Privacy Policy

Last updated: 13 May 2026

1. Privacy at a Glance

General Information

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you. For detailed information on the subject of data protection, please refer to our privacy policy set out below.

Data Collection on This Website

Who is responsible for data collection on this website?

Data processing on this website is carried out by the website operator. You can find the operator’s contact details in the section “Information on the Responsible Party” in this privacy policy.

How do we collect your data?

Some data is collected when you provide it to us, for example via a contact form or by booking an appointment through our scheduling tool. Other data is collected automatically or with your consent when you visit the website (primarily technical data such as browser type, operating system, or time of page access).

What do we use your data for?

Some of the data is collected to ensure the error-free provision of the website. Other data, subject to your consent, may be used to analyse user behaviour, perform marketing attribution, and optimise our content. In addition, we use HubSpot as a Customer Relationship Management (CRM) system to manage customer relationships and operate marketing automation.

What rights do you have regarding your data?

You have the right to receive free information about the origin, recipient, and purpose of your stored personal data at any time. You also have the right to request the correction or deletion of this data, and to withdraw any consent you have given. You may also request a restriction of processing under certain circumstances, and have the right to lodge a complaint with the competent supervisory authority.

2. Hosting and Content Management System

This website is delivered in full via the HubSpot CMS Hub platform of HubSpot, Inc. (25 First Street, Cambridge, MA 02141, USA). The European subsidiary is HubSpot Ireland Limited (1 Sir John Rogerson’s Quay, Dublin 2, Ireland).

The data in our HubSpot account is hosted in the AWS data centre in Frankfurt am Main (Germany, EU region). When you visit our website, your browser establishes a connection to HubSpot’s servers, during which technical data (IP address, browser type, page views) is automatically collected and stored in server log files.

The use of HubSpot CMS is based on Art. 6(1)(f) GDPR. We have a legitimate interest in the professional and efficient provision of our website. Where corresponding consent has been obtained, processing is carried out on the basis of Art. 6(1)(a) GDPR in conjunction with §25(1) TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, in force since 14 May 2024, successor to TTDSG).

Support and logging data may be transmitted to the United States. HubSpot is certified under the EU-US Data Privacy Framework (DPF) following the European Commission’s adequacy decision of 10 July 2023. EU Standard Contractual Clauses pursuant to Implementing Decision (EU) 2021/914 apply in addition. A summary of the safeguards in place (Transfer Impact Assessment) is available on request.

Data processing agreement and joint controllership: We have concluded a data processing agreement with HubSpot pursuant to Art. 28 GDPR (HubSpot Data Processing Agreement of 14 April 2026). With regard to the HubSpot tracking pixel and behavioural analytics, HubSpot is additionally a joint controller pursuant to Art. 26 GDPR; the arrangements are set out in Section 10 of the HubSpot DPA. The essential terms of this agreement are available on request. Details: https://legal.hubspot.com/dpa

3. General Information and Mandatory Disclosures

Data Protection

The operators of this website take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy.

We would like to point out that data transmission over the Internet may have security vulnerabilities. Complete protection of data against access by third parties is not possible.

Information on the Responsible Party

The responsible party for data processing on this website is:

Peter Vogel
peppereffect
Provinzialstraße 41
46499 Hamminkeln, Germany
Phone: +49 163 7096754
Email: info@peppereffect.com

The responsible party is the natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data.

Data Protection Officer

The appointment of a data protection officer is not currently required for our company pursuant to Art. 37 GDPR or §38 of the German Federal Data Protection Act (BDSG), as the statutory thresholds are not reached. For data protection enquiries, please use the contact details above.

Storage Duration

Unless a more specific storage period has been stated within this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a legitimate request for deletion or revoke your consent, your data will be deleted unless we have other legally permissible reasons for storing it (e.g., tax or commercial law retention periods).

General Information on the Legal Basis for Data Processing

Where you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR. In the case of explicit consent to the transfer of personal data to third countries, processing is additionally based on Art. 49(1)(a) GDPR. Where data processing is necessary for the performance of a contract or for pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. Where processing is necessary to comply with a legal obligation, we rely on Art. 6(1)(c) GDPR. Processing may also be carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR. Storing or reading information on the user’s end device is governed by §25(1) TDDDG.

Information on Data Transfers to the USA and Other Third Countries

Our website includes tools from companies based in the United States. Where you consent to the relevant category, your personal data may be transferred to these third countries. We would like to point out that no level of data protection comparable to that of the EU can be guaranteed in these countries.

Where the respective companies are certified under the EU-US Data Privacy Framework (DPF), this constitutes an appropriate basis for the transfer in accordance with the EU Commission’s adequacy decision of 10 July 2023. EU Standard Contractual Clauses pursuant to Implementing Decision (EU) 2021/914 apply in addition.

We would like to point out that even with adequate safeguards, it cannot be ruled out that US authorities (e.g., intelligence services) may process, evaluate, and permanently store your data on US servers for surveillance purposes. We have no influence over these processing activities.

Withdrawal of Your Consent

Many data processing operations are only possible with your express consent. You may revoke any consent at any time via the “Cookie Settings” link in the footer of this website. On withdrawal, already-placed cookies in the relevant category are removed from your browser. The lawfulness of any processing carried out before the revocation remains unaffected.

Right to Object to Data Collection in Special Cases and to Direct Marketing (Art. 21 GDPR)

IF DATA PROCESSING IS BASED ON ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, TO THE PROCESSING OF YOUR PERSONAL DATA; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS.

IF YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THIS PROCESSING; THIS ALSO APPLIES TO RELATED PROFILING. IF YOU OBJECT, YOUR PERSONAL DATA WILL NO LONGER BE USED FOR DIRECT MARKETING.

Right to Lodge a Complaint with the Competent Supervisory Authority

In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority. The supervisory authority responsible for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44
40102 Düsseldorf, Germany
https://www.ldi.nrw.de/

Right to Data Portability

You have the right to have data that we process automatically on the basis of your consent or in fulfilment of a contract handed over to you or to a third party in a common, machine-readable format.

SSL/TLS Encryption

For security reasons and to protect the transmission of confidential content, this site uses SSL/TLS encryption. You can recognise an encrypted connection by the “https://” prefix in your browser’s address bar and the padlock icon.

Information, Deletion, and Correction

You have the right at any time to free information about your stored personal data, its origin and recipients, and the purpose of processing, as well as the right to correction or deletion of this data. For this and other data protection enquiries, you may contact us at any time.

4. Data Collection on This Website

Cookies and Consent Management

Our website uses so-called cookies. Cookies are small text files and do not cause any damage to your device. They are stored either temporarily for the duration of a session (session cookies) or permanently (persistent cookies) on your device.

Cookies that are strictly necessary for carrying out the electronic communication process, providing certain functions you have requested, or optimising the website (e.g., the cookie that stores your cookie consent preferences) are stored on the basis of §25(2) TDDDG in conjunction with Art. 6(1)(f) GDPR.

All other cookies and comparable technologies are activated only after your express consent via our HubSpot cookie banner (§25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR). You can withdraw your consent at any time via the “Cookie Settings” link in the footer of this website. On withdrawal, already-placed cookies in the relevant category are removed from your browser.

The HubSpot cookie banner separates processing into the following categories:

• Strictly necessary: technically required cookies (session ID, consent storage, security cookies).
• Analytics: audience measurement via Google Analytics 4 and HubSpot behavioural analytics.
• Advertisement: conversion measurement and remarketing (active only if advertising tools are connected).
• Functionality: storage of your language and display preferences.

Before you grant consent, all tools in the Analytics, Advertisement, and Functionality categories on our website are set to “denied” via Google Consent Mode v2 and the HubSpot doNotTrack API, so that no personal analytics data is collected.

Server Log Files

The provider of the pages automatically collects and stores information in server log files that your browser automatically transmits to us:

• browser type and browser version
• operating system used
• referrer URL
• hostname of the accessing computer
• time of the server request
• IP address

This data is not merged with other data sources. Collection is based on Art. 6(1)(f) GDPR. Log data is deleted or anonymised after 14 days.

HubSpot CRM, Marketing Hub, and CMS

We use HubSpot as a CRM system as well as for marketing automation and content management. Provider: HubSpot, Inc. (25 First Street, Cambridge, MA 02141, USA); European subsidiary: HubSpot Ireland Limited (1 Sir John Rogerson’s Quay, Dublin 2, Ireland).

CRM data is hosted in the EU data centre Frankfurt am Main. Specifically, we use the following HubSpot features:

HubSpot Forms: When you send us inquiries via the contact form, your details from the inquiry form, including the contact data you provide, are stored in our HubSpot CRM for the purpose of processing the inquiry and for follow-up questions. Legal basis: Art. 6(1)(b) GDPR for contractually motivated inquiries, otherwise Art. 6(1)(f) GDPR or Art. 6(1)(a) GDPR.

HubSpot Meeting Tool: Through our scheduling tool, you can book an appointment with us directly. The data you enter (name, email address, preferred appointment) is stored in the HubSpot CRM.

HubSpot tracking pixel and behavioural analytics: After your consent to the “Analytics” category, HubSpot sets its own cookies (including hubspotutk, __hstc, __hssc) to analyse user behaviour on our website. Before consent is granted, the HubSpot tracker is technically blocked via the doNotTrack API, so that no personal pageviews are processed.

HubSpot marketing automation: Subject to your consent (Art. 6(1)(a) GDPR) or for contractually motivated communication (Art. 6(1)(b) GDPR), we send targeted marketing messages and run workflows in HubSpot.

Data processing agreement and joint controllership: We have concluded a data processing agreement with HubSpot pursuant to Art. 28 GDPR. With regard to the tracking pixel and behavioural analytics, HubSpot is a joint controller pursuant to Art. 26 GDPR (Section 10 of the HubSpot DPA). The essential terms are available on request.

Third-country transfer: Primary storage in Frankfurt; support and logging data may be transmitted to the United States. Legal basis: EU-US Data Privacy Framework and supplementary EU Standard Contractual Clauses.

HubSpot privacy policy: https://legal.hubspot.com/privacy-policy

Attribution Tracking (UTM parameters and click identifiers)

When you reach our website via a campaign link (for example from a newsletter, an advertisement, or a social media post), and you have consented to the “Analytics” category, we capture the UTM parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term) along with the click identifiers gclid (Google Ads) and fbclid (Meta).

• Purpose: understanding which marketing channels bring visitors to us and optimising our campaigns.
• Legal basis: consent under Art. 6(1)(a) GDPR and §25(1) TDDDG for first-party cookie storage; legitimate interest under Art. 6(1)(f) GDPR for the subsequent analysis.
• Retention: first-touch cookie 90 days, last-touch cookie one session.
• Recipients: no transmission to third parties. Data is processed solely within our HubSpot contact record.

AI Referrer Detection

We detect whether you arrived from an AI search engine or AI chatbot (in particular ChatGPT, Perplexity, Claude, Gemini, Microsoft Copilot, Google AI Overviews) by inspecting the HTTP referrer.

• Purpose: measuring our reach via AI-powered search systems. The information is used solely for internal reporting and is not fed into automated decisions.
• Legal basis: legitimate interest under Art. 6(1)(f) GDPR for transient analysis. Where the information is persistently stored, consent under Art. 6(1)(a) GDPR and §25(1) TDDDG additionally applies.
• Retention: 90 days in the cookie; if linked to a contact record, included in the contact’s retention period.

HubSpot Custom Behavioural Events

When the “Analytics” category is enabled, we capture behavioural signals such as scroll depth, time on page, internal clicks, and FAQ interactions in order to improve content.

• Purpose: optimisation of content and user experience.
• Legal basis: consent under Art. 6(1)(a) GDPR and §25(1) TDDDG.
• Retention: 90 days.

Lead Scoring

Based on the signals captured under “HubSpot Custom Behavioural Events” and your interactions with our content, HubSpot calculates a lead score. This score serves only to inform our sales team. Any decision affecting you is made by a human. There is no solely automated decision-making within the meaning of Art. 22 GDPR.

You have the right to request information about your current lead score, to request correction, or to object to the processing. Please contact info@peppereffect.com.

Inquiries by Email or Phone

If you contact us by email or phone, your inquiry including all resulting personal data (name, inquiry) will be stored and processed by us for the purpose of handling your request. We do not share this data without your consent.

Processing is based on Art. 6(1)(b) GDPR if your inquiry is related to the performance of a contract or pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective processing of inquiries (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR).

5. Analytics Tools

Google Analytics 4 with Consent Mode v2

This website uses Google Analytics 4, provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), for statistical analysis of website usage. Collection occurs only after your consent to the “Analytics” category.

• Purpose: audience measurement, optimisation of content and user experience.
• Legal basis: consent under Art. 6(1)(a) GDPR and §25(1) TDDDG.
• Retention in GA4: 14 months.
• Reporting identity: device-based only; Google Signals and Google-signed advertising IDs are disabled.
• Redact data: enabled; sensitive URL parameters are filtered before storage.
• Third-country transfer: transmission to Google LLC in the United States on the basis of the EU-US Data Privacy Framework and supplementary EU Standard Contractual Clauses.

Google Consent Mode v2 is implemented on our website. Before you grant consent, all relevant Consent Mode parameters (ad_storage, analytics_storage, ad_user_data, ad_personalization, functionality_storage, personalization_storage) are set to “denied” and are only changed to “granted” upon consent. Without consent, no cookies are set and no personal data is transmitted to Google.

Data processing agreement: We have concluded a data processing agreement with Google (Google Ads Data Processing Terms).

Provider’s privacy notice: https://policies.google.com/privacy

Google Search Console

We use Google Search Console to analyse the search queries through which our website is found. The data is provided directly by Google and integrated into our reporting tools. No additional cookies are set on your device through this.

6. Plugins and Tools

Google Web Fonts (locally hosted)

This site uses Google Web Fonts for consistent typography. The Google Fonts are served locally through the HubSpot CMS (via the path /_hcms/googlefonts/). No direct connection to Google’s servers takes place; your IP address is not transmitted to Google.

External Libraries (CDN)

This website uses the JavaScript library “AOS” (Animate On Scroll) for scroll animations. This library is loaded via the CDN service unpkg.com, operated by Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA). As a result, your IP address is transmitted to Cloudflare.

Use is based on Art. 6(1)(f) GDPR. We have a legitimate interest in the correct display of animations on our website.

Cloudflare privacy information: https://www.cloudflare.com/privacypolicy/

7. Audio and Video Conferences

Zoom

For communication with our clients, we use Zoom. Provider: Zoom Video Communications, Inc. (55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, USA). If you participate in a Zoom meeting with us, your personal data is processed by Zoom and by us (name, email, phone number, conference metadata, IP address).

Transfer of data to the USA is based on the EU-US Data Privacy Framework; Zoom is certified under the DPF. EU Standard Contractual Clauses apply in addition. We have concluded a data processing agreement with Zoom pursuant to Art. 28 GDPR.

Note on AI features: Zoom offers optional AI-powered features (e.g., “Zoom AI Companion” for meeting summaries). We do not currently use these features actively. Should this change, we will update this privacy policy accordingly.

Zoom privacy details: https://explore.zoom.us/en/privacy/

8. Processing of Customer and Contract Data

We collect, process, and use personal data only insofar as it is necessary for the establishment, content design, or modification of the legal relationship (inventory data). This is done on the basis of Art. 6(1)(b) GDPR. We collect, process, and use personal data about the use of this website (usage data) only insofar as it is necessary to enable the user to use the service or to bill for it.

Customer data collected is deleted after completion of the contract or termination of the business relationship. Statutory retention periods remain unaffected.

9. Categories of Recipients

We share personal data with the following categories of recipients:

• Processors (Art. 28 GDPR): HubSpot Inc., Zoom Video Communications, Cloudflare (in the context of the unpkg.com CDN).
• Joint controllers (Art. 26 GDPR): HubSpot Inc. with regard to the HubSpot tracking pixel and behavioural analytics (Section 10 of the HubSpot DPA); Google Ireland Limited with regard to Google Analytics.

A complete list of our processors and joint controllers is available on request at info@peppereffect.com.

10. Note on the EU AI Act

peppereffect is a digital agency with a focus on AI-powered marketing solutions. For the sake of transparency, we would like to note that no AI systems with which visitors directly interact are used on this website itself. There is no chatbot, no automated decision system, and no AI-based customer communication tool on this website.

Where we use AI-powered tools internally (e.g., to support content creation, lead score calculation, or data analysis within our CRM system), this is always done under human supervision and without solely automated decision-making within the meaning of Art. 22 GDPR that directly affects you as a data subject.

We continuously monitor the requirements of the EU AI Act (Regulation (EU) 2024/1689) and will update this privacy policy as required.

Last updated: 13 May 2026