Privacy Notice

1. Data Protection at a Glance

General Information

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you. For detailed information on data protection, please refer to our privacy policy listed below this text.

Data Collection on This Website

Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. Their contact details can be found in the "Data Controller" section of this privacy policy.

How do we collect your data?
Your data is collected automatically when you visit the website through our IT systems. This is primarily technical data (e.g., internet browser, operating system, or time of page access). This data collection occurs automatically as soon as you enter this website.

What do we use your data for?
The data is collected to ensure error-free provision of the website and to ensure system security.

What rights do you have regarding your data?
You have the right to receive information about the origin, recipient, and purpose of your stored personal data free of charge at any time. You also have the right to request correction or deletion of this data. You also have the right to request restriction of processing of your personal data under certain circumstances. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.

2. General Information and Mandatory Information

Data Protection

The operators of this website take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy.

When you use this website, various personal data is collected. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this happens.

We point out that data transmission over the internet (e.g., communication by email) may have security vulnerabilities. Complete protection of data from access by third parties is not possible.

3. Data Controller

Growing Forward GmbH
Bernabeistraße 2
80639 München (Munich)
Germany
Phone: +49 (0) 15734101338
Email: [email protected]
Managing Director: Marvin Burmester

Authorized representative: Marvin Burmester

The data controller is the natural or legal person who alone or jointly with others determines the purposes and means of processing personal data (e.g., names, email addresses, etc.).

4. Data Protection Officer

Growing Forward GmbH has not appointed a Data Protection Officer as the legal requirements for this do not apply. For data protection questions, please contact us directly using the contact details provided above.

5. Storage Duration

Unless a more specific storage period is mentioned within this privacy policy, your personal data will remain with us until the purpose for data processing ceases to exist. If you assert a legitimate request for deletion or revoke consent for data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g., tax or commercial law retention periods); in the latter case, deletion will occur after these reasons cease to exist.

6. General Information on Legal Bases for Data Processing

If you have consented to data processing, we process your personal data based on Article 6(1)(a) GDPR or Article 9(2)(a) GDPR if special categories of data according to Article 9(1) GDPR are processed.

If your data is required for contract fulfillment or for carrying out pre-contractual measures, we process your data based on Article 6(1)(b) GDPR.

Furthermore, we process your data if this is necessary to fulfill a legal obligation, based on Article 6(1)(c) GDPR.

Data processing may also be based on our legitimate interest according to Article 6(1)(f) GDPR. Information about the relevant legal bases in each individual case is provided in the following paragraphs of this privacy policy.

7. Data Processing When Visiting Our Website

Automatically Collected Data

When you visit our website, information is automatically sent to our website server by your web browser and stored in log files (server log files). This includes:

• IP address of the requesting computer
• Date and time of access
• Name and URL of the retrieved file
• Website from which access occurred (referrer URL)
• Browser used and, if applicable, the operating system of your computer and the name of your access provider

Purpose of Processing: This data is processed to enable the delivery of the website, to permanently ensure system security and stability, and to optimize the administration of the network infrastructure.

Legal Basis: Processing is carried out pursuant to Article 6(1)(f) GDPR based on our legitimate interest in the proper provision and secure operation of our website.

Retention Period: This data is automatically deleted after 4 hours, unless it is needed longer for security purposes. In this case, deletion occurs after 90 days.

8. Hosting and Content Delivery Network (Cloudflare)

Our website is hosted by Cloudflare Germany GmbH, Rosental 7, 80331 München, Germany. Cloudflare is our data processor pursuant to Article 28 GDPR.

Processed Data

When visiting our website, Cloudflare automatically processes:

• IP addresses of website visitors
• Technical connection data (timestamps, browser information, requested pages)
• Server access logs and system information

Purpose of Processing

• Website delivery and performance optimization
• Security protection and DDoS defense
• Content distribution and caching
• Traffic analysis for system improvements

Legal Basis: Article 6(1)(f) GDPR - legitimate interest in the secure and functional operation of technical systems.

International Data Transfer

Cloudflare also processes data in the USA. The protection of your data is ensured by the following measures:

• EU-US Data Privacy Framework (DPF): Cloudflare is certified under the DPF
• Standard Contractual Clauses (SCCs): Additional protection through EU Commission Decision 2021/914
• Supplementary Measures: Technical and organizational protective measures

Notice on Data Transfer to the USA: We point out that no data protection level comparable to that of the EU can be guaranteed in the USA. For example, US companies are obligated to release personal data to security authorities without you as the data subject being able to take legal action against this. It therefore cannot be excluded that US authorities (e.g., intelligence services) process, evaluate, and permanently store your data located on US servers for surveillance purposes. We have no influence on these processing activities.

Data Processing Agreement: A data processing agreement (DPA) exists with Cloudflare pursuant to Article 28 GDPR. This is a contract required by data protection law that ensures Cloudflare processes personal data of our website visitors only according to our instructions and in compliance with the GDPR.

9. SSL/TLS Encryption

This site uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content. You can recognize an encrypted connection by the fact that the browser's address line changes from "http://" to "https://" and by the lock symbol in your browser line. When SSL/TLS encryption is activated, data you transmit to us cannot be read by third parties.

10. Cookies

Our website uses no cookies. No files are stored on or retrieved from your device.

11. Contact

We currently do not offer direct contact forms or email contact through the website. Should you contact us by email or otherwise, the personal data you provide will be used exclusively to process your inquiry.

Legal Basis: Processing is carried out based on Article 6(1)(b) GDPR if your inquiry is related to the fulfillment of a contract or is necessary for carrying out pre-contractual measures. In all other cases, processing is based on our legitimate interest in effectively handling inquiries directed to us (Article 6(1)(f) GDPR).

Storage Duration: The data you send to us will remain with us until you request deletion, revoke your consent to storage, or the purpose for data storage ceases to exist (e.g., after completion of processing your inquiry). Mandatory legal provisions – especially statutory retention periods – remain unaffected.

12. Your Rights as a Data Subject

You have the following rights regarding your personal data:

Right of Access (Article 15 GDPR)

You have the right to obtain information about the personal data we process concerning you.

Right to Rectification (Article 16 GDPR)

You have the right to demand immediate correction of inaccurate personal data.

Right to Erasure (Article 17 GDPR)

You have the right to demand immediate deletion of your personal data, provided one of the statutory grounds applies.

Right to Restriction of Processing (Article 18 GDPR)

You have the right to demand restriction of processing when certain conditions are met.

Right to Data Portability (Article 20 GDPR)

You have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format.

Right to Object (Article 21 GDPR)

You have the right to object at any time to the processing of your personal data when processing is based on Article 6(1)(f) GDPR (legitimate interests).

RIGHT TO OBJECT TO DATA COLLECTION IN SPECIAL CASES AND TO DIRECT MARKETING (ARTICLE 21 GDPR)

If data processing is carried out based on Article 6(1)(e) or (f) GDPR, you have the right at any time to object to the processing of your personal data for reasons arising from your particular situation; this also applies to profiling based on these provisions. If you object, we will no longer process your affected personal data unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims (objection according to Article 21(1) GDPR).

Revocation of Your Consent to Data Processing

Many data processing operations are only possible with your express consent. You can revoke consent already given at any time. The lawfulness of data processing carried out until revocation remains unaffected by the revocation.

Objection to Advertising Emails

The use of contact data published as part of the legal notice obligation to send unsolicited advertising and information materials is hereby objected to. The operators of the pages expressly reserve the right to take legal action in case of unsolicited sending of advertising information, such as through spam emails.

Right to Lodge a Complaint with the Competent Supervisory Authority

In case of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, particularly in the member state of their habitual residence, workplace, or the place of the alleged violation. This right to lodge a complaint exists without prejudice to other administrative or judicial remedies.

Competent Supervisory Authority: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany, Phone: +49 (0) 981 180093-0, Email: [email protected]

13. Data Security

We implement technical and organizational measures to protect your personal data from loss, manipulation, and unauthorized access. Our security measures are continuously improved in accordance with technological developments.

14. Changes to the Privacy Policy

We reserve the right to modify this privacy policy to adapt it to changed legal situations or when changes are made to our services and data processing. The current privacy policy can always be found on this website.

Last Updated: August 2025