Privacy policy

We operate our websites in accordance with the principles set out below: We undertake to comply with the statutory data protection provisions and strive to always observe the principles of data avoidance and data minimization.

§1 Name and Address of the Controller and the Data Protection Officer

a) The Controller

The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States of the European Union as well as other data protection provisions is: nara GmbH, Leigthonstraße 3, 97074 Würzburg, [privacy@nara.de](mailto:privacy@nara.de) [https://nara.de](https://nara.de)

b) The Data Protection Officer

You can contact the controller’s data protection officer as follows: SiDIT GmbH, [www.sidit.de](http://www.sidit.de), Email: [info@sidit.de](mailto:info@sidit.de)

§2 Definitions

We have designed our privacy policy according to the principles of clarity and transparency. Should there nevertheless be any ambiguities regarding the use of different terminology, the corresponding definitions can be viewed here.

§3 Legal Basis for Data Processing

a) Processing of personal data under the GDPR

We process your personal data, such as your first and last name, your email address and IP address, etc., only if there is a legal basis for doing so. In particular, the following provisions of the GDPR may apply:

• Art. 6(1) sentence 1 lit. a GDPR: The data subject has given consent to the processing of his or her personal data for one or more specific purposes. • Art. 6(1) sentence 1 lit. b GDPR: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. • Art. 6(1) sentence 1 lit. c GDPR: Processing is necessary for compliance with a legal obligation to which the controller is subject. • Art. 6(1) sentence 1 lit. d GDPR: Processing is necessary in order to protect the vital interests of the data subject or of another natural person. • Art. 6(1) sentence 1 lit. e GDPR: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. • Art. 6(1) sentence 1 lit. f GDPR: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

However, we will always point out again at the relevant places in this privacy policy on which legal basis the processing of your personal data is carried out.

b) Consent of legal guardians pursuant to Art. 8(1) sentence 2 alt. 2 GDPR

A legal guardian must consent to all data processing operations within the scope of this website for which the consent of a minor who has not yet reached the age of 16 is required. Information on the individual processing operations, their purposes and the data categories concerned, for which the consent of the data subject is required, can be found in this privacy policy.

You may revoke your consent at any time by sending the revocation declaration in text form to the controller’s contact details. Processing up to the time of revocation remains lawful.

c) Processing of information pursuant to § 25(1) TDDDG

We also process information in accordance with § 25(1) TDDDG by storing information on your end device or accessing information that is already stored on your end device. This may involve both personal information and non-personal data, e.g. cookies, browser fingerprints, advertising IDs, MAC addresses and IMEI numbers. An end device is any device directly or indirectly connected to the interface of a public telecommunications network for sending, processing or receiving messages, § 2(2) no. 6 TDDDG.

As a rule, we process this information on the basis of your consent, § 25(1) TDDDG.

To the extent an exception under § 25(2) no. 1 and no. 2 TDDDG applies, we do not require consent. Such an exception applies if we access or store information exclusively in order to transmit a message via a public telecommunications network or if this is strictly necessary so that we can provide a telemedia service expressly requested by you. You may revoke your consent at any time.

We inform you that revoking consent does not affect the lawfulness of processing carried out on the basis of consent up to the time of revocation.

§4 Disclosure of Personal Data

Disclosure of personal data is also processing within the meaning of section 3 above. However, we would like to inform you separately here about the disclosure to third parties. The protection of your personal data is very important to us. For this reason, we are particularly careful when it comes to disclosing your data to third parties.

Data is therefore disclosed to third parties only if there is a legal basis for processing. For example, we disclose personal data to persons or companies that work for us as processors pursuant to Art. 28 GDPR. A processor is anyone who processes personal data on our behalf—i.e. in particular in a relationship subject to our instructions and control.

In accordance with the GDPR, we conclude a data processing agreement with each of our processors in order to oblige them to comply with data protection provisions and thus ensure comprehensive protection of your data.

§5 Storage Period and Deletion

Your personal data will be deleted by us as soon as it is no longer necessary for the purposes for which it was collected or otherwise processed, unless processing is necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defense of legal claims.

§6 SSL/TLS Encryption

For security reasons and to protect the transmission of confidential content—such as inquiries that you send to us as the website operator—this website uses SSL/TLS encryption. You can recognize an encrypted connection by the fact that the browser address line changes from “http://” to “https://” and by the lock symbol in your browser line.

If SSL/TLS encryption is activated, the data you transmit to us cannot be read by third parties.

§7 Use of AI Systems (Artificial Intelligence)

To optimize our processes and improve your personalized visitor experience on our website, your personal data may be processed by artificial intelligence (AI) technologies. AI is used in particular to:

• perform data analyses, • create forecasts, • close security gaps, • and make routine processes more efficient.

The AI used operates in accordance with the principles of the GDPR. Any decisions that have legal or similar effects on you are not made solely by the AI, but are supplemented by human intervention.

§8 Collection and Storage of Personal Data and the Type and Purpose of Its Use

a) External Hosting

Our website is hosted by Amazon WebSevices Inc., P.O. Box 81226, Seattle, WA 98108-1226, USA. For this reason, all personal data collected on our website is stored on our host’s servers, unless an external service of a third party is integrated. This may include the IP address, your email address, communication data or similar. Which specific personal data is involved can be found below in the individual functions and services we describe. If we use an external service of a third party, this is made clear in the description of the respective service or tool.

The host processes your data only on our instructions and insofar as this is necessary for the provision of services on the website. The host does not process the data for its own purposes. We have concluded a data processing agreement with it.

b) When Visiting the Website

When you access our website, information is automatically sent by the browser used on your end device to the server of our website. This information is temporarily stored in a so-called log file. The following information is collected without any action on your part and stored until it is automatically deleted:

• IP address of the requesting device • date and time of access • name and URL of the retrieved file • website from which access is made (referrer URL) • browser used and, if applicable, the operating system of your device as well as the name of your access provider

We process the above data for the following purposes:

• ensuring a smooth connection setup of the website • ensuring convenient use of our website • evaluation of system security and stability • error analysis • other administrative purposes

Data that allows conclusions to be drawn about your person, such as the IP address, is deleted at the latest after 7 days. If we store the data beyond this period, it is pseudonymized so that it can no longer be attributed to you.

The legal basis for data processing is Art. 6(1) sentence 1 lit. f GDPR. Our legitimate interest follows from the purposes for data collection listed above. Under no circumstances do we use the collected data for the purpose of drawing conclusions about your person.

c) Use of the “Storyblok” Service

Our website uses the “Storyblok” service, a content management system (CMS) provided by Storyblok GmbH, Peter-Behrens-Platz 9, 4040 Linz, Austria.

Storyblok is a headless CMS used to operate and manage our website. By integrating the service, we can create and provide content more flexibly and efficiently. For these purposes, the following data is processed, among other things:

• your IP address, • information about your operating system, • content and timestamp of your request.

This data is automatically collected when you use our website and serves security, error analysis, and optimization of the performance and stability of the website.

Processing is carried out on the basis of our legitimate interest pursuant to Art. 6(1) lit. f GDPR, as it is necessary to ensure the stability, security and functionality of our website.

We have concluded a data processing agreement with Storyblok pursuant to Art. 28 GDPR.

Further information on data processing by Storyblok can be found in their privacy policy at: [https://www.storyblok.com/privacy](https://www.storyblok.com/privacy).

d) HubSpot CRM

We have connected the HubSpot CRM system (HubSpot Inc., 25 Street, Cambridge, MA 02141, USA) to our website.

In this context—depending on the function you use—personal data of visitors to our website as well as (potential) customers is processed. The processing of your personal data within our HubSpot CRM system is based on our legitimate interest pursuant to Art. 6(1) sentence 1 lit. f GDPR. Further information on data protection at HubSpot can be found at [https://legal.hubspot.com/de/privacy-policy](https://legal.hubspot.com/de/privacy-policy).

e) Newsletter

Newsletter content and registration data We send our newsletter and carry out statistical surveys and analyses as well as log the registration process only if you order it from us and have given your corresponding consent pursuant to Art. 6(1) sentence 1 lit. a GDPR, § 25(1) TDDDG. The contents of the newsletter are described specifically when registering for the newsletter. To register for the newsletter, it is sufficient to provide your email address. If you provide further voluntary information such as your name and/or gender, this will be used exclusively to personalize the newsletter sent to you.

Double opt-in and logging For security reasons, so that no one can register with third-party email addresses, we use the so-called double opt-in procedure for newsletter registration. After registering, you will first receive an email asking you to confirm your registration. Only upon confirmation does the registration become effective.

In addition, your newsletter registration is logged. Logging includes storing the registration and confirmation time, the data you provided and your IP address. If you make changes to your data, these changes are also logged.

Revocation If you no longer wish to receive our newsletter, you can revoke your consent at any time with effect for the future. To do so, you can click the unsubscribe link at the end of each newsletter or send us an email to: [privacy@nara.de](mailto:privacy@nara.de) Revocation of consent does not affect the lawfulness of processing carried out on the basis of consent up to the time of revocation.

Use of “MailChimp” We send our newsletter with the help of the newsletter service “MailChimp”, offered by Rocket Science Group, LLC (675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA).

The email addresses of our newsletter recipients, as well as other data described in these notices, are stored on MailChimp servers in the USA. MailChimp uses this information to send and evaluate the newsletters on our behalf. Furthermore, according to its own information, MailChimp may use this data to optimize or improve its own services, e.g. for technical optimization of sending and displaying newsletters or for economic purposes to determine from which countries the recipients come. However, MailChimp does not use the data of our newsletter recipients to write to them itself or to pass it on to third parties.

We have concluded a data processing agreement with MailChimp. You can find MailChimp’s data protection provisions here: [[https://mailchimp.com/legal/privacy/](https://mailchimp.com/legal/privacy/)]

Statistical surveys and analyses The newsletters sent via MailChimp contain a so-called “web beacon”, i.e. a pixel-sized file that is retrieved from MailChimp’s server when the newsletter is opened. As part of this retrieval, the following technical information is initially collected:

• information about the browser • information about your system • your IP address • time of retrieval

This information is used to improve the services based on technical data, target groups and their reading behavior, the retrieval locations (which can be determined using the IP address) and the access times.

The statistical surveys also include determining whether and when newsletters are opened and which links in the newsletter are clicked. For technical reasons, this information can be assigned to individual newsletter recipients, but neither we nor MailChimp aim to monitor individual users. The evaluations serve us much more to recognize our users’ reading habits and to adapt our content to them or to send different content according to our users’ interests.

Use of “HubSpot” Registration is carried out with the help of the newsletter service “HubSpot”, offered by HubSpot Inc. (25 First Street, Cambridge, MA 02141, USA).

The email addresses of our interested parties, as well as other data described in these notices, are stored on HubSpot servers in the USA. HubSpot uses this information to send and evaluate participation links on our behalf. Furthermore, according to its own information, HubSpot may use this data to optimize or improve its own services, e.g. for technical optimization of sending and displaying the invitation or for economic purposes to determine from which countries the recipients come. However, HubSpot does not use the data of our interested parties to write to them itself or to pass it on to third parties.

We have concluded the standard contractual clauses with HubSpot. HubSpot does not obtain any right to disclose your data. You can find HubSpot’s data protection provisions here.

f) Book a Demo

We provide a form on our website so that you have the option to book a demo appointment with us. To use the form, you must provide a name for personal salutation, a valid email address and a telephone number for contact purposes so that we know who the request is from and can process it.

If you send us inquiries via the form, your details from the inquiry form, including the contact data you provide there, as well as your IP address, will be processed pursuant to Art. 6(1) sentence 1 lit. b and f GDPR for the implementation of pre-contractual measures carried out at your request or for the purposes of our legitimate interest, namely the exercise of our business activity.

The inquiries and the associated data will be deleted at the latest 3 months after receipt, unless they are required for a further contractual relationship.

§9 Rights of the Data Subject

You have the following rights:

a) Right of access

Pursuant to Art. 15 GDPR, you have the right to request information about your personal data processed by us. This right of access includes information about:

• the purposes of processing • the categories of personal data • the recipients or categories of recipients to whom your data has been disclosed or will be disclosed • the planned storage period or at least the criteria for determining the storage period • the existence of a right to rectification, erasure, restriction of processing or objection • the existence of a right to lodge a complaint with a supervisory authority • the origin of your personal data, if it was not collected from you • the existence of automated decision-making including profiling and, where applicable, meaningful information about the logic involved

b) Rectification

Under Art. 16 GDPR, you have the right to the immediate rectification of inaccurate or incomplete personal data stored by us.

c) Erasure

Under Art. 17 GDPR, you have the right to request the immediate erasure of your personal data stored by us, provided that further processing is not required for one of the following reasons:

• the personal data is still necessary for the purposes for which it was collected or otherwise processed • for exercising the right to freedom of expression and information • for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller • for reasons of public interest in the area of public health pursuant to Art. 9(2) lit. h and i as well as Art. 9(3) GDPR • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing • for the establishment, exercise or defense of legal claims

d) Restriction of processing

Pursuant to Art. 18 GDPR, you may request restriction of the processing of your personal data for one of the following reasons:

• You contest the accuracy of your personal data. • The processing is unlawful and you oppose the erasure of the personal data. • We no longer need the personal data for the purposes of processing, but you need it for the establishment, exercise or defense of legal claims. • You have objected to processing pursuant to Art. 21(1) GDPR.

e) Notification

If you have asserted the right to rectification, erasure or restriction of processing under Art. 16, Art. 17 or Art. 18 GDPR, we will inform all recipients to whom your personal data has been disclosed, unless this proves impossible or involves disproportionate effort. You have the right to request that we inform you of these recipients.

f) Data portability

You have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to request that this data be transmitted to a third party, provided that the processing was carried out by automated means and is based on consent pursuant to Art. 6(1) sentence 1 lit. a or Art. 9(2) lit. a or on a contract pursuant to Art. 6(1) sentence 1 lit. b GDPR.

g) Withdrawal of consent

Pursuant to Art. 7(3) GDPR, you have the right to withdraw your consent given to us at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent up to the time of withdrawal. In the future, we may no longer continue the data processing that was based on your withdrawn consent.

h) Complaint

Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR.

i) Objection

If your personal data is processed on the basis of legitimate interests pursuant to Art. 6(1) sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, insofar as there are grounds relating to your particular situation, or if the objection is directed against direct marketing. In the latter case, you have a general right to object, which we will implement without you having to state your particular situation. If you wish to exercise your right of withdrawal or objection, it is sufficient to send an email to [privacy@nara.de](mailto:privacy@nara.de)

j) Automated individual decision-making including profiling

You have the right not to be subject to a decision based solely on automated processing—including profiling—which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:

i. is necessary for entering into, or performance of, a contract between you and us ii. is authorized by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests iii. is based on your explicit consent

However, such decisions must not be based on special categories of personal data pursuant to Art. 9(1) GDPR, unless Art. 9(2) lit. a or g GDPR applies and appropriate measures to protect your rights and freedoms and your legitimate interests have been taken.

With regard to the cases mentioned in i) and iii), we take appropriate measures to safeguard your rights and freedoms and your legitimate interests, which include at least the right to obtain human intervention on our part, to express your point of view and to contest the decision.

§10 Changes to this Privacy Policy

If we change this privacy policy, this will be indicated on the website.

Status: 28/01/2026