DATA PRIVACY POLICY
Effective Date: April 1, 2024
1. INTRODUCTION AND SCOPE
We, Xentra Consulting, represented by Andreas Romberg, Hamburger Straße 180, 22083 Hamburg, Germany (hereinafter referred to as Xentra, we, or us), take the protection of your personal data seriously.
This Data Privacy Policy explains what personal data we collect from both online (website) and offline (consulting engagements, perception audits, interviews, and more) interactions, how we use, share, and protect this data, and your rights under the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
We process personal data in accordance with the GDPR and, where applicable, the BDSG. This policy applies to visitors to our website, clients and prospective clients, business contacts and partners, and participants in perception audits, research, and other consulting activities.
Our website uses an active cookie banner to obtain your consent for cookie usage. By continuing to browse our website without adjusting your cookie settings, you agree to the collection and processing of data in accordance with this policy. You may adjust your cookie preferences at any time via the cookie banner or the Cookie Settings link provided.
2. TYPES OF DATA COLLECTED
Xentra Consulting collects personal data in various ways, both online (through our website) and offline (through consulting engagements, perception audits, interviews, and similar activities). The categories of data we may collect include, but are not limited to, the following:
2.1 Website-Related Data
• Contact Form Data: When you submit inquiries or requests through our website, we collect your name, email address, phone number (optional), and any additional information you voluntarily provide in the message field.
• Log Files: Our server automatically receives and records information from your browser, such as your IP address, browser type, operating system, referring URLs, pages viewed, and access times.
• Cookies and Tracking Technologies: We use first-party and third-party cookies, web beacons, and similar technologies to enhance your user experience and analyze website performance. Details are provided in the Cookies and Tracking section of this policy.
2.2 Consulting Engagement Data
• Client Contact Information: May include business name, postal address, email address, phone number, and other relevant business details necessary for project communication.
• Contract and Billing Information: We issue invoices directly and typically receive payments via wire transfer or bank transfer. Banking details, billing addresses, and VAT ID numbers may be collected for invoicing and contractual purposes.
• Project-Specific Details: Depending on the scope of the consulting engagement, we may collect documentation, strategic plans, or other proprietary business information you share to facilitate our services.
2.3 Perception Audits and Research Data
• Interview and Survey Responses: During perception audits (for example, interviews with employees, stakeholders, or external parties), we collect qualitative and quantitative data, such as feedback, opinions, and experiences relating to the client’s organization.
• Recordings and Transcripts: With appropriate consent, we may record audio or video interviews. The resulting recordings, transcripts, and summaries are considered confidential research data (see our AGB for details on Intellectual Property and Confidentiality).
• Analysis and Insights: We compile and analyze data to generate aggregated or anonymized findings. These findings do not reveal the identity of individual respondents unless otherwise agreed or legally required.
2.4 Communication and Correspondence
We collect and store emails or other messages sent to us (for example, via LinkedIn or instant messaging) to respond to inquiries, follow up on engagements, and keep records of client interactions.
2.5 Special Categories of Personal Data
We do not seek to collect or process special categories of personal data (such as health information, political opinions, religious beliefs, or biometric data). Should there be a need to process such data, we will obtain explicit consent or ensure another valid legal basis under the GDPR.
3. LEGAL BASIS FOR PROCESSING
We process personal data in accordance with the GDPR and, where applicable, the BDSG. The relevant legal bases under Article 6(1) GDPR include:
• Performance of a Contract (Article 6(1)(b) GDPR): Data processing is necessary to enter into or fulfill our contractual obligations (for example, consulting services, perception audits, or invoicing).
• Legitimate Interests (Article 6(1)(f) GDPR): We process data to pursue our legitimate interests, such as internal administration, service improvement, website security, or marketing and outreach (for example, contacting potential customers and sending marketing communications, as permitted by law). We ensure that your interests or fundamental rights do not override our legitimate interests, and you may opt out of marketing communications at any time.
• Consent (Article 6(1)(a) GDPR): Where you actively provide consent (for example, by agreeing to participate in audio or video-recorded interviews or opting in to certain cookies), we process your personal data on this basis. You have the right to withdraw consent at any time with future effect.
• Legal Obligations (Article 6(1)(c) GDPR): We may process your data to comply with legal obligations under European Union or Member State law (for example, tax or accounting requirements).
• Protection of Vital Interests (Article 6(1)(d) GDPR): In rare cases, we may process personal data to protect your vital interests or those of another individual (for example, a medical emergency during an on-site consultation).
4. SHARING OF DATA
We treat your personal data confidentially and do not sell or rent it to third parties. However, we may share data with the following categories of recipients when necessary:
• Service Providers and Sub-Processors:
– Hosting and marketing platform (HubSpot) for our website and marketing functionalities.
– AI-based analysis and transcription tools, preferably hosted on private servers in the EEA, for perception audits and related activities.
– Future vendors for marketing, sales automation, or data processing, subject to contractual obligations to process data only on our behalf and in accordance with this policy.
• Confidentiality of Research Data:
Raw interview data, transcripts, or confidential research findings are only disclosed to third parties if strictly necessary for data processing under confidentiality agreements. Raw data remains the exclusive property of Xentra Consulting as outlined in our AGB.
• Legal or Regulatory Requirements:
We may disclose personal data when required by law or in response to lawful requests by public authorities (for example, tax and finance regulations, or protecting our rights and safety).
• Business Transactions:
In the event of a sale, merger, or reorganization of all or part of our business, personal data relevant to the transaction may be transferred to the acquiring entity or its advisors under suitable confidentiality measures.
• International Data Transfers:
We strive to store and process personal data within the European Economic Area (EEA). If data is transferred outside the EEA, we ensure an adequate level of data protection through standard contractual clauses or other lawful transfer mechanisms.
• Client-Requested Disclosures:
Where a client requests the disclosure of certain project findings to designated third parties, we will do so only with explicit instructions and subject to confidentiality obligations.
5. DATA RETENTION
We retain personal data only for as long as it is necessary to fulfill the purpose for which it was collected or to comply with legal requirements.
• Contractual Data:
Information related to consulting engagements, perception audits, and invoicing is retained for the duration of the contract and in accordance with applicable commercial and tax regulations (typically 6–10 years under German law).
• Interview and Research Data:
Audio or video recordings, transcripts, and related findings are retained for as long as needed to complete the consulting project and provide deliverables. After project completion, data may be stored if required for legal documentation or future follow-up projects. If it is no longer needed or if the client requests deletion (and no other legal basis applies), we will delete or anonymize it.
• Website-Related Data:
Log files are typically stored for 14 to 90 days for security and troubleshooting. Cookies are retained according to their type and your preferences; session cookies expire when you close your browser, while persistent cookies remain until their defined expiry or manual deletion.
• Marketing Communications:
Data used for marketing is retained until you opt out or until it is no longer needed for its original purpose.
6. YOUR RIGHTS UNDER THE GDPR
Under the GDPR, you have the following rights regarding your personal data:
• Right of Access (Article 15 GDPR):
Request confirmation of whether we process your personal data and obtain a copy and relevant details of how and why we use it.
• Right to Rectification (Article 16 GDPR):
Request the correction of inaccurate or incomplete personal data.
• Right to Erasure (Article 17 GDPR):
Request deletion (also known as the right to be forgotten) if data is no longer needed or if processing is unlawful. This right may be limited by legal obligations.
• Right to Restrict Processing (Article 18 GDPR):
Request restriction of processing if you contest the accuracy of data or object to our processing.
• Right to Data Portability (Article 20 GDPR):
Where processing is based on consent or contract and carried out by automated means, request to receive personal data in a structured, machine-readable format and transmit it to another controller.
• Right to Object (Article 21 GDPR):
Object to processing based on our legitimate interests, unless we demonstrate compelling legitimate grounds or need the data for legal claims.
• Right to Withdraw Consent (Article 7(3) GDPR):
If processing is based on consent, withdraw it at any time with future effect.
• Right to Lodge a Complaint (Article 77 GDPR):
File a complaint with a supervisory authority if you believe your rights have been violated.
7. SECURITY MEASURES
We use technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These include:
• Secure hosting with platforms such as HubSpot, which provide GDPR-compliant infrastructure
• Cloud storage via Microsoft 365 Business, offering encryption at rest and in transit, role-based access controls, and robust authentication methods
• VPN usage for remote access to ensure encrypted connections
• Access control and authorization, limiting data access to authorized personnel with a legitimate need
• Periodic training and guidance for staff to ensure responsible data handling
8. COOKIES AND TRACKING TECHNOLOGIES
Our website uses cookies and similar tracking technologies for user experience, analytics, and marketing:
• Types of Cookies
– Essential: Necessary for site functionality.
– Analytics: Help us understand user behavior to improve the site.
– Marketing/Advertising: Track browsing habits to show more relevant ads or to measure campaign effectiveness.
• Cookie Consent
An active cookie banner appears on our site. By continuing without changing settings, you consent to our use of cookies as described here. You may adjust cookie preferences through your browser or via our Cookie Settings link.
• Third-Party Analytics and Tools
We use HubSpot, which may collect page views, form submissions, and navigation data. Other tools may be introduced in the future, in compliance with the GDPR, and we will update this policy as needed.
• Legal Basis
Essential cookies rely on our legitimate interest (Article 6(1)(f) GDPR) in providing a functional website. Analytics and marketing cookies are based on your consent (Article 6(1)(a) GDPR), which you may withdraw at any time.
9. CONTACT INFORMATION
If you have questions, concerns, or wish to exercise your rights regarding the processing of your personal data, please contact us:
Xentra Consulting
Andreas Romberg
Hamburger Straße 180
22083 Hamburg
Germany
Email: info@xentraconsulting.com
10. CHANGES TO THIS DATA PRIVACY POLICY
We reserve the right to update or modify this Data Privacy Policy at any time to reflect changes in our data practices or legal obligations. The Effective Date at the top of this policy indicates when the latest revisions were made. We encourage you to review this policy periodically to stay informed about how we protect your personal data.
FINAL SUMMARY
By using our website or engaging our consulting services, you acknowledge that you have read and understood this Data Privacy Policy and that you agree to the collection, use, and sharing of your personal data as described here. If you do not agree with any aspect of this policy, please discontinue using our website or services and contact us to address your concerns.