Controller and representative contact
The controller responsible for processing under Article 4(7) GDPR is Floradynam, with its principal contact point at the Berlin address below. If you are located outside Germany but within the EU or EEA, you may still contact this office first; we coordinate responses centrally unless law assigns a different competence.
Floradynam
Weinbergsweg 1
10119 Berlin
Germany
Phone: +49 30 44341491
Email: service@floradynam.world
We do not require a data protection officer (DPO) appointment for every small undertaking, yet we maintain internal ownership for privacy tasks. If you believe a dedicated DPO should exist under Article 37 GDPR for our future corporate form, we will publish the name and reachability data here once confirmed with counsel.
Material and territorial scope
This Policy covers processing linked to the public website, email correspondence initiated through published addresses, contact forms, optional newsletter or wait-list flows if we launch them, paid educational products, consulting retainers billed by us, and workshop registration lists. Corporate customers and vendors receive supplemental data processing agreements where Article 28 GDPR applies.
Territorially, the GDPR applies when you are in the European Economic Area or when processing relates to offering goods or services to such persons or monitoring their behaviour. Visitors from other regions may benefit from parallel rights under local statutes; we honour those where they impose stricter duties than our baseline.
Nothing in our editorial or meal-planning content constitutes regulated health care. Please do not transmit emergency medical information through standard contact channels.
Legal bases in detail
We document a lawful basis before any new processing activity goes live. The table below summarises anchors for the major processing clusters we operate today.
- Article 6(1)(f): Secure hosting, fraud screening, limited server logs
- Article 6(1)(a): Cookie consent, marketing measurement when enabled
- Article 6(1)(b): Pre-contract steps such as answering product questions
Balancing test for legitimate interests
Where we rely on Article 6(1)(f), we weigh our interest in operating a trustworthy publishing property against your rights. Examples include retaining truncated IP addresses for security analytics, enforcing rate limits on forms, and maintaining backup integrity. You may object pursuant to Article 21 GDPR; we will cease unless we demonstrate compelling grounds.
Consent mechanics
Consent is collected through clear affirmative actions, separate from other terms where required, and logged with a timestamp and consent variant identifier. Withdrawing consent is as easy as giving it: use the cookie controls, email us, or adjust browser storage as described in the Cookie Policy.
Categories of personal data
Depending on your path through the site, we may process some or all of the following categories:
- Identity and contact data: name, email address, telephone number if supplied, organisation, job title in B2B contexts.
- Message content: free-text questions, attachments if we enable them, chat transcripts from supported channels.
- Transaction data: billing identifiers, partial payment instrument metadata handled exclusively by PCI-compliant processors, invoice line items.
- Technical data: browser type, device class, operating system, language preferences, coarse geolocation derived from IP, session identifiers.
- Usage data: page paths, scroll depth if measured anonymously, interaction heatmaps if you consent to associated cookies.
- Compliance data: records demonstrating consent, objection notices, fraud investigations.
We do not set out to collect special categories under Article 9 GDPR. If you volunteer health-related or biometric detail in unstructured text, we will delete it as soon as practicable unless otherwise required by law.
Sources of data
Most data comes directly from you when you type into forms, call published numbers, or pay for services. Additional sources can include:
- Your employer when they sponsor a cohort seat and supply roster data with appropriate authority.
- Payment service providers forwarding transaction confirmations.
- Public registers when we verify corporate customers or address legal process.
- Analytics partners returning aggregated audience insights under consent.
We treat inferred data (for example inferring city from IP) as personal data only when it can still identify or single out an individual.
Purposes of processing
Purposes are minimised to what we actually need. They include delivering editorial pages over TLS, authenticating administrators, operating wait-lists and ticketed events, measuring readership trends under consent, defending against abusive traffic, fulfilling contracts with you, complying with accounting rules, and resolving disputes.
Marketing communications
We send promotional email only after a double opt-in or equivalent clearly labelled signup. Every marketing email contains an unsubscribe link processed automatically where technically feasible. Service messages about your purchases or legal updates may still arrive because they are necessary for the relationship.
Retention and deletion
Retention windows follow necessity and statute:
- Contact and support tickets: typically twenty-four months from closure unless an unresolved matter requires longer, after which we erase or aggregate beyond recognition.
- Marketing proof: consent artefacts up to twenty-six months after the last interaction unless national law demands a longer evidence horizon.
- Web server logs: ninety days by default, with short encrypted holds for verified abuse cases.
- Financial records: German commercial and tax law currently prescribes retention up to ten calendar years from year-end for relevant vouchers.
- Backup snapshots: rolling encrypted copies may temporarily retain erased data until the backup cycle expires; we document restoration procedures to honour deletion promptly after rotation.
Recipients and categories of processors
Internal recipients are staff trained on confidentiality. External recipients fall into categories such as infrastructure hosts (often EU regions), transactional email providers, customer relationship tooling, webinar platforms, accountants, and legal advisors bound by professional secrecy. Each processor signs Article 28 terms unless a statutory exemption applies.
We do not sell your personal information for money. Limited disclosures to advertising partners occur only with granular consent and under contract.
International transfers
If data leaves the EEA, we implement appropriate safeguards such as Standard Contractual Clauses, supplementary measures where case law requires them, or reliance on adequacy decisions. You may request a copy of the relevant transfer analysis by contacting us; commercially sensitive annexes may be redacted.
Data subject rights
You may exercise the following rights under Chapter III of the GDPR:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction (Article 18)
- Right to data portability (Article 20) where processing is automated and based on contract or consent
- Right to object (Article 21) for legitimate-interest processing or direct marketing
- Right to withdraw consent at any time without retroactive invalidity
- Right to lodge a complaint with a supervisory authority
We respond within one month unless complexity warrants a two-month extension with notice. Identification may be required to prevent disclosure to impersonators.
Security of processing
Measures include encrypted transport (HTTPS), hardened TLS configurations, role-based access, multi-factor authentication for privileged accounts, pseudonymisation in analytics pipelines, vulnerability monitoring, vendor due diligence, and incident response playbooks. Absolute security is unattainable; we investigate credible threats promptly and notify authorities or data subjects when Article 33 or 34 GDPR requires.
Cookies and similar technologies
Our Cookie Policy provides granular tables describing identifiers, vendors, expiry dates, and consent categories. Necessary storage powers session integrity and stores your banner decision; optional analytics and marketing storage loads only after affirmative opt-in when we wire those tools.
Third-party sites and embeddings
Pages may link to external resources. Embedded media players or maps can set their own cookies when you interact; those vendors act as independent controllers unless we jointly determine purposes with them.
Children
Services are directed at adults capable of consenting. If you are a parent and believe a child provided data without permission, contact us and we will delete the data promptly where verification succeeds.
Changes and how to reach us
Material updates receive a revision date at the top of this page and, when appropriate, an in-site banner for fourteen days. Continued use after notice constitutes acknowledgement unless mandatory law requires explicit acceptance.
Questions flow to service@floradynam.world or the postal address above. Regulatory post may also be directed there.