the categories of personal data processed;
  • who receives the data and, if data is transferred to third countries, how security is ensured;
  • how long the data will be stored;
  • the existence of the right to rectification, erasure, restriction of processing and the right to object;
  • that you can lodge a complaint with a supervisory authority (links to such authorities are given below);
  • the origin of the data, if it was not collected from you directly;
  • whether profiling takes place, i.e. automated processing to create a personal profile.
• Under Article 16 GDPR you have the right to rectification of inaccurate data.
• Under Article 17 GDPR you have the right to erasure (“right to be forgotten”).
• Under Article 18 GDPR you have the right to restriction of processing; i.e., we may only store the data but not further process it.
• Under Article 20 GDPR you have the right to data portability — we will provide your data in a common, machine-readable format upon request.
• Under Article 21 GDPR you have the right to object, which may require a change in processing:
  • If processing is based on Article 6(1)(e) (public interest/exercise of public authority) or Article 6(1)(f) (legitimate interests), you may object to the processing. We will assess the objection as soon as possible.
  • If data is used for direct marketing, you may object at any time and we will stop using your data for direct marketing purposes.
  • If data is used for profiling, you may object at any time and we will cease profiling for those purposes.
• Under Article 22 GDPR you may, in certain cases, have the right not to be subject to a decision based solely on automated processing (including profiling).
• Under Article 77 GDPR you have the right to lodge a complaint with a supervisory authority if you believe your rights under data protection law have been infringed.

In short: You have rights — don’t hesitate to contact the responsible person listed above!

If you believe that processing of your data violates data protection law, you can file a complaint with a supervisory authority. In Austria the authority is the Data Protection Authority (Datenschutzbehörde) at https://www.dsb.gv.at/. In Germany each federal state has its own data protection officer. For general information you can consult the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The local supervisory authority responsible for our company is:

Baden-Württemberg Data Protection Authority

State Commissioner for Data Protection: Prof. Dr. Tobias Keber
Address: Lautenschlagerstraße 20, 70173 Stuttgart
Phone: 07 11/61 55 41-0
E-mail: poststelle@lfdi.bwl.de

Website: https://www.baden-wuerttemberg.datenschutz.de/

Security of Data Processing

To protect personal data, we have implemented both technical and organizational measures. Where possible, we encrypt or pseudonymize personal data. We do this to make it as difficult as possible for third parties to derive personal information from our data.

Article 25 GDPR refers to “data protection by design and by default,” meaning that both software (e.g., forms) and hardware (e.g., server room access) should be designed with security in mind and appropriate measures put in place. Where necessary we describe concrete measures further below.

TLS Encryption with HTTPS

TLS, encryption and HTTPS are technical terms. We use HTTPS (Hypertext Transfer Protocol Secure) to securely transfer data over the internet.

This means that the entire transmission of data from your browser to our web server is secured — no one can “listen in.”

This adds an additional layer of security and fulfills the principle of data protection by design (Article 25(1) GDPR). By using TLS (Transport Layer Security), an encryption protocol for secure internet transmission, we protect confidential data.

You can recognize this protection by the small padlock icon in the browser’s address bar and the use of the https scheme in the website address.

If you want to learn more about encryption, we recommend searching for “Hypertext Transfer Protocol Secure wiki” for good further reading.

Cookies

What are cookies?

Our website uses HTTP cookies to store user-specific data. Below we explain what cookies are and why they are used so you understand this Privacy Policy better.

When you browse the internet you use a browser — e.g., Chrome, Safari, Firefox, Internet Explorer or Microsoft Edge. Most websites store small text files in your browser called cookies.

Cookies are useful helpers and almost all websites use them. More precisely these are HTTP cookies. An HTTP cookie is a small file stored by our website on your device. Cookie files are kept in your browser’s cookie storage. A cookie consists of a name and a value and may include additional attributes.

Cookies can store user data such as chosen language or personal site preferences. When you revisit our site, your browser sends the cookie data back to the site so it can present your preferred settings. Some browsers keep each cookie in a separate file, others (like Firefox) store all cookies in a single file.

The graphic below illustrates a possible interaction between a web browser and a web server: the browser requests a website and receives a cookie that the browser will send again on subsequent page requests.

There are both first-party cookies and third-party cookies. First-party cookies are set by our site; third-party cookies are set by partner sites (e.g., Google Analytics). Each cookie must be evaluated individually because they store different data and have different lifetimes. Cookies are not programs and do not contain viruses or malware and cannot access other information on your PC.

Example cookie data:

Name: _ga
Value: GA1.2.1326744211.152313042701-9
Purpose: Distinguish website visitors
Expiry: after 2 years

Minimum cookie support a browser should provide:

• At least 4096 bytes per cookie
• At least 50 cookies per domain
• At least 3000 cookies in total

Types of cookies

Which cookies we use depends on the services we employ and is explained further below. Here is a quick overview of cookie types.

There are four common categories:

Essential cookies
These are necessary for basic website functionality. For example, they keep items in a shopping cart even if a user navigates away and returns later.

Functional cookies
These collect info about user behavior and whether errors occur. They also help measure load times and site behavior across browsers.

Preference cookies
These improve user experience by storing preferences like location, text size or form inputs.

Advertising cookies
Also called targeting cookies — they deliver tailored advertising. Useful but sometimes intrusive.

On first visit you are usually asked which cookie categories you allow; your choice is then stored in a cookie.

For technical documentation, see https://datatracker.ietf.org/doc/html/rfc6265 (IETF “HTTP State Management Mechanism”).

Purpose of cookie processing

Purpose depends on each cookie. Details are given further below or by the software vendor that sets the cookie.

Which data are processed?

Cookies can store many different kinds of data. We will inform you in the following sections about the data processed or stored for the specific services we use.

Cookie retention

Retention depends on each cookie and is specified further below. Some cookies are deleted within an hour, others can persist for years.

You can control retention yourself — you can delete cookies anytime via your browser (see “Right to object” below). Cookies based on consent will be deleted after you withdraw consent, without affecting the legality of storage prior to withdrawal.

How to opt out / delete cookies

You decide which cookies you want. You can delete, disable or selectively allow cookies regardless of the service or site. For example, you can block third-party cookies but allow others.

To see which cookies your browser stores or to change settings, use your browser’s cookie management options:

Chrome: Delete, enable and manage cookies

Safari: Manage cookies and website data

Firefox: Delete cookies

Internet Explorer: Delete and manage cookies

Microsoft Edge: Delete and manage cookies

If you don’t want any cookies at all, you can configure your browser to always ask before a cookie is set. Procedures vary by browser — search for “disable cookies Chrome” or similar if you need guidance.

Legal basis

Since 2009 “cookie guidelines” require consent (Article 6(1)(a) GDPR) for cookie storage. EU member states implemented these differently. In Austria the guideline was implemented in § 165(3) of the Telecommunications Act (2021). Germany addressed the directive mainly in § 15(3) of the Telemedia Act (TMG), which was replaced in May 2024 by the Digital Services Act (DDG).

For strictly necessary cookies (even without consent) there can be legitimate interests (Article 6(1)(f) GDPR), most often economic in nature — e.g., providing a functional user experience.

Non-essential cookies are used only with your consent. The legal basis for these is Art. 6(1)(a) GDPR.

Further details on cookie usage by specific software are provided in the sections below.

Website Builder Systems — Introduction

What are website builder systems?

We use a website builder system for our website. A builder is a form of content management system (CMS) that allows site operators to build a website without programming knowledge. Using such a system may involve the collection, storage and processing of personal data. This section provides general information about data processing by builder systems; see the provider’s privacy policy for specifics.

Why do we use a website builder?

The biggest advantage is ease of use. We want a clear, simple and maintainable website that we can operate without external help. A builder provides many useful features that let us shape our site and offer a pleasant user experience.

What data does a builder system store?

Exact data depends on the provider. Typically technical usage info (OS, browser, screen resolution, language settings, hosting provider, date/time) and tracking data (clickstream, heatmaps) may be processed. Contact data (email, phone if provided), IP and location data can also be stored. See the provider’s privacy policy for details.

How long and where is the data stored?

Retention details depend on the builder provider and are specified in their privacy policy. As a rule we only process personal data as long as necessary to provide our services. The provider may store data according to their own rules beyond our control.

Right to object

You always have the right to access, correct and delete your personal data. If you have questions, contact the provider of the website builder. Cookie-based provider functions can be managed or deleted in your browser settings. Note that disabling cookies may affect website functionality.

Legal basis

We have a legitimate interest in using a website builder to optimize our online service and present it efficiently (Art. 6(1)(f) GDPR). We use the builder only to the extent you have given consent for tracking-related functions (Art. 6(1)(a) GDPR).

For further details see the provider’s privacy policy.

WordPress.com Privacy Policy

What is WordPress?

We use the WordPress.com content management system provided by Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA.

WordPress is a widely used CMS that helps us present content (text, audio, video). Using WordPress can involve processing personal data — primarily technical data (OS, browser, screen resolution, hosting provider), but also personal data such as IP addresses, location or contact data.

Why do we use WordPress?

We’re not full-time programmers, but we want a powerful, attractive site we can manage ourselves. WordPress lets us operate and maintain the site without deep technical skills. If we need technical help we have specialists for HTML, PHP, CSS, etc.

What data does WordPress process?

Non-personal data: technical usage info like browser activity, clickstream, session heatmaps, and system details.
Personal data: contact details (email, phone if provided), IP address and geographic location. WordPress may use cookies to collect behavioral data (pages visited, time on page, bounce rate, preferences). WordPress may also use pixel tags/web beacons for identification and targeted advertising.

How long and where is the data stored?

Retention depends on data type and settings. Automattic typically deletes webserver logs containing IP and technical data after 30 days. Deleted content remains in the trash for 30 days; backups and caches may persist until removed. Data is stored on Automattic’s servers in the USA.

How can I delete or prevent data storage?

You have the right to access, update, delete or restrict processing of your personal data and to lodge a complaint with a supervisory authority. You can manage or delete cookies in your browser (see “Cookies” section).

Legal basis

If you consent to WordPress usage, that consent is the legal basis (Art. 6(1)(a) GDPR). We also have a legitimate interest in using WordPress to present our online service (Art. 6(1)(f) GDPR). Automattic participates in the EU-US Data Privacy Framework and uses Standard Contractual Clauses (SCCs) to ensure an adequate level of protection for data transferred to the USA. See https://automattic.com/privacy/ for more.

Web Analytics — Introduction

What is web analytics?

We use software to analyze visitor behavior (web analytics). The analytics provider stores, manages and processes data. These analyses help us understand user behavior and test content (A/B testing), and may create user profiles stored in cookies.

Why do we run web analytics?

We want to offer the best web experience in our sector. Analytics help us understand visitor demographics, peak times, popular content and overall site performance so we can improve the service and target marketing more effectively.

Which data are processed?

Depends on the tool. Generally: pages viewed, clicks, timestamps, browser, device type, and possibly location if permitted. IP addresses are treated as personal data and are usually pseudonymized. Typically no direct personal identifiers (name, email) are collected for analytics; data is stored pseudonymously.

Retention varies by provider — some cookies last minutes, others years.

Retention period

We inform you further below where we have specific information. Generally we store personal data only as long as necessary for the service; statutory requirements (e.g., accounting) may require longer retention.

Right to object

You may withdraw consent to cookies and third-party tracking at any time, via our cookie management tool or other opt-out functions, or via your browser settings.

Legal basis

Web analytics requires your consent, obtained via our cookie popup (Art. 6(1)(a) GDPR). We also have a legitimate interest in analyzing website behavior for technical and economic improvement (Art. 6(1)(f) GDPR), but we only use tools where consent has been given for tracking functions.

See the analytics tool’s privacy policy for precise processing details.

Google Analytics Privacy Statement

What is Google Analytics?

We use Google Analytics 4 (GA4) provided by Google Inc. For the EU, Google Ireland Limited is responsible. Google Analytics collects data about your interactions. By combining cookies, device IDs and login data, cross-device identification is possible if allowed, enabling cross-platform analysis.

Events (e.g., clicking a link) are recorded in cookies and sent to GA4. The reports help us tailor the website and services. GA4 uses an event-based model and includes machine learning to model missing data and forecast trends.

A tracking code is embedded in our website; it logs events you perform. Data is sent to Google servers and stored there.

Google provides us with reports such as:

• Audience reports
• Advertising reports
• Acquisition reports
• Behavior reports
• Conversion reports
• Real-time reports

GA4 features include event-based data, advanced analysis, predictive modeling and cross-platform tracking (if you consent).

Why we use Google Analytics

The tool helps us improve the website, understand visitors, optimize marketing, and boost conversions.

Which data does Google Analytics store?

GA4 creates a random ID associated with a browser cookie to identify users pseudo-anonymously. Data linked to this ID is stored in the configured property. Depending on settings, cross-platform tracking can be enabled via cookies, app instance IDs and user IDs. Google states that GA4 does not store full IP addresses; IPs are used to derive location data and then deleted. GA4 uses fewer cookies than older versions but still sets some.

Example GA cookies:
Name: _ga — Purpose: distinguish users — Expiry: 2 years
Name: _gid — Purpose: distinguish users — Expiry: 24 hours
Name: _gat_gtag_UA_<property-id> — Purpose: throttling request rate — Expiry: 1 minute

This list may change as Google updates cookie usage. GA4 also offers controls for retention and data collection.

Types of data GA may collect (examples):

• Heatmaps: areas users click
• Session duration: time spent on site
• Bounce rate: users viewing a single page then leaving
• Account creation: sign-ups and purchases
• Location: derived from IP prior to deletion
• Technical info: browser, ISP, screen resolution
• Referrer: which site or ad led the visitor here

Where and how long are GA data stored?

Google’s data centers are worldwide: https://datacenters.google/

Retention depends on the property settings. GA4 offers retention options such as:

• 2 months
• 14 months (default)
• 26 months
• Manual deletion only

Data may be kept longer if you revisit the site within the retention period, which resets the timer. Aggregated reports are retained independently of individual user data.

How to delete or prevent GA data collection

Under EU law you can request access, correction or deletion of your data. A browser add-on to disable GA JavaScript (analytics.js, gtag.js) is available at https://tools.google.com/dlpage/gaoptout?hl=de. This add-on prevents data collection by GA. You can also manage cookies in your browser as described in the “Cookies” section.

Legal basis

GA requires your consent via our cookie popup (Art. 6(1)(a) GDPR). We also have a legitimate interest in analyzing user behavior to improve the site (Art. 6(1)(f) GDPR) but only process analytics where consent is granted.

Google processes data in the USA. Google participates in the EU-US Data Privacy Framework and uses Standard Contractual Clauses (SCCs) to ensure compliant data transfer. See the Commission text at https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en. Google Ads Data Processing Terms are available at https://business.safety.google/intl/de/adsprocessorterms/.

For more on Google’s policies see https://policies.google.com/privacy?hl=de.

Google Analytics Demographics and Interests Reports

We have enabled advertising features in Google Analytics. Demographics and interests reports include age, gender and interests to help us better understand our users without identifying individuals. Learn more at https://support.google.com/analytics/answer/3450482?hl=de_AT&utm_id=ad.

You can manage ad personalization in your Google account settings at https://adssettings.google.com/authenticated.

Google Analytics in Consent Mode

Depending on your consent, Google Analytics processes data in Consent Mode. You can choose whether to allow GA cookies. If you do not consent, only aggregated measurements are recorded so that data cannot be assigned to individual users and no profiling is performed. You may also consent only to statistical measurement, in which case no personal data is used for advertising.

Google Analytics IP Anonymization

We have implemented IP anonymization for Google Analytics on this site. This masks IPs before storage/processing arrives in Google’s network, which helps comply with local data protection recommendations. See https://support.google.com/analytics/answer/2763052?hl=de.

Google Analytics without cookies

We use Google Analytics but do not set cookies in your browser. Without cookies, no personal profiling cookies are stored; GA can still perform certain measurements, but data is only stored on Google servers and your privacy is better protected.

All texts are protected by copyright.

Source: Privacy Policy created with the Privacy Policy Generator for Germany by AdSimple