Data Privacy Policy

1. Controller (Art. 4 No. 7 GDPR)

Data controller

Fifth Axis – Christopher Michailov-Lee
Address:
[Street + No.]
818xx Munich, Germany
Email:[email protected]
Telephone: +49 (0)89 xxx xxxx

Fifth Axis is a sole proprietorship registered in Munich. All references to “we”, “our” or “us” below mean Fifth Axis.

Data Protection Officer (DPO): As a micro-enterprise with fewer than 20 employees who regularly process personal data, we are not legally obliged to appoint a DPO (§ 38 BDSG). All privacy inquiries may be directed to the controller details above.

2. Categories of Personal Data We Process

• Context
• Typical data points
• Website & server logs
• IP address, referrer, time stamp, user-agent, requested URL
• Cookies & similar tech
  Pseudonymous identifiers, consent status, analytics metrics (see § 9)
• Contact / inquiry forms
• Name, company, email, phone, message content
• Client onboarding
  Billing address, VAT ID/tax ID, project brief, contract metadata
• Project collaboration
  Drafts, design assets, notes, meeting recordings (if applicable)
• Payment processing
  Invoice data, bank details, transaction IDs
• Marketing (optional)
  Newsletter opt-in data, click-through rates
   

3. Purposes & Legal Bases (Art. 6 GDPR)

Purpose: Legal basis

• Contract initiation & fulfilment - Art. 6 (1)(b) GDPR
• Responding to general inquiries - Art. 6 (1)(f) GDPR – legitimate interest in business communications
• Invoicing & statutory record-keeping - Art. 6 (1)(c) GDPR (German tax & commercial law)
• Web analytics & performance
  • Consent – Art. 6 (1)(a) GDPR + § 25 (1) TTDSGcookieyes.com
  • Security (e.g., log retention, fraud prevention) - Art. 6 (1)(f) GDPR
  • Marketing e-mails - Art. 6 (1)(a) GDPR (double-opt-in; right to withdraw anytime)
• Compliance with legal claims - Art. 6 (1)(f) & Art. 9 (2)(f) GDPR

4. Recipients & Processing in Third Countries

We use vetted service providers (hosting, cloud storage, e-mail, payment, analytics). They act as processors under Art. 28 GDPR and are bound by contractual data-processing agreements (DPAs).

Where providers are located outside the EU/EEA (e.g., in the United States), we rely on one of an adequacy decision under the EU-U.S. Data Privacy Framework (July 10 2023) dataprivacyframework.gov, or
the European Commission’s Standard Contractual Clauses (2021/914/EU) with supplementary safeguards.

5. International Data Transfers & the EU Data Act

From 12 September 2025, the new EU Data Act will impose additional rules on transfers of certain non-personal data. Fifth Axis will assess and, where relevant, adapt its contracts and technical measures to comply before that date. (digital-strategy.ec.europa.euTechGDPR)

6. Retention Periods

• Data set -30 days unless required for incident investigation 
• Retention rule - 30 days unless required for incident investigation
• Server log files - 30 days unless required for incident investigation 
• Contract / invoice data -10 years (§§ 147 AO, 257 HGB)
• Project files - 5 years after final delivery (legitimate interest in reference & defence of claims)
• Marketing opt-in - Until withdrawal or inactivity for 24 months
• Cookies - See Cookie Table (§ 9)

7. Your Rights (Art. 15-22 GDPR)

• Access to your data
• Rectification of inaccuracies
• Erasure (“right to be forgotten”)
• Restriction of processing
• Data portability
• Objection to processing based on Art. 6 (1)(e) or (f) GDPR, incl. direct marketing
• Withdraw consent at any time (affects future processing only)
• Lodge a complaint with a supervisory authority
• Supervisory authority competent for Fifth Axis:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
Tel.: +49 981 180093-0
E-Mail: [email protected]

8. Security Measures (Art. 32 GDPR)

• TLS 1.3 encryption for all web traffic
  ISO 27001-certified EU data-centre hosting
• Role-based access & MFA for cloud services
• Regular backups and vulnerability patching
• Confidentiality agreements with staff and freelancers

9. Cookies & Similar Technologies

We use a GDPR- and TTDSG-compliant consent banner. Non-essential cookies load only after opt-in. You can change your preferences at any time via the “Cookie Settings” link in the footer.

Cookie type : Essential (e.g., session ID)
Purpose: Site operation, security
Session / ≤ 24 h
§ 25 (2) TTDSG / Art. 6 (1)(f)
Analytics (e.g., Matomo / GA4 - IP-anonymised)
Audience insights, UX improvement
Lifespan: 13 months
Legal basis:

• Art. 6 (1)(a) GDPR
  Marketing (optional)
  Measure campaign success
  ≤ 6 months
• Art. 6 (1)(a) GDPR
  Marketing (optional)
  Measure campaign success
  ≤ 6 months
• Art. 6 (1)(a) GDPR
  Browser settings allow you to refuse all cookies; essential functions may then be limited.

 
10. Automated Decision-Making / Profiling

We do not use automated decision-making that produces legal effects or similarly significant impacts within the meaning of Art. 22 GDPR, nor do we engage in high-risk AI profiling.

11. Children’s Privacy

Our services target professionals and businesses. We do not knowingly collect data from children under 16. If we learn that a child’s data was provided without parental consent, we will delete it promptly.

12. External Links & Social Media

Our website may link to external sites (e.g., LinkedIn). Once you leave our domain, their own privacy notices apply. Where we maintain social-media pages, the platform operator and Fifth Axis act as joint controllers for page-insights data (Art. 26 GDPR); see the respective platform’s addendum.

13. Updates to This Privacy Policy

This policy was last updated 1 June 2025. Future changes (e.g., due to legal updates like the BDSG amendment currently under parliamentary review) will be published here; significant changes will be announced via the website banner or e-mail.

 
14. Contact

Questions? Reach our privacy contact at [email protected] or by post to the address in § 1.