Data protection notice
(Last updated: 1 June 2026)
hallo theo GmbH (referred to below as "we" or "us") is delighted that you are visiting our website at www.hallotheo.de (referred to below as the "Website").
Our principle is to collect only what we need, and to process this information solely to provide you with the service you expect.
1. Data controller
The controller for the processing of personal data on our website within the meaning of the General Data Protection Regulation (hereafter "GDPR") is:
hallo theo GmbH
Saarbrücker Straße 21
10405 Berlin
+49 (0) 30 340 430 00
support(at)hallotheo.de
For data protection queries or to exercise your rights as a data subject, you can contact us at any time by email at datenschutz(at)hallotheo.de.
2. Data protection officer
Our designated data protection officer is:
Kertos GmbH
Brienner Straße 41
80333 München
Email: dataprivacy(at)kertos.io
3. What is personal data?
Personal data is any information that relates to an identified or identifiable individual. This includes details such as your name, age, address, phone number, date of birth, email address or IP address. If we cannot link information to you personally, for example because it has been anonymised, it is not personal data. Processing personal data, such as collecting, retrieving, using, storing or sharing it, always requires a legal basis like your consent.
4. Data processing for providing and using the website
4.1 Scope and purpose of data processing
We only use your personal data when we need to in order to provide our website and services.
When you visit our website, your browser automatically sends personal data to our server, where it is stored in a log file.
We collect this information without your active input and store it until it is automatically deleted:
your computer's IP address
the date and time of your access
the name and URL of the file you retrieve
the website you came from (referrer URL)
your browser, potentially your computer's operating system and the name of your internet provider
We process this data in order to:
ensure a smooth connection to the website
make our website easy and comfortable to use
protect our system security
4.2 Legal basis
We process this data based on Art. 6(1)(f) GDPR. We need to process this data to provide the website and to ensure it remains secure and easy to use. This is in our company's legitimate interest.
4.3 Storage period and data deletion
The collected data is deleted as soon as it is no longer needed for the website. This happens after 30 days at the latest. Collecting and storing this data is necessary to run the website. Therefore, you cannot opt out. In certain cases, we store data for longer if the law requires us to do so.
5. International data transfers
We process your data mainly within the EU and the EEA. However, some service providers are based in third countries. The GDPR sets high standards for transferring data to these countries, and all recipients must meet these requirements. Before we send any data to a service provider in a third country, we assess their level of data protection. We only work with them if they can demonstrate an adequate level of protection. Regardless of where they are located, every service provider must sign a data processing agreement with us. Additional requirements apply to service providers outside the EEA. In line with Article 44 onwards of the GDPR, data may be transferred to service providers who meet at least one of the following conditions:
The European Commission has decided that the third country offers an adequate level of protection.
Standard contractual clauses have been included in the agreement with the data recipient.
Further safeguards under Article 46 of the GDPR are in place.
In special exceptional cases under Article 49 of the GDPR.
6. Recipients of your personal data
Within our company, only the people who need your personal data for the specified purposes will have access to it. We will only share your data with external recipients if we are legally authorised to do so, or if you have given us your consent. You can find an overview of these recipients below.
6.1 Website delivery services
Framer
Purpose: providing web hosting and associated services to manage and operate our website
Recipient: Framer B.V., Rozengracht 207B, 1016 LZ Amsterdam, Netherlands
Data processed:
Website usage data (e.g. visitor numbers, page views)
Server logs (e.g. IP addresses, access times)
Legal basis: performance of a contract under Art. 6 (1) (b) GDPR
Storage period: data is stored for the duration of the contract, and thereafter in accordance with statutory retention periods
Further information: https://www.framer.com/legal/privacy-statement/
6.2 Request a quote
Purpose: preparing quotes and customer communication
Recipients: HubSpot Ireland Limited, HubSpot House Development, 1 Sir John Rogerson's Quay, Dublin 2, D02 CR67, Ireland; Framer B.V., Rozengracht 207B, 1016 LZ Amsterdam, Netherlands; Tally BV, Wijngaardstraat 22, 9000 Ghent, Belgium (provision, hosting and processing of online forms)
Processed data:
Contact details (e.g. first and last name, email address)
Business information (e.g. company name, number of units to be managed)
Communication data (e.g. mobile number, message content)
Content submitted via forms
Technical data (e.g. IP address, user agent, timestamp of transmission)
Submission metadata (e.g. submission ID, form ID)
Legal basis: consent under Art. 6 (1) (a) GDPR, and steps prior to entering into a contract under Art. 6 (1) (b) GDPR
Retention period: we store your data for the duration of our business relationship, and delete it once the statutory retention periods have expired
Further information: you need to provide your personal data so we can prepare a quote for you. If you choice not to provide it, we cannot create a tailored quote. You have the right to withdraw your consent at any time. This will not affect the lawfulness of any processing we carried out before you withdrew your consent. https://legal.hubspot.com/de/privacy-policy; https://www.framer.com/legal/privacy-statement/; https://tally.so/help/privacy-policy
6.3 Booking an appointment
Purpose: Online appointment scheduling and management for initial consultations
Recipients: HubSpot Ireland Limited, HubSpot House, 1 Sir John Rogerson's Quay, Dublin 2, D02 CR67, Ireland; Framer B.V., Rozengracht 207B, 1016 LZ Amsterdam, Netherlands; Tally BV, Wijngaardstraat 22, 9000 Ghent, Belgium (provision, hosting and processing of online forms)
Processed data:
Contact details (such as your name and email address)
Appointment details (such as your chosen date and time)
Technical data (such as your IP address and browser type)
Communication preferences (such as your chosen time zone)
Legal basis: Consent under Art. 6 (1) (a) GDPR or pre-contractual steps under Art. 6 (1) (b) GDPR
Storage period: For the duration of the business relationship and beyond in line with legal retention periods; we can delete your data upon request
Third-country transfer: Data transfer to the US based on the EU-U.S. Data Privacy Framework (Art. 45 GDPR)
Further information: https://legal.hubspot.com/de/privacy-policy; https://www.framer.com/legal/privacy-statement/; https://tally.so/help/privacy-policy
6.4 Recommendation scheme
Purpose: implementation and management of the referral programme, in particular for registration, creating the referral link and processing any reward payouts
Recipient: Perspective Software GmbH, Müggelstr. 22, 10247 Berlin
Data processed:
First and last name
Email address
Customer status
Legal basis: implementation of (pre-)contractual measures pursuant to Art. 6 Para. 1 lit. b GDPR (participation in the referral programme and entitlement to rewards)
Retention period: until the referral programme and any reward claims are fully processed, and at the latest until the end of statutory retention periods
Further information: the terms and conditions and the specific privacy policy of the referral programme also apply. https://www.perspective.co/privacy-policy
6.5 Stripe (Perspective landing page)
Purpose: Processing payment transactions via the external payment page of the payment service provider Stripe. When you click the payment or booking button, you are redirected to a checkout page hosted by Stripe, where payment details are entered and processed directly. We do not receive any credit card or bank details.
Recipient: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland
Data processed:
Identification and contact data, such as your name, email address, and billing address
Payment details, such as credit card number, account number, or payment method. These are entered and processed solely by Stripe
Transaction details, such as the amount, currency, timestamp, and transaction ID
Technical details, such as IP address, browser type, and device details used for fraud prevention
Legal basis: Performance of a contract in accordance with Art. 6 (1) (b) GDPR to process the payment, as well as legitimate interest in accordance with Art. 6 (1) (f) GDPR to prevent fraud and ensure secure payment processing
Storage period: Stripe stores payment and transaction details for the duration of the business relationship and in accordance with statutory retention periods.
Responsibility: Stripe acts as an independent controller as defined in Art. 4 (7) GDPR for processing transaction and payment details. Stripe’s own privacy policy applies for this processing.
Further information: https://stripe.com/de/privacy
6.6 Candidate Portal
Purpose: managing and running application processes, including communicating with candidates and improving recruitment
Recipients: Softgarden e-recruiting GmbH, Tauentzienstraße 14, 10789 Berlin, Germany
Data processed:
Personal details (e.g. name, date of birth)
Contact details (e.g. email address, phone number)
Application documents (e.g. CV, references)
Qualifications and work experience (e.g. education, previous employers, language skills)
Social media profiles (e.g. XING, LinkedIn, Facebook)
Communication history (e.g. emails, interview notes)
Application status and progress (e.g. invitations, rejections)
Legal basis: consent based on Art. 6 (1) (a) GDPR, and steps prior to entering into a contract based on Art. 6 (1) (b) GDPR
Retention period: we store your data for the duration of the application process. If your application is successful, this data will be transferred to your personnel file. If we reject your application, your data will be deleted after 6 months, unless you agree to us keeping it for longer.
Data transfer outside the EEA: no data is transferred to third countries. Your data is processed solely within the EU.
Further information: https://www.softgarden.de/unternehmen/datenschutz/
6.7 Brand
Purpose: Automated transfer, synchronisation and enrichment of personal data between our integrated systems (for example web forms, CRM and communication channels) via webhook-based workflows. Make acts as a technical intermediary; the data is processed for forwarding without being analysed for its own purposes.
Recipient: Make Europe sp. z o.o., Aleja Pokładowa 3, 30-376 Kraków, Poland
Processed data:
Identification and contact details (for example first and last name, email address, telephone number)
Business information (for example company name, role or position, units to be managed)
Transaction and enquiry details (for example quote number, services of interest, content of enquiry)
Communication and interaction data (for example messages received via forms, timestamps)
Technical metadata (for example source system IDs, trigger events, execution logs)
Legal basis:
Performance of a contract and steps prior to entering into a contract under Art. 6 (1) (b) GDPR
Legitimate interest under Art. 6 (1) (f) GDPR in the efficient and automated processing of enquiries and the consistent storage of data in our CRM and backend systems
Retention period: Data is processed transiently for forwarding between systems; execution logs are stored as configured for a maximum of 30 days and then automatically deleted.
More information: https://www.make.com/en/privacy-notice
6.8 Cookie consent management (Framer consent banner)
Purpose: obtaining, storing and documenting website visitors' consent to store cookies and similar technologies, and proving granted or withdrawn consent to comply with accountability obligations under data protection law
Recipient: Framer B.V., Rozengracht 207B, 1016 LZ Amsterdam, Netherlands
Processed data:
consent status (e.g. acceptance of all cookies, rejection of non-essential cookies)
timestamp of consent (e.g. date and time of consent or withdrawal)
technical identifier of your device or browser (e.g. browser ID, session ID)
cookie settings and preferences (e.g. selected cookie categories, banner version number)
IP address (e.g. for technical communication with the server when the page is called up)
Legal basis: Art. 6 (1) (c) GDPR (legal obligation to obtain and document consent in accordance with Art. 7 (1) GDPR) and Art. 6 (1) (f) GDPR (legitimate interest in fulfilling accountability obligations under Art. 5 (2) GDPR)
Storage duration: consent status is stored as a cookie in your browser for up to one year. Proof of consent (log data) is kept for three years.
Further information: https://www.framer.com/legal/privacy-statement/
6.9 Analysis and tracking
Cookies are small text files stored on your device by your browser. They do not run programs or install malware. Similar technologies include web storage (local/session storage), fingerprinting, tags and pixels. Most browsers accept these technologies by default, but you can adjust your settings to block them or to ask for your consent. If you block cookies or similar technologies, some features of the website may not work fully.
Purpose: We use tracking and analysis tools to constantly improve our website and adapt it to your needs. For this purpose, we collect details using these technologies or combine your device details (device fingerprinting).
Legal basis: We use technically necessary tools to run the website based on our legitimate interest under Art. 6(1)(f) GDPR, or to perform a contract or pre-contractual steps under Art. 6(1)(b) GDPR. In these cases, storing or accessing details on your device is strictly necessary and is governed by Section 25(2) TDDDG. We only use optional tools with your consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. The tracking and analysis tools used, their purpose and the processed data are described below.
Google Ads
Purpose: Planning, running and managing online advertising campaigns, measuring conversions and linking website activities (such as form sign-ups) to previous ad clicks. To do this, we use the Google Click ID (GCLID) assigned by Google.
Recipient: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Data processed:
Access data (such as IP address, number of page views)
Usage data (such as behaviour on other websites, click paths)
Source and traffic data (such as previously visited pages, referrer URL)
Search data (such as keywords used, search terms)
Device data (such as device type, screen resolution)
Browser data (such as browser used, language settings)
Event data (such as interactions with ads, clicks on banners)
Location data (such as country, city, based on IP address)
Customer data for enhanced conversions (such as email address, hashed using SHA-256)
Online identifiers (such as advertising ID, Google Click ID u2013 GCLID)
Checking data in our own systems:
If you fill in a form on our website after clicking an ad, your GCLID may be stored in our internal systems (such as our CRM or analytical tools) alongside the details you enter (such as contact and transaction info). This helps us see which campaigns lead to enquiries or sales, so we can analyse and improve our marketing. We do not use this data to build a profile about you.
Legal basis: Art. 6 para. 1 lit. a GDPR and Section 25 para. 1 TDDDG
Retention period: Cookies are stored for up to 90 days.
Transfer to third countries: Data is transferred to the USA based on the EU-U.S. Data Privacy Framework (Art. 45 GDPR) and additional Standard Contractual Clauses (SCCs).
More information: https://policies.google.com/privacy
Google Analytics 4
Purpose: web analysis. Recipient: Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland and Google, LLC 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Processed data:
Device data (e.g. IP address, device type, screen resolution)
Browser data (e.g. browser used, language, installed plug-ins such as ad blockers)
Usage data (e.g. pages visited, time spent on each page, click paths, scroll depth, entry and exit pages)
Event data (e.g. clicks on buttons or links, submitted forms)
Location data (e.g. country, city)
Source and traffic data (e.g. referrer URL, traffic source such as a search engine)
Conversion and goal-tracking data (e.g. newsletter sign-ups, goals achieved on the website)
Online identifiers (e.g. advertising ID, Google Click ID – GCLID)
Legal basis: Art. 6 Paragraph 1 point a GDPR and Section 25 Paragraph 1 TDDDG. Third-country transfer: For data transfers to the US, an adequacy decision of the EU Commission is in place, the EU-U.S. Data Privacy Framework. Google is certified under this framework. In addition, standard contractual clauses (SCCs) have been concluded with Google. Further information: https://policies.google.com/privacy
Google reCAPTCHA
Purpose: detecting and preventing automated requests (bots) to secure the website and the contact form
Recipient: Google Ireland Limited Gordon House, Barrow Street Dublin 4, Ireland
Processed data:
Network data (such as IP address, referrer URL)
Device information (such as operating system, language settings)
User interactions (such as mouse movements, keystrokes)
Session information (such as duration of visit, location)
Legal basis: legitimate interest under Art. 6 (1) (f) GDPR (protecting the website from automated requests and ensuring the website runs smoothly)
Storage period: data is deleted once sent to Google
Further information: https://policies.google.com/privacy
Google Tag Manager
Purpose: Managing and triggering website tags through a single interface
Recipient: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Processed data:
Access data (e.g. time of page view, referrer URL)
Device data (e.g. IP address, device type)
Browser data (e.g. browser used, language settings)
Event data (e.g. tag triggering, interactions with integrated scripts)
Location data (e.g. country, city – based on IP address)
Legal basis: Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG
Storage duration: Cookies are stored for up to 90 days
Further information: https://policies.google.com/privacy
HubSpot Analytics
Purpose: monitoring the website, and supporting and improving digital marketing activities
Recipient: HubSpot Ireland Limited, 1 Sir John Rogerson's Quay, Dublin 2, Ireland
Data processed:
Identification data (e.g. unique user token, user ID in the cookie 'hubspotutk')
Access data (e.g. date and time of your visit, website domain)
Session data (e.g. number of sessions, duration of individual visits)
Device data (e.g. device type, operating system)
Browser data (e.g. browser used, language settings)
Usage data (e.g. pages viewed, repeat visits)
Legal basis: Art. 6 (1) (a) GDPR and Section 25 (1) TDDDG
Storage period: cookies are stored for up to 90 days
More information: https://policies.google.com/privacy
Track your ad campaigns using the Google Click ID (GCLID)
Purpose: to match enquiries, leads or orders to our online advertising campaigns (campaign attribution) and to evaluate and optimise our marketing activities.
Data processed:
Master and contact data (such as name, email address, company affiliation) where provided in forms or bookings
Contract and transaction data (such as requested or booked services, quote and order details)
Event data (such as date and time of the enquiry or booking, pages visited)
Online identifiers, in particular the Google Click ID (GCLID) assigned by Google when you click one of our adverts
How it works: when you reach our website via one of our online adverts (for example on Google), the click is identified by a GCLID. If you then fill in a form or make a booking or order, this GCLID can be saved in our system together with your details. This allows us to see later which campaigns generated enquiries or deals.
Legal basis: your consent under Art. 6 para. 1 lit. a GDPR in conjunction with Section 25 para. 1 TDDDG (marketing and tracking consent via the cookie banner). You can withdraw your consent at any time for the future by adjusting your choices in the cookie banner.
Storage period: we only store the GCLID and the linked data for as long as necessary to evaluate and optimise the respective campaigns, and will then delete or anonymise them.
Meta Pixel
Purpose: measuring how effective ads are on Meta platforms (Facebook, Instagram) through conversion tracking, and building audiences for interest-based advertising (retargeting)
Recipient: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland
Data processed:
HTTP header data (such as IP address, operating system used)
Browser details (such as browser type, language setting)
Pixel-specific cookie data (such as the _fbp cookie for browser identification and _fbc cookie to track ad clicks)
Page views and user interactions (such as visited subpages, viewed products)
Conversion data (such as completed purchases, form submissions)
Contact details submitted via conversion events, if any (such as hashed email address, phone number)
Legal basis: consent under Art. 6 (1) (a) GDPR in conjunction with Section 25 (1) TDDDG
Joint controllership: for the data collected via the Meta pixel, the website operator and Meta Platforms Ireland Ltd. are joint controllers under Art. 26 GDPR. You can view the underlying controller addendum here: https://www.facebook.com/legal/controller_addendum
Retention period: the _fbp cookie is stored on your device for 90 days. Event data sent to Meta can be saved there for up to 2 years. You can withdraw your consent at any time with future effect in the website's cookie settings.
More information: https://www.facebook.com/privacy/policy
Cookie name
Providers
Purpose
Category
Storage duration
__cf_bm
Cloudflare
Detect and block automated bot traffic
Strictly necessary
30 minutes
test_cookie
Google AdSense
Checking if your browser supports cookies
Marketing and tracking cookies
15 minutes
_ga
Google Analytics
How we collect information about your website use
A
1 year 1 month
_ga_[ID]
Google Analytics
How we collect information about your website use
A
1 year 1 month
_gcl_au
Google Tag Manager
How we improve your advertising across Google services
Marketing and tracking cookies
2 months 29 days
Contact us by email
When you contact us by email, we process the personal data you send us (such as your name, email address and the content of your message) solely to handle and respond to your enquiry. The legal basis for this is usually our legitimate interest in communicating with you under Art. 6 (1) (f) GDPR. If your enquiry relates to entering into or fulfilling a contract, the legal basis is the performance of pre-contractual measures or contract fulfilment under Art. 6 (1) (b) GDPR. We only store your data as long as necessary to process your enquiry. We do not share your data with third parties unless we are legally required to do so, or it is absolutely necessary to handle your request.
CRM, sales and lead management
Purpose: managing and maintaining relationships with customers, prospects, and other contractual or business partners (B2B). This includes lead management, qualifying and prioritising leads, documenting communication and contract histories, and planning and managing sales activities.
Recipients: HubSpot Ireland Limited, 1 Sir John Rogerson's Quay, Dublin 2, Ireland; Make Europe sp. z o.o., Aleja Pokładowa 3, 30-376 Kraków, Poland
Data processed:
First name and surname
Work contact details (such as email address, telephone number, and business address)
Company-related data (such as company name, industry, size of the company, job title/role, and department)
Data about contractual transactions and enquiries (such as offer numbers, service interests, and history of enquiries and interactions)
Communication and interaction data (such as appointments, meeting notes, attendance at events/webinars, responses to emails, and downloaded content)
Legal basis:
Performance of a contract and pre-contractual steps under Article 6(1)(b) GDPR, if you or your employer are in a contract or pre-contractual relationship with us.
In addition, legitimate interests under Article 6(1)(f) GDPR in efficiently organising sales and business relationships, targeted B2B communication, and improving our products and services. If we process your personal data for direct marketing, you can object to this processing at any time, with future effect.
Retention period: for the duration of the business relationship or as long as there is a legitimate interest in keeping the data (such as tracking enquiries or maintaining business relationships). Your data is then deleted or anonymised, unless statutory retention periods apply. We regularly delete contact details of prospects and leads with whom we have had no interaction over a longer period, or we only keep them in an anonymised form for statistical purposes.
Further information: https://legal.hubspot.com/de/privacy-policy
Data security and protective measures
We make sure your personal data stays safe and confidential. To prevent data manipulation, loss or misuse, we use technical and organisational security measures. We review and update these regularly to keep pace with technology.
Please bear in mind that other people or organisations on the internet may ignore data protection rules. Unencrypted data, such as emails, is particularly accessible to third parties. We have no influence over this. Protect your data through encryption or other measures to prevent misuse.
Data storage
We delete or block your personal data once the reason for storing it no longer applies. We may keep your data for longer if European or national laws require us to do so. We also block or delete your data when the legal storage period expires, unless we still need it for a contract.
Your rights
You have the following rights regarding your personal data:
a) Right of access: you can find out if we use your personal data. If we do, you have the right to know what data we hold, why we use it, who receives it and how long we keep it.
b) Right to rectification: you can ask us to correct inaccurate data quickly. You can also have incomplete data completed.
c) Right to erasure: you can ask us to delete your data. This applies if the data is no longer needed, you withdraw your consent or the data has been used incorrectly.
d) Right to restriction of processing: you can ask us to limit the use of your data, for example if it is inaccurate.
e) Right to data portability: you can receive your data in a common, machine-readable format.
f) Right to object: you can object to the use of your data at any time, especially for advertising. This also applies to profiling for advertising purposes.
g) Right to withdraw consent: you can withdraw your consent to the use of your data at any time with future effect. Any processing carried out before you withdraw your consent remains lawful.
Complaints: you can complain to a supervisory authority if you feel your rights have been violated.
12. Amendment history
Date
Version
Reason for the change
14/01/26
1.0
First draft of the revised privacy policy in the new format
11/02/26
1.1
Add a new processing activity
01/06/2026
2.0
Changes to the website
