Privacy Policy
Last updated: May 2026 · pursuant to GDPR & BDSG
1. Controller
The controller responsible for data processing within the meaning of the GDPR is:
Nexstorya
Innstr. 69b
94032 Passau
Germany
Email: welcome@nexstorya.de
Tel.: +49 8544 919727
2. Collection and Processing of Personal Data
We collect personal data only to the extent necessary for the provision of our services or where you have voluntarily provided it to us.
When you visit our website we automatically process the following data:
- IP address (anonymised after the session)
- Date and time of access
- Pages accessed and time spent
- Browser type and operating system
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in technically error-free provision of the website).
3. Contact Form and Email Contact
When you contact us via the contact form or by email, we process the following data:
- Name
- Email address
- Phone number (optional)
- Message and enquiry details
- Requested package (if specified)
Purpose: Processing your enquiry and getting in touch with you.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) and your consent pursuant to Art. 6(1)(a) GDPR.
Storage period: Your enquiry data will be stored for the duration of the business relationship and for 3 years after its end, unless statutory retention obligations require a longer storage period.
Email dispatch: We use our own mail infrastructure to process your enquiry and send confirmation messages. Your data will not be passed on to third parties for advertising purposes.
4. Online Booking and Payment Processing (Stripe)
For booking and payment processing we use the service Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland (hereinafter Stripe).
When making a booking, Stripe processes the following data:
- First and last name
- Email address
- Payment data (credit card data is processed exclusively by Stripe)
- IP address and device information
Purpose: Processing payments and fraud prevention.
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
Data transfer: Stripe may transfer data to the USA. The transfer is based on EU standard contractual clauses pursuant to Art. 46 GDPR.
For more information, please refer to Stripe's privacy policy: stripe.com/de/privacy
5. Recipients of Data
Your personal data will generally not be passed on to third parties, except where this is required by law or necessary for the fulfilment of the contract. In connection with the operation of our website, we use the following service providers:
- Hosting provider (servers located in the EU)
- Email provider IONOS SE, Berlin (processing on German servers)
- Stripe Payments Europe, Ltd., Dublin (payment processing – see Section 4)
All service providers are contractually obliged to comply with the GDPR (data processing agreements pursuant to Art. 28 GDPR).
6. Cookies, Tracking and Third-Party Services
Our website uses technically necessary cookies for the secure operation of the website (e.g. session management). These cookies are essential for operation and cannot be deactivated.
Google Analytics 4
With your consent, we use Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies and similar technologies to analyse the use of our website (e.g. page views, time spent, scroll depth).
- Purpose: analysis and optimisation of our website
- Legal basis: Art. 6(1)(a) GDPR (your consent)
- Data transfer: Google LLC, USA (standard contractual clauses pursuant to Art. 46 GDPR)
- Storage period: 14 months (Google default)
Further information: policies.google.com/privacy
ProvenExpert (Review Widget)
Our website includes a widget from the review service provider ProvenExpert (Expert Systems AG, Charlottenstraße 4, 10969 Berlin). When the widget is loaded, a connection is established to ProvenExpert servers, during which your IP address may be transmitted.
- Purpose: display of verified customer reviews
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
Further information: provenexpert.com/datenschutzerklaerung
7. Your Rights as a Data Subject
Under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR): You may request information about the data stored about you.
- Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
- Right to erasure (Art. 17 GDPR): You may request the deletion of your data, provided no retention obligations apply.
- Right to restriction of processing (Art. 18 GDPR): You may under certain circumstances request a restriction of processing.
- Right to data portability (Art. 20 GDPR): You have the right to receive your data in a commonly used format.
- Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests.
- Withdrawal of consent (Art. 7(3) GDPR): You may withdraw any consent given at any time with effect for the future.
To exercise your rights, please contact: welcome@nexstorya.de
8. Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority. The competent supervisory authority for Bavaria is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany
www.lda.bayern.de
9. Data Security
We use technical and organisational security measures to protect your data against accidental or deliberate manipulation, loss, destruction or access by unauthorised persons. In detail:
- Transport encryption: All data transfers are made exclusively via HTTPS with TLS 1.2/1.3. Unencrypted HTTP requests are automatically redirected to HTTPS.
- Encryption of stored booking data: Booking data (name, email, phone, appointment details) is stored server-side encrypted with AES-256-GCM. Without the server-side key, the data cannot be read.
- Access control: The administration area is accessible exclusively via an encrypted VPN (WireGuard). Direct access from the internet is technically prevented.
- Consent documentation: For online bookings, the timestamp (ISO), IP address and the version of the Privacy Policy and T&Cs in force at the time are stored together with the booking. This serves as proof of consent pursuant to Art. 7(1) GDPR and § 312g BGB.
- Automatic data deletion: Completed and cancelled bookings are automatically deleted from the system after 3 years, unless statutory retention obligations (e.g. under HGB, AO) require otherwise.
- Security log: Security-relevant events (e.g. failed reCAPTCHA checks, exceeding request limits) are recorded in an internal log that is not publicly accessible.
10. Currency and Amendments to this Privacy Policy
This Privacy Policy is currently valid and was last updated in May 2026. Due to the further development of our website or due to changes in legal or regulatory requirements, it may be necessary to amend this Privacy Policy.
