// LEGAL

Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and in external online presences, such as our social media profiles (hereinafter collectively referred to as the "online offering").

The terms used are not gender-specific.

Last updated: February 26, 2026

Controller

The AI SHIFT Consulting is a brand of
Umbrella Holding UG (haftungsbeschränkt)
Rosenstraße 13
92648 Vohenstrauß
Germany

Managing Director: Patrick Meier

Email address: contact@the-ai-shift.consulting

Overview of Processing

The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects.

Types of data processed

  • Inventory data.
  • Contact data.
  • Content data.
  • Audio data (when using the voice assistant).
  • Usage data.
  • Meta, communication and procedural data.
  • Log data.

Categories of data subjects

  • Service recipients and clients.
  • Communication partners.
  • Users.

Purposes of processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Communication.
  • Security measures.
  • Organizational and administrative procedures.
  • Content Delivery Network (CDN).
  • AI Voice Assistant.
  • Feedback.
  • Provision of our online offering and user experience.
  • Information technology infrastructure.
  • Reach measurement (analytics).
  • Consent management.

Relevant Legal Bases

Relevant legal bases under the GDPR: The following provides an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the GDPR, national data protection regulations may apply in your or our country of residence or domicile.

  • Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) — The data subject has given their consent to the processing of their personal data for a specific purpose or several specific purposes.
  • Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) — Processing is necessary for the performance of a contract to which the data subject is party.
  • Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) — Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) — Processing is necessary for the purposes of the legitimate interests pursued by the controller, provided that such interests are not overridden by the interests of the data subject.

National data protection regulations in Germany: In addition to the GDPR, national data protection regulations apply in Germany, in particular the Federal Data Protection Act (Bundesdatenschutzgesetz — BDSG).

Cookies and Device Access (§ 25 TDDDG)

We use cookies and similar technologies that store or retrieve information on your device (e.g. cookies, local storage). The legal basis for this is § 25 TDDDG. Technically necessary technologies are used to provide the website; all others only on the basis of your consent.

You can withdraw or adjust a given consent at any time via the cookie settings. The lawfulness of processing until revocation remains unaffected.

Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing.

Securing online connections via TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology.

Vercel BotID / Bot Protection (Abuse and Fraud Prevention)

We use security features provided by Vercel (Vercel Inc.) on our website, specifically "BotID" and "Bot Protection", to detect and block automated access (bots) and to ensure the stability and security of our online offering (e.g. protection against spam via forms, credential stuffing, scraping or DDoS-like access patterns).

The following technical usage and connection data may be processed:

  • IP address (possibly abbreviated/aggregated depending on configuration),
  • Timestamps and request metadata (e.g. HTTP headers, referrer, URL, status codes),
  • Device and browser information (e.g. user agent),
  • Event/risk indicators for detecting automated access (e.g. bot signals, suspicious patterns),
  • Possible cookie/identifier information if Vercel uses it to identify/block recurring attacks.

Legal basis: Legitimate interest in the secure provision of the website and protection against abusive access (Art. 6 para. 1 lit. f GDPR).

Service provider: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA.

Third-country transfer: Processing in the USA cannot be excluded. Where data is transferred to third countries, this is done on the basis of legal requirements (e.g. EU standard contractual clauses).

Further information: Vercel Privacy Policy (https://vercel.com/legal/privacy-policy)

International Data Transfers

Data processing in third countries: Where we transfer data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), this is always done in compliance with legal requirements.

For data transfers to the USA, the EU-U.S. Data Privacy Framework (DPF, adequacy decision of the EU Commission dated 10.07.2023) may serve as a basis depending on the provider. In addition or alternatively, we conclude standard contractual clauses with the respective providers. Further information on the DPF and the list of certified companies can be found at: https://www.dataprivacyframework.gov/

General Information on Data Retention and Deletion

We delete personal data that we process in accordance with legal requirements as soon as the underlying consent is revoked or no further legal basis for processing exists.

Retention and deletion of data: The following general retention periods apply under German law:

  • 10 years — books, records, annual financial statements, inventory (§ 147 AO, § 257 HGB).
  • 8 years — accounting documents, invoices (§ 147 AO).
  • 6 years — other business documents (§ 147 AO, § 257 HGB).
  • 3 years — data required for warranty and liability claims (§§ 195, 199 BGB).

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, arising in particular from Art. 15 to 21 GDPR:

  • Right to object: You have the right to object at any time to processing of your personal data carried out on the basis of Art. 6 para. 1 lit. e or f GDPR.
  • Right to withdraw consent: You have the right to withdraw consent given at any time.
  • Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to receive a copy of such data.
  • Right to rectification: You have the right to request that incomplete or incorrect data be rectified.
  • Right to erasure and restriction: You have the right to request the erasure of data or to request restriction of processing.
  • Right to data portability: You have the right to receive data you have provided in a structured, commonly used and machine-readable format.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority.

Provision of Online Offering and Web Hosting

We process users' data to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the contents and functions of our online services to the user's browser or device.

  • Types of data processed: Usage data; meta, communication and procedural data; log data.
  • Data subjects: Users.
  • Purposes of processing: Provision of our online offering; information technology infrastructure; security measures; CDN.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations:

Collection of access data and log files

Access to our online offering is logged via server log files. The server log files may include the address and name of web pages accessed, date and time of access, data volumes transferred, browser type and version, operating system, referrer URL and IP addresses. Log file information is stored for a maximum of 30 days and then deleted or anonymized.

Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Vercel

Services in the field of information technology infrastructure (e.g. storage space and/or computing capacity).

Service provider: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA.

Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Website: https://vercel.com

Privacy policy: https://vercel.com/legal/privacy-policy

Data Processing Agreement: https://vercel.com/legal/dpa

Basis for third-country transfers: Standard Contractual Clauses (https://vercel.com/legal/dpa).

Vercel Analytics

Privacy-friendly website visit statistics without cookies or cross-site tracking; page requests, referrers and aggregated usage data are processed.

Service provider: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA.

Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Privacy policy: https://vercel.com/legal/privacy-policy

Basis for third-country transfers: Standard Contractual Clauses.

Sentry (Error Logging / Monitoring)

We use Sentry to monitor stability and analyse errors (e.g. to detect and resolve technical errors and improve the reliability of our website). The legal basis is Art. 6 para. 1 lit. f GDPR (legitimate interest in the secure and error-free provision of our online service).

In the event of an error, technical data may be processed, including IP address (where applicable truncated or pseudonymised), device/browser information, timestamps, affected page/request information and diagnostic data required for error analysis. Content from input fields or form data is only processed if technically transmitted in the error context; we minimise this through appropriate configuration.

Service provider: Functional Software, Inc. (Sentry), 132 Hawthorne Street, San Francisco, CA 94107, USA.

Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Privacy policy: https://sentry.io/privacy/

Basis for third-country transfers: Standard Contractual Clauses.

Contact and Inquiry Management

When contacting us (e.g. via contact form or email) and in the context of existing user and business relationships, the information of the persons making enquiries is processed insofar as this is necessary to respond to the contact enquiries.

  • Types of data processed: Inventory data; contact data; content data; usage data; meta, communication and procedural data.
  • Data subjects: Communication partners.
  • Purposes of processing: Communication; organizational and administrative procedures; feedback.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further information:

Contact form

When contacting us via our contact form or email, we process the personal data transmitted to us in order to respond to and process the respective request. We use this data exclusively for the purpose of communicating with the inquirer.

Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Plugins and Embedded Functions and Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers, including interactive 3D scenes, fonts, an AI voice assistant and a consent management platform.

The integration always requires that the third-party providers of this content process the IP address of users, as without the IP address they could not send the content to the user's browser.

  • Types of data processed: Usage data; meta, communication and procedural data; content data; audio data (only when using the voice assistant).
  • Data subjects: Users.
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) for the AI voice assistant; Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) for consent management; Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) for all other services.

Further information on processing operations:

Google Material Symbols (Fonts CDN)

Display of icon symbols on our website. The font files are retrieved from Google's servers when a page is accessed; Google processes the user's IP address.

Service provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Website: https://fonts.google.com

Privacy policy: https://policies.google.com/privacy

Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses.

Spline (3D Scenes / 3D Viewer)

We integrate interactive 3D scenes from Spline into our website, as these are an essential part of the presentation and user experience of our website. When accessing pages with 3D scenes, a connection is established with Spline's servers; in particular, the IP address and technical device/browser and usage data (e.g. user agent, technical requests/diagnostic data) are processed to deliver and render the 3D content.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in a modern, interactive and stable presentation of our online offering).

Note on cookies / device: To the extent that Spline stores or reads information on your device as part of the integration, this is done in accordance with § 25 TDDDG; no consent is required for technically necessary operations, and all other operations take place only with your consent.

Service provider: Spline Design Inc.

Privacy policy: https://spline.design/privacy

Third-country transfer: Where processing takes place outside the EU/EEA, this is carried out in accordance with the GDPR (e.g. appropriate safeguards).

Cookiebot (Consent Management Platform)

We use Cookiebot as a consent management platform (powered by Usercentrics) to manage and document consents for the use of cookies and similar technologies. In particular, the consent status and the time of your decision as well as technical information (e.g. browser, anonymized IP address) are processed to implement your choices and to comply with statutory documentation requirements.

Legal bases: Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Service provider: Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany.

Website: https://www.cookiebot.com

Privacy policy: https://www.usercentrics.com/privacy-policy/

Data Processing Agreement: Provided by the service provider.

ElevenLabs (AI Voice Assistant / Voice Agent)

Our website offers an optional AI voice assistant (voice agent) based on ElevenLabs voice technology. Use of the voice assistant takes place exclusively on the basis of your explicit consent, which is obtained before the conversation starts; you may withdraw your consent at any time with effect for the future by ending the conversation or not starting a new one. When using the voice assistant, your voice inputs are transmitted live to ElevenLabs and processed there to enable speech recognition and response generation; we do not store any audio recordings or transcripts. Technical connection data (e.g. session ID, timestamps, and where applicable IP address) is also processed to the extent necessary for establishing, conducting and securing the connection.

Device access: To the extent that information is stored on or read from your device for the provision of the voice assistant (e.g. session management), this is done in accordance with § 25 TDDDG on the basis of technical necessity (strictly necessary).

No training: Based on the settings we have configured in our ElevenLabs account, the use of data for training purposes ("Data Use/Training") is disabled.

Legal basis: Consent (Art. 6 para. 1 lit. a GDPR), § 25 TDDDG.

Service provider: ElevenLabs Inc., 169 Madison Avenue, Suite 2895, New York, NY 10016, USA.

Privacy policy: https://elevenlabs.io/privacy-policy

Third-country transfer: Data is transferred to the USA; for this purpose, we have concluded a Data Processing Agreement with ElevenLabs including appropriate safeguards (EU Standard Contractual Clauses).

Changes and Updates

We ask you to inform yourself regularly about the content of our privacy policy. We adapt the privacy policy as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that addresses may change over time and please verify the information before contacting us.

Definitions of Terms

This section provides an overview of the terms used in this privacy policy. Where terms are legally defined, their legal definitions apply.

  • Inventory data: Inventory data includes essential information necessary for the identification and management of contractual partners, user accounts, profiles and similar assignments, including names, contact information and customer numbers.
  • Content Delivery Network (CDN): A CDN is a service that enables content of an online offering, especially large media files such as graphics or scripts, to be delivered faster and more securely via regionally distributed servers.
  • Content data: Content data includes information generated in the course of creating, editing and publishing content of all kinds.
  • Contact data: Contact data is essential information that enables communication with persons or organizations, including telephone numbers, postal addresses and email addresses.
  • Meta, communication and procedural data: Categories containing information about how data is processed, transmitted and managed, including metadata, communication records and process documentation.
  • Usage data: Usage data refers to information capturing how users interact with digital products, services or platforms, including page views, dwell time, click paths and device types.
  • Personal data: "Personal data" means any information relating to an identified or identifiable natural person.
  • Log data: Log data is information about events or activities logged in a system or network, including timestamps, IP addresses, user actions and error messages.
  • Controller: "Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, storage, transmission and deletion.
© 2025 SHIFT Consulting