Wexel Consulting

    Privacy Policy

    Last updated: March 2026

    1. Controller

    The controller responsible for data processing on this website within the meaning of Art. 4 No. 7 GDPR is:

    Andrea Wexel Wexel Consulting Kieselweg 4 22395 Hamburg Germany Email: [email protected]

    No data protection officer has been appointed. Andrea Wexel operates as a sole trader with no employees engaged in automated data processing. The appointment of a data protection officer is not required under Art. 37 GDPR or §38 BDSG.

    2. General principles

    Wexel Consulting takes the protection of your personal data seriously. Personal data is processed only where a legal basis exists under Art. 6 GDPR. This website does not use tracking technologies, advertising networks, analytics services, or third-party scripts beyond the infrastructure services described below. No cookie consent banner is required because no non-essential cookies are set by this website.

    3. Hosting and content delivery (Cloudflare)

    This website is delivered via the content delivery network and security infrastructure of Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA (European subsidiary: Cloudflare Germany GmbH, Rosental 7, 80331 Munich).

    Cloudflare operates as a reverse proxy for all website traffic. When you visit this website, your connection is routed through Cloudflare's network. In this process, Cloudflare processes the following data in particular: IP address of the visiting device, browser type and version, operating system, referrer URL, pages accessed, date and time of access, and security-relevant request characteristics.

    Cloudflare uses this data to provide the services of DDoS protection, bot management, performance optimisation, and secure delivery of website content. Cloudflare may set technically necessary cookies (in particular __cf_bm for bot management). These cookies are strictly necessary for the security and integrity of the website and do not require consent under §25 Abs. 2 TTDSG.

    A Data Processing Agreement (Art. 28 GDPR) has been concluded with Cloudflare. Data is transferred to the USA. Cloudflare is certified under the EU-U.S. Data Privacy Framework (DPF), which provides an adequate level of data protection pursuant to the European Commission's adequacy decision of July 2023, upheld by the EU General Court in September 2025. Additionally, Standard Contractual Clauses (SCCs) apply.

    Legal basis: Art. 6 Abs. 1 lit. f GDPR — legitimate interest in operating a secure and performant website and protecting against attacks.

    For further information, see Cloudflare's privacy policy at https://www.cloudflare.com/privacypolicy/ and the DPA at https://www.cloudflare.com/cloudflare-customer-dpa/.

    4. Server log files

    In addition to the data processed by Cloudflare, the web server automatically records so-called server log files with each page access. These contain: IP address of the requesting device, date and time of access, name and URL of the retrieved file, website from which access was made (referrer), browser type and version, and operating system.

    This data is technically necessary for the stable and secure operation of the website. It is not merged with other data sources and is not used to draw conclusions about individual persons.

    Legal basis: Art. 6 Abs. 1 lit. f GDPR — legitimate interest in the security and technical operation of the website.

    Retention period: Log data is deleted automatically after 7 to 30 days at the latest.

    5. Contact form

    This website provides a contact form through which you can send an enquiry. When you use the contact form, the following data is transmitted and stored: name, email address, company (optional), subject, and the content of your message. Additionally, the date and time of transmission and your IP address are recorded.

    This data is processed exclusively for the purpose of processing and responding to your enquiry. It will not be passed on to third parties without your express consent.

    Legal basis: Art. 6 Abs. 1 lit. f GDPR (legitimate interest in responding to business enquiries). Where the enquiry is directed towards initiating a contractual relationship, Art. 6 Abs. 1 lit. b GDPR applies additionally (processing necessary for the performance of pre-contractual measures).

    Retention period: Your data will be deleted as soon as your enquiry has been conclusively processed and there is no legal obligation to retain it. As a general rule, data from business enquiries is retained for up to three years in light of standard commercial limitation periods, unless a longer statutory retention period applies (e.g., six or ten years for commercially relevant correspondence under §§ 238, 257 HGB).

    6. Your rights as a data subject

    You have the following rights under the GDPR with respect to personal data concerning you:

    Right of access (Art. 15 GDPR): You have the right to obtain confirmation as to whether personal data concerning you is being processed, and if so, to receive a copy of that data.
    Right to rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate data and the completion of incomplete data.
    Right to erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you have withdrawn consent, or where other conditions are met.
    Right to restriction of processing (Art. 18 GDPR): You have the right to request that processing be restricted in certain circumstances.
    Right to data portability (Art. 20 GDPR): Where processing is based on consent or a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format.
    Right to object (Art. 21 GDPR): Where processing is based on legitimate interests (Art. 6 Abs. 1 lit. f GDPR), you have the right to object at any time on grounds relating to your particular situation. Processing will then cease unless compelling legitimate grounds for processing can be demonstrated that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defence of legal claims.

    To exercise any of these rights, please contact: [email protected].

    7. Right to lodge a complaint

    You have the right to lodge a complaint with a supervisory data protection authority at any time (Art. 77 GDPR). The supervisory authority competent for Wexel Consulting is:

    Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI) Ludwig-Erhard-Str. 22, 7. OG 20459 Hamburg Tel.: 040 / 428 54 – 4040 Email: [email protected] Website: https://datenschutz-hamburg.de

    8. No automated decision-making

    This website does not engage in automated decision-making or profiling within the meaning of Art. 22 GDPR.

    9. External links

    This website may contain links to external websites. Wexel Consulting has no control over the content or data processing practices of those external sites and accepts no responsibility for them. Please review the privacy policies of any external sites you visit.