Skip to content

Privacy Policy

1. Controller

Dunkhase Leadership Consulting
Dipl.-Oec. Daniel Dunkhase
Pohlstr. 1
10785 Berlin, Germany

Email: info@dunkhase-consulting.com
Phone: +49 30 2579 4150
Website: www.dunkhase-consulting.com

A data protection officer has not been appointed; there is no statutory obligation to appoint one.

2. Overview of Data Processing

This privacy policy applies to the website www.dunkhase-consulting.com, all accessible subpages, forms and landing pages hosted via HubSpot, and related online services (e.g. appointment booking, AI-based consulting tools).

Personal data is generally collected directly from the data subjects (via website forms, email, phone or social media) and not from third-party sources. No data is shared with third parties for marketing or advertising purposes.

Types of Data Processed

  • Master data (e.g. names, addresses)
  • Contact data (e.g. email, phone numbers)
  • Content data (e.g. text entries, photographs, videos)
  • Usage data (e.g. pages visited, content interests, access times)
  • Meta/communication data (e.g. device information, IP addresses)

Categories of Data Subjects

Visitors and users of the online services (hereinafter collectively referred to as "users").

Purposes of Processing

  • Provision of the online services, their functions and content
  • Responding to contact enquiries and communicating with users
  • Appointment scheduling via the online booking system
  • Security measures
  • Reach measurement (only after consent)

3. Applicable Legal Bases

In accordance with Art. 13 GDPR, we inform you of the legal bases of our data processing:

  • Consent (Art. 6(1)(a) GDPR): e.g. cookie consent, web analytics
  • Performance of a contract (Art. 6(1)(b) GDPR): e.g. consulting services, appointment booking
  • Legal obligation (Art. 6(1)(c) GDPR): e.g. tax retention obligations
  • Legitimate interests (Art. 6(1)(f) GDPR): e.g. website optimisation, IT security

4. Security Measures

We take appropriate technical and organisational measures in accordance with Art. 32 GDPR, taking into account the state of the art, to ensure a level of protection appropriate to the risk. Our website is accessible exclusively via HTTPS (TLS encryption).

5. Data Processing and Recipients

Where we transmit personal data to third parties or grant them access, this is done exclusively on the basis of a legal permission, your consent or our legitimate interest. Insofar as service providers process personal data on our behalf, data processing agreements pursuant to Art. 28 GDPR are in place.

Key Service Providers and Recipients

HubSpot Germany GmbH (DPA)
Purpose: Hosting, CMS, CRM, cookie consent, appointment booking
Location: EU cluster (Dublin/Frankfurt), TLS 1.3, AES-256
Model training: No

Microsoft Ireland Operations Ltd. (DPA)
Purpose: Email server (Microsoft 365, incl. Exchange Online for sending Leader's Sidekicks reminder emails)
Location: EU Data Boundary (EU/EFTA data centres)
Model training: No

OpenAI Ireland Ltd. (DPA)
Purpose: AI-assisted text processing in consulting practice (without personal data)
Location: EU data centres; only if personal data cannot be excluded in an individual case may a third-country transfer to the USA occur, then under SCC and EU-US DPF
Model training: Contractually and technically disabled (Enterprise/API configuration)

Anthropic (DPA)
Purpose: AI-assisted text processing in consulting practice (without personal data)
Location: USA (SCC, EU-US DPF)
Model training: Contractually disabled (API configuration)
Note: Does not concern Leader's Sidekicks; the AI processing there runs via Amazon Bedrock, without Anthropic being a recipient.

Mistral AI (DPA)
Purpose: AI language model for European data processing
Location: EU (France)
Model training: No

Langdock GmbH (DPA)
Purpose: Secure AI platform for consulting processes
Location: EU (Germany)
Model training: No

n8n GmbH (DPA)
Purpose: Workflow automation (incl. orchestration of Leader's Sidekicks)
Location: EU (Germany)
Model training: No

Aiven Oy (DPA)
Purpose: Database infrastructure (incl. storage of Leader's Sidekicks data)
Location: EU (Finland)
Model training: No

Amazon Web Services EMEA SARL (DPA)
Purpose: Cloud infrastructure and AI processing for Leader's Sidekicks via Amazon Bedrock (Claude models, eu-central-1 Frankfurt region)
Location: EU (Frankfurt)
Model training: No
Note: The model provider (Anthropic) gains no access to the data via Amazon Bedrock and is not a separate recipient; no USA transfer of the content data takes place for this processing.

Google Ireland Limited
Purpose: Web analytics (Google Analytics), spam protection (reCAPTCHA)
Location: EU; third-country transfer to USA possible (SCC, EU-US DPF)
Model training: No

Third-Country Transfers

Where the use of individual services (in particular OpenAI, Anthropic, Google) requires the transfer of personal data to the USA, this is done exclusively under the safeguards provided for in Art. 44 et seq. GDPR:

  • Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR
  • EU-US Data Privacy Framework pursuant to Art. 45 GDPR (adequacy decision), where the respective provider is certified

We note that despite these safeguards, a residual risk of government access (in particular under FISA 702) cannot be entirely excluded for transfers to the USA. The AI processing of Leader's Sidekicks takes place entirely in the EU (Amazon Bedrock, Frankfurt) and is not affected by any USA transfer.

Principle: European Providers Preferred

For the processing of personal and client-related data, we preferably use European providers (Mistral, Langdock, n8n, Aiven, all EU-based; for Leader's Sidekicks also Amazon Bedrock in the EU). US providers (OpenAI, Anthropic) are generally only used for processing without personal data, or, where personal data is involved, exclusively under the contractual safeguards mentioned above and with contractually disabled model training.

6. Rights of Data Subjects

You have the following rights:

  • Access (Art. 15 GDPR): Confirmation and information about processed data
  • Rectification (Art. 16 GDPR): Correction of inaccurate data
  • Erasure (Art. 17 GDPR): Deletion of your data, provided no retention obligations apply
  • Restriction (Art. 18 GDPR): Restriction of processing
  • Data portability (Art. 20 GDPR): Receipt of your data in a machine-readable format
  • Objection (Art. 21 GDPR): Objection to processing, in particular for direct marketing
  • Withdrawal (Art. 7(3) GDPR): Withdrawal of consent with effect for the future
  • Complaint (Art. 77 GDPR): Right to lodge a complaint with the competent supervisory authority

Competent supervisory authority: Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin, Germany.

7. Cookies and Consent Management

What Are Cookies?

Cookies are small files stored on your device. We distinguish between:

  • Technically necessary cookies: Required for the operation of the website (e.g. session cookies, cookie consent settings)
  • Analytics cookies: For reach measurement and website optimisation (only after consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG)
  • Marketing cookies: For personalised content (only after consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG)

Cookie Consent

We use a cookie consent banner (opt-in). Analytics and marketing cookies are technically loaded only after your explicit consent. You can withdraw your consent at any time, either via the cookie settings icon on our website or via your browser's cookie settings.

8. Hosting and Content Management System

This website is hosted by HubSpot Germany GmbH. HubSpot processes access data (IP address, timestamp, page accessed, browser type) on the basis of our legitimate interests in secure and efficient provision (Art. 6(1)(f) GDPR). Location: EU cluster (Dublin/Frankfurt). DPA

Server Log Files

The following data is recorded with each access: page accessed, date and time, data volume transferred, browser type and version, operating system, referrer URL, IP address. Log file information is stored for a maximum of 30 days and then deleted.

9. Fonts

This website uses the font Inter. The font is loaded via HubSpot's content delivery network. No direct request is made to Google servers. Your IP address is not transmitted to Google.

10. Online Appointment Booking (HubSpot Meeting Tool)

We offer you the opportunity to schedule an initial consultation via the booking tool integrated into our website by HubSpot.

Data processed: Name, email address, optionally company and message
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures)
Location: HubSpot EU cluster (Dublin/Frankfurt)
Retention period: Your data is stored in the HubSpot CRM and deleted as soon as it is no longer required for the purpose of processing, at the latest upon expiry of statutory retention periods.
Required information: The provision of name and email address is required for scheduling an appointment. Without this information, no appointment can be booked.

Calendar synchronisation is via Microsoft 365 (EU Data Boundary). Further information: HubSpot Privacy Policy

11. Contact

When contacting us (by email, phone or via social media), your information is processed to handle the enquiry pursuant to Art. 6(1)(b) GDPR. Your data may be stored in our CRM system (HubSpot). We delete enquiries as soon as they are no longer required and review necessity every two years.

12. Processing When Using Leader's Sidekicks

Description

Leader's Sidekicks is an AI-supported learning companion and reflection partner for leaders. The service operates as a pure text chat: you enter text, an AI system responds in natural language and supports you in reflecting on leadership situations. No voice, video or image processing takes place.

Who Is Responsible? (Two Usage Scenarios)

When using Leader's Sidekicks, we distinguish between two scenarios. This does not constitute joint controllership within the meaning of Art. 26 GDPR, but two alternative role models:

Scenario 1: Free use via this website / direct use. If you use Leader's Sidekicks directly via our website or as an individual, Dunkhase Leadership Consulting (DLC) is the controller within the meaning of Art. 4(7) GDPR. For this scenario, the present Section 12 is the authoritative document.

Scenario 2: Corporate client programmes. If Leader's Sidekicks is used as part of a programme that a company commissions from us for its leaders, the respective company is the controller. In that case, DLC acts solely as a processor on the basis of a data processing agreement (DPA) pursuant to Art. 28 GDPR. Participants are then employees of the company; their employer, as controller, informs them about the processing of their data. For this scenario, the present section applies only subordinately and in addition.

The following sections describe the processing from the perspective of Scenario 1, in which DLC is itself the controller. Technically, the processes run identically in Scenario 2; in that case, however, the company that defines the processing under the DPA is the responsible controller.

Data Flow and Storage

So that your learning companion works across several sessions, we store your inputs and the AI responses. Storage takes place with our database service provider Aiven Oy (processor, EU/Finland), encrypted at rest and in transit (HTTPS/TLS).

The architecture deliberately separates your data into two distinct tables. This separation is a central data protection measure following the principle of data protection by design (privacy by design, Art. 25 GDPR):

Table A: identifying data. This holds first name, email address and a hashed (not stored in plain text) password. This data is used exclusively for login and for sending reminder emails.

Table B: pseudonymised data. This holds an internal code (a random UUID), the conversation history (your messages and the AI responses) and a summary created by the AI system. This table contains no clear name.

The AI system itself processes only the internal code, the conversation history and your first name. At no point does it receive your last name, your email address, a company name or your login data. In this way, the AI processing remains separated from your identifying data.

Required information: First name, email address and a password are required to set up and use your access. Entering conversation content is voluntary but necessary for the reflection function. Without this information, Leader's Sidekicks cannot be used, or only to a limited extent.

AI Processing via AWS Bedrock (EU)

The actual text generation is performed by Claude language models, which we operate via the Amazon Bedrock service of Amazon Web Services EMEA SARL (AWS) in the eu-central-1 (Frankfurt) region. AWS acts as our processor in this respect.

  • No third-country transfer for AI processing: Processing of the content data passed to the models (your inputs and the responses) takes place in the EU (Frankfurt region). These inputs are not transferred to the USA as part of the AI processing.
  • The model provider is not a separate recipient: When using Amazon Bedrock, the models are operated within the AWS infrastructure. Based on how Amazon Bedrock operates and AWS's contractual assurances, the model provider (Anthropic) gains no access to your data in this process; it is therefore not a separate recipient within the meaning of Art. 13(1)(e) GDPR.
  • No model training: Your inputs and the generated responses are not used to train or improve the AI models.

The orchestration of the workflows (for example combining input, code and first name, as well as sending reminders) takes place via our automation platform n8n GmbH (processor, EU/Germany).

Reminder Emails

So that the learning companion provides you with continuous support throughout the programme period, we send reminder emails. For this we use the data stored in Table A (first name, email address). Insofar as reminders are part of the booked learning companion, we base their sending on Art. 6(1)(b) GDPR. Insofar as we additionally remind you to use the service, we base this on our legitimate interest in effective support (Art. 6(1)(f) GDPR); you can object at any time. The technical sending takes place via Exchange Online as part of Microsoft 365 (Microsoft Ireland Operations Ltd., EU Data Boundary; see Section 5).

Retention Period and Deletion

Your data in Table A and Table B is deleted as soon as it is no longer required for the purpose of the learning companion, at the latest six months after your participation ends. This covers your access data (Table A) as well as conversation history and evaluations (Table B). Technical security and log data is stored only for as long as required for security and abuse prevention. Deletion is implemented technically; your data is fully erasable.

Access by Trainers

As part of a programme or consulting engagement, an individual evaluation of your use may be passed to the trainer accompanying you, so that they can advise and support you specifically. This evaluation serves exclusively coaching purposes, that is, your personal development and support. It is never used for any assessment, performance or aptitude evaluation, and is not passed to your employer for such purposes. For the individual evaluation, the internal code (Table B) is linked to your person; this linking breaks the otherwise existing pseudonymisation.

Individual trainer access is not a precondition for participation or use. We distinguish by scenario:

  • Direct use (Scenario 1): The personal sharing with your trainer takes place only on the basis of your explicit, voluntary consent (Art. 6(1)(a) GDPR), which you can withdraw at any time with effect for the future.
  • Corporate client programmes (Scenario 2): Here the corporate client, as controller, determines the applicable legal basis. Personal trainer access takes place only if the respective programme provides for it in a data-protection-compliant manner, you have been separately informed and, where required, have separately and voluntarily consented.

If you refuse or withdraw consent, this will not result in any disadvantage for you; trainers then receive, at most, anonymised, aggregated evaluations without personal reference.

Notes on Inputs About Third Parties (Information Pursuant to Art. 14 GDPR)

Your free-text inputs may contain statements about other people, for example about employees, colleagues or superiors. Where personal data of third parties is processed in this way, we inform you pursuant to Art. 14 GDPR as follows:

  • Data source: inputs of the leader using the service.
  • Data categories: freely entered information on professional situations, roles and behaviour, possibly names.
  • Purpose: supporting the reflection of the leader using the service.
  • Legal basis: Art. 6(1)(f) GDPR; the interests of the affected third parties are safeguarded.
  • Recipients: the processors listed in Section 5, in particular Amazon Web Services (Amazon Bedrock), n8n and Aiven.
  • Retention period: as above, at most six months after participation ends.
  • Rights: see Section 6.

We are regularly unable to inform these third parties directly (Art. 14(5) GDPR). We therefore ask you to avoid entering the clear names of third parties as far as possible.

Leader's Sidekicks is not intended for the entry of special categories of personal data within the meaning of Art. 9 GDPR (e.g. information on health, religion or trade union membership). Should such information nevertheless be entered, we do not process it deliberately, but exclusively technically within the scope of providing the chat function, and we delete it after the stated periods or upon a legitimate request. Please also do not use Leader's Sidekicks for emergencies or for medical, psychotherapeutic or employment-law-sensitive case assessments.

Legal Bases

Insofar as DLC acts as the controller (Scenario 1, direct use), the processing is based on Art. 6(1)(b) GDPR (establishment and performance of the usage relationship or pre-contractual measures at your request) and on Art. 6(1)(f) GDPR (legitimate interest in a secure and functional provision of the service). In Scenario 2 (corporate client programmes), the respective corporate client, as controller, determines the legal basis; DLC processes the data there on instructions on the basis of the DPA (Art. 28 GDPR).

No automated decision-making within the meaning of Art. 22 GDPR takes place. Leader's Sidekicks makes no binding assessments or decisions with legal or similarly significant effect; the content serves exclusively for reflection and learning support.

AI Disclosure Pursuant to the EU AI Act

For Leader's Sidekicks, we comply with the transparency obligations under Art. 50 of the EU Artificial Intelligence Act (EU AI Act) for AI systems that interact with natural persons. We expressly inform you that with every interaction you are communicating with an AI system and not with a natural person (transparency obligation). The content is generated fully automatically and may contain errors or inaccuracies. The results do not constitute professional, legal or psychological advice; please review the outputs on your own responsibility. AI supports, the human decides: final decisions on the use of the results rest with you.

Data Subject Rights

You have the rights set out in Section 6, in particular the right of access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction (Art. 18 GDPR), data portability (Art. 20 GDPR) and objection (Art. 21 GDPR). Your right to erasure is fully implemented technically (see the Retention Period and Deletion section). Insofar as you use Leader's Sidekicks as part of a corporate client programme (Scenario 2), please direct requests regarding your data to your employer as the controller; we support the employer as a processor in fulfilling them.

13. Use of AI in Consulting Practice

In the course of our consulting services, we use AI tools for support (e.g. text analysis, summaries, research). We distinguish as follows:

  • Processing involving personal or client data: Carried out via European providers (Mistral, Langdock, n8n, Aiven, all EU-based). US providers are only used for this purpose under the contractual safeguards set out in Section 5 and with contractually disabled model training.
  • Processing without personal data (e.g. general research, text drafts without client data): US-based AI providers (OpenAI, Anthropic) may also be used for this purpose. Should personal data not be excludable in an individual case, processing takes place only under appropriate safeguards pursuant to Art. 44 et seq. GDPR and without model training.

This section does not concern Leader's Sidekicks; for that, Section 12 applies exclusively (AI processing via Amazon Bedrock in the EU).

For all AI systems used, model training with client data is contractually and technically disabled to the best of our knowledge and configuration. The specific implementation depends on the respective product variant and provider configuration. We regularly review the data processing agreements and privacy notices of our providers and adjust our configuration accordingly.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract) or Art. 6(1)(f) GDPR (legitimate interest in efficient service delivery).

14. Mindset Check (interactive web tool)

On selected pages we offer the “Mindset Check: Leading in the Age of AI” – a self-check you can use without registration and without providing a name or email address. The tool is provided via a separate infrastructure that is technically separate from Leader's Sidekicks (subdomain tools.dunkhase-consulting.com). We process the following:

Click answers (self-assessment)

Your answers to the given statements are stored without name and without email address under a random session ID (UUID), together with timestamp, language and the calculated posture values. We use this data solely in aggregated form to operate the tool, build statistical benchmarks and improve the offering. The session ID is automatically replaced by a new random value at the latest seven days after use, so that the already nameless evaluation data can no longer be assigned to a session. Storage and database operation are carried out by Aiven Oy (processor, EU/Finland) and via Amazon Web Services (hosting/Lambda, EU region Frankfurt). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating and improving the tool).

Optional AI dialogue

You can optionally conduct a short dialogue with an AI assistant. Your free-text input is transmitted, in order to generate the response, to Claude language models which we operate via Amazon Bedrock of Amazon Web Services EMEA SARL (AWS) in EU regions (cf. Section 12). This free-text input is not stored permanently and not transmitted to our CRM; no transfer of content data to a third country takes place in the context of the AI processing, and no model training occurs. Please do not enter personal or confidential data in the free text. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing the optional dialogue function).

Voice function (optional: microphone and read-aloud)

Optionally, you can conduct the dialogue by voice: live transcription of your spoken input (speech recognition) and, if desired, reading the responses aloud (speech synthesis). For this, the audio or the text to be read aloud is transmitted to the Azure AI Speech service of Microsoft Ireland Operations Ltd. in the Germany West Central region (EU/Germany; see also Section 5). For live transcription, your microphone audio is sent directly from your browser to Azure (EU) using a short-lived token. The audio, the transcript and the spoken text are used solely for immediate processing and are not stored and not logged. The voice function is voluntary; the microphone is activated only after your explicit browser permission, and read-aloud is off by default. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing the optional voice function).

Report by email (only on request)

If you request your personal report, we process your first and last name, your email address and your mindset profile in our CRM (HubSpot Germany GmbH; see Section 5) in order to send you the report and to contact you about your result and a no-obligation initial conversation. Legal basis: Art. 6(1)(a) GDPR (consent), which you can withdraw at any time with effect for the future via the unsubscribe link in every email. Recipients, third-country transfer and retention periods are governed by Sections 5 (Data Processing and Recipients), 10 (Online Appointment Booking) and 19 (Deletion of Data).

AI notice pursuant to the EU AI Act

The optional dialogue is conducted by an AI assistant. Pursuant to Art. 50 of the EU AI Act, we inform you that you are interacting with an AI system and not with a natural person. The responses are generated fully automatically, may contain errors and do not replace individual advice.

15. Web Analytics (Google Analytics)

This website uses Google Analytics, a web analytics service provided by Google Ireland Limited. Google Analytics is loaded only after your explicit consent via our cookie consent banner.

IP anonymisation: The last digits of the IP address are deleted on EU servers, so that direct personal identification is excluded.
Legal basis: Art. 6(1)(a) GDPR (consent)
Retention period: Data linked to cookies is automatically deleted after 14 months.
Third-country transfer: Although Google Ireland Limited is the contracting party, data may be transferred to the USA (SCC, EU-US Data Privacy Framework). A residual risk of government access cannot be entirely excluded.
Opt-out: You can prevent data collection by not granting or withdrawing consent in the cookie consent banner, or by installing the browser plugin at https://tools.google.com/dlpage/gaoptout.

Google privacy policy: https://policies.google.com/privacy

16. Spam Protection (reCAPTCHA)

To protect our forms, the reCAPTCHA service from Google Ireland Limited may be used. Insofar as reCAPTCHA is active, it is loaded only after your consent via our cookie consent banner; this consent covers access to your device and the associated data processing (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG). In addition, we have a legitimate interest in protecting our forms against automated abuse; insofar as this does not involve consent-requiring access to your device, we base the processing on Art. 6(1)(f) GDPR.

Your IP address is truncated within the EU and transmitted to Google. A third-country transfer to the USA may occur (SCC, EU-US Data Privacy Framework).

Google privacy policy: https://policies.google.com/privacy

17. Social Media

We maintain online presences on the following platforms:

When accessing our social media profiles, the privacy policies of the respective platform apply. We do not embed social media plugins on our website that automatically transmit data to these platforms.

18. Contractual Services and Coaching

We process the data of our clients and contractual partners pursuant to Art. 6(1)(b) GDPR for the fulfilment of contractual services. This includes master data, contact data, contract data and payment data.

Certain information (e.g. billing address) is required for the performance of the contract; without this information, we cannot provide the contractual services.

Deletion takes place after fulfilment of contractual and statutory obligations. Statutory retention periods: 10 years pursuant to §§ 147(1) AO, 257(1) Nos. 1 and 4 HGB; 6 years pursuant to § 257(1) Nos. 2 and 3 HGB.

19. Deletion of Data

The data processed by us is deleted or its processing restricted in accordance with Art. 17 and 18 GDPR as soon as it is no longer required for its purpose and no statutory retention obligations apply.

20. Changes to This Privacy Policy

We reserve the right to amend this privacy policy to adapt it to changed legal situations or changes to our services. The current version can always be found on this page.

Last updated: June 2026

Cookie-Einstellungen