Any collection, use, storage, deletion, or other utilisation (hereinafter “processing”) of data is carried out exclusively for the purpose of providing our services. Our services are designed with the objective of using as little personal data as possible. “Personal data” (hereinafter also referred to as “data”) means any individual information relating to the personal or factual circumstances of an identified or identifiable natural person (the “data subject”).
The following information on data protection describes which types of personal data are processed when accessing our online offering, what happens to these personal data, and how you may, where applicable, object to data processing.
1. General information on data processing on this website
1.1 Data controller
The data controller within the meaning of the EU General Data Protection Regulation (GDPR) is:
Handbook Germany gGmbH
Jägerstraße 76, 10117 Berlin
Register court: Amtsgericht Berlin Charlottenburg HRB 268298
info@hbg.ngo
1.2 Protection of your data
We have implemented technical and organisational measures to ensure that the provisions of the GDPR are complied with both by us and by any external service providers working on our behalf.
If we cooperate with other companies in order to provide our services, such as email or server providers, this takes place only after a comprehensive selection process. As part of this selection process, each service provider is carefully assessed with regard to its suitability in connection with technical and organisational capabilities in data protection. This selection process is documented in writing, and a contract in accordance with Art. 28 (3) GDPR on the processing of personal data on behalf (data processing agreement) is only concluded if the service provider meets the requirements of Art. 28 GDPR.
Your data is stored on specially protected servers. Access is only possible for a few specially authorised persons.
Our website is SSL/TLS encrypted, which you can recognise by the “https://” at the beginning of the URL.
1.3 Deletion of personal data
We process personal data only for as long as necessary. As soon as the purpose of the data processing has been fulfilled, the data will be blocked and deleted in accordance with our internal deletion policy, unless legal provisions prevent deletion.
2. Data processing on this website and creation of log files
2.1 Description and scope of data processing
When you visit our website, our web servers temporarily store every access in a log file. In doing so, the following personal data is collected and stored until it is automatically deleted:
IP address of the requesting computer
- Date and time of access
- Identification data of the browser and operating system used
Website from which access is made (referrer)
Data processing is carried out by our hosting provider: Hetzner Online GmbH.
2.2 Legal basis for data processing
The processing of this data is based on Art. 6 (1) sentence 1 lit. f) GDPR. Our legitimate interest is to make our website accessible to you.
2.3 Purpose of data processing
Data is processed for the purpose of enabling the use of the website (establishing a connection). It serves system security, the technical administration of the network infrastructure, and the optimisation of the internet offering. The IP address is only evaluated in the event of attacks on our or our internet provider’s network infrastructure.
2.4 Duration of data storage
Personal data is deleted as soon as it is no longer required for the purposes stated above. This is the case when you close the website. Deletion at our hosting provider takes place after 4 weeks.
2.5 Possibility of objection by the data subject
The website can only be displayed if the described data is processed. To object to further processing of the data, please contact info@hbg.ngo.
3. Use of Cookies
3.1 Description and scope of data processing
Our website uses cookies. These are stored on your computer when you use our website. Cookies are small text files that are assigned to the browser you use and stored on your hard drive, and through which certain information flows to us or to the party that sets the cookie. Cookies cannot run programs or transmit viruses to your computer. In this way, different data can be transmitted:
Frequency of website visits
- Which functions of the website you use
- Search terms used
- Your cookie settings
Your language setting
When calling up the website, a cookie banner informs you about the use of cookies and refers you to this privacy policy.
3.2 Legal basis for data processing
The legal basis for the processing of data through cookies that do not serve solely the functionality of our website is Art. 6 (1) sentence 1 lit. a) GDPR.
The legal basis for the processing of data through cookies that serve solely the functionality of this website is Art. 6 (1) sentence 1 lit. f) GDPR.
3.3 Purpose of data processing
Our legitimate interest arises from ensuring a smooth connection setup and a comfortable use of our website, as well as from the analysis of system security and stability. Data processing also takes place to enable statistical evaluation of website usage.
3.4 Duration of data storage
There are two types of cookies. Both are used on this website:
Transient cookies (see a)
Persistent cookies (see b)
a) Transient cookies are deleted automatically when you close the browser. These include, in particular, session cookies. These store a so-called session ID, with which various requests from your browser can be assigned to the same session. This allows your computer to be recognised when you return to our website. Session cookies are deleted when you log out or close the browser.
b) Persistent cookies are deleted automatically after a specified period, which may differ depending on the cookie.
3.5 Possibility of objection by the data subject
You have the option at any time to revoke your consent to data processing through cookies that are not solely necessary for the functionality of the website. In addition, we only set such cookies after you have consented to their use via the cookie banner when accessing the website. In this way, you can prevent data processing via cookies on our website.
You can also delete cookies at any time in your browser’s security settings. We would like to point out that you may then not be able to use all the functions of this website. You can also prevent cookies from being set at any time via the corresponding settings in your internet browser.
4. Contact
4.1 Description and scope of data processing
If you contact us (e.g. by email), we process the information you provide (primarily email address, first and last name, as well as your message) in order to handle your enquiry and in case follow-up questions arise.
Your data will not be passed on to third parties without your knowledge or, where applicable, your consent.
4.2 Legal basis for data processing
If data processing is carried out for the performance of pre-contractual measures at your request, or, if you are already our customer, for the performance of the contract, the legal basis for this data processing is Art. 6 (1) sentence 1 lit. b) GDPR.
We only process other personal data if you consent to this (Art. 6 (1) sentence 1 lit. a) GDPR) or if we have a legitimate interest in processing your data (Art. 6 (1) sentence 1 lit. f) GDPR). A legitimate interest, for example, lies in responding to your email.
4.3 Purpose of data processing
We process your data solely to handle your contact request.
4.4 Duration of data storage
Unless specifically stated otherwise, we store personal data only for as long as is necessary to fulfil the respective purposes.
In some cases, the law requires the storage of personal data, for example, in tax or commercial law. In these cases, the data is stored by us only for these legal purposes, but not processed for any other purposes and deleted after expiry of the statutory retention period.
4.5 Possibility of objection by the data subject
You may contact us at any time and object to the further processing of your data. In this case, we can no longer continue communication with you. All personal data that has been processed by us in the course of contacting you will then be deleted, unless legal retention obligations prevent deletion.
5. Trackers and Analytics Tools
In order to continuously improve our website offering, we use the following analytics tools. The respective types of data processed and how to contact the service providers are set out below:
5.1 Matomo
5.1.1 Description and scope of data processing
We use the web analytics service Matomo (formerly PIWIK). Data processing is carried out by:
InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand.
Matomo is based in New Zealand, a third country with an adequate level of data protection as certified by the EU Commission pursuant to Art. 45 (3) GDPR: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32013D0065
Matomo sets a cookie. Please refer to the corresponding passage above for an explanation of cookies. The following data is stored in this context:
Two bytes of the IP address of the accessing system
- The accessed website
- The website from which you accessed the accessed website (referrer)
- The subpages accessed from the website
- The time spent on the website
The frequency of website access
The software runs exclusively on the servers of our website. Your personal data is only stored there. These data are not passed on to third parties.
The software is configured in such a way that IP addresses are not fully stored, but rather 2 bytes of the IP address are masked (e.g. 192.168.xxx.xxx). In this way, it is no longer possible to assign the shortened IP address to the accessing computer. For more information on Matomo’s data protection provisions, please refer to the following links:
https://matomo.org/privacy/
https://matomo.org/privacy-policy/
5.1.2 Legal basis for data processing
The legal basis for data processing is your consent pursuant to Art. 6 (1) sentence 1 lit. a) GDPR.
5.1.3 Purpose of data processing
The web analytics service Matomo is primarily used to optimise the website and to conduct a cost-benefit analysis. Matomo is further used to enable an analysis of user traffic on the website. It is in our interest to make our website offering clear and user-friendly for you.
5.1.4 Duration of data storage
We process personal data only for as long as necessary. As soon as the purpose of the data processing has been fulfilled, blocking and deletion take place in accordance with our internal deletion policy, unless legal, regulatory, or contractual provisions prevent deletion.
5.1.5 Possibility of objection by the data subject
You have the right to revoke your consent to data processing at any time. Please contact info@hbg.ngo for this purpose. The setting of cookies can also be prevented at any time via the relevant settings in your internet browser. Cookies already set can also be deleted in the browser settings for the future. Please note that preventing the setting of cookies may result in not all functions being fully available. For questions regarding data protection at Matomo, you can contact Matomo at the following email address: privacy@matomo.org
6. Other Third-Party Tools
We also use third-party providers who assist us with the display and functionality of the website. These are listed below:
6.1 Cookiebot
6.1.1 Description and scope of data processing
Cookiebot is used to implement the GDPR and other data protection regulations regarding the use of cookies on our website and the integration of analytics tools based on consent.
If you give your consent via the cookie banner, the following data will be processed:
Your anonymised IP address
- Browser type and version
- URL of the website on which the consent was given
- Date and time of consent
Unique, encrypted key
This data is stored, logged, and documented in the data centre of the Cybot cloud vendor, Microsoft Ireland Operations Ltd., Dublin, Ireland.
Data processing is carried out by: Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark.
Further information on data processing can be found at:
https://www.cookiebot.com/de/privacy-policy/
6.1.2 Legal basis for data processing
Data processing is based on Art. 6 (1) sentence 1 lit. c) GDPR.
6.1.3 Purpose of data processing
The purpose corresponds with our legitimate interest in data processing and the legally compliant assurance of the full functionality of our online offering.
6.1.4 Duration of data storage
Data is stored only for as long as is necessary for verification, unless legal regulations require longer retention. Cookiebot deletes your consent after 12 months.
6.1.5 Possibility of objection by the data subject
You can revoke the consents you have given via Cookiebot by deleting the corresponding cookie named “CookieConsent” or “CookieConsentBulkTicket”.
7. Data transfer to a third country
In order to provide our services, we make use of service providers from both the European Economic Area and third countries. To ensure the protection of your personal data even in the event of data transfer to a third country, we conclude specific data processing agreements with each carefully selected service provider. All service providers used by us provide sufficient guarantees to ensure data security through appropriate technical and organisational measures.
Our service providers from third countries are either located in countries that have an adequate level of data protection recognised by the EU Commission (Art. 45 GDPR) or have provided appropriate safeguards (Art. 46 GDPR).
Adequate level of protection: The provider is located in a country whose adequate level of data protection has been recognised by the EU Commission. Further information can be found here:
“Adequacy decisions (europa.eu)”
EU Standard Contractual Clauses: Our provider has agreed to the EU Standard Contractual Clauses to ensure secure data transfer. Further information can be found here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en
Binding Corporate Rules: Art. 47 GDPR provides the possibility to ensure data protection for data transfer to a third country through binding internal data protection rules. These are reviewed and approved by the competent supervisory authorities under the consistency mechanism pursuant to Art. 63 GDPR.
Consent: Furthermore, data transfer to a third country without an adequate level of protection only takes place if you have given your consent for this in accordance with Art. 49 (1) lit. a) GDPR or if another exception under Art. 49 GDPR applies to the data transfer.
8. Your Rights
You have the following rights with regard to the personal data concerning you:
8.1 Right to withdraw consent (Art. 7 GDPR)
If you have given consent to the processing of your data, you may withdraw this consent at any time. Such withdrawal shall affect the admissibility of the processing of your personal data after you have declared it to us. The withdrawal may be made verbally (including by telephone) or in writing by post or email.
8.2 Right of access (Art. 15 GDPR)
In the event of a request for access, you must provide sufficient information about your identity and proof that the information pertains to you. The information will include the following:
The purposes for which the personal data is processed;
- The categories of personal data which are processed;
- The recipients or categories of recipients to whom your personal data has been or will be disclosed;
- The planned duration of storage of your personal data or, if specific information is not possible, the criteria used to determine the storage period;
- The existence of a right to rectification or deletion of your personal data, a right to restriction of processing by the data controller, or a right to object to such processing;
- The existence of a right to lodge a complaint with a supervisory authority;
- All available information about the origin of the data if the personal data is not collected from the data subject;
The existence of automated decision-making, including profiling, pursuant to Art. 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.
8.3 Right to rectification or deletion (Art. 16, 17 GDPR)
You have the right to request the rectification and/or completion of your personal data if the data processed by us is incorrect or incomplete. The data controller must rectify the data without undue delay.
Furthermore, you may request the deletion of your personal data if one of the following reasons applies:
The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
- You withdraw your consent on which the processing was based pursuant to Art. 6 (1) sentence 1 lit. a) or Art. 9 (2) lit. a) GDPR, and there is no other legal basis for the processing.
- You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
- Your personal data has been unlawfully processed.
- The deletion of your personal data is necessary to comply with a legal obligation under Union or Member State law to which the data controller is subject.
Your personal data has been collected in relation to the offer of information society services pursuant to Art. 8 (1) GDPR.
If we have made your personal data public and are obliged to delete it pursuant to Art. 17 (1) GDPR, we will take reasonable steps, including technical measures, to inform other controllers processing the personal data that you have requested the deletion of all links to this personal data or of copies or replications of this personal data.
The right to deletion does not apply if processing is necessary:
For exercising the right of freedom of expression and information;
- For compliance with a legal obligation which requires processing under the law of the Union or of the Member States to which the data controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
- For reasons of public interest in the area of public health pursuant to Art. 9 (2) lit. h and i as well as Art. 9 (3) GDPR;
- For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the right referred to above is likely to render impossible or seriously impair the achievement of the objectives of such processing; or
For the establishment, exercise, or defence of legal claims.
8.4 Right to restriction of processing (Art. 18 GDPR)
You may request the restriction of processing of your personal data under the following conditions:
If you contest the accuracy of your personal data for a period enabling us to verify the accuracy of the personal data;
- The processing is unlawful, and you oppose the deletion of the personal data and request the restriction of its use instead;
- We no longer need the personal data for the purposes of processing, but you need it for the establishment, exercise, or defence of legal claims; or
If you have objected to processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether our legitimate reasons outweigh your reasons.
If the processing of your personal data has been restricted, such data shall – with the exception of storage – only be processed with your consent, or for the establishment, exercise, or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
If the restriction of processing has been lifted under the above conditions, you will be informed by us before the restriction is lifted.
8.5 Right to notification (Art. 19 GDPR)
If you have exercised your right to rectification, deletion, or restriction of processing, we are obliged to notify all recipients to whom your personal data has been disclosed of such rectification, deletion, or restriction of processing, unless this proves impossible or involves disproportionate effort.
You have the right to be informed about those recipients.
8.6 Right to data portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used, and machine-readable format in order to transmit it to another controller, provided that:
The processing is based on consent pursuant to Art. 6 (1) sentence 1 lit. a) GDPR or Art. 9 (2) lit. a) GDPR or on a contract pursuant to Art. 6 (1) sentence 1 lit. b) GDPR; and
The processing is carried out by automated means.
When exercising your right to data portability, you have the right to have the personal data transmitted directly from us to another controller, where technically feasible.
The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
8.7 Right to object to processing (Art. 21 GDPR)
Where we base the processing of your personal data on our legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR), you have the right to object to the processing. The same applies if we base the processing on Art. 6 (1) sentence 1 lit. e) GDPR.
In the event of such an objection, please explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will examine the situation and will either stop or adjust the data processing or demonstrate to you our compelling, legitimate grounds based on which we will continue the processing.
8.8 Right to lodge a complaint with the competent supervisory authority (Art. 77 GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority—particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement—if you believe that the processing of your personal data infringes the GDPR.
The supervisory authority with which the complaint has been lodged will inform you of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
9. How to exercise these rights
To exercise these rights, please contact info@hbg.ngo.
10. Right to make changes
We reserve the right to amend this privacy policy in compliance with legal requirements.
Version: October 2025
This translation was generated using AI. The German version of the privacy policy is legally binding.