Privacy Policy

Pixel Font:On

Preamble

The protection of your personal data is of great importance to us. In this Privacy Policy, we provide you with transparent information about the type, scope, purpose, duration, and legal basis for the processing of personal data within the framework of our website.

I. Controller

Christian Strunk Leopoldstraße 3A 10317 Berlin Germany

Phone: +49 176 32536789 Email: legal@christianstrunk.com

Contact for data protection inquiries: legal@christianstrunk.com

II. Your Rights as a Data Subject

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR): You can request information about your data stored by us
  • Right to rectification (Art. 16 GDPR): You can request the correction of inaccurate data
  • Right to erasure (Art. 17 GDPR): You can request the deletion of your data
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR): You can object to the processing of your data
  • Right to withdraw consent (Art. 7(3) GDPR): You can withdraw any consent given at any time with effect for the future

Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your data.

Competent supervisory authority: Berlin Commissioner for Data Protection and Freedom of Information Friedrichstr. 219, 10969 Berlin https://www.datenschutz-berlin.de

III. Hosting and Technical Infrastructure

Vercel Inc. (USA)

Provider: Vercel Inc. 440 N Barranca Ave #4133 Covina, CA 91723, USA

Purpose: Provision and operation of our website, including Content Delivery Network (CDN)

Processed data:

  • IP address (processed for geolocation at city/country level, not stored in full)
  • Date and time of access
  • Pages accessed and data transferred
  • Browser type and version
  • Operating system
  • Referrer URL (previous website)
  • Hostname of the accessing computer

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the technically flawless and optimized operation of the website)

Balancing of interests: Our legitimate interest lies in the stable and secure operation of our website as well as in the fast delivery of content worldwide. Without hosting infrastructure, we cannot offer our services. Your interests are protected by minimizing data processing (geolocation only at city/country level, short retention period) and choosing a DPF-certified provider.

Special feature of IP processing: Vercel initially processes your IP address to determine city and country (no precise location determination). For analytics purposes, a hash value is created from request data, not the full IP address. Session data is automatically deleted after 24 hours.

Data processing agreement: Vercel acts as a processor pursuant to Art. 28 GDPR. Data processing is governed by the Terms of Service.

Retention period: Log data is automatically deleted after 7 days

Data transfer to third country (USA): Vercel is certified under the EU-US Data Privacy Framework (DPF). The transfer is based on the adequacy decision of the EU Commission for the DPF.

Further information: https://vercel.com/legal/privacy-policy

United Domains AG (Germany)

Provider: united-domains AG Gautinger Str. 10 82319 Starnberg, Germany

Purpose: Domain registration and DNS management

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating the website under its own domain)

Balancing of interests: Domain registration is technically essential to make our website accessible under a memorable name. Without domain management, a professional web presence is not possible. Data processing is limited to what is technically necessary.

Data processing agreement: United Domains acts as a processor pursuant to Art. 28 GDPR.

Further information: https://www.united-domains.de/datenschutz/

Ghost CMS (Blog)

Provider: Ghost Foundation 24 Raffles Place, #10-05 Singapore 048621

Purpose: Content management system for blog articles

Technical implementation: Ghost CMS is used as a headless CMS. Blog content is retrieved server-side via the Ghost Content API. No direct connection is established between your browser and the Ghost servers. No cookies or tracking scripts from Ghost are loaded on our website.

Processed data:

  • None (server-side integration only)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient content management)

Further information: https://ghost.org/privacy/

IV. Cookies and Tracking Technologies

Cookie Consent Management

Our website uses cookies. Cookies are small text files that are stored on your device and contain certain information.

Cookie banner: When you first visit our website, a cookie banner is displayed. You can grant or deny your consent for analytics cookies there.

Consent cookie:

  • Name: cookie_consent
  • Content: accepted or rejected
  • Retention period: 180 days (6 months)
  • Purpose: Storage of your cookie preferences
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest in user-friendly cookie management)

Essential Cookies (always active, no consent required)

The following cookies are strictly necessary for the technical operation of the website:

Cookie type Purpose Legal basis
Session cookies Maintaining connection during your visit Art. 6(1)(f) GDPR
CSRF tokens Protection against cross-site request forgery attacks Art. 6(1)(f) GDPR
Load balancing Technical distribution of requests (by Vercel) Art. 6(1)(f) GDPR

Analytics Cookies (with consent only)

Google Analytics 4 (GA4)

Provider: Google Ireland Limited Gordon House, Barrow Street Dublin 4, Ireland

Purpose: Statistical analysis of website usage, optimization of our offering

Processed data:

  • Anonymized IP address (no storage of complete IP addresses)
  • Page views and dwell time
  • Referrer pages
  • Device and browser information
  • Pseudonymized user ID

Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner)

Retention period: GA4 data is automatically deleted after 14 months

Data transfer to USA: Google is certified under the EU-US Data Privacy Framework (DPF). The transfer is based on the adequacy decision of the EU Commission for the DPF.

Withdrawal: You can withdraw your consent at any time via the cookie settings or install a browser add-on: https://tools.google.com/dlpage/gaoptout

Data processing agreement: Google acts as a processor pursuant to Art. 28 GDPR. Data processing is governed by the Google Ads Data Processing Terms.

Further information: https://policies.google.com/privacy

Microsoft Clarity

Provider: Microsoft Corporation One Microsoft Way Redmond, WA 98052, USA

Purpose: Behavioral analytics to understand how users interact with our website through heatmaps, session recordings, and usage statistics. This helps us improve user experience and website design.

Processed data:

  • Anonymized IP address
  • Mouse movements, clicks, and scrolls (heatmaps)
  • Session recordings (anonymized, sensitive data automatically masked)
  • Page views and navigation behavior
  • Device and browser information
  • Pseudonymized user identifier

Data minimization: Clarity automatically masks sensitive content such as form inputs and personal information in session recordings. No keystroke logging is performed on password fields.

Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner)

Retention period: Clarity data is retained for 30 days

Data transfer to USA: Microsoft is certified under the EU-US Data Privacy Framework (DPF). The transfer is based on the adequacy decision of the EU Commission for the DPF.

Withdrawal: You can withdraw your consent at any time via the cookie settings (click "Cookies" in the footer). When consent is withdrawn, Clarity will not be loaded and no further data will be collected.

Data processing agreement: Microsoft acts as a processor pursuant to Art. 28 GDPR. Data processing is governed by the Microsoft Online Services Terms.

Further information: https://clarity.microsoft.com/terms

YouTube Video Embeds (in enhanced privacy mode)

Provider: Google Ireland Limited Gordon House, Barrow Street Dublin 4, Ireland

Purpose: Embedding and display of video content

Processed data:

  • IP address (only during video playback)
  • Information about videos played
  • Interactions (play, pause, etc.)

Special feature – Enhanced privacy mode: We use YouTube in enhanced privacy mode (youtube-nocookie.com). In this mode, cookies and tracking mechanisms are only activated when you actually play a video. No data is transferred to YouTube when merely loading the page.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the multimedia presentation of our content). Your interest is protected by the privacy-friendly embedding, as data transfer only occurs after your active interaction.

Data transfer to USA: Google is certified under the EU-US Data Privacy Framework (DPF).

Further information: https://policies.google.com/privacy

V. Contact and Communication

Contact Form

When you use our contact form, the following data is processed:

Processed data:

  • Name
  • Email address
  • Message content
  • Time of inquiry

Data flow:

  1. Your data is processed via Make.com (s.r.o., Czech Republic)
  2. Storage in Google Spreadsheets and Airtable (see below)
  3. Forwarding by email via Gmail (Google Workspace)

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures at your request)

Retention period: Your contact inquiry will be stored until it has been fully processed, then retained for a further 6 months for documentation purposes and subsequently deleted (unless there are statutory retention obligations).

Google reCAPTCHA

To protect against spam and abuse, we use Google reCAPTCHA.

Provider: Google Ireland Limited Gordon House, Barrow Street Dublin 4, Ireland

Purpose: Distinguishing between human users and automated bots

Processed data:

  • IP address
  • Mouse movements and click behavior
  • Referrer URL
  • Browser and device information
  • Date and time of visit

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protection against spam and abuse)

Balancing of interests: Our legitimate interest lies in protecting our website and systems from automated abuse, spam, and fraud attempts. Without this protection, our contact forms would be dysfunctional. Your interests are protected by choosing an established, DPF-certified provider.

Data processing agreement: Google acts as a processor pursuant to Art. 28 GDPR.

Data transfer to USA: Google is certified under the EU-US Data Privacy Framework (DPF).

Further information: https://policies.google.com/privacy

VI. Booking System and Appointments

Google Calendar Appointment Scheduling

For appointment booking, we use Google Calendar Appointment Scheduling.

Provider: Google Ireland Limited Gordon House, Barrow Street Dublin 4, Ireland

Processed data:

  • First name
  • Last name
  • Email address
  • Selected appointment (date, time)

Integration: The booking widget is directly embedded in our website (iframe). When loading the page with the booking form, a connection to Google servers is established, even if you have not yet made a booking.

Legal basis: Art. 6(1)(b) GDPR (implementation of pre-contractual measures at your request)

Retention period: Your booking data is stored in our Google Workspace calendar and retained for a further 12 months after the appointment for documentation purposes.

Data processing agreement: Google acts as a processor pursuant to Art. 28 GDPR. Data processing is governed by the Google Workspace agreement.

Data transfer to USA: Google is certified under the EU-US Data Privacy Framework (DPF).

Further information: https://policies.google.com/privacy

Stripe (Payment Processing)

We use Stripe for payment processing.

Provider: Stripe Payments Europe Ltd. 1 Grand Canal Street Lower Grand Canal Dock, Dublin, Ireland

Purpose: Secure processing of payment transactions

Processed data:

  • Name
  • Email address
  • Payment data (credit card, SEPA, etc.)
  • Billing address
  • Transaction data

Legal basis: Art. 6(1)(b) GDPR (contract performance)

Retention period: Payment data is stored for the duration of statutory retention obligations (10 years according to German Commercial Code).

Data processing agreement: Stripe Payments Europe Ltd. acts as a processor pursuant to Art. 28 GDPR. Data processing is governed by the Stripe Data Processing Addendum.

Data transfer to USA: Stripe Payments Europe Ltd. (Ireland) is our contractual partner. The technical payment infrastructure (e.g., fraud detection, payment processing) may include US servers. Stripe is certified under the EU-US Data Privacy Framework (DPF).

Further information: https://stripe.com/privacy

VII. Newsletter and Email Marketing

MailerLite

We use MailerLite for sending our newsletter.

Provider: UAB "MailerLite" J. Basanavičiaus g. 15 LT-03108 Vilnius, Lithuania

Purpose: Sending newsletters with information about our coaching services

Processed data:

  • Email address
  • First and last name (optional)
  • Time of registration
  • Opening and click behavior (anonymized)

Registration procedure (double opt-in): After your registration, you will receive a confirmation email. You will only be added to the newsletter distribution list after clicking the confirmation link.

Legal basis: Art. 6(1)(a) GDPR (consent through double opt-in)

Withdrawal: You can withdraw your consent at any time:

Retention period: Your data will be stored until you unsubscribe from the newsletter.

Data processing agreement: MailerLite acts as a processor pursuant to Art. 28 GDPR. Data processing is governed by the MailerLite Terms of Service.

Further information: https://www.mailerlite.com/legal/privacy-policy

VIII. Internal Data Management

Google Spreadsheets (Google Workspace)

Provider: Google Ireland Limited Gordon House, Barrow Street Dublin 4, Ireland

Purpose: Management of customer data, bookings, and business processes

Processed data:

  • Contact details (name, email, phone)
  • Booking information
  • Communication history

Recipients: The data is only accessible to the controller (Christian Strunk) and any commissioned processors (Google, Airtable).

Legal basis: Art. 6(1)(b) GDPR (implementation of pre-contractual measures and contract performance for existing coaching clients)

Retention period: Customer data is stored for the duration of the business relationship and for a further 3 years after its end for documentation purposes and to fulfill statutory retention obligations.

Data processing agreement: Google acts as a processor pursuant to Art. 28 GDPR. Data processing is governed by the Google Workspace agreement.

Data transfer to USA: Google is certified under the EU-US Data Privacy Framework (DPF).

Further information: https://policies.google.com/privacy

Airtable

Provider: Airtable, Inc. 799 Market Street, 8th Floor San Francisco, CA 94103, USA

Purpose: Management of customer data, bookings, and business processes

Processed data:

  • Contact details (name, email, phone)
  • Booking information
  • Communication history

Recipients: The data is only accessible to the controller (Christian Strunk) and any commissioned processors (Google, Airtable).

Legal basis: Art. 6(1)(b) GDPR (implementation of pre-contractual measures and contract performance for existing coaching clients)

Retention period: Customer data is stored for the duration of the business relationship and for a further 3 years after its end for documentation purposes and to fulfill statutory retention obligations.

Data processing agreement: Airtable acts as a processor pursuant to Art. 28 GDPR. Data processing is governed by the Airtable Data Processing Addendum.

Data transfer to USA: The transfer is based on Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR. Airtable is certified under the EU-US Data Privacy Framework (DPF).

Further information: https://www.airtable.com/privacy

Make.com (Automation)

Provider: Make.com s.r.o. Klimentská 46 110 00 Praha 1, Czech Republic

Purpose: Automation of business processes (e.g., forwarding contact form data)

Processed data:

  • All data processed through automated processes (e.g., contact form entries)

Legal basis: Art. 6(1)(b) GDPR (implementation of pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in efficient process automation)

Data processing agreement: Make.com acts as a processor pursuant to Art. 28 GDPR. Data processing is governed by the Make.com Terms of Service.

Data transfer to USA: Make.com processes data primarily in the EU (data centers in Germany/Czech Republic). For certain integrations, data may be transferred to the USA. The transfer is based on Standard Contractual Clauses (SCC) pursuant to Art. 46 GDPR.

Further information: https://www.make.com/en/privacy-notice

IX. Social Media and External Links

Social Media Links

Our website contains links to the following social media platforms:

  • Twitter/X (X Corp., USA)
  • YouTube (Google Ireland Limited)
  • LinkedIn (LinkedIn Ireland Unlimited Company)
  • Spotify (Spotify AB, Sweden)

Important notice: These are pure links without direct integration. When you click on these links, you will be redirected to the respective external platform. No social media plugins or buttons are integrated that would already transfer data when loading our website.

The processing of data on the linked platforms is subject to the privacy policies of the respective providers.

X. Data Security

We implement technical and organizational security measures to protect your data against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons.

Technical measures:

  • SSL/TLS encryption for the entire website
  • Regular security updates
  • Access restrictions to backend systems
  • Encrypted data transfer for all third-party services

XI. Currency and Changes to this Privacy Policy

This Privacy Policy is currently valid and has the status: December 4, 2025

Due to the further development of our website or due to changed legal or regulatory requirements, it may become necessary to change this Privacy Policy. The current Privacy Policy can be accessed on our website at any time.

Play The Product Game

START GAME