PRIVACY POLICY

HOME

Privacy Policy

ClimeNow GmbH (Luise-Ullrich-Str. 20, 80636 Munich, Germany, hello@climenow.com) explains below which personal data we process, for what purpose, on which legal basis, and how long.
This notice fulfils Art. 12–14 GDPR and § 25 TTDSG.


5  Who receives your data?
We use carefully selected processors under Art. 28 GDPR:
- Webflow Inc. – Website/CMS hosting (EU servers via AWS)
- Usercentrics GmbH – Consent management (Germany)
- Typeform SL – Surveys & structured assessments (EU, SCCs)
- Google LLC – Analytics 4 (USA, IP anonymised, DPF)
- EmailJS Inc. – Automatic email delivery (USA, DPF + SCCs)
- Calendly LLC – Scheduling (USA, DPF + SCCs)
- Microsoft Ireland Ops Ltd. – Microsoft 365 (EU Data Boundary)
- Pipedrive OÜ – CRM (EU-based)
- LinkedIn Corp. – Insight Tag (USA, only after consent)
- Papermark Inc. – Secure data room (USA, DPF + SCCs)
Public authorities may receive data where required by law.

6  International transfers
Where data is transferred outside the EEA, we rely on:
- An adequacy decision (e.g. UK)
- EU–US Data Privacy Framework for certified providers (e.g. Google, Calendly, EmailJS)
- Standard Contractual Clauses (SCCs) with supplementary safeguards
- EU hosting options wherever possible

7  How long do we store data?
- Server logs: 14 days
- Consent records: 3 years (legal burden of proof)
- Typeform/assessment data: 24 months after completion or deletion request
- Calendly bookings: 12 months after meeting
- CRM prospects: 24 months after last contact
- Contracts & invoices: 6/10 years (German tax & commercial law)
- Newsletter: until unsubscribe or consent withdrawal

8  Cookies & similar tech
Strictly necessary cookies run automatically. Analytics/marketing cookies (Google, LinkedIn) load only after explicit consent in the Usercentrics banner. You can change your choice any time via the fingerprint icon in the footer.

9  No automated decision‑making
We do not conduct automated decision-making or profiling under Art. 22 GDPR.

10  Your rights
Under Art. 15–21 GDPR, you may request:
- Access
- Correction
- Deletion
- Restriction
- Data portability
- Objection to processing
- Withdrawal of consent at any time
You may also lodge a complaint with the Bavarian Data Protection Authority (BayLDA, Ansbach).

11  Security
We use TLS encryption, strict access control, MFA, regular penetration testing, ISO 27001-certified hosting and internal information-security controls.

12  External links
Links to third-party sites (e.g. LinkedIn, partner pages) are subject to their own privacy policies.

13  Updates
We may update this policy from time to time. Substantial changes will be communicated via e-mail or a website banner at least 14 days before they take effect.

Last updated: 17 July 2026