Information pursuant to Articles 13 and 14 GDPR, Section 38 BDSG and Section 25 TDDDG
Privacy Policy
Last updated: May 8, 2026
We take the protection of personal data seriously. This Privacy Policy explains how Olymaris Digital Transformation Agency processes personal data when you visit this website, contact us, use our services or interact with our digital content.
1. Controller
Olymaris Digital Transformation Agency
Owner: Mariam Zamani
Rochlitzer Straße 1, 09217 Burgstädt, Germany
Email: contact@olymaris.com
Phone: +49 (0) 157 382 218 79
We are established in Germany and are therefore subject to the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the German Telecommunications Digital Services Data Protection Act (TDDDG), where applicable. No representative under Article 27 GDPR is required.
2. Data Protection Officer
We have not appointed a Data Protection Officer because, based on our current size and processing activities, we are not legally required to do so under Article 37 GDPR and Section 38 BDSG.
If our processing activities change in a way that creates a legal obligation to appoint a Data Protection Officer, we will appoint one and update this Privacy Policy accordingly. Privacy-related inquiries can be sent to the contact details stated above.
3. Privacy by Design and Default
We apply the principle of data protection by design and by default. This means that we design and operate our website and services so that only personal data necessary for the relevant purpose is processed by default.
Optional external services, including Google Analytics and Google Maps, are not loaded before you have given consent. Where possible, we use placeholders, delayed loading, consent-based activation and data minimization to reduce data transfers to third parties.
4. Processing When Visiting This Website
When you access this website, technical data is automatically processed in order to display the website securely and reliably. This may include:
- IP address
- Date and time of access
- Requested URL and pages visited
- HTTP status code
- Referrer URL
- Browser type and version
- Operating system
- Device information
- Amount of data transferred
Purpose: technical delivery of the website, stability, security, error analysis and prevention of misuse.
Legal basis: Article 6(1)(f) GDPR. Our legitimate interest is the secure and reliable operation of the website.
Retention: server log data is generally deleted after 14 days. Longer storage may occur only if required to investigate security incidents or legal claims.
5. Purposes, Categories of Data and Legal Bases
| Processing activity | Data categories | Purpose | Legal basis |
|---|---|---|---|
| Website operation and security | IP address, browser data, device data, log data | Secure and reliable operation of the website | Article 6(1)(f) GDPR |
| Contact requests | Name, email address, phone number, message content, metadata | Responding to inquiries and communication | Article 6(1)(b) GDPR or Article 6(1)(f) GDPR |
| Offers, projects and contracts | Contact details, project details, contract data, billing data | Preparation, performance and administration of contracts | Article 6(1)(b) GDPR; Article 6(1)(c) GDPR for legal obligations |
| Cookie consent management | Consent choice, time of choice, browser/device information where necessary | Storage and documentation of cookie and consent preferences | Section 25(2) TDDDG; Article 6(1)(f) GDPR |
| Analytics | Usage data, page views, interactions, browser/device data, truncated or processed IP-related data | Improvement of website performance and content | Section 25(1) TDDDG; Article 6(1)(a) GDPR |
| External content such as maps | IP address, browser/device data, interaction data | Display of external content requested by the user | Section 25(1) TDDDG; Article 6(1)(a) GDPR |
6. Contact Requests and Business Communication
If you contact us by email, phone, contact form or another communication channel, we process the information you provide in order to handle your request. This may include your name, email address, phone number, company name, project information and the content of your message.
If your request relates to a potential or existing contract, the legal basis is Article 6(1)(b) GDPR. In other cases, the legal basis is Article 6(1)(f) GDPR. Our legitimate interest is proper business communication and responding to inquiries.
If we receive your contact details from a third party, for example through a referral, we process such data only for the purpose for which it was provided, such as contacting you about a possible business relationship. In such cases, the legal basis is Article 6(1)(f) GDPR, unless another legal basis applies.
Contact requests that do not lead to a contract are generally deleted 6 months after final completion of the request, unless legal retention obligations or legitimate interests require longer storage. If the communication becomes part of a contractual or accounting process, statutory retention periods may apply.
7. Cookies, Local Storage, Session Storage and Consent
We use technically necessary cookies and similar technologies to operate this website, store your cookie choice, remember your language preference and support essential website functions. These technologies are used on the basis of Section 25(2) TDDDG and, where personal data is processed, Article 6(1)(f) GDPR.
Optional cookies and similar technologies, including analytics and external content, are used only with your consent. The legal basis is Section 25(1) TDDDG and Article 6(1)(a) GDPR.
You can withdraw or change your consent at any time with effect for the future through the cookie settings available on this website. More details are available in our Cookie Policy.
8. Google Analytics
We use Google Analytics only if you give consent. Google Analytics is a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics helps us understand how visitors use our website, which pages are visited, how users interact with the website and how we can improve our content and services. The following data may be processed: page views, interaction data, approximate location, browser information, device information, referrer information and usage data.
Google Analytics is not loaded before consent is given. If you reject analytics cookies, Google Analytics will not be activated.
Legal basis: Section 25(1) TDDDG and Article 6(1)(a) GDPR.
Retention: Google Analytics cookies may remain for up to 24 months. User-level and event-level data
in Google Analytics are retained for 14 months. Consent records are retained for 12 months.
Google may process data in the United States and other third countries. Further information on international data transfers is provided in Section 12 of this Privacy Policy.
9. Google Maps and External Content
We may embed Google Maps or similar external content on our website. Google Maps is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Maps and other optional external content are not loaded automatically before consent. Instead, we may display a placeholder. If you consent or actively request the external content, your browser may connect to Google servers. In that case, data such as your IP address, browser information, device information and interaction data may be transmitted to Google.
Legal basis: Section 25(1) TDDDG and Article 6(1)(a) GDPR.
Retention by Olymaris: Olymaris does not store Google Maps usage data. Google processes data under
its own responsibility according to Google’s privacy information.
10. Firebase, Firestore and Firebase Storage
We may use Firebase services, including Firestore and Firebase Storage, for technical website functions, form processing, storage of website assets or application-related features. Firebase is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Depending on the relevant function, the following data may be processed: IP address, technical connection data, browser and device information, form data submitted by you, timestamps, security logs and data required for the requested website or application function.
Legal basis: Article 6(1)(b) GDPR where Firebase is used to process contract-related inquiries or requested services; Article 6(1)(f) GDPR where Firebase is required for secure and reliable technical operation; Article 6(1)(a) GDPR where optional functions require consent.
Retention: technical logs are generally retained only as long as required for security and operation. Contact or request data stored through Firebase are generally deleted 6 months after completion of the request unless they become part of a contract, accounting process or legal obligation. Contract and accounting data may be retained for up to 10 years.
Firebase services may process and store data on Google infrastructure worldwide, depending on the specific service and configuration. Further information on international data transfers is provided in Section 12 of this Privacy Policy.
11. Recipients and Processors
We do not sell personal data. Personal data may be disclosed to the following categories of recipients where necessary:
- Hosting and infrastructure providers
- Email and communication providers
- IT service providers and software providers
- Analytics and external content providers, only where consent has been given
- Tax advisors, legal advisors and authorities where legally required
Where service providers process personal data on our behalf, we conclude data processing agreements pursuant to Article 28 GDPR where required.
12. Transfers to Third Countries
Some providers used by this website may process personal data outside the European Union or the European Economic Area. This applies in particular to Google services, including Google Analytics, Google Maps and Firebase.
Google services are generally provided in Europe by Google Ireland Limited. Data may also be processed by Google LLC or other Google companies outside the European Economic Area, including in the United States.
For transfers to the United States, Google LLC is certified under the EU-U.S. Data Privacy Framework. Transfers to certified U.S. organizations may be based on the European Commission’s adequacy decision pursuant to Article 45 GDPR. Where an adequacy decision does not apply, we rely on appropriate safeguards such as EU Standard Contractual Clauses pursuant to Article 46 GDPR where required.
Further information:
Google Privacy Policy:
https://policies.google.com/privacy
Google Data Privacy Framework information:
https://policies.google.com/privacy/frameworks
Firebase privacy information:
https://firebase.google.com/support/privacy
13. Storage Duration
We store personal data only for as long as necessary for the relevant purpose, unless a longer retention period is required by law or justified by legitimate interests.
| Data / processing activity | Retention period |
|---|---|
| Server log data | 14 days, unless longer storage is required for security incidents or legal claims |
| Cookie consent records | 12 months |
| Language preference | 12 months |
| Session storage for interface state | Until the browser session ends |
| Contact requests that do not lead to a contract | 6 months after final completion of the request |
| Project, offer and contract communication | For the duration of the business relationship and up to 3 years after the end of the year in which possible claims arise, unless longer statutory retention applies |
| Invoices, accounting and tax-relevant documents | Up to 10 years according to statutory retention obligations, in particular Section 147 AO and Section 257 HGB |
| Google Analytics cookies | Up to 24 months after consent |
| Google Analytics user-level and event-level data | 14 months |
| Data processed through Firebase for contact or project requests | 6 months after final completion of the request, unless the data becomes contract or accounting data |
14. Your Rights
As a data subject, you have the following rights under the GDPR:
- Right of access under Article 15 GDPR
- Right to rectification under Article 16 GDPR
- Right to erasure under Article 17 GDPR
- Right to restriction of processing under Article 18 GDPR
- Right to data portability under Article 20 GDPR
- Right to object under Article 21 GDPR
- Right to withdraw consent at any time under Article 7(3) GDPR
- Right to lodge a complaint with a supervisory authority under Article 77 GDPR
If processing is based on consent, withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
15. Right to Object
Where we process personal data on the basis of Article 6(1)(f) GDPR, you have the right to object to such processing at any time on grounds relating to your particular situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.
If personal data is processed for direct marketing purposes, you have the right to object at any time to processing for such marketing. If you object to direct marketing, we will no longer process your data for that purpose.
16. Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority. The competent supervisory authority for us is:
Sächsische Datenschutz- und Transparenzbeauftragte
MaternistraĂźe 17
01067 Dresden, Germany
Phone: +49 351 85471-101
Email: post@sdtb.sachsen.de
Website: https://www.datenschutz.sachsen.de
17. Obligation to Provide Data
You are not legally obliged to provide personal data when visiting this website. However, certain technical data is necessary to display the website and maintain security. If you contact us or request a service, the data required to process your request or perform a contract is necessary for that purpose.
18. Automated Decision-Making and Profiling
We do not use automated decision-making, including profiling, within the meaning of Article 22 GDPR.
19. Data Security
We use appropriate technical and organizational measures to protect personal data against unauthorized access, loss, misuse, alteration or disclosure. These measures include access controls, secure transmission, data minimization and regular review of technical integrations.
20. Updates to This Privacy Policy
We may update this Privacy Policy if legal, technical or organizational changes make this necessary. The current version is always available on this website.
Last updated: May 8, 2026 | Olymaris Digital Transformation Agency