Data Protection
Privacy Notice (GDPR)
This notice explains how econworks GmbH processes personal data on econ.works / econworks.de, in line with the EU GDPR.
Last updated: September 11, 2025
Controller
econworks GmbH
Schleiermacherstraße 10, 64283 Darmstadt, Germany
Contact: contact@econworks.de
Data protection inquiries: Please contact us using the details above.
No DPO is required under Sec. 38 BDSG at present.
1. Hosting & Server Logs
Our Website is hosted by Vercel Inc. As our processor, Vercel processes server log data (e.g., IP address, user-agent, URL, timestamp) to deliver and secure the service.
Legal basis: Art. 6(1)(f) GDPR (legitimate interests in secure, error-free operation)
Recipients: Vercel Inc. (processor) incl. listed sub-processors
International transfers: US – covered by the EU-US Data Privacy Framework (where certified) or Standard Contractual Clauses
Retention: We only use log data for troubleshooting and security; hoster-side retention may apply
Vercel Web Analytics (optional): If enabled, privacy-friendly, cookie-less analytics may be used. Depending on configuration, consent may still be required (see Section 4).
2. Contact / Chat
When you actively send us a message (e.g., via chat or form), we process the data you provide (name, email, message contents) to respond.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual communications) or Art. 6(1)(f) GDPR
Retention: Up to 12 months for support history; longer where statutory limitation periods apply
2.1 Use of OpenAI (only when chat is actively used)
If you start the AI chat, parts of your input may be relayed via our server to the OpenAI API to generate an answer. We use the API with no training on your data; OpenAI may retain API data for up to 30 days for abuse prevention (Zero Data Retention is available for eligible endpoints upon request).
Legal basis: Art. 6(1)(b) and/or (f) GDPR; for optional conveniences, Art. 6(1)(a) GDPR (consent)
Recipients: OpenAI (processor) incl. listed sub-processors
International transfers: US – via DPF (if certified) or SCCs
2.2 Internal notifications via Slack (optional)
We may forward support messages to our internal Slack workspace to expedite handling.
Legal basis: Art. 6(1)(f) GDPR
Recipients: Slack Technologies, LLC (processor)
International transfers: US – via DPF (if certified) or SCCs
3. Scheduling via Calendly (only if used)
If you book a meeting, you are redirected to Calendly or an embedded widget is displayed. Calendly processes your inputs (name, email, preferences) to schedule the appointment. The embed may use cookies/local storage.
Legal basis: Art. 6(1)(b) GDPR
Recipients: Calendly, LLC (processor)
International transfers: US – via DPF (if certified) or SCCs
Note: The embedded widget is loaded only after consent where required (Section 4).
4. Cookies, Local Storage & Consent
We do not set non-essential cookies by default. Where services like embedded Calendly or optional analytics store/access information on your device, we ask for your consent first.
Legal basis: Sec. 25 TDDDG (formerly TTDSG) for device access; Art. 6(1)(a) GDPR for processing
Withdrawal: You can withdraw consent anytime with future effect via our consent settings
Strictly necessary storage (e.g., consent state, security) is used without consent.
5. Third-party Resources
We avoid third-party resources (e.g., remote web-fonts) where possible. If necessary, we only load external content after prior consent ("two-click solution").
6. Your Rights
You have the rights under Art. 15–22 GDPR:
- Access to your personal data
- Rectification of incorrect data
- Erasure of your data
- Restriction of processing
- Data portability
- Objection to processing
You may lodge a complaint with your supervisory authority. For Hesse, Germany: Hessian Commissioner for Data Protection and Freedom of Information –https://datenschutz.hessen.de
7. Security Measures
We implement appropriate technical and organisational measures (Art. 32 GDPR), including TLS encryption, access controls, logging, and deletion routines.