This Privacy Policy explains how WastedStudios UG (haftungsbeschränkt) (the “Controller”, “we”, “us”) processes personal data when you visit and use our website and related pages, features and content (together, the “Website”). It also describes your rights under the EU General Data Protection Regulation (“GDPR”) and German rules on end-device access (Telecommunications Digital Services Data Protection Act – “TDDDG”, § 25).
1. CONTROLLER (ART. 13(1)(A) GDPR)
WastedStudios UG (haftungsbeschränkt)
Lindwurmstr. 145
80337 Munich
Germany
Email: hello [at] wastedstudios.com
Register Court: Amtsgericht München (Munich District Court)
Registration number: HRB 223991
VAT ID: DE 304 847 583
2. SUPERVISORY AUTHORITY (ART. 13(2)(D) GDPR)
You have the right to lodge a complaint with a supervisory authority. For private-sector organisations established in Bavaria (Germany), the competent supervisory authority is generally:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 27
91522 Ansbach
Germany
Phone: +49 981 53-1300
Email: [email protected]
3. KEY DEFINITIONS
“Personal data” means any information relating to an identified or identifiable natural person.
“Processing” means any operation performed on personal data (e.g., collection, storage, use, disclosure).
4. YOUR RIGHTS (ART. 12–22 GDPR)
Subject to legal requirements, you have the right to:
– Access your personal data (Art. 15 GDPR)
– Rectification (Art. 16 GDPR)
– Erasure (Art. 17 GDPR)
– Restriction of processing (Art. 18 GDPR)
– Data portability (Art. 20 GDPR)
– Object to processing based on legitimate interests (Art. 21 GDPR), in particular to direct marketing
– Withdraw consent at any time with effect for the future (Art. 7(3) GDPR)
To exercise your rights, contact us using the details in section 1.
5. GENERAL INFORMATION ON OUR PROCESSING ACTIVITIES (ART. 13 GDPR)
5.1 Categories of data we may process
Depending on how you use the Website, we may process:
– Usage data (e.g., pages visited, interactions, timestamps)
– Device and log data (e.g., IP address, browser type/version, operating system, referrer URL)
– Communication data (e.g., email content when you contact us)
– Cookie identifiers and similar online identifiers (depending on your consent settings)
5.2 Legal bases
We process personal data only if permitted under the GDPR, in particular:
– Consent (Art. 6(1)(a) GDPR)
– Contract / pre-contractual measures (Art. 6(1)(b) GDPR)
– Legal obligation (Art. 6(1)(c) GDPR)
– Legitimate interests (Art. 6(1)(f) GDPR)
Where we store or access information on your end device (e.g., cookies, local storage, similar identifiers), we also comply with § 25 TDDDG:
– Consent is generally required (§ 25(1) TDDDG), unless
– The storage/access is strictly necessary to provide a service expressly requested by you (§ 25(2) TDDDG).
6. WEBSITE HOSTING AND SERVER LOG FILES
6.1 Hosting provider (processor)
ALL-INKL.COM – Neue Medien Münnich
Hauptstr. 68
02742 Friedersdorf
Germany
6.2 What we process
When you access the Website, our hosting provider automatically processes server log data, which may include:
– IP address
– Date/time of access
– Requested URL/file, status code
– Referrer URL
– Browser/OS information
– Amount of data transferred
6.3 Purposes and legal basis
We process log data to ensure the security and stability of the Website (e.g., defense against attacks, troubleshooting).
Legal basis: Art. 6(1)(f) GDPR (legitimate interests in secure and reliable operation).
6.4 Retention
Log data is generally stored for up to 7 days and then deleted, unless a longer retention is required to investigate security incidents.
7. CONTENT DELIVERY NETWORK (CDN) – CLOUDFLARE
7.1 Provider
We use Cloudflare as a CDN and security service to improve performance and protect the Website (e.g., DDoS mitigation, firewalling).
Cloudflare Germany GmbH, c/o Design Offices München Atlas, Rosenheimer Straße 143C – 8th floor, 81671 München, Germany
7.2 Data processed
Depending on configuration and traffic, Cloudflare may process:
– IP address
– Request/response metadata (URLs, headers)
– Device/browser information
– Security-related events and logs
7.3 Purposes and legal basis
Purpose: Website delivery, performance, stability, and protection against abuse/attacks.
Legal basis: Art. 6(1)(f) GDPR (legitimate interests in secure and efficient operation).
7.4 International transfers
Cloudflare is headquartered in the USA and may process data in the USA and other countries. Where applicable, transfers are based on an adequacy decision (EU–U.S. Data Privacy Framework) and/or EU Standard Contractual Clauses with additional safeguards, depending on configuration and recipient entity.
8. COOKIES, CONSENT MANAGEMENT AND SIMILAR TECHNOLOGIES
8.1 What we use
We may use cookies and similar technologies (e.g., local storage, pixels). Some are strictly necessary for the Website to function; others are optional and used for analytics or to load third-party resources.
8.2 Consent and how you can change your choice
Optional cookies/technologies are used only if you give consent via our consent banner / consent management platform (“CMP”), where deployed.
You can withdraw consent at any time with effect for the future by opening our cookie settings: [PLACEHOLDER: link or UI path, e.g., “Cookie Settings” in the website footer].
8.3 Rollout note (important)
If, during a technical rollout of the Website, the CMP is temporarily not available on a page, we intend not to set non-essential cookies on that page and to load optional third-party resources only after consent or a user-triggered action. Please ensure this matches your actual technical setup.
8.4 Strictly necessary technologies
Strictly necessary cookies/technologies are used to provide the Website functions you request.
Legal basis: Art. 6(1)(f) GDPR and § 25(2) TDDDG (strict necessity).
8.5 Optional technologies (analytics/third-party resources)
Optional technologies are used only with your consent.
Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG.
8.6 Cookie/technology list
For transparency, we provide (or will provide) a list of cookies and technologies (provider, purpose, retention) in our CMP.
9. GOOGLE ANALYTICS 4
If you consent, we use Google Analytics 4 (“GA4”) to analyse how the Website is used and to improve it.
9.1 Provider
Google Analytics is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Depending on configuration, data may also be processed by Google LLC (USA).
9.2 Data processed
Depending on the implementation, this may include:
– Online identifiers (cookies/IDs)
– Device and browser information
– Usage and interaction data
– Technical data such as IP address (processed by Google as required to provide the service)
9.3 Purposes and legal basis
Purpose: reach measurement, statistics, optimisation.
Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG (consent).
9.4 Advertising features / Google Signals
We do not use Google Ads features or Google Signals in GA4.
9.5 International transfers
If data is transferred to the USA, this is based on an adequacy decision (EU–U.S. Data Privacy Framework) where the recipient is certified and/or on EU Standard Contractual Clauses with additional safeguards, depending on the setup.
9.6 Retention
Google Analytics 4 data retention for user-level and event data is set to 14 months. After the retention period expires, the data is automatically deleted by Google.
9.7 Withdrawal of consent
You can withdraw your consent at any time via our cookie settings (see section 8).
10. EMBEDDED YOUTUBE VIDEOS (PRIVACY-ENHANCED MODE)
Our Website embeds YouTube videos. We use YouTube’s privacy-enhanced mode (youtube-nocookie.com). When you load or play a video, YouTube/Google may still process personal data (e.g., IP address, device data) and may store/read information on your device (e.g., cookies), depending on your settings and interaction.
Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG (consent), unless the embedded content is strictly necessary in a specific case.
We recommend implementing a two-click solution so that YouTube content is loaded only after you consent or click to play.
11. FONTS (SELF-HOSTED AND GOOGLE FONTS)
We primarily use self-hosted fonts. On some pages, Google Fonts may be used.
– If fonts are served from our own servers: no data is transmitted to Google for font delivery.
– If fonts are loaded from Google servers (e.g., fonts.googleapis.com / fonts.gstatic.com): your IP address and technical request data are transmitted to Google.
Where Google Fonts are loaded from Google servers, we rely on consent (Art. 6(1)(a) GDPR and § 25(1) TDDDG) unless fonts are strictly necessary in a specific case. We recommend self-hosting fonts wherever possible.
12. CONTACTING US (EMAIL)
When you contact us, we process your message and contact details to respond.
Legal basis:
– Art. 6(1)(b) GDPR if your request relates to a contract or pre-contractual measures, otherwise
– Art. 6(1)(f) GDPR (legitimate interest in handling inquiries)
Retention: We store communications for as long as necessary to process your request and then delete them, unless longer storage is required (e.g., for legal defense or statutory retention).
Provision of data: Providing your contact details is necessary to respond. If you do not provide the required information, we may be unable to process your request.
13. CUSTOMER RELATIONSHIPS / CONTRACTS (IF APPLICABLE)
If you become a customer, we process the data necessary to provide our services, manage the relationship, and issue invoices.
Legal basis: Art. 6(1)(b) GDPR (contract) and Art. 6(1)(c) GDPR (legal obligations, e.g., tax and commercial retention).
Retention: According to statutory retention periods (e.g., commercial and tax law), where applicable.
Provision of data: Contract-related data is required to conclude and perform a contract. Without it, we cannot provide contractual services.
14. SOCIAL MEDIA LINKS
Our Website contains links to our social media presences. When you click a link, you will be redirected to the respective platform. From that point on, the platform provider processes personal data under its own responsibility. Please consult the respective providers’ privacy notices.
We do not use social media tracking pixels or embedded social media plugins on our Website (only links).
15. RECIPIENTS, PROCESSORS AND DISCLOSURES
We share personal data only as necessary for the purposes described above, in particular with:
– Processors (Art. 28 GDPR) such as our hosting provider (section 6) and CDN/security provider (section 7)
– Analytics provider (section 9), if you consent
– Authorities or third parties where we are legally obliged to do so (Art. 6(1)(c) GDPR) or where disclosure is necessary to establish, exercise or defend legal claims (Art. 6(1)(f) GDPR)
16. INTERNATIONAL DATA TRANSFERS
If we transfer personal data to recipients outside the EU/EEA (e.g., Cloudflare/Google depending on configuration), we ensure an adequate level of protection, for example through:
– Adequacy decisions (e.g., EU–U.S. Data Privacy Framework where applicable), and/or
– EU Standard Contractual Clauses and additional safeguards.
You can request further information on the safeguards in place by contacting us.
17. DATA RETENTION (ART. 13(2)(A) GDPR)
Unless stated otherwise above, we delete personal data when it is no longer necessary for the purposes for which it was collected, and we have no legal obligation to retain it. Where retention obligations apply, processing is restricted accordingly.
18. SECURITY (ART. 32 GDPR)
We use appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
19. AUTOMATED DECISION-MAKING / PROFILING (ART. 13(2)(F) GDPR)
We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.
20. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time (e.g., to reflect changes in processing or legal requirements). The “Last updated” date at the top indicates when this Privacy Policy was last revised.
Last updated: 12 February 2026