Datenschutzerklärung (Privacy Policy)
Last updated: 17 June 2026
TODO (draft): This Datenschutzerklärung is a working draft. Before launch, have the final wording generated via eRecht24 / Usercentrics or reviewed by a lawyer — especially the sections on Google Analytics, Meta Pixel, and transfers to the USA.
This Privacy Policy explains, in plain language, what personal data we handle, why, and what rights you have. It covers this website and the Quote Recovery Sprint service provided by Anatolii Kharchuk (Marburg, Germany) ("we," "us," "our"), who runs the service personally.
We handle as little personal data as possible. We've split this into two parts, because two very different kinds of data are involved:
- Data about visitors to this website and people who book a call.
- Data we access inside a client's CRM while delivering a sprint.
1. Controller
The controller responsible for this website and for our own processing is:
Anatolii Kharchuk
Marburg, Germany
ai.kharchuk@gmail.com
For personal data inside a client's CRM, see Section 4 — there the client is the controller and we act as processor.
2. This website
Consent banner (Cookiebot). We use Cookiebot (Usercentrics A/S) as our consent manager. On your first visit it asks whether you accept analytics and/or marketing cookies, with separate, unticked categories and an equally prominent "Reject all". No analytics or marketing tool runs until you opt in, and you can change or withdraw your choice any time via "Cookie settings" in the footer. Visitors in the US see an opt-out experience as permitted by US state law.
Vercel Analytics. We use Vercel Analytics for aggregate, anonymous page metrics without cookies or anything that identifies you. It runs without requiring consent.
Google Analytics 4. Only if you consent to analytics, we load Google Analytics 4 (Google Ireland Ltd / Google LLC) to understand how the site is used. It sets cookies and may transfer data to Google servers in the USA. We use Google Consent Mode v2, which keeps these tags denied by default until you opt in. TODO: confirm the exact GA4 data categories and retention with your final legal text.
Meta Pixel. Only if you consent to marketing, we load the Meta Pixel (Meta Platforms Ireland Ltd / Meta Platforms, Inc.) to measure campaigns and reach. It sets cookies and may transfer data to Meta servers in the USA. Without marketing consent the Pixel is never loaded. TODO: confirm Pixel scope and any Conversions API use with your final legal text.
Transfers to the USA. Google and Meta may process data in the United States. Such transfers rely on the EU–U.S. Data Privacy Framework and/or the EU Standard Contractual Clauses. The USA does not have an EU-equivalent level of data protection, and we ask for your explicit consent before any such transfer for analytics/marketing. TODO: verify the current transfer mechanism for each provider.
Booking a call. If you book a call, you're taken to Calendly. The name, email, and any details you enter there are collected and processed by Calendly under its own privacy policy and shared with us so we can hold the call. We use that information only to schedule and prepare for your call.
Legal bases (GDPR Art. 6). Google Analytics and the Meta Pixel run only on the basis of your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time. We also rely on our legitimate interest in operating and securing the website and cookieless analytics (Art. 6(1)(f)); on taking steps at your request and performing our contract when you book a call or hire us (Art. 6(1)(b)); and on compliance with legal obligations where they apply (Art. 6(1)(c)).
3. Booking and client communications
When you contact us or book a call, we process your name, email, company, and anything you choose to tell us, in order to reply, qualify whether the service is a fit, and run the engagement. We keep this only as long as needed and then delete it.
4. Data we access during a sprint
When you hire us, we get read-only access to your HubSpot or Pipedrive — deals, contacts, quote dates, and notes. Some of that is personal data about your own contacts and customers.
Who controls that data. It is your data and your relationship with those contacts. For this data you are the controller; we act only as your processor (Art. 28 GDPR) and, where U.S. state privacy laws apply, as your service provider. We process it solely to deliver the sprint you hired us for, on your documented instructions, and for no other purpose. We never use it for our own marketing, we never sell or share it, and we don't use it to train any public AI model. We're glad to sign a Data Processing Agreement (and an NDA) before access begins.
No standing copy. We work inside your CRM with read-only access. We don't copy or export your customer database; any working notes are kept to the minimum needed and are deleted after the sprint (see our Data Security page). We can't change anything in your CRM, and we never touch your drawings, specs, or files.
5. Who we share data with
We don't sell your personal data and we don't share it for cross-context behavioural advertising. We rely on a small number of service providers ("processors") to run the business:
- Vercel — website hosting and cookieless aggregate analytics.
- Cookiebot (Usercentrics) — cookie consent management.
- Google — Google Analytics 4 (only with your analytics consent).
- Meta — Meta Pixel (only with your marketing consent).
- Calendly — call scheduling.
- Stripe — invoicing and payment for clients.
Each processes data under its own terms. Some are based outside the EU/EEA (for example in the United States); where that involves a transfer of personal data, it is covered by appropriate safeguards such as the EU Standard Contractual Clauses or the EU–U.S. Data Privacy Framework. We may also disclose data where the law requires it.
6. International transfers
If you contact us from outside Germany, or if a client's CRM data sits with a non-EU provider, personal data may be processed in another country. Where that country isn't covered by an EU adequacy decision, we rely on safeguards such as Standard Contractual Clauses.
7. How long we keep data
- Website analytics: aggregate and anonymous; not tied to you.
- Call and booking details: kept only as long as needed to follow up, then deleted.
- Client CRM data: read-only access, revoked at the end of the sprint; working notes deleted within 30 days (see Data Security).
- Business records such as invoices: kept for as long as the law (including German tax law) requires.
8. Your rights
Under the GDPR you have the right to access your personal data, to have it corrected or erased, to restrict or object to its processing, to data portability, and — where processing is based on consent — to withdraw that consent at any time. To exercise any of these for data on this website or your booking, email ai.kharchuk@gmail.com.
You also have the right to lodge a complaint with a data-protection supervisory authority. Ours is the Hessian Commissioner for Data Protection and Freedom of Information (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit).
For personal data inside a client's CRM, the client is the controller — if you're a customer of one of our clients and want to exercise your rights, please contact that company; we'll support them in responding.
9. Security
We take a least-access, read-only approach and protect data as described on our Data Security page.
10. Children
This website and service are for businesses and are not directed to children. We don't knowingly collect data from anyone under 16.
11. Changes
We may update this policy as the business changes. We'll post the new version here with an updated date.
12. Contact
Questions about your data: ai.kharchuk@gmail.com.
13. Cookie Declaration
The list below is generated and kept up to date automatically by Cookiebot and shows every cookie this site uses, by category.