Privacy Policy
We treat your data with the utmost care. This page sets out, transparently, all information about the processing of your personal data at CanBeOnline.
This privacy policy informs you about the type, scope and purposes of the processing of personal data on the website canbeonline.com (including subpages) as well as about your rights under the GDPR.
1. Controller
- Serkan Kabak
- Postal address: Hugo-Junkers-Straße 90, 50739 Köln
- E-mail: info@canbeonline.de
- Phone: +49 15679153170
A data protection officer has not been appointed.
2. Overview (Summary)
- When visiting the website, technically necessary data is processed (e.g., IP address in server logs) to deliver and secure the site.
- When using the contact form, we process the data you enter to handle your inquiry; communication takes place via e-mail (via Postmark). No storage in a database occurs.
- Cookies: We currently only use technically necessary cookies (Session/CSRF).
- Tracking: Google Analytics and Facebook Pixel are currently disabled and are not loaded.
3. Hosting, Website Provision, Server Logs
3.1 What data is processed?
With each access to the website, the following data may be processed in server logs:
- IP address (or shortened/full IP depending on hosting setup)
- Date and time of access
- Accessed page/file (URL/path)
- Referrer URL (if transmitted)
- User-Agent (browser/OS)
- HTTP status code and transmitted data volume
3.2 Purposes and legal basis
- Purposes: Delivery of the website, stability, error analysis, IT security, abuse prevention.
- Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in secure, stable operation).
3.3 Recipients / Data processing
- Hosting service provider (processor pursuant to Art. 28 GDPR): DigitalOcean, LLC, 101 Avenue of the Americas, New York, NY 10013, USA (server operation in EU data centers; data processing agreement pursuant to Art. 28 GDPR concluded).
- Server management (processor pursuant to Art. 28 GDPR): Laravel Forge (service by Laravel Holdings Inc., USA) – server management/deployment/monitoring; data processing agreement pursuant to Art. 28 GDPR concluded.
3.4 Storage duration
- Server logs: Storage for up to 14 days. The log data (e.g., web server and system logs) that arise during server operation via Laravel Forge are automatically deleted at regular intervals. Longer retention occurs exclusively on a case-by-case basis (e.g., for analysis of security incidents or technical faults) and only as long as necessary.
4. Contact (Contact Form)
4.1 What data is processed?
When you use our contact form, we process:
- Mandatory information: Name, e-mail address, message text, confirmation of privacy notices (checkbox).
- Voluntary information: Phone number, preferred contact method (e-mail/phone/WhatsApp), company name, industry, timeframe, budget, up to 5 inspiration/reference URLs, selected packages/add-ons.
- Technical metadata: Page/path information and context of triggering (e.g., from which page/position the form was opened).
4.2 Spam and abuse protection
To protect against spam, we also process:
- a honeypot field (invisible to humans; bots often fill it out) and
- rate limiting based on IP address (limitation of requests per time period).
The IP address is processed only for the purpose of abuse prevention to the technically necessary extent.
4.3 Purposes and legal bases
- Purposes: Processing and responding to your inquiry, follow-up questions, offer creation and project initiation.
- Legal bases: Art. 6 para. 1 lit. b GDPR (pre-contractual communication) as well as Art. 6 para. 1 lit. f GDPR (security/abuse prevention).
4.4 How does communication take place?
After submitting the form, you will receive a confirmation e-mail. Internally, we receive a copy for processing the inquiry (as BCC recipient of the confirmation e-mail).
Important: Your contact inquiry is not stored in a database or CMS. Processing takes place exclusively via e-mail; your data only ends up in the e-mail inboxes of the processing persons.
Note on "WhatsApp": WhatsApp can be selected as the preferred contact method in the form. However, the inquiry itself is processed via e-mail. Communication via WhatsApp only takes place if you actively contact us via WhatsApp or we contact you there at your express request.
4.5 Storage duration
- Contact inquiries: Since no storage in a database occurs, retention is based on e-mail archiving in the processing inboxes (usually until deletion after completion of processing or according to internal e-mail retention policies).
- As a rule, we delete or anonymize contact inquiries no later than 6 months after the inquiry has been fully processed, unless statutory retention obligations or the assertion/defense of legal claims require longer storage.
- If a contract is concluded, statutory retention obligations may apply (up to 10 years).
5. E-mail Sending (Postmark)
For sending e-mails, we use Postmark (service of Wildbit LLC, USA).
- Purpose: Delivery of the confirmation e-mail and forwarding of the inquiry to internal recipients.
- Data types: E-mail address, name, contents of your message and possibly other contact data/project details you provided.
- Legal basis: Art. 6 para. 1 lit. b GDPR (pre-contractual communication) as well as Art. 6 para. 1 lit. f GDPR (reliable delivery/communication).
- Processing / third-country transfer: We use Postmark as a processor. Processing in the USA cannot be fully excluded. To safeguard transfers, we implement appropriate safeguards (in particular EU Standard Contractual Clauses) and consider additional technical and organizational measures where required.
6. Language Switching (DE/EN)
When you change the language, we store your selection in the current session so that the website is subsequently displayed in the selected language.
- Data types: Language preference (locale), session information.
- Purposes: Display of the website in your preferred language.
- Legal basis: Art. 6 para. 1 lit. f GDPR in conjunction with § 25 para. 2 TTDSG (technically necessary function).
7. Cookies and comparable technologies
7.1 Necessary Cookies
We currently only use technically necessary cookies.
| Name | Purpose | Type | Storage duration |
|---|---|---|---|
| XSRF-TOKEN | CSRF protection (forms/requests) | technically necessary | up to approx. 120 minutes |
| canbeonline_session | Session management (e.g., language setting/flash messages) | technically necessary | up to approx. 120 minutes |
Legal basis: Art. 6 para. 1 lit. f GDPR in conjunction with § 25 para. 2 TTDSG.
7.2 Tracking / Marketing (currently disabled)
Google Analytics and Facebook Pixel are currently disabled and are not loaded. If we use such tools in the future, this will only be done after prior consent via a consent banner; this privacy policy will then be updated accordingly.
8. Recipients, Third Country Transfer
8.1 Recipients
- Hosting service provider (processor): DigitalOcean, LLC (server operation in EU data centers)
- Server management (processor): Laravel Forge (Laravel Holdings Inc.)
- E-mail service provider: Postmark (Wildbit LLC, USA)
- Internal recipients: the mailbox address(es) configured by us that process your inquiry.
8.2 Third country transfer (USA)
When using service providers based in the USA (e.g., Postmark / Wildbit LLC; DigitalOcean, LLC; Laravel Forge/Laravel Holdings Inc.), processing/transmission of personal data to a third country cannot be completely ruled out (e.g., through support/administration access).
- DigitalOcean: DigitalOcean is certified under the EU‑U.S. Data Privacy Framework (DPF); in addition, EU Standard Contractual Clauses (SCC) are typically used via the relevant contractual terms (e.g., DPA).
- Postmark / Laravel Forge: For transfers to the USA, we implement appropriate safeguards (in particular EU Standard Contractual Clauses (SCC)) and, where required, perform a risk assessment and implement supplementary measures.
You can request further information or a copy of the safeguards from us. This information will be updated in case of changes.
9. Security
We implement technical and organizational measures to protect your data (including TLS/SSL encryption, access restrictions, abuse protection in the contact form).
10. No automated decision-making
Automated decision-making including profiling pursuant to Art. 22 GDPR does not take place.
11. Rights of data subjects
You have the following rights (Art. 15–21 GDPR): Information, rectification, erasure, restriction of processing, data portability, objection (for processing based on Art. 6 para. 1 lit. f GDPR) as well as withdrawal of given consents with effect for the future (Art. 7 para. 3 GDPR). Furthermore, there is a right to lodge a complaint with a supervisory authority.
Contact for data protection inquiries: info@canbeonline.de.
Supervisory authority (NRW, Germany): State Commissioner for Data Protection and Freedom of Information North Rhine‑Westphalia (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf – ldi.nrw.de.
12. Changes to this privacy policy
We adapt this declaration if the data processing or legal situation changes.
Last updated: 17.12.2025