
Privacy Policy

As of: May 2026

This Privacy Policy applies to the websites aria-strategy.com (marketing site) and check.aria-strategy.com (Aria Strategy Self-Check). Where sections apply to only one of the two applications, this is noted in the section.

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

Jess Reisig (operating under the business name "Aria Strategy")
Martinskirchstraße 62
60529 Frankfurt am Main
Germany

Email: hello@aria-strategy.com
Phone: +49 1774973430

A separate appointment of a data protection officer is not required under Art. 37 GDPR or § 38 BDSG.

2. General Information on Data Processing

2.1 Scope of Personal Data Processing

We process personal data of our users in principle only to the extent necessary to provide a functional website and our content and services. Processing generally takes place only after consent from the user or based on another legal ground.

2.2 Legal Bases for Processing

The legal bases for the processing of personal data arise in particular from:

  • Art. 6(1)(a) GDPR: consent of the data subject
  • Art. 6(1)(b) GDPR: performance of a contract or pre-contractual measures
  • Art. 6(1)(c) GDPR: compliance with a legal obligation
  • Art. 6(1)(f) GDPR: legitimate interests pursued

2.3 Data Deletion and Retention Period

Personal data are deleted or blocked as soon as the purpose of storage ceases to apply. Further storage takes place only where this is provided for by European or national legislation (for example commercial or tax retention obligations). Specific retention periods are set out in the relevant sections below.

3. Hosting and Provision of the Websites

3.1 Hosting Provider

Both websites are hosted with

Hetzner Online GmbH
Industriestraße 25
91710 Gunzenhausen
Germany

A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR exists with Hetzner. Data processing takes place on a server in the data centre in Helsinki, Finland (EU/EEA). No transfer to third countries takes place within the scope of hosting.

3.2 Server Log Files

When the websites are accessed, the following technical information is automatically processed by the web server:

  • Shortened IP address (anonymised, the last octets are removed before storage; re-identification of individual users is not possible)
  • Date and time of access
  • Name and URL of the file retrieved
  • Amount of data transferred
  • Notification of successful retrieval
  • Browser and operating system used
  • Referrer URL (previously visited page)

Purpose: ensuring stability and security of the applications, error analysis, protection against misuse.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in technical functionality and security).

Retention period: maximum of 7 days. No combination with other data sets takes place.

4. Aria Strategy Self-Check

This section applies exclusively to check.aria-strategy.com.

4.1 Description of Processing

At check.aria-strategy.com we offer a self-assessment tool ("Aria Strategy Self-Check") that allows users to obtain an assessment of the maturity of their AI governance practice. Use of the tool is voluntary and free of charge.

4.2 Processed Data

a) Self-Check answers and calculation result

  • Substantive answers to the questions are stored temporarily in the database during the active session and are automatically deleted immediately after the result is displayed. Permanent storage of individual answers does not take place.
  • Pseudonymous session ID to assign answers during the session (cookie aria_session_id)
  • Automatically calculated score (0-100), risk level and product recommendation. These calculation results are stored permanently only in conjunction with contact data (see point b).

b) Contact data (voluntary, only when results are requested)

  • First and last name
  • Email address
  • Company/organisation
  • Position/role
  • Phone number (optional)
  • Tracking source (UTM parameters from the calling link, if present)
  • Consent status with timestamp (to document consent in accordance with Art. 7 GDPR)

Note on pseudonymisation: calculation results are linked to contact data only when the user voluntarily provides contact data and gives consent. In that case the data are pseudonymised; full anonymity is no longer ensured.

4.3 Purposes and Legal Bases

a) Carrying out the Self-Check and displaying the result
Legal basis: Art. 6(1)(b) GDPR (performance of the requested service).

b) Sending the result report by email
Legal basis: Art. 6(1)(a) GDPR (consent).

c) Contact for further consulting services
Legal basis: Art. 6(1)(a) GDPR (consent). Consent is given by actively ticking a checkbox before the data is submitted. A pre-selected checkbox is not used.

4.4 Automated Evaluation

Answers are evaluated automatically by a rule-based scoring engine and assigned to a maturity score. No automated decision with legal effect within the meaning of Art. 22 GDPR takes place. The evaluation serves solely to inform the user and to prepare a possible consulting conversation.

4.5 Retention Period

| Data category | Retention period |
|---|---|
| Pseudonymous session answers without transmission of contact data | immediate deletion at end of session, at the latest after 24 hours |
| Lead record (contact data + calculation result + consent status) | 12 months after last interaction, then automated deletion |
| If a business relationship is established | in accordance with commercial and tax retention periods (up to 10 years, §§ 147 AO, 257 HGB) |

Upon withdrawal of consent, deletion takes place without delay.

5. Contact by Email

If you contact us by email (for example at hello@aria-strategy.com), your information is processed to handle the enquiry.

Processed data: sender's email address, name (if provided), content of the message.

Legal basis:

  • Art. 6(1)(b) GDPR (pre-contractual measures or contract initiation)
  • Art. 6(1)(f) GDPR (legitimate interest in handling enquiries)

Retention period: until the enquiry has been fully processed. For business correspondence, commercial retention periods apply (up to 6 years, § 257 HGB).

6. Cookies and Similar Technologies

The marketing site aria-strategy.com sets no cookies. The following cookies are used exclusively by check.aria-strategy.com.

| Cookie name | Purpose | Retention |
|---|---|---|
| aria_session_id | Assigning user requests during the session (Self-Check) | Session duration |
| aria_lang | Storage of the language preference (DE/EN/NL) | 12 months |

Legal basis: § 25(2) no. 2 TDDDG (strictly necessary cookies; no consent required).

No tracking, analytics or marketing cookies are used. A cookie consent banner is therefore not required.

7. Recipients and Processors

For the data processing, we use the following processors, each with a DPA in accordance with Art. 28 GDPR:

| Provider | Scope | Location | Purpose | Third country? |
|---|---|---|---|---|
| Hetzner Online GmbH | aria-strategy.com and check.aria-strategy.com | Germany (server Helsinki, FI) | Hosting of the websites, provision of the Postgres database | no (EU/EEA) |
| Hetzner Mail | check.aria-strategy.com | Germany | Sending of Self-Check result confirmations and internal notifications | no (EU/EEA) |
| 42he GmbH (CentralStation CRM) | check.aria-strategy.com | Cologne, Germany | Lead management. Upon completion of the Self-Check, contact data plus a note with score and recommendation are transmitted. | no (EU/EEA) |
| Cal.com, Inc. (EU region) | check.aria-strategy.com | Cal.com Inc. based in the USA, EU region hosting | Appointment booking service (initial consultation). When the booking button is clicked, name, email address and the chosen appointment are transmitted. | EU region hosting, data remains in the EU. Standard Contractual Clauses (SCC) are agreed in the DPA. |
| Bunnyway d.o.o. (Bunny.net Fonts) | aria-strategy.com and check.aria-strategy.com | Slovenia, EU | Provision of the Inter typeface via fonts.bunny.net (privacy-friendly alternative to Google Fonts). When the font is requested, the user's IP address is transmitted to Bunny.net. | no (EU/EEA) |

No personal data are transmitted to recipients outside of the processors listed above. No operational data processing takes place in third countries (outside the EU/EEA).

8. External Links

Our websites may contain links to external websites and profiles. By clicking such a link, you leave our scope. We are not responsible for the data processing on the linked websites. The privacy policy of the respective external provider applies.

Embedded content such as social plug-ins is not used on our pages.

9. Data Security

We implement technical and organisational measures to ensure the security of personal data. These include in particular:

  • Encrypted data transmission via TLS/SSL (HTTPS) with automatic certificate renewal via Let's Encrypt
  • Access control and token-based authentication for administrative areas
  • Security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Content-Security-Policy)
  • Rate limiting to protect against automated misuse
  • IP anonymisation in server logs
  • Up-to-date patching of all system components
  • Logging and monitoring to detect security incidents

The measures are reviewed regularly and adapted to the state of the art.

10. Your Rights as a Data Subject

You have the following rights vis-à-vis the controller in respect of the personal data concerning you:

| Right | Content | Legal basis |
|---|---|---|
| Access | Information about the personal data stored about you | Art. 15 GDPR |
| Rectification | Correction of inaccurate or incomplete data | Art. 16 GDPR |
| Erasure | Erasure of your data ("right to be forgotten") | Art. 17 GDPR |
| Restriction | Restriction of processing | Art. 18 GDPR |
| Data portability | Receipt of your data in a machine-readable format | Art. 20 GDPR |
| Objection | Objection to processing based on legitimate interests | Art. 21 GDPR |
| Withdrawal | Withdrawal of given consent with effect for the future | Art. 7(3) GDPR |

To exercise your rights, please contact: hello@aria-strategy.com

We will examine your request without delay and usually reply within one month. For complex requests, the deadline may be extended by two further months; you will be informed in that case.

11. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other remedy, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). You may turn in particular to the supervisory authority of your place of residence or the authority responsible for us:

The Hessian Commissioner for Data Protection and Freedom of Information
Postfach 31 63
65021 Wiesbaden
Phone: +49 611 1408-0
Email: poststelle@datenschutz.hessen.de
Website: datenschutz.hessen.de

A list of all supervisory authorities in Germany is available at: bfdi.bund.de

12. Obligation to Provide Data

The provision of personal data is required neither by law nor by contract. You are not obliged to provide data.

Consequences of not providing data:

  • Without answering the Self-Check questions, the Self-Check cannot be carried out.
  • Without providing contact data, no result report can be sent and no individual consulting request can be processed.

Beyond the functional limitations mentioned, no disadvantages arise for you from not providing data.

13. No Automated Decision-Making within the Meaning of Art. 22 GDPR

No decision based solely on automated processing that produces legal effects concerning you or significantly affects you in a similar way takes place. The scoring engine used in the Self-Check serves solely to inform and does not replace individual consulting.

14. Amendments to this Privacy Policy

We reserve the right to adapt this Privacy Policy where this is required by new functions, changed legal requirements or official requirements. The version available at the time of use applies.

Material changes are communicated via the applications. To existing contacts, we additionally communicate material changes by email where a corresponding communication relationship exists.
