Privacy policy
Last updated: 10 May 2026
We take the protection of your personal data seriously. This policy informs you about which data we collect on konvel.de, how we use it and what rights you have. The basis is the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
1. Controller
The controller responsible for data processing on this website within the meaning of Art. 4 No. 7 GDPR is: Konvel, owner: Matt Barlow Musterstraße 1, 00000 Musterstadt Germany Email: hello@konvel.de
For data protection enquiries please contact hello@konvel.de.
2. Server log files and hosting
When you visit our website, our hosting provider automatically collects technical information transmitted by your browser (server log files). This includes: IP address (anonymised), date and time of the request, content of the request (specific page), access status, transferred data volume, referrer URL, browser type and operating system.
Processing serves to provide the website, ensure stability and security, and defend against attacks. The legal basis is Art. 6(1)(f) GDPR (legitimate interest).
Server log files are deleted or anonymised after 30 days at the latest.
3. Contact form and configurator
If you send an enquiry via the contact form, the configurator or the lead-capture form, we process the data you provide for the purpose of handling your request and any follow-up enquiries.
Categories of data processed:
- Name and salutation
- Email address
- Phone number (optional)
- Postal code
- Model and configuration details (cladding, glazing, options)
- Budget and timeframe
- Purchase intent and preferred timeline
- Submitted marketing parameters (e.g. Google Click ID, referrer), where allowed
Legal basis is Art. 6(1)(b) GDPR (pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in efficient enquiry handling).
Enquiry data is stored for up to 24 months after the last contact. If a contract results, the statutory retention periods under commercial and tax law apply (typically 6 or 10 years).
4. Cookies and consent
We use technically necessary cookies that are required for operation of the website. Cookies and scripts requiring consent (e.g. web analytics, embedded videos) are only loaded after your active consent in the consent banner.
Consent manager (Klaro)
We use the open-source tool Klaro to manage your consents. Klaro stores your selection in a local cookie on your device. No data is transmitted to third parties.
You can change or withdraw your consent at any time via the “Cookie settings” link in the footer. Legal basis: Art. 6(1)(a) GDPR and § 25(1) TTDSG.
5. Bot protection (Cloudflare Turnstile)
To protect our configurator from automated requests we use Cloudflare Turnstile (Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA). Turnstile checks whether the request comes from a real person without showing a classic CAPTCHA.
Processed data includes technical device and browser signals as well as the IP address. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protection against spam and abuse).
Cloudflare is certified under the EU-US Data Privacy Framework. Further information at https://www.cloudflare.com/privacypolicy/.
6. Database and storage
We store enquiry data in a Postgres database operated by Neon, Inc. (processor). Data is hosted in a region inside the European Union.
Legal basis: Art. 6(1)(b) and (f) GDPR. A data processing agreement under Art. 28 GDPR is in place.
7. Transactional email (Resend)
For sending confirmation and notification emails related to website enquiries we use Resend, Inc. (2261 Market Street #5039, San Francisco, CA 94114, USA).
Processed data includes recipient email address, email content and delivery metadata. Legal basis: Art. 6(1)(b) GDPR. A data processing agreement is in place.
Resend offers EU-compliant Standard Contractual Clauses; further information at https://resend.com/legal/privacy-policy.
8. Web analytics
We use the following analytics services solely on the basis of your consent under Art. 6(1)(a) GDPR and § 25(1) TTDSG. You can withdraw consent at any time.
Google Analytics 4
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Processed data: shortened IP address, device and browser information, page views and interactions. IP anonymisation is enabled. Transfer to third countries (in particular the US) may occur; Google is certified under the EU-US Data Privacy Framework.
PostHog
Provider: PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA. We use the EU hosting region (Frankfurt). Pseudonymous usage data is processed for product analytics. A data processing agreement is in place.
Microsoft Clarity
Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Clarity creates aggregated heatmaps and pseudonymous session recordings to improve the user experience. Transfer to the US may occur; Microsoft is certified under the EU-US Data Privacy Framework.
9. Embedded YouTube videos
On the episode pages of our build series we embed videos from YouTube (Google Ireland Limited). Videos are only loaded after your consent and use the extended privacy mode (“no-cookie”).
On playback, YouTube processes technical data (IP address, device information, session IDs). Legal basis: Art. 6(1)(a) GDPR. Further information: https://policies.google.com/privacy.
10. Fonts
We use the typefaces Fraunces and Inter via Next.js next/font/google. Font files are bundled at build time and served from our own server (Vercel). No connection is made to Google servers when the page is loaded.
11. International data transfers
Some of our processors are located outside the EU/EEA or use sub-processors there (in particular in the US). Where a transfer takes place, it is based on an adequacy decision (EU-US Data Privacy Framework) or on Standard Contractual Clauses under Art. 46(2)(c) GDPR.
12. Retention period
We store personal data only as long as necessary for the relevant purpose or as required by statutory retention obligations (in particular § 257 HGB, § 147 AO). Data is then deleted or anonymised.
13. Your rights
You have the following rights with respect to the personal data concerning you:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing (Art. 21 GDPR)
- Right to withdraw consent with effect for the future (Art. 7(3) GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
To exercise these rights please send a message to hello@konvel.de.
14. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for us is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia, Kavalleriestraße 2-4, 40213 Düsseldorf, https://www.ldi.nrw.de/.
15. Changes to this policy
We update this privacy policy as legal frameworks or our processing activities change. The current version is available on this page; the date of the last update is shown above.