Legal
Privacy policy
1. At a glance
The following information gives a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally.
2. Controller
The controller responsible for data processing on this website pursuant to Art. 4 (7) GDPR is:
traqx GmbH
Represented by the managing directors: Alexander Schrot and Daniel Herrmann
Enzweilerweg 3a · 66709 Weiskirchen · Germany
Phone: +49 171 3697577
Email: info@traqx.io
A data protection officer has not been appointed; the controller is your point of contact for all data protection matters.
3. Server logs (technically required)
When you visit this website, the hosting provider automatically collects technical information in server log files: IP address (anonymised after 7 days), date and time of access, page accessed, referrer, user agent. Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in technically reliable operation. Retention: 7 days, then automatic deletion. No merger with other data sources takes place.
4. Contact
If you contact us via form, email or phone, we store the information you provide (name, email, company, message content) to process the enquiry and for follow-up questions. Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures) and Art. 6 (1) (f) GDPR (legitimate interest in answering enquiries). Retention: deletion as soon as the enquiry has been finally processed, at the latest after 12 months, unless statutory retention obligations apply. Data is not shared with third parties.
5. Lead magnets (PDF downloads)
To request our practical guides (e.g. our “12 QA Questions Before the First Pilot” or our “10 GxP-AI Prompt Patterns”) we ask for your email address and, optionally, your name and company. The data is stored solely to provide the requested material and for documentation of consent. Legal basis: Art. 6 (1) (a) GDPR (consent). Retention: until your withdrawal, at most 24 months. The newsletter subscription is offered as a separate opt-in checkbox on the lead-magnet form (no coupling — you can request the material without subscribing). No marketing emails are sent without separate consent.
5a. Newsletter (double opt-in)
Procedure: If you sign up for our newsletter, we use the double-opt-in procedure: after entering your email address and name you receive a confirmation email with a verification link. Only after you click that link do we activate the subscription and document your consent.
Data: email address, name, consent timestamp, confirmation IP.
Purpose: sending the monthly traqx newsletter with practice insights, plus documentation of the consent process pursuant to Art. 7 (1) GDPR.
Legal basis: Art. 6 (1) (a) GDPR (consent), § 7 (2) No. 3 UWG.
Retention: for as long as your subscription is active; consent logs are additionally retained for 3 years after the end of the subscription as evidence in the event of complaints.
Withdrawal: every newsletter contains a one-click unsubscribe link in the footer. Alternatively a short email to info@traqx.io is sufficient.
Processor: transactional emails and the newsletter are sent via the Google Workspace SMTP relay (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland); the Google Workspace data-processing agreement applies. We currently use no third-party email-marketing tool; recipient and sequence management is self-hosted in our own system. Should this change, we will update this section.
5b. Retention overview & justifications
A consolidated view of all retention periods with the rationale behind each one — the principle: minimal storage, clear purpose, documented basis.
| Data category | Retention | Justification |
|---|---|---|
| Server logs | 7 days | Sufficient for technical fault analysis & security forensics — Art. 6 (1) (f) GDPR. IP anonymisation kicks in immediately on log close. |
| Contact enquiries | 12 months | B2B sales cycles in pharma typically run 6–9 months. 12 months covers follow-ups without unnecessary stockpiling. Statutory retention (e.g. § 257 HGB) only applies once a contract is concluded. |
| Lead magnets | up to 24 months | Until withdrawal of consent; the 24-month cap covers documentation of consent (Art. 7 GDPR) and a typical re-engagement cycle. Withdrawal at any time, deletion within 7 days of request. |
| Newsletter subscription | active subscription + 3 yrs consent log | Email + name only as long as the subscription is active. The consent log (timestamp + IP) is retained for 3 years to cover the statutory limitation period (§ 195 BGB) for complaints under § 7 UWG. |
| Cookies (incl. analytics) | 30 min – 14 months | Per tool, detailed in 6.9. GA4 capped at 14 months (the GA4 minimum; shorter is only possible via property reset); all other tools are below or at industry standard. |
| Cookiebot consent | 12 months | Maximum window the EDPB considers reasonable for repeat consent requests. After 12 months a fresh banner appears. |
6. Cookies, analytics & tracking
This website uses analytics and tracking tools that go beyond pure reach measurement and create usage profiles. Personal data may be processed (in particular IP address, device and browser information, behaviour data) and transferred to third countries (including the USA). Legal basis is your consent pursuant to § 25 (1) TTDSG and Art. 6 (1) (a) GDPR. Consent is granted on your first visit via our cookie banner and can be withdrawn at any time with effect for the future — see section 6.10 below. Withdrawal is as simple as granting consent (Art. 7 (3) GDPR); the lawfulness of processing carried out on the basis of consent prior to withdrawal remains unaffected.
6.0 Consent management (Cookiebot)
Provider: Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark (a Usercentrics company) — EU-based provider.
Purpose: Cookiebot is the consent management platform (CMP) we use to document your consent in line with § 25 TTDSG and Art. 7 GDPR and to block analytics and tracking tools until you opt in.
Data: Cookiebot stores a "CookieConsent" cookie containing your consent state (categories, timestamp, anonymous identifier) and a server-side consent log.
Retention: up to 12 months from the moment consent is given; renewed on the next visit after expiry.
Legal basis: the processing of the consent data itself rests on Art. 6 (1) (c) GDPR (legal obligation to document consent).
Third-country transfer: primary processing in the EU; sub-processors may include service providers outside the EEA under EU Standard Contractual Clauses.
Data processing agreement: concluded with Cybot A/S.
6.1 Google Analytics 4
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, USA).
Purpose: Tracking tool that goes beyond pure reach measurement. Google uses the collected data for the operation of GA4 and partly for its own purposes (to that extent no commissioned processing in the narrow sense).
Data: pseudonymous identifiers (client ID), IP address (shortened on an EU server, see below), page views, dwell time, scroll depth, click events, device and browser information, approximate location (country / region from IP).
Retention: up to 14 months for event-level data, then automatic deletion.
IP shortening: The IP address is shortened on an EU server before being forwarded to the USA (the "_anonymizeIp" equivalent in GA4 is active by default).
Third-country transfer: processing on servers in the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework (adequacy decision of 10 July 2023). Note: the supervisory authorities point out that the legal certainty gained may only be temporary; the predecessor regimes (Safe Harbor, Privacy Shield) were invalidated by the CJEU.
Data processing agreement: concluded with Google Ireland Ltd.
6.2 Microsoft Clarity
Provider: Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (parent: Microsoft Corporation, USA).
Purpose: Session recordings and heatmaps to improve usability. Note: session recordings are a particularly intensive form of processing — they can capture sensitive content even though input fields are masked by default. We have configured the strictest masking level ("Strict") for all form fields.
Data: mouse movements, clicks, scroll behaviour, page views, device and browser information, shortened IP address, country.
Retention: up to 12 months from the last recorded session.
Third-country transfer: Microsoft is a US group; data may be processed on servers in the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework. The reservations noted above for GA4 apply analogously.
Data processing agreement: Microsoft Online Services DPA concluded.
6.3 Leadfeeder (Dealfront)
Provider: Dealfront Germany GmbH (Leadfeeder), Markgrafenstraße 36, 10117 Berlin, Germany — EU-based provider.
Purpose: B2B identification of visiting companies based on commercially licensed IP-address databases (e.g. RIPE, ARIN, public corporate IP ranges) to inform our sales outreach. The aim is identification of the company, not of an individual user. Important note from a data protection perspective: IP addresses can constitute personal data, particularly when combined with other data. We therefore treat Leadfeeder processing as relevant under the GDPR.
Data: IP address, page views, timestamp, dwell time, referrer.
Data sources: Dealfront enriches IP data with publicly available company information and licensed B2B databases.
Retention: up to 12 months on visit level; aggregated reports may be retained longer.
Third-country transfer: Dealfront operates primarily on EU infrastructure; sub-processors may include US service providers under EU Standard Contractual Clauses.
Data processing agreement: concluded with Dealfront Germany GmbH.
6.4 Google Ads (conversion tracking & remarketing)
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent: Google LLC, USA).
Purpose: We use Google Ads conversion tracking and (where activated) remarketing to measure the success of advertising campaigns and to address visitors with relevant ads.
Data: pseudonymous click ID (gclid), conversion event, conversion timestamp, device and browser information. Cookies used include "_gcl_au" (conversion linker) and "test_cookie" (technical test cookie from doubleclick.net).
Retention: "_gcl_au" up to 90 days; conversion logs in the Google Ads account according to Google's retention settings.
Third-country transfer: processing on Google servers, including in the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework.
Data processing agreement: concluded with Google Ireland Ltd.
6.5 LinkedIn Insight Tag
Provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (parent: LinkedIn Corporation, USA).
Purpose: The LinkedIn Insight Tag enables campaign measurement, audience analytics and (where activated) retargeting for LinkedIn ad campaigns.
Data: IP address (truncated), timestamp, page URL, device characteristics, LinkedIn member ID where the visitor has been logged in to LinkedIn. Cookies used include "bcookie", "lidc", "bscookie".
Retention: up to 6 months for directly identifying data; aggregated campaign reports may be retained longer.
Third-country transfer: processing on LinkedIn servers, including in the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework.
Data processing agreement: concluded with LinkedIn Ireland Unlimited Company.
6.6 Google Tag Manager
Provider: Google Ireland Limited (see 6.1).
Purpose: Google Tag Manager (GTM) is a tag-management system that loads other tracking tags on this website (e.g. Google Analytics, Google Ads, LinkedIn Insight Tag). GTM itself does not set any cookies and does not collect personal data per se; it only orchestrates the tags loaded after consent.
Data: technical request data (IP address, timestamp, user agent) is briefly processed by Google's GTM loader server. GTM itself sets no persistent identifier.
Third-country transfer: the GTM loader is hosted on Google infrastructure, including in the USA. Safeguards as in 6.1.
Note: we have configured GTM so that no measurement tag fires before you have given consent via our Cookiebot banner.
6.7 Cloudflare (CDN & bot management)
Provider: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA, with EU representative Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich.
Purpose: Cloudflare is used by our hosting provider as a content delivery network (CDN) and security layer. The "__cf_bm" cookie is set by Cloudflare's bot management to distinguish humans from automated traffic in real time and to mitigate DDoS attacks and content scraping.
Necessity: Without bot mitigation our website would be vulnerable to credential stuffing, scraping and DDoS attacks that would compromise availability, integrity and the security of the personal data we process (e.g. lead-magnet form submissions, newsletter sign-ups). Bot mitigation is therefore a technical security measure within the meaning of Art. 32 GDPR (security of processing). Cloudflare itself classifies "__cf_bm" as "strictly necessary" (Cloudflare cookie documentation). Forgoing Cloudflare bot management would weaken the security of personal-data processing on this site.
Data: IP address, request headers, technical fingerprint of the request. No persistent, cross-site identifier.
Retention: the "__cf_bm" cookie expires after at most 30 minutes of inactivity. Aggregated security logs at Cloudflare are retained briefly under Cloudflare's standard retention.
Legal basis: § 25 (2) No. 2 TTDSG (technically required for the service requested by the user) and Art. 6 (1) (f) GDPR (overriding legitimate interest in a secure, available website).
Third-country transfer: Cloudflare is a US group; data may be processed on servers in the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework (adequacy decision of 10 July 2023). Note: the legal certainty of the framework may be limited; annulment proceedings are pending before the General Court of the EU (case T-553/23).
Data processing agreement: concluded as part of the hosting contract.
6.8 Google Search Console
Provider: Google Ireland Limited (see 6.1).
Purpose: Google Search Console (GSC) lets us monitor how this website performs in Google's search results — indexing status, search queries that lead to the site, click-through rates and technical crawl errors.
Cookies / tracking: GSC itself sets no cookies on visitors of this website and loads no client-side script. Ownership of the domain is verified via a static HTML meta tag and / or a DNS TXT record.
Data: aggregated search analytics from Google (search queries, impressions, clicks) — not directly linked to individual visitors. The data is made available to us in aggregated form only.
Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in monitoring the site's search visibility.
Third-country transfer: the aggregated reports are generated on Google infrastructure (including the USA). Safeguards as in 6.1.
6.9 Cookie storage durations
Session cookies are deleted when the browser is closed. Persistent cookies have the following maximum lifetimes: Google Analytics 4 — up to 14 months (data retention shortened to 14 months in the GA4 settings); Microsoft Clarity — up to 12 months; Google Ads ("_gcl_au") — up to 90 days; LinkedIn ("bcookie") — up to 6 months; Cloudflare ("__cf_bm") — at most 30 minutes of inactivity; Leadfeeder — typically session-based, no client-side storage; CookieConsent (Cookiebot) — up to 12 months from the moment consent is given.
6.9a Cookie declaration
6.10 Withdrawal of consent
As easy as granting it — you can withdraw your consent at any time with effect for the future:
- Open the cookie settings: click the "Cookie settings" link in the footer to re-open the banner and adjust your choice (this controls GA4, Clarity, Google Ads, LinkedIn and Leadfeeder alike).
- By email: send a short message to info@traqx.io — we will block the relevant tools for you.
- Per tool: for Google Analytics the official browser opt-out is available; for Google Ads via the ad personalisation settings; for LinkedIn via the LinkedIn opt-out. Microsoft Clarity and Leadfeeder are controlled exclusively via our cookie banner.
The lawfulness of processing carried out on the basis of consent prior to withdrawal remains unaffected (Art. 7 (3) GDPR).
7. Web fonts
This website loads fonts from Google Fonts. Connection data (in particular the IP address) is transmitted to Google. Provider: Google Ireland Limited (see section 6.1). Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in a consistent typographic presentation. As a fallback, fonts are also held locally so that font loading can fail safely without breaking the layout.
8. Technical and organisational measures (TOM)
To protect your data we implement appropriate technical and organisational measures pursuant to Art. 32 GDPR — among them: TLS encryption (HTTPS) for the entire site, encrypted database connections, server hosting in the EU (Kinsta / GCP Frankfurt), restricted admin access via individual accounts with strong passwords and 2FA, regular automatic backups, role-based access control, a documented record of processing activities pursuant to Art. 30 GDPR, and data minimisation at the application level. We review and update these measures continuously.
9. Your rights as a data subject
Under the GDPR you have the following rights:
- Right of access (Art. 15 GDPR) — information about which of your personal data we process.
- Right to rectification (Art. 16 GDPR) — correction of inaccurate data.
- Right to erasure (Art. 17 GDPR) — deletion of your data where the legal conditions are met.
- Right to restriction of processing (Art. 18 GDPR).
- Right to data portability (Art. 20 GDPR) — receipt of your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR) — to processing based on legitimate interest, including direct marketing. See the highlighted notice below.
- Right to withdraw consent (Art. 7 (3) GDPR) — at any time with effect for the future, see section 6.10.
- Right to lodge a complaint (Art. 77 GDPR) — with a supervisory authority, in particular in the EU member state of your residence, your workplace or the place of the alleged infringement. Competent supervisory authority for our registered office: Unabhängiges Datenschutzzentrum Saarland (Independent Data Protection Centre Saarland), Fritz-Dobisch-Straße 12, 66111 Saarbrücken.
Special notice · Art. 21 GDPR
Right to object pursuant to Art. 21 GDPR. You have the right, on grounds relating to your particular situation, at any time to object to processing of personal data concerning you which is based on Art. 6 (1) (f) GDPR (legitimate interests), including profiling based on those provisions. If you object, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or unless the processing serves the establishment, exercise or defence of legal claims. Where personal data is processed for direct marketing purposes, you have the right to object at any time; following an objection, the personal data will no longer be processed for such purposes.
How to exercise the right: a short email to info@traqx.io is sufficient. We confirm receipt and act within the statutory time limits.
Requests regarding these rights are to be directed to: info@traqx.io. We respond within the statutory period (usually one month).
10. Currency of this privacy policy
Last updated: 2 June 2026. We reserve the right to adapt this policy so that it always meets current legal requirements. The current version can always be retrieved from this website.