TATAR Global

Legal · Data protection

Privacy Policy

This policy explains how we handle personal data under Regulation (EU) 2016/679 (GDPR), the German Federal Data Protection Act (BDSG) and, where applicable, equivalent national regimes governing our partners' jurisdictions.

Last updated · 10 May 2026

Düsseldorf · Germany

§ 01

Scope and overview

This policy applies to personal data we process through this website, our contact channels, and our institutional engagements. It does not cover the websites of third parties to which we may link.

Where a separate engagement-specific data processing agreement is in force, that agreement prevails over this general policy in matters it specifically addresses.

We process personal data only for clearly defined purposes, in the smallest amount necessary to fulfil those purposes, and for no longer than the law and the purpose require.

01

§ 02

Data controller

The controller responsible for the processing of personal data through this website, within the meaning of Article 4(7) GDPR, is:

Controller
TATAR Global GmbH
Address
Stromstraße 46, 40221 Düsseldorf, Germany
Email
[email protected]
Telephone
+49 151 23 737372

Full statutory company information is available in our Imprint.

02

§ 03

Data protection contact

For all questions concerning the processing of your personal data and the exercise of your rights under the GDPR, please write to [email protected] with the subject line "Data protection".

Where a Data Protection Officer has been appointed for a specific engagement or jurisdiction, contact details will be disclosed in the relevant engagement notice.

03

§ 04

Purposes of processing

We process personal data only for the following defined purposes:

  • Responding to enquiries submitted through our contact form, by email, or by other channels you initiate.
  • Operating, securing and improving this website, including basic traffic measurement and abuse prevention.
  • Carrying out institutional engagements you or your organisation have asked us to perform, on the terms of the relevant engagement.
  • Meeting our statutory obligations, including tax, accounting, anti-money-laundering and record-keeping requirements under German and EU law.
  • Defending and asserting legal claims, where necessary.

04

§ 05

Lawful bases

We rely on the following lawful bases under Article 6(1) GDPR:

  • Article 6(1)(a) — your consent, where you have explicitly given it, for example before optional cookies or marketing communications.
  • Article 6(1)(b) — performance of a contract or steps taken at your request prior to entering into a contract, including responding to enquiries about a possible engagement.
  • Article 6(1)(c) — compliance with a legal obligation to which we are subject under German or EU law.
  • Article 6(1)(f) — our legitimate interests in operating, securing and improving our service and in defending legal claims, where these interests are not overridden by your fundamental rights and freedoms.

05

§ 06

Categories of data

Depending on how you interact with us, we may process the following categories of personal data:

  • Identification and contact data: name, organisation, role, email address, telephone number, postal address.
  • Communication content: the message and any attachments you choose to send us, and the metadata of that exchange.
  • Technical data: IP address, browser identifiers, device and operating-system information, pages visited and timestamps, where collected for security and basic measurement.
  • Engagement data: information you or your organisation share with us in the course of an engagement, on the terms of that engagement.
  • We do not knowingly collect special categories of data (Article 9 GDPR) through this website. Where such data must be processed in a specific engagement, a separate written basis is established.

06

§ 07

Recipients and processors

We disclose personal data only to the recipients and processors necessary to deliver the purposes set out above. These currently include:

  • Our hosting provider, which operates the server infrastructure on which this website runs, on the basis of a written processor agreement.
  • Cloudflare, Inc. and its EU affiliates, providing the content delivery network, security layer and the Turnstile bot-protection service that fronts this website.
  • Email service providers used to deliver and receive transactional correspondence.
  • Professional advisers (accountants, auditors, lawyers) under their respective professional secrecy obligations, where strictly necessary.
  • Public authorities, courts and regulators, where we are legally required to disclose information.

We do not sell personal data, and we do not share personal data for cross-context behavioural advertising.

07

§ 08

International transfers

Where the recipients listed above process personal data outside the European Economic Area, transfers are made on the basis of a current adequacy decision by the European Commission, the Standard Contractual Clauses adopted by the Commission, or another lawful transfer mechanism under Chapter V of the GDPR.

Specifically: traffic to this website is fronted by Cloudflare, which operates a global network. Cloudflare relies on the EU–U.S. Data Privacy Framework and on Standard Contractual Clauses for transfers outside the EEA. A copy of the relevant safeguards can be requested from us at [email protected].

08

§ 09

Retention

We keep personal data only as long as necessary for the purpose for which it was collected, or as required by law. Our default retention periods are:

  • Contact-form submissions and direct correspondence: up to 24 months from the last meaningful exchange, unless an engagement requires longer retention.
  • Server and security logs containing IP addresses: up to 30 days, unless required for the investigation of a specific security incident.
  • Engagement records and related correspondence: for the term of the engagement and the statutory retention period that follows it (typically 6 to 10 years under §147 AO and §257 HGB).
  • Accounting records: 10 years from the end of the calendar year in which the document was issued, in accordance with German tax law.

09

§ 10

Your rights

Subject to the conditions set out in the GDPR, you have the following rights with respect to your personal data:

  • Right of access (Article 15) — to obtain confirmation of whether we process your data and a copy of that data.
  • Right to rectification (Article 16) — to have inaccurate or incomplete data corrected.
  • Right to erasure (Article 17) — to have your data deleted, where one of the conditions of Article 17 applies.
  • Right to restriction of processing (Article 18).
  • Right to data portability (Article 20) — to receive your data in a structured, commonly used and machine-readable format, where processing is based on consent or contract and carried out by automated means.
  • Right to object (Article 21), in particular against processing based on our legitimate interests.
  • Right to withdraw consent at any time, where processing is based on Article 6(1)(a) or 9(2)(a) — withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please write to [email protected]. We may need to verify your identity before acting on a request.

10

§ 11

Right to lodge a complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.

For our principal place of business, the competent supervisory authority is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen / LDI NRW), Kavalleriestraße 2-4, 40213 Düsseldorf — https://www.ldi.nrw.de.

11

§ 12

Security

We apply technical and organisational measures appropriate to the risks of the processing, including transport-layer encryption (HTTPS), strong authentication for administrative access, the principle of least privilege, write-ahead logging and regular backups for our application database, and the use of memory-hard password hashing (Argon2id) for stored credentials.

Despite reasonable safeguards, no method of transmission over the internet or electronic storage is fully secure. Where you transmit highly sensitive information, we encourage you to do so through encrypted channels agreed with us in advance.

12

§ 13

Children's data

This website is not directed at children, and we do not knowingly collect personal data from individuals under the age of 16. If you believe a child has provided personal data to us, please contact us so that we can delete it.

13

§ 14

Automated decision-making

We do not use automated decision-making, including profiling, that produces legal effects concerning you or significantly affects you, within the meaning of Article 22 GDPR.

14

§ 15

Changes to this policy

We may amend this policy from time to time to reflect changes in our practice, in technology or in the law. We will publish the updated version on this page with a new "last updated" date. Material changes will be highlighted, and where required by law we will obtain renewed consent.

15

Legal documents

Other policies in this set