Privacy Policy

Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Sitequest e.K.
Carlo Schulz
Uhlandstraße 23
75223 Niefern-Öschelbronn
Email: hi@site.quest
Phone: +49 7233 7024698

Data protection overview

We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy. When you use this website, various personal data is collected. This privacy policy explains what data we collect and what we use it for.

What data we collect

Account data

When you register for an account, we collect your name and email address. Authentication is handled exclusively via magic link (email-based one-time login) and passkeys (WebAuthn) — we do not store passwords. If you add billing information, we also store your company name, address, and VAT identification number.

Payment data

Payment transactions are processed exclusively through our payment provider Mollie. We do not store credit card numbers or bank account details on our servers. We only store transaction references and payment status information required for order fulfillment and accounting.

Service usage data

When you use our services (such as virtual servers or domains), we process the technical data necessary to provision and manage those services. This includes server configurations, domain names, DNS records, and associated metadata.

Server log files

Our web server automatically collects and stores information in log files that your browser transmits to us. This includes your IP address, browser type and version, operating system, referrer URL, the pages you visit, and the date and time of access. This data cannot be attributed to specific persons. This data is not merged with other data sources.

Legal basis for processing

We process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR) — Processing is necessary to fulfill our contractual obligations to you, such as providing hosting services, managing domains, and processing payments.
  • Legal obligation (Art. 6(1)(c) GDPR) — We are legally required to retain certain data, for example invoices and accounting records under German tax law (§ 147 AO, § 257 HGB).
  • Legitimate interests (Art. 6(1)(f) GDPR) — Processing may be based on our legitimate interests, such as ensuring the security of our services, preventing fraud, and improving our platform. We always balance our interests against your rights and freedoms.
  • Consent (Art. 6(1)(a) GDPR) — Where we rely on your consent, you may withdraw it at any time with effect for the future by contacting us.

Third-party service providers

To provide our services, we work with the following third-party processors. Where required under Art. 28 GDPR, we have concluded data processing agreements (DPA) with each provider.

Payment processing — Mollie B.V.

We use Mollie for processing payments.

  • Provider: Mollie B.V., Keizersgracht 313, 1016 EE Amsterdam, Netherlands
  • Data processed: Payment details, transaction amounts, name, email address, IP address
  • Legal basis: Art. 6(1)(b) GDPR (contract performance)
  • Security: PCI DSS Level 1 certified, TLS 1.2+ encryption
  • DPA: Included in the Mollie Terms of Service
  • Privacy policy: mollie.com/privacy

Accounting — sevDesk GmbH

We use sevDesk for accounting and invoicing.

  • Provider: sevDesk GmbH, Hauptstraße 115, 77652 Offenburg, Germany
  • Data processed: Invoice data, name, address, email address, payment amounts
  • Legal basis: Art. 6(1)(c) GDPR (legal obligation) and Art. 6(1)(f) GDPR (legitimate interest)
  • Server location: Germany
  • DPA: Auftragsverarbeitungsvertrag (AVV) concluded
  • Privacy policy: sevdesk.de/datenschutz

Server infrastructure — 24fire GmbH

We use 24fire for provisioning and managing virtual servers.

  • Provider: 24fire GmbH, Kronenstraße 4, 68723 Schwetzingen, Germany
  • Data processed: Server configurations, IP addresses, operating system images, usage metrics
  • Legal basis: Art. 6(1)(b) GDPR (contract performance)
  • Datacenters: NTT Frankfurt, Germany; SkyLink Datacenter, Eygelshoven, Netherlands
  • DPA: Auftragsverarbeitungsvertrag (AVV) concluded
  • Privacy policy: 24fire.de/datenschutz

Domain registration — Hosting Concepts B.V. (Openprovider)

We use Openprovider for domain registration and management.

  • Provider: Hosting Concepts B.V. (Openprovider), Hofplein 20, 3032 AC Rotterdam, Netherlands
  • Data processed: Domain holder data, WHOIS contact information, DNS configurations
  • Legal basis: Art. 6(1)(b) GDPR (contract performance)
  • Registration: ICANN-accredited registrar, Chamber of Commerce 24277249
  • DPA: Data Processing Agreement concluded per Art. 28 GDPR
  • Privacy policy: openprovider.com/legal/privacy-policy When you register a domain, your contact data (name, address, email, phone) is transmitted to the responsible domain registry and may be published via the public WHOIS database, as required by ICANN policies and registry regulations. This data transfer is covered by Openprovider's Data Processing Agreement.

Cookies

This website uses only strictly necessary cookies as defined by Art. 5(3) of the ePrivacy Directive. These cookies are essential for the website to function and cannot be switched off. No tracking, analytics, or marketing cookies are used. Because we only use strictly necessary cookies, no consent banner is required.

Authentication cookies

The following cookies are required for authentication and session management:

  • session — Your encrypted session token (httpOnly, secure, strict)
  • csrfToken — Cross-site request forgery protection token (httpOnly, secure, strict)
  • callbackUrl — Stores the redirect URL during the login flow (httpOnly, secure, strict)

Functional cookies

The following cookies are used temporarily during specific user actions:

  • webauthn-challenge — Temporary challenge token for passkey authentication (httpOnly, secure, deleted after use)
  • orderToken — Links your browser to an active checkout session (httpOnly, secure, 7 days)
  • cart — Stores your shopping cart contents (secure, 30 days)

Local storage

We use your browser's local storage (not cookies) to remember display preferences such as your selected currency and price display mode. This data never leaves your browser and is not transmitted to our servers.

None of the above contain tracking data and none are shared with third parties.

Your rights under the GDPR

You have the following rights with respect to your personal data:

  • Right of access (Art. 15 GDPR) — You can request information about your stored personal data.
  • Right to rectification (Art. 16 GDPR) — You can request correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR) — You can request deletion of your data, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18 GDPR) — You can request that we restrict the processing of your data under certain conditions.
  • Right to data portability (Art. 20 GDPR) — You can request to receive your data in a structured, machine-readable format.
  • Right to object (Art. 21 GDPR) — You can object to the processing of your data based on legitimate interests at any time.

To exercise any of these rights, please contact us at the email address listed above. You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

Data retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. In particular:

  • Account data is retained for the duration of your account and deleted upon request, subject to legal retention periods.
  • Invoices and accounting records are retained for 10 years in accordance with German tax law (§ 147 AO).
  • Server log files are automatically deleted after 90 days.

Data security

We use TLS encryption for all data transmitted between your browser and our servers. We do not store passwords — authentication is handled via magic links and passkeys (WebAuthn). Access to personal data is restricted to authorized personnel only. We regularly review our security measures to ensure the protection of your data.

Automated decision-making

We do not use automated individual decision-making, including profiling, as referred to in Art. 22(1) and (4) GDPR.

Changes to this privacy policy

We may update this privacy policy from time to time to reflect changes in our services or legal requirements. The current version is always available on this page. We recommend checking this page periodically.

Last changed: 03.04.2026