Privacy Policy

This statement informs you pursuant to Art. 13 GDPR about the processing of personal data when you visit this website.

1. Controller

Baltasaar Services GmbH
Gensinger Str. 14, 55457 Horrweiler, Germany
Managing Director: Christian Heinz
Email: hello@christianheinz.com
HRB 38168 (Local Court of Augsburg) · VAT ID DE346169366

2. Hosting

This website is hosted on servers within the European Union (providers: Contabo / Hetzner, Germany). No data is transferred to third countries unless explicitly stated in this notice.

3. Access data (server logs)

When you access this website, technically necessary data is processed: IP address (shortened), date/time, user-agent, referrer, requested URL. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operation). Retention: max. 14 days.

4. Cookies and local storage

We use technically necessary cookies and localStorage entries (e.g. to store your cookie decision, language preference, and theme). Audience measurement and web analytics — both first-party (self-hosted, EU) and selected third-party providers — are used exclusively on the basis of your consent (Art. 6(1)(a) GDPR, § 25(1) TTDSG); without consent, no such measurement takes place. Providers in use, purposes, and retention periods will be added to this notice once activated. Legal basis for necessary storage: § 25(2) no. 2 TTDSG.

5. Contact / chat widget

You can reach us by email or via the chat widget embedded in the site. For the chat widget:

• Only your messages and any voluntarily provided contact details are transmitted.
• To generate replies we use an AI service from Anthropic PBC (Claude), accessed on EU infrastructure. Prompt content is processed exclusively to reply to the specific request and is not used for model training (zero-retention via the Anthropic API).
• On escalation, your request is forwarded via Telegram to the team. Telegram is operated by Telegram FZ LLC, headquartered outside the EU; safeguards via Art. 49(1)(a) GDPR (your consent through active use of the chat with an escalation notice).
• Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) and Art. 6(1)(a) (consent).
• Retention: max. 90 days, after which the data is deleted or pseudonymised.

6. Form submissions (strategy call / executive assessment / ROI report)

Your form data (name, email, company, ROI details where applicable, message) is stored to process your request (Art. 6(1)(b) GDPR). In parallel with storage, a summary of your request is forwarded via Telegram to the team for timely handling (see section 5 on Telegram).

Retention: max. 36 months (3 years) from the last contact, after which automatic deletion follows, unless commercial or tax retention obligations apply. Every record carries an internal retention_until date; a regular sweep job removes records once they mature.

7. Appointment booking (booking.christianheinz.com)

If you navigate to booking.christianheinz.com and book a slot there, your details (name, email, company, phone, message, chosen slot) are processed on a server operated by the controller within the EU. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures).

The following processors are involved in the booking flow:

• Cloudflare, Inc. (USA) — edge proxy and DDoS protection for the christianheinz.com domain. Processes IP address and user-agent, among others, to secure the connection. Third-country transfer on the basis of the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR); a Data Processing Addendum with Cloudflare is in place.
• Google LLC (USA) — Google Calendar and Gmail for automatically sending the booking confirmation and calendar invitation. Third-country transfer on the basis of the EU Standard Contractual Clauses; a data-processing agreement via Google Workspace is in place.

Retention for booking-request data: max. 36 months from the last contact, with the same deletion mechanism as in section 6.

8. Your rights

Under GDPR you have the right to:

• Access (Art. 15)
• Rectification (Art. 16)
• Erasure (Art. 17)
• Restriction of processing (Art. 18)
• Data portability (Art. 20)
• Objection (Art. 21)
• Withdrawal of previously given consent (Art. 7(3)), with future effect
• Lodging a complaint with a supervisory authority (Art. 77), in Germany e.g. BayLDA

A plain-text email to hello@christianheinz.com is enough to exercise any of these.

9. No automated decision-making

No automated decision-making within the meaning of Art. 22 GDPR takes place.

10. SSL/TLS

This website uses end-to-end TLS encryption (HTTPS via Let's Encrypt).

Last updated: April 2026 · Imprint · Deutsche Fassung