Privacy Policy.

We take the protection of your personal data seriously. This privacy policy explains what data we collect when you visit malpaux.com, how and when we collect it, how we use it, and what rights you have under the GDPR.

We have deliberately chosen service providers that minimise data collection. This website does not use cookies for analytics or tracking purposes.

1. Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Malpaux GmbH
Chausseestraße 86
D-10115 Berlin
Germany

Email: hey@malpaux.com

Represented by: Paul Brachmann, Maximilian Lindner
Commercial register: Amtsgericht Berlin-Charlottenburg, HRB 252471

We are not required to appoint a Data Protection Officer under Art. 37 GDPR. For all data protection enquiries, please contact us directly at hey@malpaux.com.

2. Overview of data collection

We collect personal data in three ways, each described in detail in the sections that follow:

  1. Automatically, when you visit the website: your browser transmits technical data (such as your IP address, browser type, and the page requested) to our hosting provider and analytics service as part of the standard HTTP protocol. You do not need to take any action; this is a necessary part of how the internet works. See Sections 4 (Hosting) and 5 (Website Analytics) for full details.

  2. Voluntarily, when you contact us: if you send us an email, you provide us with personal data such as your name, email address, and the content of your message. See Section 6 (Contact by Email) for full details.

  3. When you visit our LinkedIn profile: LinkedIn collects and processes data in accordance with its own privacy policy. We receive only anonymised, aggregate statistics (such as page views and follower demographics) and cannot identify individual visitors. See Section 8 (Social Media – LinkedIn) for full details.

3. How we use your data

We use personal data exclusively for the purpose for which it was collected: technical data to deliver and secure the website, analytics data to produce anonymised usage statistics, email data to respond to your enquiry, and LinkedIn page statistics to understand the reach of our content. The specific legal basis and processing details for each purpose are set out in Sections 4 through 8 below.

We do not create user profiles, we do not serve personalised advertising, and we do not use your data for automated decision-making or profiling as defined in Art. 22 GDPR.

4. Hosting

This website is hosted by Framer B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands. When you access any page on malpaux.com, your browser automatically transmits certain technical data to Framer at the moment of each page request. This data includes:

  • IP address

  • Browser type and version (e.g., Chrome 126, Firefox 128)

  • Operating system (e.g., Windows 11, macOS 15, iOS 18)

  • Device type (desktop, tablet, or mobile)

  • Screen resolution

  • The specific page (URL) you requested

  • The referring URL (the page you came from, if any)

  • The date and time of the request

  • Language preferences sent by your browser

Framer uses this data to serve the requested web pages, maintain the security and stability of the website, and perform load balancing. Without this data, the website cannot function.

Framer acts as a processor on our behalf. The legal basis for this processing is our legitimate interest in providing a functional and secure website (Art. 6(1)(f) GDPR). Framer stores server log data for a limited period in accordance with its own data retention practices. Because Framer operates infrastructure in the United States, your data is transferred outside the EEA; Framer relies on Standard Contractual Clauses and other appropriate safeguards to ensure an adequate level of data protection.

For more information, see the Framer privacy policy at https://www.framer.com/privacy.

5. Website analytics

We use Pirsch Analytics, a service provided by Pirsch GmbH, to understand how visitors use our website. Pirsch is a privacy-friendly, cookie-free analytics tool that does not track individual users across websites and does not collect personal data in the traditional sense.

When you view a page, Pirsch processes the following data points in real time, derived from the same browser request described in Section 4:

  • Page URL

  • Referrer URL

  • Browser and operating system type

  • Device type

  • Screen resolution

  • Country of origin (derived from your IP address)

  • Date and time of the page view

Your IP address is used solely and momentarily for the purpose of geolocation and bot detection. It is never stored by Pirsch. Instead, Pirsch generates a daily hash that cannot be used to identify you and that is automatically deleted after 24 hours. The result is anonymised, aggregate statistics (such as which pages are most visited, which countries visitors come from, and which devices they use) that we use to improve the content and performance of our website. No individual user profiles are created.

Because Pirsch does not use cookies and does not store personal data, no consent is required under the GDPR or the German TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz). The legal basis for this processing is our legitimate interest in understanding website usage to improve our services (Art. 6(1)(f) GDPR).

Pirsch GmbH is based in Germany and processes all data on servers within the European Union.

For more information, see the Pirsch privacy policy at https://pirsch.io/privacy.

6. Contact by email

If you contact us by email (e.g., at hey@malpaux.com), you voluntarily provide us with personal data. This data is collected only when you actively choose to send us a message and may include:

  • Your name

  • Your email address

  • The subject and content of your message

  • Any attachments you include

We use this data to read, understand, and respond to your enquiry. If your enquiry relates to the initiation of a contract, we also use your data to take pre-contractual steps at your request.

The legal basis for this processing is Art. 6(1)(f) GDPR (our legitimate interest in responding to enquiries) or, where your email relates to the initiation of a contract, Art. 6(1)(b) GDPR.

Our email is operated through Google Workspace, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google acts as a processor on our behalf and stores email data on its servers, which are located in data centres within the EU and the United States. Google relies on Standard Contractual Clauses to safeguard any transfers outside the EEA. For more information, see the Google Cloud privacy notice at https://cloud.google.com/terms/cloud-privacy-notice.

We retain your correspondence until your enquiry is fully resolved and for up to 12 months thereafter in case of follow-up questions, unless longer retention is required by statutory obligations (for example, tax and commercial law retention periods of 6 or 10 years under German law, §§ 147 AO, 257 HGB). Once the applicable retention period expires, we delete your correspondence from our systems.

7. Cookies

Cookies are small text files that websites place on your device to store information between page visits. They serve various purposes, from keeping a website functional to tracking user behaviour across the internet.

This website does not set any cookies for analytics, advertising, or tracking. Pirsch Analytics is entirely cookie-free.

Framer, as our hosting provider, sets strictly necessary cookies to deliver the website. These are limited to technical functions such as load balancing, security, and content delivery. They do not track you, do not profile you, and are not used for marketing. The legal basis for these cookies is Art. 6(1)(f) GDPR (legitimate interest in a functioning website).

You can configure your browser to block or delete cookies at any time. Instructions are available in the help section of your browser. For example, in Chrome under Settings → Privacy and Security → Cookies, in Firefox under Settings → Privacy & Security, and in Safari under Preferences → Privacy. Blocking strictly necessary cookies can prevent parts of the website from functioning correctly.

8. Social media: LinkedIn

We maintain a company page on LinkedIn at https://www.linkedin.com/company/malpaux/. The purpose of this page is to provide information about Malpaux GmbH and to communicate with the professional community.

When you visit our LinkedIn page, LinkedIn Ireland Unlimited Company processes your data as described in Section 2(d) above. LinkedIn is the controller for all data processing that occurs on the LinkedIn platform. We and LinkedIn are joint controllers within the meaning of Art. 26 GDPR with respect to the aggregated page statistics LinkedIn provides to us; LinkedIn has assumed primary responsibility for the processing of personal data in this context under its Page Insights Joint Controller Addendum.

We do not merge the aggregate data we receive from LinkedIn with any other data sources, and we cannot identify individual visitors to our LinkedIn page.

For information on LinkedIn's data processing, your rights, and how to adjust your privacy settings on LinkedIn, please see:

If you wish to object to the processing of your data by LinkedIn, you can adjust your settings directly in your LinkedIn account under Settings → Data Privacy.

9. No data sharing for marketing

We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes.

10. Links to other websites

Our website contains links to other websites. This privacy policy applies only to malpaux.com. If you follow a link to another website, that website's own privacy policy governs how your data is handled. We are not responsible for the privacy practices of other sites.

11. Data transfers outside the EU

As described in Sections 4 and 6, your data is transferred to the United States through our use of Framer (hosting) and Google Workspace (email). Both providers rely on Standard Contractual Clauses approved by the European Commission as safeguards in accordance with Art. 46 GDPR. All analytics data processed by Pirsch remains within the European Union.

When you visit our LinkedIn company page, LinkedIn may transfer your data outside the European Union in accordance with its own privacy policy and the safeguards described therein.

12. Your rights

Under the GDPR, you have the following rights with respect to your personal data:

  • Right of access (Art. 15 GDPR): to obtain confirmation of whether we process your personal data and, if so, to access it.

  • Right to rectification (Art. 16 GDPR): to have inaccurate data corrected.

  • Right to erasure (Art. 17 GDPR): to have your data deleted, subject to legal retention obligations.

  • Right to restriction of processing (Art. 18 GDPR): to restrict the processing of your data under certain conditions.

  • Right to data portability (Art. 20 GDPR): to receive your data in a structured, commonly used, machine-readable format.

  • Right to object (Art. 21 GDPR): to object to processing based on legitimate interests at any time, on grounds relating to your particular situation.

To exercise any of these rights, please contact us at hey@malpaux.com. We will respond to your request within one month of receiving it. If your request is complex or we receive a high volume of requests, we will notify you within that month and extend the response period by up to two further months as permitted under Art. 12(3) GDPR.

You also have the right to lodge a complaint with a supervisory authority. The competent authority for Malpaux GmbH is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59–61
10555 Berlin
Germany
https://www.datenschutz-berlin.de

13. Obligation to provide data

You are not legally or contractually required to provide us with personal data. However, if you do not provide the data that your browser automatically transmits (such as your IP address), the website cannot be delivered to you. If you choose not to provide personal data when contacting us by email, we will be unable to respond to your enquiry.

14. Automated decision-making

We do not use automated decision-making or profiling as defined in Art. 22 GDPR.

15. Legal basis and right to withdraw consent

We process personal data exclusively on the basis of legitimate interest (Art. 6(1)(f) GDPR) and, for pre-contractual enquiries, on the basis of contract performance (Art. 6(1)(b) GDPR). We do not process any data on the basis of consent. If we introduce consent-based processing in the future, we will update this policy and provide a clear way to withdraw consent at any time.

16. Changes to this privacy policy

We update this privacy policy when our practices or the applicable law change. The current version is always available on this website. We encourage you to review it periodically.

Last updated: 2026-07-05