This Privacy Policy explains how WastedStudios UG (haftungsbeschränkt) (the “Controller”, “we”, “us”) processes personal data when you visit and use our website and related pages, features and content (together, the “Website”). It also describes your rights under the EU General Data Protection Regulation (“GDPR”) and German rules on end-device access (Telecommunications-Digitale Services Data Protection Act – “TDDDG”, § 25).
1. CONTROLLER (ART. 13(1)(A) GDPR)
WastedStudios UG (haftungsbeschränkt)
Lindwurmstr. 145
80337 Munich
Germany
Email: hello [at] wastedstudios.com
Register Court: Amtsgericht München (Munich District Court)
Registration number: HRB 223991
VAT ID: DE 304 847 583
2. SUPERVISORY AUTHORITY (ART. 13(2)(D) GDPR)
You have the right to lodge a complaint with a supervisory authority. For private-sector organisations established in Bavaria (Germany), the competent supervisory authority is generally:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 27
91522 Ansbach
Germany
Phone: +49 981 53-1300
Email: [email protected]
3. KEY DEFINITIONS
“Personal data” means any information relating to an identified or identifiable natural person.
“Processing” means any operation performed on personal data (e.g., collection, storage, use, disclosure).
4. YOUR RIGHTS (ART. 12–22 GDPR)
Subject to legal requirements, you have the right to:
– Access your personal data (Art. 15 GDPR)
– Rectification (Art. 16 GDPR)
– Erasure (Art. 17 GDPR)
– Restriction of processing (Art. 18 GDPR)
– Data portability (Art. 20 GDPR)
– Object to processing based on legitimate interests (Art. 21 GDPR), in particular to direct marketing
– Withdraw consent at any time with effect for the future (Art. 7(3) GDPR)
To exercise your rights, contact us using the details in section 1.
5. GENERAL INFORMATION ON OUR PROCESSING ACTIVITIES (ART. 13 GDPR)
5.1 Categories of data we may process
Depending on how you use the Website, we may process:
– Usage data (e.g., pages visited, interactions, timestamps)
– Device and log data (e.g., IP address, browser type/version, operating system, referrer URL)
– Communication data (e.g., email content when you contact us)
– Cookie identifiers and similar online identifiers (depending on your consent settings)
5.2 Legal bases
We process personal data only if permitted under the GDPR, in particular:
– Consent (Art. 6(1)(a) GDPR)
– Contract / pre-contractual measures (Art. 6(1)(b) GDPR)
– Legal obligation (Art. 6(1)(c) GDPR)
– Legitimate interests (Art. 6(1)(f) GDPR)
Where we store or access information on your end device (e.g., cookies, local storage, similar identifiers), we also comply with § 25 TDDDG:
– Consent is generally required (§ 25(1) TDDDG), unless
– The storage/access is strictly necessary to provide a service expressly requested by you (§ 25(2) TDDDG).
6. WEBSITE HOSTING AND SERVER LOG FILES
6.1 Hosting provider (processor)
ALL-INKL.COM – Neue Medien Münnich
Hauptstr. 68
02742 Friedersdorf
Germany
6.2 What we process
When you access the Website, our hosting provider automatically processes server log data, which may include:
– IP address
– Date/time of access
– Requested URL/file, status code
– Referrer URL
– Browser/OS information
– Amount of data transferred
6.3 Purposes and legal basis
We process log data to ensure the security and stability of the Website (e.g., defense against attacks, troubleshooting).
Legal basis: Art. 6(1)(f) GDPR (legitimate interests in secure and reliable operation).
6.4 Retention
Log data is generally stored for up to 7 days and then deleted, unless a longer retention is required to investigate security incidents.
7. CONTENT DELIVERY NETWORK (CDN) – CLOUDFLARE
7.1 Provider
We use Cloudflare as a CDN and security service to improve performance and protect the Website (e.g., DDoS mitigation, firewalling).
Cloudflare Germany GmbH, c/o Design Offices München Atlas, Rosenheimer Straße 143C – 8th floor, 81671 München, Germany
7.2 Data processed
Depending on configuration and traffic, Cloudflare may process:
– IP address
– Request/response metadata (URLs, headers)
– Device/browser information
– Security-related events and logs
7.3 Purposes and legal basis
Purpose: Website delivery, performance, stability, and protection against abuse/attacks.
Legal basis: Art. 6(1)(f) GDPR (legitimate interests in secure and efficient operation).
7.4 International transfers
Cloudflare is headquartered in the USA and may process data in the USA and other countries. Where applicable, transfers are based on an adequacy decision (EU–U.S. Data Privacy Framework) and/or EU Standard Contractual Clauses with additional safeguards, depending on configuration and recipient entity.
8. CONSENT MANAGEMENT AND SIMILAR TECHNOLOGIES
8.1 Strictly necessary technologies
Strictly necessary cookies/technologies are used to provide the Website functions you request.
Legal basis: Art. 6(1)(f) GDPR and § 25(2) TDDDG (strict necessity).
9. MATOMO (SELF-HOSTED WEB ANALYTICS)
We use the open-source web analytics tool Matomo to analyse how our Website is used and to improve its content and functionality.
9.1 Provider
Matomo is operated by us on our own servers (self-hosted).
No data is transmitted to third-party analytics providers.
WastedStudios UG (haftungsbeschränkt)
Lindwurmstr. 145
80337 Munich
Germany
9.2 Data processed
When you visit our Website, Matomo processes usage data that may include:
IP address (shortened/anonymised before storage)
Pages visited and navigation paths
Date and time of the request
Referrer URL (the previously visited page)
Browser type and version
Operating system
Device type and screen resolution
Approximate geographic location (based on anonymised IP)
The data is processed in aggregated form for statistical analysis.
9.3 Cookies and identifiers
Matomo is configured to operate without tracking cookies.
No cookies or similar identifiers are stored on your device for analytics purposes.
9.4 Purposes and legal basis
Purpose: reach measurement, website statistics and optimisation of our online offering.
Legal basis:
Art. 6(1)(f) GDPR (legitimate interest in analysing and improving the performance and usability of our Website) in conjunction with § 25(2) TDDDG where no storage of information on the end device takes place.
Our legitimate interest lies in understanding how our Website is used so that we can improve its functionality, content and user experience.
9.5 Data retention
Analytics data collected through Matomo is stored for a limited period and then automatically deleted or aggregated. Raw log data is generally retained for a maximum of 12 months, after which it is deleted or anonymised.
9.6 Objection
You have the right to object to the processing of your data for analytics purposes at any time pursuant to Art. 21 GDPR. If you object, we will stop processing your data for these purposes.
10. EMBEDDED YOUTUBE VIDEOS (PRIVACY-ENHANCED MODE)
Our Website embeds YouTube videos. We use YouTube’s privacy-enhanced mode (youtube-nocookie.com). When you load or play a video, YouTube/Google may still process personal data (e.g., IP address, device data) and may store/read information on your device (e.g., cookies), depending on your settings and interaction.
Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG (consent), unless the embedded content is strictly necessary in a specific case.
We recommend implementing a two-click solution so that YouTube content is loaded only after you consent or click to play.
11. FONTS (SELF-HOSTED GOOGLE FONTS)
We primarily use self-hosted fonts. On some pages, Google Fonts may be used.
– If fonts are served from our own servers: no data is transmitted to Google for font delivery.
– If fonts are loaded from Google servers (e.g., fonts.googleapis.com / fonts.gstatic.com): your IP address and technical request data are transmitted to Google.
Where Google Fonts are loaded from Google servers, we rely on consent (Art. 6(1)(a) GDPR and § 25(1) TDDDG) unless fonts are strictly necessary in a specific case. We recommend self-hosting fonts wherever possible.
12. CONTACTING US (EMAIL)
When you contact us, we process your message and contact details to respond.
Legal basis:
– Art. 6(1)(b) GDPR if your request relates to a contract or pre-contractual measures, otherwise
– Art. 6(1)(f) GDPR (legitimate interest in handling inquiries)
Retention: We store communications for as long as necessary to process your request and then delete them, unless longer storage is required (e.g., for legal defense or statutory retention).
Provision of data: Providing your contact details is necessary to respond. If you do not provide the required information, we may be unable to process your request.
13. CUSTOMER RELATIONSHIPS / CONTRACTS (IF APPLICABLE)
If you become a customer, we process the data necessary to provide our services, manage the relationship, and issue invoices.
Legal basis: Art. 6(1)(b) GDPR (contract) and Art. 6(1)(c) GDPR (legal obligations, e.g., tax and commercial retention).
Retention: According to statutory retention periods (e.g., commercial and tax law), where applicable.
Provision of data: Contract-related data is required to conclude and perform a contract. Without it, we cannot provide contractual services.
14. SOCIAL MEDIA LINKS
Our Website contains links to our social media presences. When you click a link, you will be redirected to the respective platform. From that point on, the platform provider processes personal data under its own responsibility. Please consult the respective providers’ privacy notices.
We do not use social media tracking pixels or embedded social media plugins on our Website (only links).
15. RECIPIENTS, PROCESSORS AND DISCLOSURES
We share personal data only as necessary for the purposes described above, in particular with:
– Processors (Art. 28 GDPR) such as our hosting provider (section 6) and CDN/security provider (section 7)
– Analytics provider (section 9), if you consent
– Authorities or third parties where we are legally obliged to do so (Art. 6(1)(c) GDPR) or where disclosure is necessary to establish, exercise or defend legal claims (Art. 6(1)(f) GDPR)
16. INTERNATIONAL DATA TRANSFERS
If we transfer personal data to recipients outside the EU/EEA (e.g., Cloudflare/Google depending on configuration), we ensure an adequate level of protection, for example through:
– Adequacy decisions (e.g., EU–U.S. Data Privacy Framework where applicable), and/or
– EU Standard Contractual Clauses and additional safeguards.
You can request further information on the safeguards in place by contacting us.
17. DATA RETENTION (ART. 13(2)(A) GDPR)
Unless stated otherwise above, we delete personal data when it is no longer necessary for the purposes for which it was collected, and we have no legal obligation to retain it. Where retention obligations apply, processing is restricted accordingly.
18. SECURITY (ART. 32 GDPR)
We use appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
19. AUTOMATED DECISION-MAKING / PROFILING (ART. 13(2)(F) GDPR)
We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.
20. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time (e.g., to reflect changes in processing or legal requirements). The “Last updated” date at the top indicates when this Privacy Policy was last revised.
Last updated: 10 March 2026
