Privacy Policy.

The controller responsible for the processing of personal data on this website is:

WP Nova GmbH · Sedelhofgasse 13 · 89073 Ulm · Germany

Phone · +49 172 6772963 · Email · info@wp-nova.ai

We have not appointed a data protection officer. The legal thresholds of § 38 BDSG do not apply to us. Enquiries regarding data protection can be sent to the address above.

Under the GDPR, you have the following rights regarding personal data concerning you:

• Right of access (Art. 15 GDPR) — to know whether we process your data, and if so which
• Right to rectification (Art. 16 GDPR) — to correct inaccurate data
• Right to erasure (Art. 17 GDPR) — to have your data deleted
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object to processing (Art. 21 GDPR), in particular to processing based on legitimate interests
• Right to withdraw consent at any time (Art. 7 (3) GDPR), without affecting the lawfulness of processing based on consent before its withdrawal
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The authority responsible for us is the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart.

This website is hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany, on servers located in the European Union. Hetzner acts as a processor on our behalf under a data processing agreement pursuant to Art. 28 GDPR.

We may additionally route traffic through Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA) as a reverse proxy and for protection against attacks. Where Cloudflare is used, it acts as a processor under an EU-approved data processing agreement and the European Commission Standard Contractual Clauses as a transfer safeguard (Art. 46 (2) (c) GDPR).

When you access this website, our server or the upstream proxy automatically records technical information in log files:

• IP address of the requesting device (stored in shortened form where possible)
• Date and time of the request
• Requested URL and HTTP status code
• User agent string and referrer (if transmitted)
• Amount of data transferred

Processing is based on our legitimate interest in operating a stable, secure website (Art. 6 (1) (f) GDPR). Log files are kept for a maximum of 14 days and are then deleted or anonymised, unless they are required for longer to investigate a specific security incident.

If you contact us via the contact form or by email, the data you enter (name, email address, company, message) is transmitted to us via Microsoft Graph and delivered to a mailbox operated by us on Microsoft 365 (Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland).

Content of contact form submissions is not stored in our application database — it is processed solely by email.

Legal basis: Art. 6 (1) (b) GDPR where the enquiry relates to the performance of a contract or pre-contractual measures; otherwise Art. 6 (1) (f) GDPR on the basis of our legitimate interest in responding to enquiries.

Retention: we retain enquiries for as long as needed to handle your request and, where applicable, to comply with statutory retention obligations (typically up to 6 or 10 years under §§ 147 AO, 257 HGB). Beyond that, messages are deleted.

Microsoft may transfer data to the United States. Where this happens, Microsoft relies on the EU-US Data Privacy Framework and the European Commission Standard Contractual Clauses (Art. 46 (2) (c) GDPR) as transfer safeguards.

Subject to your consent, we use PostHog, a product analytics tool, to understand how visitors use our website. The service is operated by PostHog, Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA, via its EU infrastructure at eu.i.posthog.com, where all event data for this website is stored.

PostHog processes data such as pages viewed, interactions, device type, coarse location (derived from IP), referrer and a pseudonymous identifier stored in browser storage. We have configured PostHog so that profiles are only created for explicitly identified users.

Legal basis: your consent pursuant to Art. 6 (1) (a) GDPR and § 25 (1) TTDSG. You can withdraw consent at any time via the "Cookie settings" link in the site footer; withdrawal does not affect the lawfulness of prior processing. If you do not consent, no analytics data is collected.

Retention: PostHog event data is retained for up to 12 months. A data processing agreement pursuant to Art. 28 GDPR is in place with PostHog.

We use the following categories of data stored on your device:

• Essential — a localStorage entry (wpnova.consent) that remembers your cookie choice, plus your theme and language preference. These are required for the site to function and are set on the basis of § 25 (2) no. 2 TTDSG.
• Analytics (optional) — PostHog sets cookies and localStorage entries to recognise returning visitors and tie events into sessions. Only set after you accept in the consent banner.

You can revoke or change your cookie choice at any time via the "Cookie settings" link in the site footer. You can also delete cookies and localStorage in your browser settings.

Where personal data is transferred to recipients outside the European Economic Area (for example Microsoft 365, Cloudflare, or PostHog), we rely on one of the safeguards under Chapter V GDPR — typically the European Commission Standard Contractual Clauses (Art. 46 (2) (c) GDPR), supplemented by the EU-US Data Privacy Framework adequacy decision where applicable.

On request, we will provide a copy of the safeguards in place.

We only share personal data where this is necessary. Regular recipients acting as processors on our behalf are:

• Hetzner Online GmbH — hosting (EU)
• Cloudflare, Inc. — reverse proxy / DDoS protection, where enabled (US; SCCs + EU-US DPF)
• Microsoft Ireland Operations Limited — business email / Microsoft 365 (EU with possible transfer to US under SCCs + EU-US DPF)
• PostHog, Inc. — analytics, EU infrastructure (US entity; SCCs + EU-US DPF)

We maintain appropriate technical and organisational measures in line with Art. 32 GDPR to protect personal data against unauthorised access, accidental loss, alteration or disclosure. This includes encrypted connections (HTTPS/TLS), access controls and regular review of our processing activities.

We may update this policy to reflect changes in our processing activities or legal requirements. The current version is always available at this URL. Substantial changes will be indicated by an updated "Last updated" date above.