Privacy policy version 1.0 · 2026
GDPR · BDSG · TDDDG COMPLIANT

Privacy Policy

How WLF Energy GmbH collects, uses, stores and protects your personal data — under the GDPR, the German BDSG, and the TDDDG. Your data, your rights — clearly explained.

  • 15 policy sections
  • 9 GDPR rights
  • 30-day response time
  • 7-day log retention

The 60-second version

If you don't read the rest, read this.

The whole policy in four cards. What we collect, why we use it, who we share with, and your rights. If you need detail, every card links to the full section below.

The essentials
N° 01
WHAT

We collect what you give us.

Forms you fill, emails you send, accounts you create. Plus technical data your browser sends automatically — IP, browser type, pages visited.

N° 02
WHY

To respond and operate.

Quote requests, contracts, newsletters you signed up for, securing the website. Every purpose has a defined Article 6 GDPR legal basis.

N° 03
WHO

A short list of processors.

Kinsta hosting (EU), CRM, analytics — only with your consent. We do not sell your data. We do not share it for third-party marketing.

N° 04
YOU

Eight GDPR rights, on call.

Access, correction, deletion, portability. Email legal@wlfenergy.de. We respond inside 30 days, free of charge.

Reading time: ~8 min · Updated: 18 May 2026 · Effective: 1 January 2026

Introduction

This Privacy Policy explains how WLF Energy GmbH ("WLF Energy," "we," "us," or "our") collects, uses, stores, shares, and protects your personal data when you access wlfenergy.de, our digital services, gated portals, contact and quote-request forms, newsletter, or any other channel referencing this Policy.

We respect your privacy and we are committed to protecting your personal data. This Policy is written in plain English and reflects our obligations under Regulation (EU) 2016/679 (GDPR), the German Federal Data Protection Act (BDSG), the German Telecommunications and Digital Services Data Protection Act (TDDDG), and other applicable data protection laws.

For our broader governance framework, see our GDPR Compliance Framework. For tracking, see our Cookie Policy.

Data Categories

Three sources of data: what you give us, what your device sends automatically, and what reaches us via business channels.

What you provide directly

  • Name, salutation, professional title, email, phone, postal address
  • Company, role, industry, country of operation
  • Messages, project descriptions, product interest from forms
  • Account credentials (passwords stored as cryptographic hashes, never plain text)
  • Application materials — CV, cover letter, references
  • Investor verification — qualification status, signed NDAs
  • Newsletter preferences

What is collected automatically

  • IP address, browser, OS, device type, screen resolution, language
  • Pages visited, time spent, click paths, referring website
  • Cookie identifiers (only with your consent — see Cookie Policy)
  • Server log data: access time, requests, HTTP codes, data volume

What reaches us from third parties

  • Business contacts shared by partners, suppliers, or customers
  • Professional information from public databases (LinkedIn, company registers)
  • Referrals — with your consent

What we don't collect: personal data of children under 18, special category data (health, religion, biometrics), payment card information, or government ID numbers — except where law requires.

Purpose & Legal Basis

Every processing activity has a defined purpose and a valid legal basis under Article 6 GDPR. No purpose creep. No data used outside what we tell you.

Purpose | Data Used | Legal Basis
Operating the website | IP address, browser, logs | Art. 6(1)(f) — legitimate interest
Responding to inquiries | Name, email, message | Art. 6(1)(b) and (f)
Processing quote requests | Contact + project data | Art. 6(1)(b) — pre-contractual
Managing user accounts | Credentials, profile | Art. 6(1)(b) — contract
Gated investor access | Identity, NDA, access logs | Art. 6(1)(b) and (f)
Sending newsletters | Email, preferences | Art. 6(1)(a) — your consent
Processing job applications | Application materials | § 26 BDSG + Art. 6(1)(b)
Website analytics | Cookies, usage data | Art. 6(1)(a) — your consent
Marketing & retargeting | Cookies, usage data | Art. 6(1)(a) — your consent
Legal compliance | As applicable | Art. 6(1)(c) — legal obligation
Fraud / security | Logs, security events | Art. 6(1)(f) — legitimate interest

Website & Hosting

Our website is hosted by Kinsta Inc. on infrastructure inside the European Union, with a CDN that prioritises EU endpoints. A data processing agreement under Article 28 GDPR is in place.

When you visit, our hosting provider automatically stores server log files: IP address (anonymised where technically feasible), date and time, URL accessed, data volume, HTTP status, browser and OS, and referrer URL.

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest is operating the website securely, protecting against cyberattacks, and analysing technical issues.

Retention: Server log files are deleted or anonymised after seven (7) days, unless a security incident requires longer retention.

Cookies: Non-essential cookies — analytics, marketing, personalisation — are activated only with your prior consent, which you may withdraw at any time via the "Cookie Settings" link in the footer.

Your Interactions

Different forms, different purposes, different retention. Here is the full list of touchpoints and how we treat each one.

Contact forms and inquiries. Name, email, optional phone and company, and your message — processed to respond to your inquiry under Art. 6(1)(b) and (f) GDPR. Retained for 12 months after closure.

Quote requests. Contact, project specifications, location, capacity needs, timeline, and budget — under Art. 6(1)(b) GDPR. Retained for up to 24 months from last contact if no contract results.

Newsletter. Email and preferences — under your consent, Art. 6(1)(a) GDPR. Retained until you unsubscribe; proof of unsubscribe kept for 3 years.

User accounts. Credentials and profile — under contract, Art. 6(1)(b) GDPR. Retained for account life plus 12 months.

Investor portal access. Identity verification, NDA, access logs — Art. 6(1)(b) and (f) GDPR. Retained for the relationship plus 6 years.

Press kit downloads. Email and media affiliation — Art. 6(1)(f) GDPR. Retained for 24 months.

Job applications. CV, cover letter, references — under § 26 BDSG and Art. 6(1)(b) GDPR. Rejected applications deleted after 6 months unless you consent to talent pool retention (24 months, renewable).

Recipients

A short list of named processors, our group companies, project counterparties on a need-to-know basis, and authorities where law requires. We do not sell your data. We do not share it for third-party marketing.

Service providers (processors under Art. 28 GDPR DPAs)

  • Kinsta Inc. — website hosting (EU infrastructure)
  • CRM provider — sales pipeline (current details available on request)
  • Email marketing provider — newsletter delivery
  • Applicant Tracking System — recruitment
  • Google Analytics — Google Ireland Ltd., consent only
  • Meta Pixel — Meta Platforms Ireland Ltd., consent only
  • LinkedIn Insight Tag — LinkedIn Ireland Unlimited Co., consent only
  • Hotjar — Hotjar Ltd. (Malta), consent only

WLF Energy group companies. Including WLF Energy InfraCo B.V., for coordinating sales, projects, and investor relations. Legal basis: Art. 6(1)(f) GDPR — efficient internal administration of the corporate group (cf. Recital 48 GDPR).

Project partners and counterparties. On a case-by-case basis, limited to what is necessary, with confidentiality and data protection commitments in place. Legal basis: Art. 6(1)(b) or (f) GDPR.

Government authorities and professional advisors. Courts, regulators, attorneys, tax advisors, or auditors — where legally required or to establish, exercise, or defend legal claims.

International Transfers

Several providers above — notably Google, Meta, and LinkedIn — may transfer personal data outside the European Economic Area, principally to the United States. Where this happens, we apply safeguards under Chapter V of the GDPR.

Adequacy decisions. Where the recipient is certified under the EU–US Data Privacy Framework, transfers rely on the European Commission adequacy decision.

Standard Contractual Clauses. For transfers outside an adequacy decision, we rely on SCCs adopted by the European Commission under Art. 46(2)(c) GDPR.

Supplementary measures. Where appropriate, additional technical or contractual measures are applied based on a Transfer Impact Assessment.

Important: US data protection law may not provide a level of protection equivalent to EU law. By consenting to non-essential cookies, you also consent to the associated international transfers under Art. 49(1)(a) GDPR where applicable.

Retention

No data is kept "just in case." Each category has a defined period — driven by purpose, contract, or statutory obligation. At the end of the period, data is securely deleted or anonymised across active systems, backups, and archives.

Data Category | Period | Reason
Server log files | 7 days | Technical operation, security
Contact form inquiries | 12 months | Business correspondence
Quote requests (non-converted) | 24 months | Re-engagement potential
Customer & contract data | 10 years | German Commercial / Fiscal Code
Newsletter (active) | Until unsubscribe | Performance of consent
Newsletter (after unsubscribe) | 3 years | Proof of unsubscribe
User accounts | Account life + 12 months | Service provision + records
Investor portal access logs | Relationship + 6 years | Commercial law obligations
Press kit downloads | 24 months | PR tracking
Rejected job applications | 6 months | AGG / equal treatment law
Talent pool (with consent) | 24 months, renewable | Consent-based
Marketing analytics | 14 months | Standard configuration
Cookie consent records | 12 months | Proof of consent
Tax-relevant documents | 10 years | § 147 Abgabenordnung
Commercial correspondence | 6 years | § 257 HGB

Your Rights

Under the GDPR, you have full rights over your personal data. To exercise any of them, write to legal@wlfenergy.de. We respond within one month, free of charge.

Article | Right | What it means
Art. 15 GDPR | Access | Confirm whether we hold data about you, and receive a free copy.
Art. 16 GDPR | Rectification | Have inaccurate or incomplete data corrected without delay.
Art. 17 GDPR | Erasure | "Right to be forgotten" — subject to retention obligations and legal claims.
Art. 18 GDPR | Restriction | Restrict processing in defined circumstances; the data is marked and limited.
Art. 20 GDPR | Portability | Receive your data in a machine-readable format and send it to another controller.
Art. 21 GDPR | Object | Object to processing on legitimate-interest grounds. Unconditional for marketing.
Art. 22 GDPR | Automated decisions | We do not engage in solely automated decision-making that produces legal effects.
Art. 7(3) GDPR | Withdraw consent | Withdraw consent at any time. Prior processing remains lawful.
Art. 77 GDPR | Lodge a complaint | With a supervisory authority — see § 10 for ours.

Verification: We may need to verify your identity proportionate to the sensitivity of the request. We respond within one (1) month, extendable by two further months for complex requests, with notice.

Supervisory Authority

You may lodge a complaint with any EU/EEA supervisory authority — typically in the Member State of your habitual residence, place of work, or place of the alleged infringement.

Our competent authority:

Hessian Commissioner for Data Protection and Freedom of Information (HBDI)
Gustav-Stresemann-Ring 1 · 65189 Wiesbaden · Germany
datenschutz.hessen.de

Security

Under Article 32 GDPR, we implement appropriate technical and organisational measures aligned with ISO/IEC 27001 and the BSI IT-Grundschutz methodology.

  • Role-based access control (RBAC) following the principle of least privilege
  • Multi-factor authentication for sensitive systems
  • Encryption of sensitive personal data at rest and in transit
  • Pseudonymisation of personal data where appropriate
  • Strong password complexity requirements and automatic session timeouts
  • Physical access control to office premises via electronic systems
  • Regular review of access rights and segregation of duties
  • Documented incident response procedures

More detail: see our GDPR Compliance Framework.

Children

Our website is intended for adult users only. We do not knowingly collect personal data from anyone under the age of eighteen (18).

If we become aware that we have collected personal data from a child without verifiable parental consent, we will take steps to delete that information promptly.

If you are a parent or guardian and believe that your child has provided personal data to us, please contact us at legal@wlfenergy.de.

Updates

We may update this Privacy Policy from time to time to reflect changes in our processing activities, applicable law, regulatory guidance, or our internal practices. The updated Policy will be published on this website with a revised effective date.

Where changes are material — for example, affecting the legal basis of processing, introducing new categories of recipients, or expanding processing purposes — we will notify you in advance through a prominent notice on the website or, if you have a user account, by email.

Continued use: Your continued use of the website after the effective date of any revised Privacy Policy constitutes acknowledgement of the changes, save where additional consent is required by law.

Contact

For any question, comment, or request regarding this Privacy Policy or our processing of your personal data, write to the Chief Legal Officer.

Company: WLF Energy GmbH
Address: Schumannstraße 27, 60325 Frankfurt am Main, Germany
Data Protection Contact: Eivind Nilsen, Chief Legal Officer
Data Protection Email: legal@wlfenergy.de
General Inquiries: hello@wlfenergy.de
Telephone: +49 69 34866210
Website: www.wlfenergy.de
Response Time: Within 30 days · free of charge

Related Documents

This Privacy Policy is one of six legal documents that govern your relationship with WLF Energy. The full set is published at wlfenergy.de.

Cookie Policy. Every cookie used on the site, its purpose, retention, and how to manage it.

GDPR Compliance Framework. Our governance, accountability, and data protection management system.

Impressum. Full legal notice as required under German law.

Disclaimer. Liability and intellectual property terms.

Terms of Use. Conditions for using wlfenergy.de.