Privacy Policy
1. Controller
Dunkhase Leadership Consulting
Dipl.-Oec. Daniel Dunkhase
Pohlstr. 1
10785 Berlin, Germany
Email: info@dunkhase-consulting.com
Phone: +49 30 2579 4150
Website: www.dunkhase-consulting.com
2. Overview of Data Processing
This privacy policy applies to the website www.dunkhase-consulting.com, all accessible subpages, forms and landing pages hosted via HubSpot, and related online services (e.g. appointment booking, AI-based consulting tools).
Personal data is generally collected directly from the data subjects (via website forms, email, phone or social media) and not from third-party sources. No data is shared with third parties for marketing or advertising purposes.
Types of Data Processed
- Master data (e.g. names, addresses)
- Contact data (e.g. email, phone numbers)
- Content data (e.g. text entries, photographs, videos)
- Usage data (e.g. pages visited, content interests, access times)
- Meta/communication data (e.g. device information, IP addresses)
Categories of Data Subjects
Visitors and users of the online services (hereinafter collectively referred to as “users”).
Purposes of Processing
- Provision of the online services, their functions and content
- Responding to contact enquiries and communicating with users
- Appointment scheduling via the online booking system
- Security measures
- Reach measurement (only after consent)
3. Applicable Legal Bases
In accordance with Art. 13 GDPR, we inform you of the legal bases of our data processing:
- Consent (Art. 6(1)(a) GDPR): e.g. cookie consent, web analytics
- Performance of a contract (Art. 6(1)(b) GDPR): e.g. consulting services, appointment booking
- Legal obligation (Art. 6(1)(c) GDPR): e.g. tax retention obligations
- Legitimate interests (Art. 6(1)(f) GDPR): e.g. website optimisation, IT security
4. Security Measures
We take appropriate technical and organisational measures in accordance with Art. 32 GDPR, taking into account the state of the art, to ensure a level of protection appropriate to the risk. Our website is accessible exclusively via HTTPS (TLS encryption).
5. Data Processing and Recipients
Where we transmit personal data to third parties or grant them access, this is done exclusively on the basis of a legal permission, your consent or our legitimate interest. A data processing agreement pursuant to Art. 28 GDPR is in place with all service providers.
Key Data Processors
HubSpot Germany GmbH (DPA)
Purpose: Hosting, CMS, CRM, cookie consent, appointment booking
Location: EU cluster (Dublin/Frankfurt), TLS 1.3, AES-256
Model training: No
Microsoft Ireland Operations Ltd. (DPA)
Purpose: Email server (Microsoft 365)
Location: EU Data Boundary (EU/EFTA data centres)
Model training: No
OpenAI Ireland Ltd. (DPA)
Purpose: Operation of Leader’s Sidekicks (AI consulting tool)
Location: EU data centres; third-country transfer to USA possible (SCC, EU-US DPF)
Model training: Contractually and technically disabled (Enterprise/API configuration)
Anthropic (DPA)
Purpose: AI-assisted text processing in consulting practice (without personal data)
Location: USA (SCC, EU-US DPF)
Model training: Contractually disabled (API configuration)
Mistral AI (DPA)
Purpose: AI language model for European data processing
Location: EU (France)
Model training: No
Langdock GmbH (DPA)
Purpose: Secure AI platform for consulting processes
Location: EU (Germany)
Model training: No
n8n GmbH (DPA)
Purpose: Workflow automation
Location: EU (Germany)
Model training: No
Aiven Oy (DPA)
Purpose: Database infrastructure
Location: EU (Finland)
Model training: No
Amazon Web Services EMEA SARL (DPA)
Purpose: Cloud infrastructure
Location: EU (Frankfurt)
Model training: No
Google Ireland Limited
Purpose: Web analytics (Google Analytics), spam protection (reCAPTCHA)
Location: EU; third-country transfer to USA possible (SCC, EU-US DPF)
Model training: No
Third-Country Transfers
Where the use of individual services (in particular OpenAI, Anthropic, Google) requires the transfer of personal data to the USA, this is done exclusively under the safeguards provided for in Art. 44 et seq. GDPR:
- Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR
- EU-US Data Privacy Framework pursuant to Art. 45 GDPR (adequacy decision), where the respective provider is certified
We note that despite these safeguards, a residual risk of government access (in particular under FISA 702) cannot be entirely excluded for transfers to the USA.
Principle: European Providers Preferred
For the processing of personal and client-related data, we preferably use European providers (Mistral, Langdock, n8n, Aiven — all EU-based). US providers (OpenAI, Anthropic) are generally only used for processing without personal data, or — where personal data is involved — exclusively under the contractual safeguards mentioned above and with contractually disabled model training.
6. Rights of Data Subjects
You have the following rights:
- Access (Art. 15 GDPR): Confirmation and information about processed data
- Rectification (Art. 16 GDPR): Correction of inaccurate data
- Erasure (Art. 17 GDPR): Deletion of your data, provided no retention obligations apply
- Restriction (Art. 18 GDPR): Restriction of processing
- Data portability (Art. 20 GDPR): Receipt of your data in a machine-readable format
- Objection (Art. 21 GDPR): Objection to processing, in particular for direct marketing
- Withdrawal (Art. 7(3) GDPR): Withdrawal of consent with effect for the future
- Complaint (Art. 77 GDPR): Right to lodge a complaint with the competent supervisory authority
Competent supervisory authority: Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin, Germany.
7. Cookies and Consent Management
What Are Cookies?
Cookies are small files stored on your device. We distinguish between:
- Technically necessary cookies: Required for the operation of the website (e.g. session cookies, cookie consent settings)
- Analytics cookies: For reach measurement and website optimisation (only after consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TTDSG)
- Marketing cookies: For personalised content (only after consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TTDSG)
Cookie Consent
We use a cookie consent banner (opt-in). Analytics and marketing cookies are technically loaded only after your explicit consent. You can withdraw your consent at any time — either via the cookie settings icon on our website or via your browser’s cookie settings.
8. Hosting and Content Management System
This website is hosted by HubSpot Germany GmbH. HubSpot processes access data (IP address, timestamp, page accessed, browser type) on the basis of our legitimate interests in secure and efficient provision (Art. 6(1)(f) GDPR). Location: EU cluster (Dublin/Frankfurt). A data processing agreement (DPA) is in place.
Server Log Files
The following data is recorded with each access: page accessed, date and time, data volume transferred, browser type and version, operating system, referrer URL, IP address. Log file information is stored for a maximum of 30 days and then deleted.
9. Fonts
This website uses the font Inter. The font is loaded via HubSpot’s content delivery network. No direct request is made to Google servers. Your IP address is not transmitted to Google.
10. Online Appointment Booking (HubSpot Meeting Tool)
We offer you the opportunity to schedule an initial consultation via the booking tool integrated into our website by HubSpot.
Data processed: Name, email address, optionally company and message
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures)
Location: HubSpot EU cluster (Dublin/Frankfurt)
Retention period: Your data is stored in the HubSpot CRM and deleted as soon as it is no longer required for the purpose of processing, at the latest upon expiry of statutory retention periods.
Required information: The provision of name and email address is required for scheduling an appointment. Without this information, no appointment can be booked.
Calendar synchronisation takes place via Microsoft 365 (EU Data Boundary). Further information: HubSpot Privacy Policy
11. Contact
When contacting us (by email, phone or via social media), your information is processed to handle the enquiry pursuant to Art. 6(1)(b) GDPR. Your data may be stored in our CRM system (HubSpot). We delete enquiries as soon as they are no longer required and review necessity every two years.
12. Processing When Using Leader’s Sidekicks
Description
Leader’s Sidekicks is an AI-based chat service (large language model) for creating conversation guides, checklists and reflection prompts for executives.
Data Flow
Prompts (your text inputs)
Recipient: OpenAI Ireland Ltd. (EU tenant)
Purpose: Generating the response
Retention: According to our configuration, up to 30 days for security and abuse prevention purposes (admin option: 0 days)
Model training: Contractually and technically disabled
AI outputs
Recipient: Your browser only
Purpose: Delivery of the response
Retention: No server storage by Dunkhase
Log metadata
Recipient: OpenAI
Purpose: Mandatory logging (security, abuse detection)
Retention: For a period determined by OpenAI (currently at least 6 months); details: OpenAI Privacy Policy. Specific retention periods may change due to legal obligations or court orders; the current version can be found in OpenAI’s privacy policy.
Model training: No
Legal Basis
Art. 6(1)(b) GDPR (contract/pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in secure provision).
No Local Storage
Dunkhase Leadership Consulting stores neither prompts nor AI outputs on its own servers. Processing is carried out exclusively by OpenAI Ireland Ltd. under the safeguards set out in Section 5.
AI Disclosure Pursuant to EU AI Act
The content is generated fully automatically by an AI system. Despite high quality standards, errors or inaccuracies may occur. Final decisions on the use of results rest with the user. The human decides — AI supports.
Third-Country Transfer
Although OpenAI Ireland Ltd. uses EU data centres, security logging and technical support may involve a transfer to the USA. This is based on Standard Contractual Clauses (SCC) and the EU-US Data Privacy Framework. Despite these safeguards, a residual risk of government access cannot be entirely excluded (cf. Section 5).
Data Subject Rights
We forward erasure or access requests relating to AI prompts to OpenAI without delay. Your rights under Art. 15–21 GDPR remain unaffected.
13. Use of AI in Consulting Practice
In the course of our consulting services, we use AI tools for support (e.g. text analysis, summaries, research). We distinguish as follows:
- Processing involving personal or client data: Carried out via European providers (Mistral, Langdock, n8n, Aiven — all EU-based). US providers are only used for this purpose under the contractual safeguards set out in Section 5 and with contractually disabled model training.
- Processing without personal data (e.g. general research, text drafts without client data): US-based AI providers (OpenAI, Anthropic) may also be used for this purpose.
For all AI systems used, model training with client data is contractually and technically disabled to the best of our knowledge and configuration. The specific implementation depends on the respective product variant and provider configuration. We regularly review the data processing agreements and privacy notices of our providers and adjust our configuration accordingly.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) or Art. 6(1)(f) GDPR (legitimate interest in efficient service delivery).
14. Web Analytics (Google Analytics)
This website uses Google Analytics, a web analytics service provided by Google Ireland Limited. Google Analytics is loaded only after your explicit consent via our cookie consent banner.
IP anonymisation: The last digits of the IP address are deleted on EU servers, so that direct personal identification is excluded.
Legal basis: Art. 6(1)(a) GDPR (consent)
Retention period: Data linked to cookies is automatically deleted after 14 months.
Third-country transfer: Although Google Ireland Limited is the contracting party, data may be transferred to the USA (SCC, EU-US Data Privacy Framework). A residual risk of government access cannot be entirely excluded.
Opt-out: You can prevent data collection by not granting or withdrawing consent in the cookie consent banner, or by installing the browser plugin at https://tools.google.com/dlpage/gaoptout.
Google privacy policy: https://policies.google.com/privacy
15. Spam Protection (reCAPTCHA)
To protect our forms, we use the reCAPTCHA service from Google Ireland Limited. reCAPTCHA is loaded only after your consent via our cookie consent banner (Art. 6(1)(a) GDPR). Additionally, we have a legitimate interest in protection against automated abuse (Art. 6(1)(f) GDPR).
Your IP address is truncated within the EU and transmitted to Google. A third-country transfer to the USA may occur (SCC, EU-US Data Privacy Framework).
Google privacy policy: https://policies.google.com/privacy
16. Social Media
We maintain online presences on the following platforms:
- LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland). Privacy policy: https://www.linkedin.com/legal/privacy-policy
When accessing our social media profiles, the privacy policies of the respective platform apply. We do not embed social media plugins on our website that automatically transmit data to these platforms.
17. Contractual Services and Coaching
We process the data of our clients and contractual partners pursuant to Art. 6(1)(b) GDPR for the fulfilment of contractual services. This includes master data, contact data, contract data and payment data.
Certain information (e.g. billing address) is required for the performance of the contract; without this information, we cannot provide the contractual services.
Deletion takes place after fulfilment of contractual and statutory obligations. Statutory retention periods: 10 years pursuant to §§ 147(1) AO, 257(1) Nos. 1 and 4 HGB; 6 years pursuant to § 257(1) Nos. 2 and 3 HGB.
18. Deletion of Data
The data processed by us is deleted or its processing restricted in accordance with Art. 17 and 18 GDPR as soon as it is no longer required for its purpose and no statutory retention obligations apply.
19. Changes to This Privacy Policy
We reserve the right to amend this privacy policy to adapt it to changed legal situations or changes to our services. The current version can always be found on this page.
Last updated: March 2026
