1. Controller
The controller responsible for data processing on this website within the meaning of the GDPR is:
TS Kitchens GmbH, Truong Suarez Digitalagentur, Sternweg 20, 51147 Köln, Germany. Email: john@truong-suarez.de
For data protection inquiries, you can reach us through the same channel. The company has not currently appointed an external data protection officer (its size is below the statutory threshold).
2. Server logs when visiting the website
Each time our website is accessed, technical data is recorded in server log files. The following is processed: anonymized IP address (last bytes truncated); date and time of access; requested URL and HTTP status code; referrer URL (if available); user agent (browser, operating system).
The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in the security and stability of the service). Data is automatically deleted after 14 days. No merging with other data sources takes place.
3. Cookie banner & consent
On your first visit to the website, a cookie banner appears. There you can granularly select which categories of cookies and tracking you allow: Necessary — no consent required (session, consent storage, security); Statistics — anonymized web analytics (GA4); Marketing — conversion tracking for advertising platforms (Meta, TikTok, LinkedIn).
No marketing or statistics cookies are set before consent is given. You can adjust or revoke your choice at any time via the "Cookie settings" link in the footer.
The legal basis for processing after consent is Art. 6 (1) (a) GDPR in conjunction with § 25 (1) TDDDG (formerly TTDSG).
4. Hosting (Vercel) & CDN (Cloudflare)
The website is hosted by Vercel Inc. (440 N Barranca Avenue #4133, Covina, CA 91723, USA). We use Vercel with the EU region (Frankfurt) enabled. For the content delivery network we use Cloudflare Germany GmbH.
Data processing agreements (DPA) as well as Standard Contractual Clauses (SCC) for any data transfers to third countries are in place with both providers. Vercel operates under the EU-US Data Privacy Framework (DPF); the main processing takes place in EU data centers.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in a technically reliable provision of the service).
5. Web analytics with server-side GA4
After consent has been given for "Statistics", we use Google Analytics 4 with a server-side setup. Instead of a direct browser-to-Google connection, events run via our own tagging server at Stape (EU hosting, Germany).
What is collected: anonymized IP address (truncated in the EU region); pages visited, click paths, time spent; referrer, device type, browser; hashed user ID for returning-visitor analysis (only in the login area).
What we do not do: send personally identifiable data (name, email) to Google; transmit plain-text identifiers to Google; link data across devices without explicit consent.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The EU-US Data Privacy Framework applies to any transfers to the USA.
Storage period: 14 months, then automatic deletion. Legal basis: consent (Art. 6 (1) (a) GDPR).
6. Meta Pixel + Conversions API
After consent has been given for "Marketing", we use the Meta Pixel and the Meta Conversions API (CAPI) for conversion tracking of our ads on Facebook and Instagram.
Mandatory server-side setup: user data is hashed (SHA-256) before transmission to Meta; deduplication of browser pixel and server-side events via event IDs; hashed email addresses and phone numbers are used for advanced conversion matching.
Provider: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland. We have concluded a Joint Controllership Addendum (JCA) with Meta.
Storage period: Up to 180 days in Meta systems, then automatic deletion. Legal basis: consent (Art. 6 (1) (a) GDPR).
7. TikTok Events API
After consent for "Marketing", we use the TikTok Events API for conversion tracking of TikTok ads. The data architecture corresponds to the Meta CAPI logic: hashing of personal data before sending, server-side transmission via the Stape EU server.
Provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, Ireland. Standard Contractual Clauses are in place.
Legal basis: consent (Art. 6 (1) (a) GDPR).
8. LinkedIn Insight Tag
After consent for "Marketing", we use the LinkedIn Insight Tag to measure conversions from LinkedIn ads. Data is sent via our server-side container, with hashing according to the LinkedIn specification.
Provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.
Legal basis: consent (Art. 6 (1) (a) GDPR).
9. Cookiebot
To obtain and manage consent in a legally compliant manner, we use Cookiebot from Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark. Cookiebot documents your consent decision with a timestamp and consent ID.
Cookiebot processes data exclusively in the EU. Legal basis: Art. 6 (1) (c) GDPR (legal obligation to obtain consent) as well as Art. 6 (1) (f) GDPR (legitimate interest in audit-ready documentation).
10. Contact and inquiry form
If you use our contact form or inquiry form at /kontakt, we process the following data to handle your request: name, email address; company (optional); subject + budget range (for preparation); the content of your message.
The data is stored in an EU-hosted PostgreSQL database (Vercel Postgres EU) and additionally sent to us by email (see Section 12).
Storage period: 6 months after the last contact, then automatic deletion. If a collaboration comes about, the data is stored longer as part of the business relationship.
Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures) or Art. 6 (1) (a) GDPR (consent via the form checkbox).
11. Cal.com (appointment booking)
For the direct booking of an initial consultation, we use Cal.com Inc. (548 Market St, San Francisco, CA 94104, USA) with EU hosting (Frankfurt) enabled. The following is transmitted when booking: name, email address, selected appointment; optionally: message text and phone number.
The calendar is synchronized with Google Calendar. A DPA is in place with Cal.com. Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures).
Alternative: If you do not want to use Cal.com, write to us by email — we will arrange the appointment manually.
12. Email delivery (Postmark / Resend)
For transactional email delivery (confirmations, replies to form inquiries) we use either Postmark (ActiveCampaign LLC, Chicago, USA; EU region Frankfurt) or Resend (Resend Inc., San Francisco, USA; EU region Frankfurt).
DPAs and SCCs are in place with both providers. The email content is used exclusively for delivery, not for further analysis or advertising.
Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures).
13. Social profile links
On our website we link to our profiles on LinkedIn. These are simple hyperlinks — no embedded plugins, no tracking by social media providers before the click.
Only when you click a link and navigate to LinkedIn does the privacy policy of the respective provider apply: linkedin.com/legal/privacy-policy.
14. Rights of the data subject
You have the following rights at any time: access to the data stored about you (Art. 15 GDPR); rectification of incorrect or incomplete data (Art. 16 GDPR); erasure of your data (Art. 17 GDPR) — provided no statutory retention obligation prevents it; restriction of processing (Art. 18 GDPR); data portability in a structured, commonly used format (Art. 20 GDPR); withdrawal of a given consent with effect for the future (Art. 7 (3) GDPR); objection to processing based on legitimate interest (Art. 21 GDPR).
An informal email to john@truong-suarez.de is sufficient. We respond to requests within the statutory deadline (usually within one month).
15. Right to lodge a complaint with the supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority about our data processing. The authority responsible for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf
16. Updates to this statement
We update this privacy policy when tools, processes, or the legal situation change. You will always find the current version on this page. For the last update, see above ("Last updated").
For material changes that affect you (e.g. new processing purposes), we will obtain your consent again.