Privacy Policy

Last updated: March 2026

This Privacy Policy explains what types of personal data we process, for what purposes, and to what extent. It applies to all personal data processing carried out by Studio Parlez — including in connection with our website, online services, and external online presences such as our social media profiles (collectively referred to as the "online offering"). The terms used in this policy are not gender-specific.

1. Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Studio Parlez
Speckmeier & Qarizada GbR
Kurfürstenstr. 15
80799 München
Germany
E-Mail: hello@studioparlez.com

2. Overview of Processing Activities

The following types of personal data are processed on this website:

  • Master data (e.g. name, contact details)
  • Contact data (e.g. email addresses)
  • Content data (e.g. form submissions, messages)
  • Usage data (e.g. pages visited, time spent, browser type)
  • Meta, communication and process data (e.g. IP addresses, timestamps)
  • Log data (e.g. server access logs)

Categories of persons affected: website visitors, people who contact us.

Purposes of processing: provision of the online offering, responding to inquiries, spam protection, analytics (where consent is given), security, social media presence.

3. Legal Bases

We process personal data on the following legal bases under the GDPR:

  • Consent (Art. 6(1)(a) GDPR) — where you have given us explicit consent to a specific processing purpose (e.g. analytics cookies). You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  • Pre-contractual measures and contract performance (Art. 6(1)(b) GDPR) — where processing is necessary to respond to your inquiry or fulfil a contract with you.
  • Legitimate interests (Art. 6(1)(f) GDPR) — where processing is necessary for our or a third party's legitimate interests, provided these are not overridden by your fundamental rights. Our legitimate interests include the secure and efficient operation of this website.
  • Legal obligation (Art. 6(1)(c) GDPR) — where processing is required by law (e.g. retention obligations under German commercial and tax law).

In addition to the GDPR, German national data protection law applies — in particular the Federal Data Protection Act (BDSG), which contains specific rules on rights of access, erasure, objection, and automated decision-making.

4. Security Measures

We implement appropriate technical and organisational measures to protect personal data against accidental or intentional manipulation, loss, destruction, or unauthorised access. These measures include securing the confidentiality, integrity, and availability of data through physical and electronic access controls, input monitoring, transmission security, and data separation.

This website uses SSL/TLS encryption. An encrypted connection is indicated by the "https://" prefix in your browser's address bar. We also take data protection into account during the development and selection of hardware, software, and processes (privacy by design and privacy by default).

Our security measures are continuously reviewed and updated in line with the state of the art.

5. International Data Transfers

Some of the service providers we use are based outside the European Union (EU) or European Economic Area (EEA), in particular in the United States. Where we transfer personal data to third countries, we do so only in compliance with applicable law — in particular on the basis of:

  • An adequacy decision by the European Commission (Art. 45 GDPR), or
  • Appropriate safeguards such as Standard Contractual Clauses (Art. 46(2)(c) GDPR), or
  • Certification under the EU-US Data Privacy Framework (DPF), where applicable.

The EU-US Data Privacy Framework (adequacy decision of 10 July 2023) recognises the data protection level of certified US companies as adequate. Where we use DPF-certified providers, we note this in the relevant sections below. A list of certified companies is available at dataprivacyframework.gov.

6. Data Retention and Deletion

We delete personal data as soon as the purpose for which it was collected no longer applies and no legal retention obligations require continued storage. Where data must be retained due to statutory obligations, processing is restricted to the purposes that justify retention.

The following statutory retention periods apply under German law:

  • 10 years — accounting records, annual financial statements, inventories, and related working documents (§ 147 AO, § 257 HGB).
  • 6 years — business letters received and sent, and other documents relevant for taxation (§ 147 AO, § 257 HGB).
  • 3 years — data required to handle potential warranty or liability claims, based on the standard limitation period under §§ 195, 199 BGB.

Where multiple retention periods apply to the same data, the longest period is decisive.

7. Hosting — Vercel

This website is hosted by Vercel Inc., 340 Pine Street, Suite 701, San Francisco, CA 94104, USA. When you visit our website, Vercel processes technical access data on our behalf as a data processor — including IP addresses, browser type, and access timestamps (see Section 8 below). Vercel is certified under the EU-US Data Privacy Framework (DPF).

For more information, see Vercel's Privacy Policy.

8. Data Collected When Visiting This Website

When you access this website, your browser automatically transmits technical information to our server. This includes:

  • IP address of the requesting device
  • Date and time of the request
  • URL of the page accessed
  • Referrer URL (page visited before)
  • Browser type and version
  • Operating system
  • HTTP status code and amount of data transferred

This data is processed by Vercel as our hosting provider and is necessary for the technical delivery of the website. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in operating a reliable and secure website). Server log data is retained for a maximum of 30 days and then deleted or anonymised, unless further retention is required for evidence purposes.

9. Cookies

Cookies are small text files stored on your device by your browser. We use cookies in accordance with applicable law. Where required, we obtain your prior consent before setting cookies. Technically necessary cookies — those required to deliver the service you have requested — do not require consent.

We distinguish between the following types of cookies:

  • Session cookies — deleted when you close your browser or end your session.
  • Persistent cookies — remain stored on your device after the session ends, for a period of up to 2 years unless otherwise stated.

You can configure your browser to reject or delete cookies at any time. Note that disabling certain cookies may impair the functionality of this website. You can also manage your consent preferences at any time via the "Cookie Settings" link in the footer.

Legal basis: Art. 6(1)(a) GDPR (consent) for non-essential cookies; Art. 6(1)(f) GDPR (legitimate interest) for technically necessary cookies.

10. Consent Management — Klaro

This website uses Klaro, a self-hosted open-source consent management tool, to manage your cookie preferences. Klaro stores your consent decisions locally in your browser (via a cookie named klaro). This cookie contains no personal data and is technically necessary to remember your choices. No data is transmitted to any third-party Klaro server.

Legal basis: Art. 6(1)(c) GDPR (legal obligation to document consent) and Art. 6(1)(f) GDPR (legitimate interest in operating a functional consent mechanism).

11. Contact Form

When you submit an inquiry via our contact form, we collect the following data:

  • Name
  • Email address
  • Website URL
  • Budget range (optional)
  • Services of interest
  • Project description (optional)
  • Date of submission

This data is processed for the purpose of responding to your inquiry and evaluating a potential collaboration. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures at your request) and Art. 6(1)(f) GDPR (our legitimate interest in managing business inquiries).

Your submission is transmitted to us via Resend (Resend Inc., USA) for email delivery, and stored in Airtable (Formagrid Inc., 799 Market Street, San Francisco, CA 94103, USA) as our CRM. Both services act as processors on our behalf under data processing agreements. Data transfers to the US are based on Standard Contractual Clauses (Art. 46(2)(c) GDPR).

Where no business relationship results from an inquiry, contact data is deleted within 24 months of the last contact. Where a business relationship is established, applicable commercial and tax retention periods apply (see Section 6).

12. Spam Protection — Cloudflare Turnstile

Our contact form uses Cloudflare Turnstile, a bot protection service by Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. Turnstile analyses interaction patterns to determine whether a submission originates from a human or an automated bot. It may set technically necessary cookies and process your IP address and browser characteristics. No data is shared with advertisers.

Legal basis: Art. 6(1)(f) GDPR (our legitimate interest in protecting this website from spam and abuse). Technically necessary cookies are exempt from consent requirements. See Cloudflare's Privacy Policy.

13. Analytics — Microsoft Clarity

This website uses Microsoft Clarity, a behaviour analytics service by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA. Clarity records anonymised session data including mouse movements, clicks, and scroll behaviour to help us understand how visitors use the website. Clarity may also generate heatmaps of page activity.

Clarity sets cookies and processes data including your anonymised IP address, browser type, device type, and on-site behaviour. Microsoft is certified under the EU-US Data Privacy Framework (DPF).

Legal basis: your consent (Art. 6(1)(a) GDPR), which you can grant or withdraw at any time via the cookie banner or "Cookie Settings" in the footer. If you do not consent, Clarity will not be loaded. See Microsoft's Privacy Statement.

14. Blog

This website features a blog. Blog content is published and managed via our content management system (Sanity, see Section 15). When you read a blog post, the general website access data described in Section 8 is processed. We do not operate a comment function on our blog — no additional personal data from readers is collected or stored beyond standard server logs.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing and operating the online offering).

15. Content Management — Sanity

This website uses Sanity (Sanity AS, Stenersgata 8, 0184 Oslo, Norway) as a headless content management system (CMS) to manage and deliver blog and case study content. Sanity processes content data on our behalf on servers within the EU/EEA. No personal data of website visitors is stored in or transmitted to Sanity.

For more information, see Sanity's Privacy Policy.

16. Shopify Theme Detector — Notion

Our Shopify theme detection tool (/tool) logs usage data for internal analytics purposes via the Notion API (Notion Labs Inc., 2300 Harrison Street, San Francisco, CA 94110, USA). The data logged may include the website URL submitted for analysis and a timestamp. No personal data you provide (such as name or email) is transmitted to Notion as part of this tool.

Legal basis: Art. 6(1)(f) GDPR (our legitimate interest in monitoring usage of our tool). Data transfers to the US are based on Standard Contractual Clauses.

17. External APIs

This website makes a server-side request to Open-Meteo (open-meteo.com) to display the current temperature in Munich in the footer. This request is made from our server — no personal data from visitors is transmitted to Open-Meteo.

18. Third-Party Scripts and Fonts

This website may load scripts or resources from third-party servers (e.g. Cloudflare Turnstile, as described in Section 12). When such resources are loaded, the respective provider receives your IP address, as this is technically required to deliver the resource to your browser. We use such services only where necessary and have contractual data protection agreements in place where required.

Fonts used on this website are served from our own server — no data is transmitted to third-party font providers such as Google Fonts.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in website functionality).

19. Social Media Presences

We maintain public profiles on the following social media platforms:

  • Instagram (Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland) — Privacy Policy. Basis for US transfers: Data Privacy Framework (DPF).
  • LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) — Privacy Policy. Basis for US transfers: Data Privacy Framework (DPF).

When you visit our social media profiles, data is processed by the respective platform operator under their own terms. As operators of social media pages, we may be jointly responsible with the platform operator for certain data processing — in particular for the "Page Insights" (statistics) function on LinkedIn. We have entered into a joint controller agreement with LinkedIn Ireland for this purpose ("Page Insights Joint Controller Addendum"), which specifies the security measures LinkedIn must apply and confirms that LinkedIn will fulfil data subject rights on behalf of both parties. Our joint controllership is limited to the collection of data and its transfer to LinkedIn Ireland — further processing by LinkedIn (including transfer to LinkedIn Corporation in the US) is solely LinkedIn's responsibility.

We have no control over the data collected by these platforms beyond our joint responsibility as described above. We recommend reviewing the platforms' privacy policies. Data subject rights (access, erasure, objection) can be exercised most effectively directly with the respective platform.

Legal basis: Art. 6(1)(f) GDPR (our legitimate interest in public communication and business development).

20. Links to Third-Party Websites

Our website may contain links to external websites. We have no control over the content or data protection practices of those websites and accept no responsibility for them. Please review the privacy policy of any third-party website you visit.

21. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right to object (Art. 21 GDPR) — You have the right to object at any time to the processing of your personal data on the basis of Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for the establishment, exercise, or defence of legal claims. Where processing is for direct marketing purposes, you may object at any time and we will stop immediately.
  • Right to withdraw consent (Art. 7(3) GDPR) — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
  • Right of access (Art. 15 GDPR) — You may request confirmation of whether we process personal data about you, and if so, receive a copy and further information.
  • Right to rectification (Art. 16 GDPR) — You may request correction of inaccurate or completion of incomplete personal data.
  • Right to erasure (Art. 17 GDPR) — You may request deletion of your personal data, subject to applicable retention obligations.
  • Right to restriction of processing (Art. 18 GDPR) — You may request that we restrict processing of your data under certain conditions.
  • Right to data portability (Art. 20 GDPR) — You may request your data in a structured, commonly used, machine-readable format, or ask that it be transmitted to another controller.

To exercise any of these rights, contact us at hello@studioparlez.com. We will respond within one month.

22. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority at any time — in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement. The competent supervisory authority for Studio Parlez is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany
www.lda.bayern.de

23. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our processing practices or applicable law. The date at the top of this page indicates when it was last revised. We encourage you to review this page periodically.