Privacy Policy

The German version is legally authoritative.

Last updated: 30 June 2026

Controller

Elisa Klatt
Fritz-Kirsch-Zeile 15
12459 Berlin
Germany

Email address: hello@body-confidence.me

Overview of processing operations

The following overview summarises the types of data processed, the purposes of their processing, and the data subjects concerned.

Types of data processed

  • Inventory data.
  • Contact data.
  • Usage data.
  • Meta, communication and procedural data.
  • Log data.

Categories of data subjects

  • Service recipients and clients.
  • Communication partners.
  • Users.

Purposes of processing

  • Communication.
  • Security measures.
  • Direct marketing.
  • Provision of our online offer and user-friendliness.
  • Information technology infrastructure.

Relevant legal bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection requirements may apply in your or our country of residence or domicile. Should more specific legal bases be relevant in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6(1)(a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Legal obligation (Art. 6(1)(c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that the interests, fundamental rights and freedoms of the data subject requiring the protection of personal data do not override those interests.

National data protection provisions in Germany: In addition to the data protection provisions of the GDPR, national data protection provisions apply in Germany. These include in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which contains special provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, transmission, and automated decision-making in individual cases including profiling. Furthermore, the data protection laws of the individual federal states may apply.

Security measures

In accordance with the legal requirements, and taking into account the state of the art, the cost of implementation, and the nature, scope, circumstances and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, by controlling access to, input of and disclosure of the data, and by ensuring its availability and separation. Furthermore, we have established procedures to ensure the exercise of data subjects' rights, the erasure of data, and responses to threats to the data. We also take the protection of personal data into account as early as the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default.

Securing online connections using TLS/SSL encryption technology (HTTPS): To protect the data of users transmitted via our online services from unauthorised access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thereby protecting the data from unauthorised access.

Transfer of personal data

In the course of our processing of personal data, it may happen that the data is transferred to, or disclosed to, other entities, companies, legally independent organisational units or persons. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are embedded in a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.

General information on data retention and erasure

We erase personal data that we process in accordance with the legal provisions as soon as the underlying consents are withdrawn or there are no further legal bases for the processing. This applies in cases where the original purpose of the processing no longer applies or the data is no longer required. Exceptions to this rule apply where statutory obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons, must be archived accordingly.

Where several retention periods or erasure deadlines are specified for a piece of data, the longest period is always decisive. Data that is no longer retained for its originally intended purpose, but is retained due to legal requirements or other reasons, is processed exclusively for the reasons that justify its retention.

Rights of data subjects

Rights of data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:

  • Right to object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw consent given at any time.
  • Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to obtain access to that data, as well as further information and a copy of the data in accordance with the legal requirements.
  • Right to rectification: In accordance with the legal requirements, you have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you.
  • Right to erasure and restriction of processing: In accordance with the legal requirements, you have the right to request that data concerning you be erased without delay, or alternatively to request a restriction of the processing of the data.
  • Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format, or to request its transmission to another controller, in accordance with the legal requirements.
  • Complaint to a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

Provision of the online offer and web hosting

We process users' data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

  • Types of data processed: Usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, parties involved); log data (e.g. log files concerning logins or the retrieval of data or access times).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing and legitimate interests: Provision of our online offer and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices); security measures.
  • Retention and erasure: Erasure in accordance with the information in the section "General information on data retention and erasure".
  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing operations, procedures and services:

  • Netlify (hosting and delivery of the website): Our website is provided and delivered via the hosting and content delivery infrastructure of Netlify. When the website is accessed, technically necessary data such as the user's IP address is processed; Service provider: Netlify, Inc., 101 2nd Street, San Francisco, CA 94105, USA; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.netlify.com; Privacy policy: https://www.netlify.com/privacy/. Data processing agreement: A data processing agreement has been concluded. Basis for third-country transfer: As data (in particular server log files containing IP addresses) may also be processed in the USA, the transfer is based on the EU Standard Contractual Clauses (SCC) pursuant to Implementing Decision (EU) 2021/914 as well as – where applicable – the EU-U.S. Data Privacy Framework (DPF).
  • Collection of access data and log files: Access to our online offer is logged in the form of so-called "server log files". Server log files may include the address and name of the web pages and files accessed, the date and time of access, the volume of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. Server log files may be used, on the one hand, for security purposes, e.g. to avoid overloading the servers (in particular in the case of abusive attacks, known as DDoS attacks), and, on the other hand, to ensure the utilisation and stability of the servers; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Erasure of data: Log file information is stored for a maximum of 30 days and then erased or anonymised. Data whose further retention is required for evidentiary purposes is exempt from erasure until the respective incident has been finally clarified.

Newsletter and electronic notifications

We send newsletters, emails and other electronic notifications (hereinafter "newsletter") only with the consent of the recipients or on a legal basis. As part of signing up for our waitlist, we collect only your email address and – optionally – the indication of which location or format (Online, Berlin or Tenerife) you are interested in. This information is used to send you relevant and suitable information.

Sign-up via the double opt-in procedure: Registration for our waitlist takes place using the so-called double opt-in procedure. This means that, after signing up, you receive an email asking you to confirm your registration. This confirmation is necessary so that no one can register using someone else's email address. Registrations for the waitlist are logged in order to be able to demonstrate the sign-up process in accordance with the legal requirements. This includes storing the time of registration and confirmation. Changes to your data stored with the email service provider are also logged.

No separate storage: The data entered in the sign-up form is not stored in a database of our own, but is transmitted directly to our email service provider Brevo and processed exclusively there.

Erasure and restriction of processing: We may store the unsubscribed email addresses for up to three years on the basis of our legitimate interests before erasing them, in order to be able to demonstrate consent previously given. The processing of this data is restricted to the purpose of a potential defence against claims. An individual request for erasure is possible at any time, provided that the former existence of consent is confirmed at the same time.

  • Types of data processed: Contact data (email address); usage data (indication of interest in a location or format: Online, Berlin or Tenerife); meta, communication and procedural data (time of registration and confirmation to demonstrate consent in the double opt-in procedure).
  • Data subjects: Communication partners.
  • Purposes of processing and legitimate interests: Direct marketing (e.g. by email).
  • Legal bases: Consent (Art. 6(1)(a) GDPR).
  • Opt-out option: You can cancel the receipt of our newsletter at any time, i.e. withdraw your consent or object to further receipt. You will find a link to cancel the newsletter either at the end of each newsletter or you can otherwise use one of the contact options given above, preferably email, for this purpose.

Further information on processing operations, procedures and services:

  • Brevo (sending and management of the waitlist): Sending of emails and newsletters as well as management of our waitlist via the Brevo platform. Service provider: Sendinblue SAS (trading as "Brevo"), 17 rue Salneuve, 75017 Paris, France; Legal bases: Consent (Art. 6(1)(a) GDPR) and legitimate interests in an efficient and secure sending system (Art. 6(1)(f) GDPR); Website: https://www.brevo.com; Privacy policy: https://www.brevo.com/legal/privacypolicy/. Data processing agreement: A data processing agreement has been concluded. Processing takes place on servers within the European Union.
  • Anonymised measurement of open and click rates: Our newsletters allow a statistical evaluation of whether and when they are opened and which links are clicked. For this we use the "anonymous tracking" feature of our email service provider Brevo. Identifying information – in particular the IP address and the email address – is anonymised, and opens and clicks are not assigned to individual recipients. We evaluate only aggregate open and click rates; no personal usage profiles are created and no segmentation based on the behaviour of individual recipients takes place; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Changes and updates

We ask you to inform yourself regularly about the content of our privacy policy. We adapt the privacy policy as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.

Where we provide addresses and contact information of companies and organisations in this privacy policy, please note that the addresses may change over time and we ask you to check the details before contacting them.

Definitions of terms

In this section you will find an overview of the terms used in this privacy policy. Where the terms are defined by law, their legal definitions apply. The following explanations, however, are primarily intended to aid understanding.

  • Inventory data: Inventory data comprises essential information necessary for the identification and administration of contractual partners, user accounts, profiles and similar associations. This data may include, among other things, personal and demographic information such as names, contact information (addresses, telephone numbers, email addresses), dates of birth and specific identifiers (user IDs). Inventory data forms the basis for any formal interaction between persons and services, facilities or systems by enabling a clear assignment and communication.
  • Content data: Content data comprises information generated in the course of creating, editing and publishing content of all kinds. This category of data may include texts, images, videos, audio files and other multimedia content published on various platforms and media. Content data is not limited to the actual content but also includes metadata that provides information about the content itself, such as tags, descriptions, author information and publication dates.
  • Contact data: Contact data is essential information that enables communication with persons or organisations. It includes, among other things, telephone numbers, postal addresses and email addresses, as well as means of communication such as social media handles and instant messaging identifiers.
  • Meta, communication and procedural data: Meta, communication and procedural data are categories that contain information about the way in which data is processed, transmitted and managed. Metadata, also known as data about data, comprises information that describes the context, origin and structure of other data. Communication data captures the exchange of information between users via various channels, such as email traffic, messages in social networks and chat histories, including the parties involved, time stamps and transmission paths.
  • Usage data: Usage data refers to information that records how users interact with digital products, services or platforms. This data comprises a wide range of information showing how users use applications, which functions they prefer, how long they spend on certain pages and which paths they navigate through an application. Usage data may also include the frequency of use, time stamps of activities, IP addresses, device information and location data.
  • Personal data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Log data: Log data is information about events or activities that have been logged in a system or network. This data typically contains information such as time stamps, IP addresses, user actions, error messages and other details about the use or operation of a system.
  • Controller: The "controller" is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: "Processing" is any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and covers practically any handling of data, whether it is collection, evaluation, storage, transmission or erasure.

Created with the free Datenschutz-Generator.de by Dr. Thomas Schwenke