Privacy Policy
1. Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) is:
ELTAES Schönwald & Weber GbR
Bleichenberg 13
39590 Tangermünde, Germany
Represented by: Tiemo Schönwald, Erik Weber
Contact: [email protected]
Website: elbwaerme.de
2. General Information on Data Processing
We process personal data only insofar as this is necessary for the provision of a functional website and our content. Legal bases derive in particular from Art. 6(1) GDPR.
3. Provision of the Website (On-Prem Hosting) and Server Log Files
3.1 Scope of Processing
Whenever our website is accessed, our server (Nginx, on-premises) automatically processes data and information from the accessing device in what are known as server log files. In particular, the following data may be processed:
- IP address
- Date and time of the request
- Page/URL requested
- HTTP status code
- Data volume transferred
- Referrer URL (if transmitted by the browser)
- Browser type/version, operating system
3.2 Purpose of Processing
Processing is carried out for the delivery of the website, to ensure stability and security (e.g. error analysis, defence against attacks) and for technical administration.
3.3 Legal Basis
The legal basis is Art. 6(1)(f) GDPR (legitimate interest in secure and stable operation).
3.4 Retention Period
Server log files are retained for 14 days and then deleted, unless retention for evidential purposes (e.g. in the event of security incidents) is required.
3.5 Recipients
Recipients of the data are exclusively internal units or IT service providers engaged by us, to the extent they require access for maintenance/administration.
4. Use of Cloudflare (Reverse Proxy/CDN/Security Services)
4.1 Description
We use Cloudflare as a reverse proxy and security service (e.g. DDoS protection, Web Application Firewall) and for the efficient delivery of our website. Requests to our website are first routed through Cloudflare’s servers.
4.2 Scope of Processing
In particular, the following data may be processed:
- IP address
- Metadata relating to HTTP requests (e.g. URL, headers, timestamp, status codes)
- Technical information about the device/browser
- Security/risk information (e.g. for detecting abusive access)
Cloudflare may also set technically necessary cookies where required for security functions (e.g. bot detection or challenge/captcha functions). Where such cookies are used, they serve exclusively for security purposes.
4.3 Purpose of Processing
- Protection of the website against attacks and misuse
- Ensuring availability, stability and performance
4.4 Legal Basis
The legal basis is Art. 6(1)(f) GDPR (legitimate interest in secure, efficient operation and protection against attacks).
4.5 Recipients / Data Processing Agreement
Cloudflare is a recipient of the data described above and is typically engaged as a data processor. The specific contracting party may be Cloudflare, Inc. and/or a Cloudflare entity in Europe, depending on the account/contract structure.
4.6 International Data Transfers
Cloudflare is an international provider with a presence in the USA. It cannot therefore be ruled out that personal data may be transferred to third countries (in particular the USA). Cloudflare states that it uses appropriate safeguards for international data transfers, including EU Standard Contractual Clauses (SCCs) and, where applicable, certifications under the EU-U.S. Data Privacy Framework.
Further information:
4.7 Retention Period
Retention at Cloudflare depends on the respective security and operational purposes and the configured settings. We do not store Cloudflare logs separately beyond the periods specified in section 3.4 unless necessary.
5. Cookies, Local Storage and Consent
Our website uses cookies and similar technologies only where this is technically necessary or where you have given your consent. On your first visit you can use our consent banner to choose between the categories "Necessary", "Statistics" and "Marketing". Your choice is stored in a first-party cookie (elbwaerme_consent_v1, retention up to 12 months). You can at any time with effect for the future. Technically necessary cookies may additionally be set by Cloudflare where security functions require them. The legal basis for this is Art. 6(1)(f) GDPR in conjunction with § 25(2) No. 2 TDDDG.
5.1 Language Selection Cookie
We use a technically necessary cookie to store a language preference you have manually selected and to reapply it on subsequent page visits.
- Purpose: Storage of language preference.
- Retention period: No expiry; until deleted in the browser.
- Legal basis for storing/reading on the device: § 25(2) No. 2 TDDDG (German Telecommunications and Telemedia Data Protection Act).
- Legal basis for processing personal data (where personal data is involved, e.g. via IP in server logs): Art. 6(1)(f) GDPR (legitimate interest in user-friendly presentation).
5.2 Web Analytics with Google Analytics 4
With your consent we use Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "Google"). GA4 helps us understand how visitors use our website so we can improve content and the user experience.
Scope of processing (only after you have granted consent):
- IP address (processed in shortened/anonymised form by GA4)
- Device and browser information (e.g. operating system, screen size)
- Approximate location (country/region, derived from the IP)
- Pages visited, time on page and click paths
- Referrer URL (previously visited page)
- Pseudonymous identifiers stored in cookies (in particular _ga and _ga_<container-id>, retention up to 24 months)
Purpose: Reach measurement, understanding usage behaviour, improving our content and the performance of the website.
Legal basis: Your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. Without consent, GA4 scripts are not loaded and no cookies or other identifiers are placed on your device.
Consent Mode v2: We use Google's Consent Mode v2. By default the signals analytics_storage, ad_storage, ad_user_data and ad_personalization are set to "denied" and are only updated to "granted" after your choice.
Recipients / data processing: Google Ireland Limited acts as data processor; Google LLC (USA) may have intra-group access.
International data transfers: Transfers to the USA via Google LLC cannot be ruled out. Google is certified under the EU-U.S. Data Privacy Framework; in addition, EU Standard Contractual Clauses (SCCs) apply.
Retention period: We have set user-level data retention in GA4 to 2 months. Aggregated (non-personal) reports may be kept beyond that.
Withdrawal and further information: You can at any time. Further information can be found in Google's privacy notices and via the official browser add-on to disable GA:
5.3 Google Ads / Conversion Tracking (planned)
If you consent to the "Marketing" category, we may enable Google Ads conversion tracking to measure the success of advertising campaigns and, where applicable, display personalised ads. We honour the consent signals ad_storage, ad_user_data and ad_personalization in line with Google Consent Mode v2. The legal basis is your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. As long as you do not consent to "Marketing", no corresponding tags are loaded and no marketing cookies are set.
6. Contact and Interest List
6.1 Contact by Email
When you contact us by email, the data you provide (e.g. email address, message content) is processed for the purpose of handling your enquiry. The legal basis is Art. 6(1)(b) GDPR (pre-contractual/contractual communication) or Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries). Data is deleted once it is no longer required for the purpose of communication and no statutory retention obligations apply.
6.2 Interest List for a Heating Connection
When you use the form on the homepage to join the interest list, we process the details entered there: name, email address, property address, energy source, heating capacity, annual consumption with unit, and optionally phone number and living area. We also store language setting, consent timestamp, IP address, user agent and technical information about the confirmation email delivery.
The purposes of processing are managing the interest list, planning the heating connection, contacting you later when the project starts, sending a confirmation email and protecting the form against misuse.
The legal basis is your consent under Art. 6(1)(a) GDPR. Where processing is required to prepare a possible business relationship, Art. 6(1)(b) GDPR also applies. For abuse prevention, error analysis and technical security, we process IP address and user agent on the basis of Art. 6(1)(f) GDPR.
Recipients of the data are internal units and technical service providers we use for hosting, database operation and email delivery. The SMTP service provider receives the data required to send the confirmation email, in particular email address, name and email content.
We retain form submissions for as long as the interest list is needed for planning and contact purposes, or until you withdraw your consent. Statutory retention obligations and necessary records relating to security incidents remain unaffected.
7. Your Rights as a Data Subject
You have the following rights, insofar as the legal requirements are met:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7(3) GDPR)
8. Right to Object (Art. 21 GDPR)
Where we process data on the basis of Art. 6(1)(f) GDPR, you may object at any time on grounds relating to your particular situation. We will then no longer process the data unless we can demonstrate compelling legitimate grounds.
9. Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR).
10. Currency and Amendments
This privacy policy is current and dated: 20 May 2026. We reserve the right to update it if the legal situation or the services we use change.