Privacy Policy

hallo theo GmbH (hereinafter: “we”, “us”) is pleased that you are visiting our website www.hallotheo.de (hereinafter: the “Website”). Our principle is to collect only what is necessary and to process such information solely for the purposes of providing the services you expect. 
(Last updated: 14 January 2026) 

 

1. Controller 

The controller responsible for processing personal data on our Website within the meaning of the General Data Protection Regulation (hereinafter: “GDPR”) is: 

hallo theo GmbH 
Saarbrücker Straße 21
10405 Berlin 
+49 (0) 30 340 430 00 
support@hallotheo.de 

For data protection inquiries or to exercise your data subject rights, you may contact us at any time by email at: datenschutz@hallotheo.de 


2. Data Protection Officer
 

Our appointed Data Protection Officer is: 

Kertos GmbH 
Brienner Straße 41  
80333 Munich  
Email: dsb@kertos.io 


3. What is Personal Data?
 

Personal data means any information relating to an identified or identifiable natural person. This includes information such as your name, age, address, telephone number, date of birth, email address or IP address. Information for which we cannot (or only with disproportionate effort) establish a link to you as an individual—for example through anonymisation—does not constitute personal data. Any processing of personal data (e.g., collection, querying, use, storage or transmission) always requires a legal basis such as your consent. 


4. Data Processing for Website Provision and Use
 

4.1 Scope and Purpose of Processing 

We use your personal data only to the extent necessary to provide our Website and related services. 

When you visit our Website, your browser automatically transmits personal data to our server, where such data is stored in log files. 

We collect and store the following information without any action from you until it is automatically deleted: 

  • Your computer’s IP address 
  • Date and time of access 
  • Name and URL of the file accessed 
  • Website from which you accessed our Website (referrer URL) 
  • Browser used, and where applicable the operating system and your Internet service provider

     

We process this data in order to: 

  • ensure a smooth connection to our Website 
  • enable convenient use of our Website 
  • ensure IT security

     

4.2 Legal Basis 

We process this data on the basis of Art. 6 (1) (f) GDPR. Processing the above data is necessary to provide the Website and ensure secure and convenient functionality, which constitutes a legitimate interest of our company. 

4.3 Storage Period and Deletion 

Collected data is deleted once it is no longer required for the operation of the Website, at the latest after 30 days. Collection and storage of this data are essential for Website operation and therefore cannot be objected to. In certain cases, data may be stored longer where legally required. 


5. International Data Transfers
 

We primarily process your data within the EU and the EEA. Some service providers, however, are located in so-called “third countries”. The GDPR imposes high requirements for data transfers to such countries. All recipients must fulfil these requirements. Before transferring data to a provider in a third country, we review their data protection level and select them only if they can demonstrate adequate safeguards. Regardless of location, every provider must conclude a data processing agreement with us. For providers outside the EEA, additional requirements apply. Pursuant to Art. 44 et seq. GDPR, data may be transferred to providers that satisfy at least one of the following conditions:

  • An adequacy decision by the European Commission 
  • Standard Contractual Clauses included in the contract 
  • Additional guarantees pursuant to Art. 46 GDPR 
  • Specific derogations under Art. 49 GDPR

     

6. Recipients of Personal Data 

Within our company, only those individuals who require access to your personal data for the respective purposes may access it. Personal data is only transferred to external recipients where we are legally permitted to do so or where you have provided your consent. Below is an overview of the respective recipients: 

6.1 Services for Website Provision 

GoDaddy 

Purpose: Provision of web hosting services and related services for the management and operation of our Website 

Recipient: GoDaddy.com, LLC, 14455 N. Hayden Road, Suite 219, Scottsdale, AZ 85260, USA 

Processed Data: 

  • Contact information (e.g., name, email address) 
  • Payment information (e.g., credit card data, billing address) 
  • Website usage data (e.g., visitor numbers, page views) 
  • Server logs (e.g., IP address, access time) 
  • Domain information (e.g., registration data, WHOIS entries)

     

Legal Basis: Performance of a contract pursuant to Art. 6 (1) (b) GDPR 

Storage Period: For the duration of the contractual relationship and subsequently in accordance with statutory retention periods 

Third Country Transfer: Data transfer to the USA based on Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR 

Further Information: https://de.godaddy.com/legal/agreements/privacy-policy 

 

WordPress 

Purpose: Operation and administration of our Website and provision of content and features 
 
Recipient: Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA  

Processed Data: 

  • Technical data (e.g., IP address, browser type) 
  • Usage data (e.g., page views, visit duration) 
  • User account data (e.g., username, email address) 
  • Comment data (e.g., comment content, timestamps) 
  • Contact form data (e.g., name, email address)

     

Legal Basis: Legitimate interest pursuant to Art. 6 (1) (f) GDPR (Website operation), consent pursuant to Art. 6 (1) (a) GDPR (for user accounts and comments) 

Storage Period: For the duration of Website operation; user accounts and comments until deletion by user or Website operator

Third Country Transfer: Transfer to the USA based on the EU-U.S. Data Privacy Framework pursuant to Art. 45 GDPR 

Further Information: https://automattic.com/privacy/ 


6.2 Content Delivery Network
 

Cloudflare 

Purpose: Acceleration of Website loading times and protection against DDoS attacks via content delivery network 
 
Recipient: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA 
 
Processed Data: 

  • Accessed webpage
  • Browser type 
  • Operating system 
  • Referrer URL 
  • IP address 
  • Requesting provider

     

Legal Basis: Legitimate interest pursuant to Art. 6 (1) (f) GDPR (Website security and performance) 
 
Storage Period: Data may be transmitted and stored on Cloudflare servers in the USA 
 
Third Country Transfer: Transfer to the USA based on the EU-U.S. Data Privacy Framework pursuant to Art. 45 GDPR 

Further Information: https://www.cloudflare.com/privacypolicy/.  


6.3 Requesting an Offer 

Purpose: Preparation of offers and customer communication 
 
Processed Data: 

  • Contact data (e.g., first and last name, email address)
  • Business information (e.g., company name, units to be managed)
  • Communication data (e.g., mobile number, message content)

     

Legal Basis: Consent pursuant to Art. 6 (1) (a) GDPR and pre-contractual measures pursuant to Art. 6 (1) (b) GDPR 

Storage Period: For the duration of the business relationship and thereafter in accordance with statutory retention periods. 

Further information: Providing your personal data is necessary for us to prepare a quote. If you do not provide this data, we cannot create a customized quote. You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. 
 

6.4 Appointment Booking 

Purpose: Online scheduling and management of initial consultation appointments 

Recipient: HubSpot, Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, USA 

Processed Data: 

  • Contact data (e.g., name, email address) 
  • Appointment details (e.g., selected date, time) 
  • Technical data (e.g., IP address, browser type) 
  • Communication preferences (e.g., time zone)

     

Legal Basis: Consent pursuant to Art. 6 (1) (a) GDPR or pre-contractual measures pursuant to Art. 6 (1) (b) GDPR  

Storage Period: For the duration of the business relationship and thereafter in accordance with statutory retention periods; deletion on request 
 
Third Country Transfer: Transfer to the USA based on the EU-U.S. Data Privacy Framework pursuant to Art. 45 GDPR 

Further information: https://legal.hubspot.com/de/privacy-policy 

 

6.5 Applicant Portal 

Softgarden 

Purpose: Management and execution of recruitment processes, including applicant communication and process optimization 

Recipient: Softgarden e-recruiting GmbH, Tauentzienstraße 14, 10789 Berlin, Germany 

Processed Data: 

  • Personal information (e.g., name, date of birth) 
  • Contact details (e.g., email address, telephone number)
  • Application documents (e.g., CV, certificates) 
  • Qualifications and work experience (e.g., education, prior employers, language skills) 
  • Social network profiles (e.g., XING, LinkedIn, Facebook) 
  • Communication history (e.g., emails, interview notes)
  • Application status and progress (e.g., invitations, rejections)

     

Legal Basis: Consent pursuant to Art. 6 (1) (a) GDPR and pre-contractual measures pursuant to Art. 6 (1) (b) GDPR 

Storage Period: Data is stored for the duration of the application process. If the applicant is successfully hired, the data is transferred to their personnel file. If the application is unsuccessful, the data is deleted after 6 months, unless the applicant has consented to longer storage.

Third Country Transfer: None; data processed exclusively within the EU 

Further information: https://www.softgarden.de/unternehmen/datenschutz/ 

 

6.6 Consent Management 

Cookiebot 

Purpose: Management of cookie and tracking consents and documentation of proof of consent 

Recipient: Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark 

Processed Data: 

  • Device data (e.g., IP address, device type) 
  • Event data (e.g., preference settings, interaction with embedded scripts)

     

Legal Basis: Legitimate interest pursuant to Art. 6 (1) (f) GDPR (compliance and documentation obligations) 

Storage Period: up to 180 days  

Further information: https://www.cookiebot.com/de/privacy-policy/

 

6.7 Analytics and Tracking 

Cookies are small text files stored on your device by your browser. Cookies do not execute programs or install malware. Comparable technologies include web storage (local/session storage), fingerprinting, tags and pixels. Most browsers enable such technologies by default; however, you may adjust your settings to block their use or require prior consent. Blocking cookies or similar technologies may impair certain website functionalities.

Purpose: We use tracking and analytics tools to continuously optimise our website and adapt it to your needs. For these purposes, information is collected via the respective technologies or combined with device information (device fingerprinting).

Legal basis: Technologies that are technically required for the operation of the website are used on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR or for the performance of a contract or pre-contractual measures pursuant to Art. 6(1)(b) GDPR. In such cases, storing or accessing information on your device is strictly necessary and carried out pursuant to Sec. 25(2) TDDDG. Optional tools are used exclusively with your consent pursuant to Art. 6(1)(a) GDPR in conjunction with Sec. 25(1) TDDDG. The tracking and analytics tools used, including their respective purposes and processed data, are described below.

 

Google Ads

Purpose: Planning, execution and management of online advertising campaigns as well as measurement of conversions and attribution of website activities (e.g. form submissions) to prior ad clicks. This includes the use of the “Google Click ID” (GCLID) assigned by Google. 

Recipient: Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. 

Categories of processed data: 

  • Access data (e.g. IP address, number of page views) 
  • Usage data (e.g. behaviour on other websites, click paths) 
  • Source and traffic data (e.g. previously visited pages, referrer URL) 
  • Search data (e.g. search terms, queries) 
  • Device data (e.g. device type, screen resolution) 
  • Browser data (e.g. browser used, language settings) 
  • Event data (e.g. ad interactions, banner clicks) 
  • Location data (e.g. country, city – based on IP) 
  • Customer data for enhanced conversions (e.g. email address, hashed via SHA-256) 
  • Online identifiers (e.g. advertising ID, Google Click ID – GCLID)
     

Additional evaluation in our systems: 
If you submit a form on our website after clicking on an ad, the GCLID may be stored together with your details (e.g. contact and transaction data) in our internal systems (e.g. CRM or analytics systems). This enables us to determine which campaigns generated enquiries or conversions and to statistically assess and optimise our advertising activities. No individual profiling for additional purposes takes place. 

Legal basis: Art. 6(1)(a) GDPR and Sec. 25(1) TDDDG 

Storage period: Cookies may be stored for up to 90 days. 

Third-country transfer: Transfer to the USA based on the EU-U.S. Data Privacy Framework (Art. 45 GDPR) and supplementary Standard Contractual Clauses (SCCs). 

Further information: policies.google.com/privacy 

 

Google – Analytics 4  

Purpose: Web analytics 

Recipient: Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. 

Categories of processed data: 

  • Device data (e.g. IP address, device type, screen resolution) 
  • Browser data (e.g. browser used, language, installed plug-ins such as ad blockers) 
  • Usage data (e.g. visited pages, session duration, click paths, scroll depth, entry and exit pages) 
  • Event data (e.g. button/link clicks, form submissions) 
  • Location data (e.g. country, city) 
  • Source and traffic data (e.g. referrer URL, access source such as search engine) 
  • Conversion and goal completion data (e.g. newsletter subscriptions, achieved website goals) 
  • Online identifiers (e.g. advertising ID, Google Click ID – GCLID)

     

Legal basis: Art. 6(1)(a) GDPR and Sec. 25(1) TDDDG 

Third-country transfer: For transfers to the USA, an adequacy decision exists under the EU-U.S. Data Privacy Framework. Google is certified under this framework; transfers are thus based on Art. 45 GDPR. In addition, Standard Contractual Clauses (SCCs) have been concluded with Google. 

Further information: policies.google.com/privacy 

 

Google reCAPTCHA 

Purpose: Detection and prevention of automated requests (bots) to secure the website and contact forms. 

Recipient: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. 

Categories of processed data: 

  • Network data (e.g. IP address, referrer URL) 
  • Device information (e.g. operating system, language settings) 
  • User interactions (e.g. mouse movements, keystrokes) 
  • Session information (e.g. duration of stay, approximate location)

     

Legal basis: Legitimate interest pursuant to Art. 6(1)(f) GDPR (protection of the website against automated requests and ensuring availability). 

Storage period: Data is deleted after transmission to Google. 

Third-country transfer: Transfer to the USA based on the EU-U.S. Data Privacy Framework (Art. 45 GDPR). 

Further information: policies.google.com/privacy 

 

Google – Tag Manager 

Purpose: Management and triggering of website tags via a unified interface. 

Recipient: Google Ireland Limited, … and Google LLC, … 

Categories of processed data: 

  • Access data (e.g. time of page access, referrer URL)
  • Device data (e.g. IP address, device type) 
  • Browser data (e.g. browser used, language settings) 
  • Event data (e.g. tag triggers, interactions with integrated scripts) 
  • Location data (e.g. country, city – based on IP)

     

Legal basis: Art. 6(1)(a) GDPR and Sec. 25(1) TDDDG 

Storage period: Cookies may be stored for up to 90 days. 

Third-country transfer: Transfer to the USA based on the EU-U.S. Data Privacy Framework (Art. 45 GDPR) and supplementary SCCs. 

Further information: policies.google.com/privacy 

 

HubSpot Analytics 

Purpose: Monitoring of website activity and support/optimisation of digital marketing activities. 

Recipient: HubSpot, Inc., 25 First Street, Cambridge, MA 02141, USA. 

Categories of processed data: 

  • Identification data (e.g. unique user token, cookie “hubspotutk”)
  • Access data (e.g. date and time of visit, domain) 
  • Session data (e.g. number and duration of visits) 
  • Device data (e.g. device type, operating system) 
  • Browser data (e.g. browser used, language settings) 
  • Usage data (e.g. visited pages, returning visits) 

Legal basis: Art. 6(1)(a) GDPR and Sec. 25(1) TDDDG 

Storage period: Cookies may be stored for up to 90 days. 

Third-country transfer: Transfer to the USA based on the EU-U.S. Data Privacy Framework (Art. 45 GDPR). 

Further information: policies.google.com/privacy 

 

Evaluation of Advertising Campaigns using the Google Click ID (GCLID) 

Purpose: Attribution of enquiries, leads or orders to our online advertising campaigns and the evaluation and optimisation of marketing activities. 

Recipient: Internal departments (marketing, sales, controlling); where applicable, technical service providers (e.g. CRM or analytics systems) acting as processors. 

Categories of processed data: 

  • Master and contact data (e.g. name, email address, company affiliation) as provided in forms/bookings 
  • Contract and transaction data (e.g. requested/booked services, offers and orders) 
  • Event data (e.g. date/time of enquiry/booking, visited pages) 
  • Online identifiers, in particular the Google Click ID (GCLID) generated when clicking on one of our ads

     

Functionality: If you access our website via one of our online ads (e.g. Google), the click is marked with a GCLID. If you subsequently submit a form or place a booking/order, this GCLID may be stored together with your provided details. This allows us to assess which campaigns resulted in enquiries or conversions.

Legal basis: Your consent pursuant to Art. 6(1)(a) GDPR in conjunction with Sec. 25(1) TDDDG (marketing and tracking consent via the cookie banner). You may withdraw your consent at any time with effect for the future via the cookie banner settings.

Storage period: We store the GCLID and related data only for as long as required to evaluate and optimise the respective campaigns; afterwards the data is deleted or anonymised. 
 

| Name of cookie | Provider | Functionality | Category | Storage period |
|---|---|---|---|---|
| elementor | WordPress | Supporting the visual design of the website | Technically necessary cookies | Infinite |
| wpEmojiSettingsSupports | WordPress | Emoji display support | Technically necessary cookies | Session |
| __cf_bm | Cloudflare | Protection against bot requests and improvement of loading times | Technically necessary cookies | 30 mins |
| test_cookie | Google Adsense | Check whether the browser supports cookies | Marketing/tracking cookies | 15 mins |
| _ga | Google Analytics | Collection of information about website usage | Statistics cookies | 1 yr 1 mth |
| _ga_[ID] | Google Analytics | Collection of information about website usage | Statistics cookies | 1 yr 1 mth |
| rc::a | Google reCAPTCHA | Differentiation between humans and bots when accessing the website | Technically necessary cookies | Infinite |
| rc::c | Google reCAPTCHA | Differentiation between humans and bots when accessing the website | Technically necessary cookies | Session |
| _gcl_au | Google Tag Manager | Optimization of advertising via Google services | Marketing/tracking cookies | 2 mth 29 days |
| _gcl_ls | Google Tag Manager | Optimization of advertising via Google services | Marketing/tracking cookies | Infinite |
| _cfuvid | HubSpot | Providing form functionality | Technically necessary cookies | Session |
| HUBLYTICS_EVENTS_53 | HubSpot | Temporary storage of tracking events until network transmission | Statistics cookies | Session |
| __hmpl | HubSpot | Collection of user preferences and interactions with web campaign content | Statistics cookies | Session |
| __hssc | HubSpot Analytics | Analytical evaluation of user interactions | Statistics cookies | 30 mins |
| __hssrc | HubSpot Analytics | Browser session detection | Statistics cookies | Session |
| __hstc | HubSpot Analytics | Long-term tracking of user interactions | Statistics cookies | 5 mth 27 days |
| hubspotutk | HubSpot Analytics | Tracking user discovery and interactions | Statistics cookies | 5 mth 27 days |
| CookieConsent | Cookiebot | Storage of consent to the use of cookies | Preference cookies | 31 days |
| pll_language | Cookiebot | Storage of the user’s language preferences | Preference cookies | 11 mth 31 days |
| cf_clearance | unknown | Detection of secure access to the website | Technically necessary cookies | 11 mth 31 days |

 

7. Contact via Email 

If you contact us by email, we process the personal data you provide (e.g. name, email address, content of your message) exclusively for the purpose of handling and responding to your request. The legal basis for such processing is generally our legitimate interest in communicating with you pursuant to Art. 6(1)(f) GDPR or – to the extent your enquiry relates to the conclusion or performance of a contract – the performance of pre-contractual measures or fulfilment of a contract pursuant to Art. 6(1)(b) GDPR. We store your data only for as long as is necessary to process your request. Your data will not be disclosed to third parties unless we are legally obliged to do so or such disclosure is strictly necessary for processing your enquiry.

 

8. Data Security and Technical and Organisational Measures

We ensure that your personal data remains secure and confidential. To prevent manipulation, loss or misuse of data, we implement technical and organisational security measures. These measures are regularly reviewed and updated to reflect the current state of the art.

Please note that other parties or institutions on the internet may not comply with data protection rules. In particular, unencrypted data such as emails may be accessible to third parties. This is beyond our control. You are advised to protect your data by using encryption or other suitable measures in order to prevent misuse.

 

9. Storage of Data 

Personal data is deleted or blocked once the purpose for which it has been stored ceases to apply. Continued storage may occur where required by European or national legislation. Data is also deleted or blocked once the applicable statutory retention periods expire, unless the data is required for the performance of a contract.


10. Rights of the Data Subject
 

With regard to your personal data, you have the following rights: 

a) Right of access: You may request confirmation as to whether we process personal data concerning you. If so, you have the right to obtain information regarding the data concerned, the purposes of processing, the recipients of the data and the storage period.

b) Right to rectification: You may request the prompt rectification of inaccurate data. You may also request completion of incomplete data. 

c) Right to erasure: You may request the deletion of your data, in particular if it is no longer required for the purposes for which it was collected, if you withdraw your consent or if the data has been unlawfully processed. 

d) Right to restriction of processing: You may request the restriction of processing, for example if the accuracy of the data is contested. 

e) Right to data portability: You have the right to receive the data you have provided to us in a structured, commonly used and machine-readable format. 

f) Right to object: You may object at any time to the processing of your data, particularly for direct marketing purposes. This also applies to profiling insofar as it is related to such direct marketing. 

g) Right to withdraw consent: You may withdraw your consent to data processing at any time with effect for the future. The lawfulness of processing based on consent prior to withdrawal remains unaffected. 

h) Right to lodge a complaint: You may lodge a complaint with a supervisory authority if you believe that your rights under data protection law have been infringed.

 

11. Change history 

| Date | Version | Reason for changes |
|---|---|---|
| 14.01.26 | 1.0 | First version of the revised data protection information in the new format |