Privacy Policy
Information on the processing of your personal data
1. Privacy at a glance
This website processes personal data only to the extent necessary to operate the site, respond to inquiries, and handle incoming job applications. It is cookie-free with respect to marketing and tracking cookies — technically required components (hosting, bot protection, language preference) are detailed below.
The controller is Herakles GbR (see Section 3). You have the right at any time to access, rectify, erase, restrict, and port your data, to withdraw consent, and to lodge a complaint with the competent supervisory authority. See Section 3 for details.
2. Hosting
External hosting
This website is hosted externally. Personal data collected on this website is stored on the hoster's servers. This may include, in particular, IP addresses, contact requests, meta and communication data, contract data, contact data, names, website accesses, and other data generated via a website.
External hosting takes place for the purposes of contract fulfillment with our potential and existing customers (Art. 6(1)(b) GDPR) and in the interest of a secure, fast, and efficient provision of our online offering by a professional provider (Art. 6(1)(f) GDPR). Where consent has been requested, processing is exclusively based on Art. 6(1)(a) GDPR and § 25(1) TDDDG insofar as the consent covers the storage of cookies or access to information on the user's end device. Consent may be revoked at any time.
We use the following hoster:
Vercel Inc.
340 S Lemon Ave #4133
Walnut, CA 91789
USA
Server region: Frankfurt am Main, Germany (Vercel Edge Network). Transfer to Vercel infrastructure in the United States is safeguarded by the EU-US Data Privacy Framework and the EU Commission's Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
Data processing agreement
We have concluded a Data Processing Agreement (DPA) with Vercel. This is a contract required by data protection law which ensures that the processor handles the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.
3. General notes and mandatory information
Data protection
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this Privacy Policy.
When you use this website, various items of personal data are collected. Personal data is data with which you can be personally identified. This Privacy Policy explains which data we collect and for what purpose. It also explains how and for what purpose this is done.
We note that data transmission via the internet (e.g., when communicating by email) can have security gaps. Complete protection of data against third-party access is not possible.
Information on the controller
The controller responsible for data processing on this website is:
Herakles GbR
Authorized representatives: Bryan Marcel Gundrum and Luca Hemmerle
Rosenbuschstr. 2
80538 Munich
Germany
Phone: +49 171 1061038
Email: info@herakles-defense.com
The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g., names, email addresses, etc.).
Retention period
Unless a more specific retention period has been mentioned within this Privacy Policy, your personal data will remain with us until the purpose for the data processing ceases. If you assert a justified request for erasure or withdraw consent to data processing, your data will be deleted unless we have other legally permissible grounds for storing your personal data (e.g., tax or commercial-law retention obligations); in the latter case, deletion will take place after these grounds cease.
General notes on legal bases of data processing
Where you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR where special categories of data within the meaning of Art. 9(1) GDPR are processed. Consent may be withdrawn at any time. Where your data is required for contract fulfillment or for pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR.
Withdrawal of your consent to data processing
Many data processing operations are only possible with your explicit consent. You can revoke consent already given at any time. The lawfulness of the data processing carried out until the revocation remains unaffected by the revocation.
Right to lodge a complaint with the supervisory authority
In the event of GDPR violations, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their workplace, or the place of the alleged violation. This right of complaint exists without prejudice to other administrative or judicial remedies.
Right to data portability
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only take place insofar as it is technically feasible.
Information, rectification and erasure
Within the framework of applicable legal provisions, you have the right at any time to obtain, free of charge, information about your stored personal data, its origin and recipients, and the purpose of data processing, and where applicable a right to correction or erasure of this data. You may contact us at any time regarding this and further questions on the subject of personal data.
Right to restriction of processing
You have the right to request the restriction of the processing of your personal data. You may contact us at any time. The right to restriction of processing exists in the following cases: when you dispute the accuracy of your personal data stored with us, when the processing of your personal data was/is unlawful and you request restriction instead of erasure, or when we no longer need your personal data but you need it for the assertion, exercise, or defense of legal claims.
SSL / TLS encryption
This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content. An encrypted connection is indicated by the browser address bar switching from "http://" to "https://" and by the lock symbol in your browser bar. When SSL/TLS encryption is activated, data transmitted to us cannot be read by third parties.
Objection to promotional emails
We hereby object to the use of contact data published as part of our imprint obligation for the sending of unsolicited advertising and information material. The operators of these pages expressly reserve the right to take legal action in the event of unsolicited advertising information being sent, e.g., via spam emails.
4. Data collection on this website
Cookies
This website is cookie-free with respect to marketing and tracking cookies. The only technically necessary cookies are a language-preference cookie (NEXT_LOCALE) and, when you use our forms, security cookies set by the bot protection (Cloudflare Turnstile). Neither contains personally identifying tracking information; they are set without consent based on our legitimate interest in a functional, abuse-protected website (Art. 6(1)(f) GDPR).
Contact form
If you send us inquiries via our contact form, your details from the inquiry form, including the contact data you provided there, will be stored by us for the purpose of processing the inquiry and in case of follow-up questions. We do not pass on this data without your consent.
This data is processed on the basis of Art. 6(1)(b) GDPR if your inquiry is related to the fulfillment of a contract or required for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective handling of inquiries addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) if requested; consent can be revoked at any time.
Application form
If you apply for an advertised or speculative position via our application form, we process the data you provide — name, contact details, information about yourself and your qualifications, and your uploaded CV — exclusively for the purpose of carrying out the application process.
Legal basis is Art. 6(1)(b) GDPR in conjunction with § 26 BDSG (initiation of an employment relationship).
Retention period: application documents will be deleted no later than six months after completion of the application process (or after notification of rejection). This period corresponds to the requirements of § 26 BDSG in conjunction with § 61b ArbGG (preservation periods for potential AGG claims). Longer retention — for example, for inclusion in a talent pool for future openings — will only take place on the basis of your express consent (Art. 6(1)(a) GDPR), which you can revoke at any time for the future.
Inquiry by email or phone
If you contact us by email or phone, your inquiry including all resulting personal data (name, inquiry) will be stored and processed by us for the purpose of processing your request. We do not pass on this data without your consent. Legal basis: Art. 6(1)(b)/(f) GDPR.
5. Form services and bot protection
For the operation of our contact and application forms, we use the following service providers. We have concluded a data processing agreement under Art. 28 GDPR with each of them where required.
Resend (email delivery)
We use Resend (Resend, Inc., USA) for the delivery of emails triggered by our forms — both the internal notification and the confirmation email to you. The data you provided in the respective form is transmitted to Resend for the purpose of email delivery. Legal basis is Art. 6(1)(b) and (f) GDPR — our legitimate interest in reliable delivery of form messages. Transfer to the USA is safeguarded by the EU Commission's Standard Contractual Clauses.
Cloudflare Turnstile (bot protection)
To protect our forms against automated entries, we use Cloudflare Turnstile, a service of Cloudflare, Inc., USA. Turnstile checks technical characteristics of your browser and your interaction to determine whether an entry comes from a human. IP address as well as device and browser information are processed. Turnstile operates without advertising cookies and without cross-site tracking. Legal basis is Art. 6(1)(f) GDPR. Transfer to the USA is safeguarded by EU Standard Contractual Clauses.
Upstash (rate limiting)
To protect our forms against excessively frequent submissions, we use rate limiting via Upstash (Upstash, Inc.). Your IP address is briefly processed to count the number of requests per time window. Legal basis is Art. 6(1)(f) GDPR — our legitimate interest in protecting our systems against abusive use. Data is only retained briefly and then automatically deleted.
Error monitoring (Sentry)
For the technical stability of our website, we use Sentry (Functional Software, Inc.), a service for automated capture of program errors. If an error occurs on the website, technical error data — error message, affected page, browser and device type — is transmitted to Sentry so we can fix the error. Processing takes place in Sentry's EU region. No IP addresses are intentionally transmitted and no session recording takes place. Legal basis is Art. 6(1)(f) GDPR.
6. Data transfers to third countries
In providing our online services, we use service providers some of which are headquartered outside the European Economic Area (EEA) or process data in third countries. The following overview summarizes all relevant transfers:
| Service | Purpose | Processing location | Legal basis for third-country transfer |
|---|---|---|---|
| Vercel Inc. | Hosting, Edge network, web analytics | USA (Frankfurt region for EU traffic) | EU-US Data Privacy Framework + EU Standard Contractual Clauses |
| Plausible Insights OÜ | Cookie-free web analytics | EU (Hetzner, Germany) | No third-country transfer |
| Resend, Inc. | Email delivery for forms | USA | EU Standard Contractual Clauses |
| Cloudflare, Inc. | Turnstile bot protection for forms | USA / global edge network | EU Standard Contractual Clauses |
| Sentry (Functional Software, Inc.) | Error monitoring | EU region Frankfurt | No third-country transfer |
| Upstash, Inc. | Rate limiting, internal counters | EU region Frankfurt | No third-country transfer |
All EU Standard Contractual Clauses comply with Art. 46(2)(c) GDPR. To the extent that usage-related data is transferred to US recipients, we note the ongoing risk of access by US authorities based on US surveillance laws (in particular CLOUD Act, FISA 702). Where possible, we choose EU sub-processors or configure EU server regions.
7. No automated decision-making / No AI profiling
We do not use any automated decision-making systems, profiling algorithms, or artificial-intelligence-based selection or evaluation procedures within the meaning of Art. 22 GDPR on this website. Incoming contact and application messages are reviewed and evaluated exclusively through human processing.
Should we use AI-supported auxiliary systems in the future (e.g., for mere translation, spell-checking, or full-text search), they will be used exclusively as supporting tools — the final decision on responding to your inquiry or on the course of an application process is always made by a human.
8. Reach measurement
This website uses a deliberately minimal, cookie-free reach measurement. We use no session replay, no heatmaps, no A/B testing and no external marketing trackers. No profiling and no cross-site re-identification takes place.
Vercel Web Analytics
We use Vercel Web Analytics (Vercel Inc., USA) for cookie-free reach measurement. No cookies are set and no persistent identifiers are stored. Vercel generates a server-side, daily-rotating hash to roughly delineate sessions; this hash is discarded after a maximum of 24 hours. Aggregated data such as page URL, referrer, approximate geolocation (country/region), browser and device type is collected. Legal basis is Art. 6(1)(f) GDPR. Transfer to the USA is safeguarded by EU Standard Contractual Clauses.
Plausible Analytics
In parallel with Vercel we use Plausible Analytics, a cookie-free web analytics tool hosted in Germany (Hetzner) and operated by Plausible Insights OÜ, Tallinn, Estonia. Plausible does not set cookies, collects no personal data and does not track users across multiple sessions.
The following data is collected in aggregated and anonymised form only: pages visited and time on page, referring website and any UTM campaign parameters, browser and operating-system category, visitor country (derived from IP and anonymised before storage), clicks on outbound links and file downloads.
The IP address is used to derive the country and is discarded immediately afterwards. Plausible uses a daily-rotating in-memory hash; identifying a user across sessions is technically impossible.
All data remains within the EU (servers in Germany). No third-country transfer takes place. Legal basis is Art. 6(1)(f) GDPR (legitimate interest in privacy-friendly reach measurement). More information: plausible.io/privacy and plausible.io/data-policy.
Vercel Speed Insights
To ensure fast and stable delivery of our website, we use Vercel Speed Insights. Only technical performance metrics (Core Web Vitals, load times) and approximate country of origin are recorded — without IP address, without cookie, without persistent identifier. Legal basis is Art. 6(1)(f) GDPR.
Internal aggregate counters
To monitor the functionality of our forms, we maintain internal, purely aggregated monthly counters at Upstash (EU region, see Section 5): number of successful submissions per category, funnel steps (opened, started, submitted, abandoned), touched input fields (without field contents), and bot/spam protection triggers. Only monthly totals are stored — no field contents, no IP addresses, no timestamps of individual events, no personally identifying data. Legal basis is Art. 6(1)(f) GDPR — legitimate interest in detecting usability barriers and abuse of our forms.
Questions about data protection?
If you have any questions about the collection, processing, or use of your personal data, about information, rectification, blocking, or deletion of data, please contact: info@herakles-defense.com