
Privacy Policy
Stephan Crafton - Mind Architects
Version: 01.01.2026
Governing language. This English Privacy Policy is provided for the convenience of international visitors and customers. The definitive German version (Datenschutzerklärung) is available at https://www.stephancrafton.de/datenschutz. In the event of any discrepancy between this English version and the German version, the German version shall prevail. Processing of personal data takes place under the laws of the Federal Republic of Germany and the European Union.
This Privacy Policy informs you, in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 (the “GDPR”), the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”) and the German Telecommunications-Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, “TTDSG”; since May 2024 officially titled Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, TDDDG, with unchanged section numbering), about the nature, scope and purpose of the processing of personal data on our website www.stephancrafton.de and within the context of our business activities. The use of our website is generally possible without providing any personal data. If you wish to use specific services via our website (e.g. contact form, booking via Calendly, payment processing), processing of personal data may become necessary. Where no statutory basis exists for such processing, we obtain your consent.
We have implemented numerous technical and organisational measures as the controller to ensure the most complete protection possible of personal data processed via this website. Nevertheless, internet-based data transmissions may in principle have security gaps, so absolute protection cannot be guaranteed. For this reason, you are free to transmit personal data to us through alternative means, for example by telephone.
1. Definitions
This Privacy Policy is based on the terms used by the European legislator in the GDPR. We use the following definitions, among others:
1.1 Personal data
Personal data means any information relating to an identified or identifiable natural person (the “data subject”) within the meaning of Art. 4 (1) GDPR.
1.2 Data subject
Data subject means any identified or identifiable natural person whose personal data are processed by the controller responsible for the processing.
1.3 Processing
Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4 (2) GDPR).
1.4 Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future (Art. 4 (3) GDPR).
1.5 Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person (Art. 4 (4) GDPR).
1.6 Pseudonymisation
Pseudonymisation means the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information (Art. 4 (5) GDPR).
1.7 Controller
Controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4 (7) GDPR).
1.8 Processor
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art. 4 (8) GDPR).
1.9 Recipient
Recipient means a natural or legal person, public authority, agency or other body, to which the personal data are disclosed (Art. 4 (9) GDPR).
1.10 Third party
Third party means a natural or legal person other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data (Art. 4 (10) GDPR).
1.11 Consent
Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they signify agreement to the processing of personal data relating to them (Art. 4 (11) GDPR).
2. Name and contact details of the controller
The controller within the meaning of the GDPR and other national data protection laws of the Member States of the European Union, as well as other provisions related to data protection, is:
Stephan Crafton - Mind Architects
Groß Schlebach 12
53359 Rheinbach
Germany
Phone: +49 (0)15733666660
E-mail: contact@stephancrafton.de
Website: https://www.stephancrafton.de
VAT ID: DE329963073
2.1 Data Protection Officer
The appointment of a Data Protection Officer is not legally required. If you have any questions or comments regarding data protection, please contact the controller named in section 2 directly.
3. Cookies and similar technologies
Our website uses cookies. Cookies are small text files that a website stores on your device via the web browser. They often contain a so-called cookie ID, a unique identifier consisting of a character string by which websites and servers can recognise the specific browser in which the cookie was stored.
We use technically necessary cookies on the basis of section 25 (2) no. 2 TTDSG to provide functions of the website (e.g. storing your cookie preferences). All non-strictly-necessary cookies, in particular those used for statistical or marketing purposes, are only set with your express consent pursuant to section 25 (1) TTDSG in conjunction with Art. 6 (1) (a) GDPR. You can withdraw your consent at any time via the cookie settings on our website.
You can prevent the setting of cookies through a corresponding setting in your browser at any time and delete cookies that have already been set. If cookies are completely deactivated, not all functions of our website may be usable.
4. Collection of general data and information (server log files)
Our website collects a series of general data and information when accessed by a data subject or an automated system. This data is stored in the server's log files. The following may be collected:
• browser types and versions used
• the operating system used by the accessing system
• the website from which an accessing system reaches our website (so-called referrer)
• the sub-pages accessed via an accessing system
• date and time of access to the website
• a truncated Internet Protocol address (anonymised IP address)
• the internet service provider of the accessing system
• other similar data and information used to defend against attacks on our IT systems
When using this general data and information, we draw no conclusions about the data subject. This information is needed to (1) deliver the contents of our website correctly, (2) improve the contents of our website, (3) ensure the long-term functionality of our IT systems and the technology of our website, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyberattack. The legal basis is Art. 6 (1) (f) GDPR; the legitimate interest is the secure and stable operation of the website. Log files are deleted no later than 30 days after collection unless further retention obligations exist or the data is required to investigate a security incident.
5. Contact via the website or by e-mail
Our website provides our contact details for electronic communication. If you contact us by e-mail or via a contact form, the personal data you transmit (in particular name, e-mail address, content of the request) is automatically stored and processed solely for the purpose of handling your enquiry and any subsequent communication. The data is not passed on to third parties.
The legal basis for the processing is Art. 6 (1) (b) GDPR if your enquiry relates to the conclusion of a contract, or otherwise Art. 6 (1) (f) GDPR; the legitimate interest is the effective handling of enquiries. Data collected in the context of contact will be deleted as soon as it is no longer required for the purpose of its collection, and provided that no statutory retention obligations (in particular under section 257 of the German Commercial Code (HGB) and section 147 of the German Fiscal Code (AO)) prevent erasure.
6. Data processing in the context of contract performance
In the course of our business activities (leadership trainings, coachings, communication trainings, NLP-based training courses and workshops), we process the personal data required for the initiation, performance and invoicing of the contract. This includes in particular name, address, e-mail address, telephone number, any company affiliation and billing data.
The legal basis is Art. 6 (1) (b) GDPR (contract performance and pre-contractual measures) and, where statutory retention obligations apply, Art. 6 (1) (c) GDPR. The data is stored for as long as is necessary for the performance of the contract and is then subject to the statutory retention periods (e.g. ten years under section 147 AO, six years under section 257 HGB).
7. Routine erasure and blocking of personal data
We process and store personal data of the data subject only for the period necessary to achieve the purpose of storage or as provided for by the European legislator or another legislator in laws or regulations to which we are subject. If the purpose of storage no longer applies, or if a storage period prescribed by law expires, the personal data will be routinely blocked or erased in accordance with the statutory provisions.
8. Rights of the data subject
As a data subject, you have numerous rights vis-à-vis us as the controller. In particular:
8.1 Right to confirmation (Art. 15 (1) GDPR)
You have the right to obtain confirmation from us as to whether or not personal data concerning you are being processed.
8.2 Right of access (Art. 15 GDPR)
You have the right to obtain at any time and free of charge information about the personal data stored about you and a copy of this information. You may also request information about:
• the purposes of the processing
• the categories of personal data concerned
• the recipients or categories of recipient to whom the personal data have been or will be disclosed
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
• the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing concerning the data subject, or to object to such processing
• the existence of the right to lodge a complaint with a supervisory authority
• where the personal data are not collected from the data subject, any available information as to their source
• the existence of automated decision-making, including profiling, referred to in Art. 22 GDPR
8.3 Right to rectification (Art. 16 GDPR)
You have the right to obtain from us, without undue delay, the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed.
8.4 Right to erasure (“right to be forgotten”, Art. 17 GDPR)
You have the right to obtain from us the erasure of personal data concerning you without undue delay, where one of the grounds set out in Art. 17 (1) GDPR applies and to the extent that the processing is not necessary.
8.5 Right to restriction of processing (Art. 18 GDPR)
You have the right to obtain restriction of processing where one of the conditions set out in Art. 18 (1) GDPR is met.
8.6 Right to data portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from us, where the processing is based on consent pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR, and the processing is carried out by automated means.
8.7 Right to object (Art. 21 GDPR)
You have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you which is based on Art. 6 (1) (e) or (f) GDPR, including profiling based on those provisions. We will no longer process the personal data in the event of the objection unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing. If you object to processing for direct marketing purposes, we will no longer process the personal data for those purposes.
8.8 Right to withdraw consent (Art. 7 (3) GDPR)
You have the right to withdraw any consent you have given to the processing of personal data at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
8.9 Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
You have the right to lodge a complaint with a supervisory authority at any time, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. The supervisory authority competent for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44
40102 Düsseldorf, Germany
Phone: +49 (0)211 38424-0
E-mail: poststelle@ldi.nrw.de
Website: https://www.ldi.nrw.de
8.10 Automated decision-making, including profiling (Art. 22 GDPR)
Automated decision-making or profiling pursuant to Art. 22 GDPR does not take place.
9. Services used and processors engaged
We use the following external services in connection with our website and our business activities. Processing takes place on the legal basis indicated in each case. Where data is transferred to third countries (in particular the USA), such transfers are based on the safeguards set out in Chapter V GDPR (in particular the EU-US Data Privacy Framework and/or EU Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR).
9.1 Web hosting
Our website is operated with an external hosting provider whose servers are located in the European Union. Personal data collected on our website are stored on the servers of the host (in particular IP addresses, contact requests, meta and communication data, contract data, contact data, names, website access data and other data generated via the website). The use takes place for the purpose of contract performance vis-à-vis our potential and existing customers (Art. 6 (1) (b) GDPR) and in the interest of a secure, fast and efficient provision of our online offering by a professional provider (Art. 6 (1) (f) GDPR). A data processing agreement pursuant to Art. 28 GDPR has been concluded with the host.
9.2 Calendly
We use Calendly on our website to enable the booking of consulting, coaching and training appointments. The operating company is Calendly LLC, 271 17th St NW, Suite 1000, Atlanta, GA 30363, USA.
When using Calendly, personal data such as name, e-mail address, possibly telephone number, the selected time slot and any further information you provide are processed. The data is processed in data centres in the USA, operated by Amazon Web Services (AWS), among others. Connections are TLS-encrypted; data is encrypted at rest. The legal basis is Art. 6 (1) (a) GDPR (consent), which you provide with your booking request, and Art. 6 (1) (b) GDPR for the initiation and performance of the contract. We rely on the EU-US Data Privacy Framework for the transfer of data to the USA.
Privacy policy of Calendly: https://calendly.com/privacy
9.3 Zoom (online video conferencing)
For online coaching, online training and online consulting, we use the Zoom service. Provider is Zoom Video Communications, Inc., 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, USA.
When using Zoom, various types of data are processed, in particular user details (first and last name, e-mail address), meeting metadata (topic, IP address, device/hardware information) and, where applicable, audio, video and chat data. Recordings are made only with the prior express consent of the participants.
The legal basis is Art. 6 (1) (b) GDPR (contract performance) for delivering the booked service and Art. 6 (1) (f) GDPR (legitimate interest in the effective conduct of online events). Where personal data is transferred to Zoom in the USA, this is based on the EU-US Data Privacy Framework and the EU Standard Contractual Clauses. A data processing agreement pursuant to Art. 28 GDPR has been concluded with Zoom.
Further information: https://explore.zoom.us/en/privacy/
9.4 PayPal
On our website we offer payment via PayPal. Provider is PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.
If you choose PayPal as the payment method, the payment data you enter will be transmitted to PayPal in accordance with the PayPal privacy policy. The legal basis for the transfer is Art. 6 (1) (b) GDPR (contract performance). You may object to the processing of your personal data by PayPal at any time. However, an objection will not affect personal data which must be processed for the performance of the contract.
PayPal privacy policy: https://www.paypal.com/en/webapps/mpp/ua/privacy-full
9.5 LinkedIn
We operate a company profile on LinkedIn and may link from our website to our LinkedIn profile. Provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.
When you visit our LinkedIn profile, LinkedIn processes personal data in accordance with its own privacy policy. We ourselves do not receive personal data of the visitors to our profile from LinkedIn, but only aggregated statistics (Page Insights). For these processing operations, LinkedIn and we are joint controllers within the meaning of Art. 26 GDPR. The legal basis is Art. 6 (1) (f) GDPR; the legitimate interest is the public presentation of our business and communication with interested persons.
Joint controller addendum: https://legal.linkedin.com/pages-joint-controller-addendum.
Privacy policy: https://www.linkedin.com/legal/privacy-policy
9.6 Instagram
We operate a company profile on Instagram and may link to it from our website. Provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
When you visit our Instagram profile, Meta processes personal data in accordance with its own privacy policy. Where we receive aggregated insights, we are joint controllers with Meta (Art. 26 GDPR). The legal basis is Art. 6 (1) (f) GDPR; the legitimate interest is the public presentation of our business and communication with our target audience.
Privacy policy: https://privacycenter.instagram.com/policy
9.7 YouTube
We operate a YouTube channel and may embed videos on our website. Provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, USA).
When you access an embedded video, a connection is established with the YouTube servers. We embed videos in extended privacy mode (“no-cookie”), so that YouTube does not set cookies before you actively decide to play. Once the video starts, YouTube may set cookies and similar technologies and process personal data, in particular IP addresses.
The legal basis for embedding is Art. 6 (1) (a) GDPR (consent via our cookie banner) and Art. 6 (1) (f) GDPR (legitimate interest in an appealing presentation of our online offering).
Google privacy policy: https://policies.google.com/privacy
9.8 Substack (newsletter)
We send our newsletter via the Substack platform. Provider is Substack Inc., 548 Market Street PMB 72296, San Francisco, CA 94104, USA.
When you subscribe to our newsletter, you provide us at least with your e-mail address. Substack stores this information in the USA and may collect additional data (e.g. open and click rates of newsletters, device and browser information). We use the double-opt-in procedure: after entering your e-mail address you receive a confirmation message. Your subscription is only active after you click on the confirmation link. The date of subscription, the date of confirmation and the IP address are logged for evidentiary purposes.
The legal basis for sending the newsletter is your consent pursuant to Art. 6 (1) (a) GDPR. You can withdraw your consent at any time with effect for the future, e.g. via the unsubscribe link in each newsletter or by e-mail to us. We rely on the EU-US Data Privacy Framework and on EU Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR for the transfer of data to the USA. A data processing agreement pursuant to Art. 28 GDPR has been concluded with Substack to the extent necessary for the processing.
Substack privacy policy: https://substack.com/privacy
9.9 Stripe (payment processing)
On our website we offer payment processing via Stripe. Provider for customers in the European Economic Area is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (parent company: Stripe, Inc., 354 Oyster Point Boulevard, South San Francisco, CA 94080, USA).
If you choose Stripe as your payment method, the data required for payment processing (in particular first and last name, e-mail address, billing and payment data, device information and, where applicable, credit card or SEPA data) is transmitted directly to Stripe. We ourselves do not receive or store full credit card details. Stripe is certified to the Payment Card Industry Data Security Standard (PCI-DSS).
The legal basis for the processing is Art. 6 (1) (b) GDPR (contract performance) and Art. 6 (1) (f) GDPR (legitimate interest in efficient and secure payment processing). Where Stripe transfers data to its parent company in the USA, such transfer is based on the EU-US Data Privacy Framework and on EU Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR. A data processing agreement pursuant to Art. 28 GDPR has been concluded with Stripe.
Stripe privacy policy: https://stripe.com/privacy
9.10 Microsoft 365
We use Microsoft 365 (in particular Microsoft Outlook, OneDrive for Business and Microsoft Word) for our business communication and administration. Provider for customers in the EEA is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (parent company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA).
When using these services, personal data is processed which arises in the context of communication with us (e.g. e-mail content, attachments, contact data) as well as for contract initiation and performance. Microsoft additionally processes diagnostic and telemetry data to the extent necessary for the operation of the services.
The legal basis is Art. 6 (1) (b) GDPR (contract performance and pre-contractual measures) and Art. 6 (1) (f) GDPR (legitimate interest in professional, secure and reliable business communication and administration). A data processing agreement pursuant to Art. 28 GDPR (Microsoft Products and Services Data Protection Addendum, “DPA”), including the EU Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR, has been concluded with Microsoft. Data transfers to the USA are additionally based on the EU-US Data Privacy Framework (Microsoft is certified).
Microsoft privacy statement: https://privacy.microsoft.com/en-us/privacystatement
9.11 Microsoft Teams
For online meetings, coachings and trainings, we also use Microsoft Teams as an alternative to Zoom. Provider is Microsoft Ireland Operations Limited (see section 9.10).
When using Microsoft Teams, inventory, content, usage, meta and connection data is processed. This includes in particular first and last name, e-mail address, profile picture (if stored), audio, video and chat data during the session, IP address and device/hardware information. Recordings are made only with the prior express consent of the participants.
The legal basis is Art. 6 (1) (b) GDPR (contract performance) for the delivery of the booked service and Art. 6 (1) (f) GDPR (legitimate interest in the effective conduct of online events). The data processing agreement concluded with Microsoft (see section 9.10), including the EU Standard Contractual Clauses, applies. Data transfers to the USA are additionally based on the EU-US Data Privacy Framework.
Further information about Microsoft Teams: https://privacy.microsoft.com/en-us/privacystatement
9.12 Google Analytics 4
We use the web analytics service Google Analytics 4 (GA4) on our website. Provider for users in the EEA is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, USA).
Google Analytics uses cookies and similar technologies that allow analysis of your use of our website. The information generated by the cookie about your use of this website is generally transmitted to a Google server in the USA and stored there. In Google Analytics 4, IP anonymisation is built in and cannot be switched off: your IP address is truncated by Google within the EU before any data is transferred to the USA, and full IP addresses are not stored. Google Signals (cross-device reporting based on Google account data) is deactivated unless otherwise indicated.
The legal basis is solely your consent pursuant to Art. 6 (1) (a) GDPR and section 25 (1) TTDSG, which you provide via our cookie banner. You can withdraw your consent at any time with effect for the future by adjusting the cookie settings on our website. Data transfers to the USA are additionally based on the EU-US Data Privacy Framework (Google is certified) and on EU Standard Contractual Clauses. A data processing agreement pursuant to Art. 28 GDPR has been concluded with Google. We have set the data retention period in Google Analytics to 14 months; user-level and event-level data is automatically deleted once that period has expired.
You can additionally prevent tracking by Google Analytics by installing the browser add-on at: https://tools.google.com/dlpage/gaoptout?hl=en.
Google privacy policy: https://policies.google.com/privacy
9.13 Meta (Facebook, Meta Pixel)
We operate a company page on Facebook and may use the Meta Pixel on our website. Provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (parent company: Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA).
When you visit our Facebook page, Meta processes personal data in accordance with its own privacy policy. To the extent we receive aggregated insights (“Page Insights”), Meta and we are joint controllers within the meaning of Art. 26 GDPR. The essential content of the joint controller arrangement between Meta and us is available at https://www.facebook.com/legal/terms/page_controller_addendum.
Where we use the Meta Pixel on our website, this allows Meta to identify visitors to our website as a target group for the display of advertisements (“Facebook Ads”). The Meta Pixel is loaded only with your express consent pursuant to Art. 6 (1) (a) GDPR and section 25 (1) TTDSG. You can withdraw your consent at any time with effect for the future. Data transfers to the USA are based on the EU-US Data Privacy Framework and on EU Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR.
Meta privacy policy: https://www.facebook.com/about/privacy
10. International data transfers and global applicability
Where we transfer data to service providers in third countries (outside the European Economic Area), this is done only where (i) an adequacy decision of the EU Commission pursuant to Art. 45 GDPR exists (in particular the EU-US Data Privacy Framework for accordingly certified US companies), (ii) appropriate safeguards pursuant to Art. 46 GDPR have been agreed (in particular EU Standard Contractual Clauses pursuant to Implementing Decision (EU) 2021/914, supplemented where necessary by additional technical and organisational measures in line with the Schrems II case law), or (iii) explicit consent pursuant to Art. 49 (1) (a) GDPR has been provided. A list of the service providers used with a third-country reference is set out in section 9 of this policy.
Before any data transfer to a third country, we assess the level of data protection in the recipient country and, if necessary, take additional measures such as encryption, pseudonymisation or contractual safeguards to ensure a level of protection essentially equivalent to that of the EU.
10.1 Global applicability of this Privacy Policy
This Privacy Policy applies to all visitors to our website and customers worldwide. We apply the protection standard of the GDPR uniformly to all personal data, regardless of whether the data subject's residence or place of stay is inside or outside the EEA. Where additional rights or information obligations exist under other national data protection laws (e.g. UK GDPR, Swiss DSG, California CCPA/CPRA, Brazilian LGPD), we supplement the information below as follows:
10.1.1 United Kingdom (UK GDPR)
For persons resident in the United Kingdom, the provisions of the UK GDPR and the Data Protection Act 2018 apply. The data subject rights set out in section 8 are available to you accordingly. Complaints may also be addressed to the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom, https://ico.org.uk.
10.1.2 Switzerland (revDSG)
For persons resident in Switzerland, the revised Swiss Federal Act on Data Protection (revDSG) applies. The rights set out in section 8 are available to you accordingly. The competent supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland, https://www.edoeb.admin.ch.
10.1.3 California, USA (CCPA/CPRA)
For California residents, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) additionally applies. In particular, you have the right to (i) information about the categories of personal information collected over the last 12 months, their sources, processing purposes and recipients; (ii) correction of inaccurate information; (iii) deletion of personal information; (iv) limitation on the use of sensitive personal information; and (v) opt-out of the sale or sharing of your personal information. We do not sell or share personal information within the meaning of the CCPA/CPRA. You may submit requests to the contact details set out in section 2 marked as “California Privacy Request”. We will not discriminate against you for exercising your rights.
10.1.4 Brazil (LGPD) and other jurisdictions
For persons whose data fall within the scope of the Brazilian Lei Geral de Proteção de Dados (LGPD) or comparable data protection laws, the rights described in section 8 apply mutatis mutandis. Requests can be addressed to us via the contact details set out in section 2.
10.1.5 EU representative (Art. 27 GDPR)
As the controller has its registered place of business in the European Union (Germany), the appointment of an EU representative pursuant to Art. 27 GDPR is not required. For controllers established outside the EU/EEA whose processing activities fall within the territorial scope of the GDPR pursuant to Art. 3 (2) GDPR, the respective national requirements apply.
11. Legal bases of processing
We process personal data only on the basis of a lawful processing basis. In particular:
• Art. 6 (1) (a) GDPR: consent of the data subject for one or more specific purposes.
• Art. 6 (1) (b) GDPR: processing necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Art. 6 (1) (c) GDPR: processing necessary for compliance with a legal obligation to which we are subject (e.g. tax or commercial law retention obligations).
• Art. 6 (1) (f) GDPR: processing necessary for the purposes of legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
12. Legitimate interests
Where processing of personal data is based on Art. 6 (1) (f) GDPR, our legitimate interests are the conduct of our business activities, ensuring smooth website operation, responding to enquiries, protection against misuse, and the public presentation of our business.
13. Duration of storage of personal data
The criterion for the duration of storage of personal data is the respective statutory retention period (in particular section 257 HGB and section 147 AO). After the period has expired, the data is routinely deleted, provided it is no longer required for contract performance or contract initiation. Where processing is based on consent, the data is deleted as soon as consent is withdrawn, provided no other legal basis applies.
14. Provision of personal data
We point out that the provision of personal data is partly required by law (e.g. tax regulations) or may also result from contractual provisions. Sometimes it may be necessary for the conclusion of a contract that a data subject provides us with personal data which must subsequently be processed by us. Failure to provide the personal data may have the consequence that the contract cannot be concluded.
15. Minors
Our offering is generally directed at adults. Persons under 18 years of age should not transmit personal data to us without the consent of their legal guardians. We do not knowingly collect personal data from children under 16 years of age, nor do we request such data or pass it on to third parties. If we become aware that we have received personal data of a minor without the necessary consent, we will delete such data without undue delay.
16. Data security
We take technical and organisational measures pursuant to Art. 32 GDPR to protect your personal data against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. These include in particular TLS encryption of the website (HTTPS), access controls, password protection, regular data backups and the contractual obligation of processors to comply with the data protection level of the GDPR. Our security measures are reviewed regularly and adapted in line with technological developments.
17. Changes to this Privacy Policy
We reserve the right to amend this Privacy Policy in order to adapt it to current legal requirements or to changes in our services and data processing operations. The current version of this Privacy Policy is available at any time on our website at www.stephancrafton.de/privacypolicy.
Version: 1 January 2026