Privacy policy

Governing language: This page is a translation of the German privacy notice. If the English and German texts differ, the German text at /de/datenschutz/ prevails for interpretation under applicable law.

1. Controller

Controller within the meaning of Art. 4 (7) GDPR (joint controllers pursuant to Art. 26 GDPR): Karlheinz Görg and Marco Graf

Represented by: Karlheinz Görg, Stresemannstraße 25, 61231 Bad Nauheim, Germany

Marco Graf, Mittelweg 26, 60318 Frankfurt am Main, Germany

Data protection officer: Marco Graf — Email: dpo@aquadock.eu

2. Collection and processing of personal data

2.1 When you visit the website (log files)

When you visit the website, the following data are stored automatically in server log files: IP address (anonymised), date and time of access, URL requested, referrer URL, browser and operating system, access status / HTTP status code.

Legal basis: Art. 6 (1) (f) GDPR (legitimate interests in system security, stability, and error analysis). Retention: up to 7 days, then automatic deletion.

2.2 Contact form / email / phone / WhatsApp

When you contact us (form, email, phone, or WhatsApp), we collect: name, email address, telephone number where provided, and message content. If you use WhatsApp, data is transmitted to WhatsApp Ireland Limited (Meta); WhatsApp's privacy policy applies.

Legal basis: Art. 6 (1) (a) GDPR (consent) or Art. 6 (1) (b) GDPR (pre-contractual steps / performance of a contract). Retention: until your request is completed plus up to 12 months (unless a statutory retention obligation applies).

2.3 Sales partner application

When you apply as a sales partner via the form at /en/sales-partner/ (German: /de/vertriebspartner/), we process: first and last name, email, phone, company where provided, country/region, proposed sales territory, sales experience, industry experience, motivation, CV where uploaded (PDF/DOC/DOCX), LinkedIn profile, references, tax ID where applicable (DACH), consents, and technical metadata (anonymised IP, user agent).

Recipients / processor: storage in an EU-hosted Supabase database (CRM). CVs are stored in a private storage bucket.

Legal basis: Art. 6 (1) (a) GDPR (consent) and Art. 6 (1) (b) GDPR (steps prior to a potential contract).

Retention: If your application is rejected, we store your data for up to 12 months and then delete it unless a further obligation applies. For active applications, we store data until the process is completed. If a contract is concluded, statutory retention obligations — in particular under commercial and tax law — may require longer storage of relevant contract documents. As a rule, these obligations provide for retention of 6 to 10 years. Withdraw consent or request access at info@aquadock.de.

Browser draft: The application form may save your entries locally under aquadock-sales-partner-draft:v1 (localStorage, max. 7 days). CV files are not stored; consents must be re-granted after restore. Legal basis: Art. 6 (1) (f) GDPR (usability).

2.4 Booking / conclusion of contract

To perform and administer rental or purchase contracts, we collect and process in particular: first and last name, billing and, if applicable, delivery address, email address, telephone number, and payment data.

Legal basis: Art. 6 (1) (b) GDPR (performance of a contract and pre-contractual steps). Payment data are processed exclusively via the respective payment service provider (see section 5).

Retention: We store contract and booking data for the duration of the contractual relationship. Beyond that, we retain them only as long as needed to fulfil contractual and statutory obligations. Statutory retention obligations — in particular under commercial and tax law — may require storage of contract documents, booking records, and invoice data. As a rule, these obligations provide for retention of 6 to 10 years. Once the relevant obligation no longer applies, data are deleted unless further processing is required.

2.5 Newsletter / marketing

With your consent (Art. 6 (1) (a) GDPR) we send newsletters. You may withdraw consent at any time (unsubscribe link in the newsletter or email to info@aquadock.de). Retention: until withdrawal.

2.6 Partner inquiry and consultation booking

On Become a partner pages (e.g. /en/become-a-partner/, German: /de/partner-werden/) you can enquire about operating a rental station. We process the data you provide (e.g. name, email, phone, company, location, message, how you heard about us).

Legal basis: Art. 6 (1) (a) GDPR (consent via the form) and Art. 6 (1) (b) GDPR (pre-contractual steps).

Retention: until your request is completed plus up to 12 months, unless a longer statutory retention obligation applies.

You may optionally book a consultation via Brevo Meetings. If form fields are already filled in, name, email, phone, and company may be passed for prefill. When you click “Choose a time” or “Open calendar in a new tab”, Section 4.2 applies.

2.7 Station booking and user accounts

When you rent water sports equipment at an Aquadock rental station, booking usually takes place via a station-specific self-service flow on dedicated station booking pages. For this purpose, we — or the service providers named in section 5 — process in particular contact and identification data, booking details (e.g. period, equipment type), payment information, and — where required for use — access or unlock credentials (e.g. PIN or comparable authorisation). Use of the digital platform (website, app, user account) is governed by the terms of use; the rental contract by the general terms (binding German versions at /de/nutzungsbedingungen/ and /de/agb/).

Legal basis: Art. 6 (1) (b) GDPR (performance of a contract). Where technical log data arises for secure station operation, Art. 6 (1) (f) GDPR applies (legitimate interests in operation, maintenance, and security).

Retention: Booking and billing data are retained as described in section 2.4. Operational access or unlock credentials are stored only for the rental period and a short follow-up period of up to 30 days — for example for support or any dispute resolution.

User accounts: Where we or our booking service providers offer persistent user accounts, profiles, or booking history (e.g. in a booking app or partner portal), we process the data required for this (e.g. login identifier, profile data, stored bookings) for performance of the contract and account administration.

Legal basis: Art. 6 (1) (b) GDPR (performance of the contract and account administration).

Retention: Storage ends when the account is deleted or statutory retention periods expire, unless a further obligation applies.

3. Cookies and consent management

We use strictly necessary cookies and local storage entries without consent (Section 25 (2) TTDSG). Optional analytics cookies and the Brevo live chat widget are set only after your explicit consent to the Analytics category (Section 25 (1) TTDSG in conjunction with Art. 6 (1) (a) GDPR). You can change or withdraw your choices at any time via the Cookie settings menu item in the website footer or the consent banner. Consent policy version: 2026-06-03.

Adjust preferences: Click the Cookie settings menu item in the footer at any time. In the consent tool you can accept, reject, or granularly adjust categories, view cookie details, and see your local consent history. If you disable analytics, we update Google Consent Mode to denied, do not load GA4 or the Brevo chat widget, and delete _ga and _ga_* cookies on your device.

Brevo live chat note: With consent to Analytics, the Brevo chat widget may load (Section 4.2). Brevo may set its own cookies or similar technologies. You may withdraw consent at any time via the Cookie settings menu item in the footer.

Marketing cookies: No marketing cookies are currently in use. A corresponding option is shown in the consent tool for transparency and will be activated only if marketing tools are added in the future.

The consent history (aquadock-consent-log) is stored locally in your browser only and limited to 25 entries (oldest entries are removed automatically).

4. Analytics tools

4.1 Google Analytics 4

We use Google Analytics 4 to design and improve the website as needed (see cookie table in Section 3). Legal basis: consent (Art. 6 (1) (a) GDPR in conjunction with Section 25 TTDSG). The script loads only after consent; page views are recorded on in-browser navigation. Consent policy version: 2026-06-03. Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Transfers to the United States are based on the EU–US Data Privacy Framework (DPF) and/or standard contractual clauses (SCCs). The IP address is anonymised before transfer (IP masking).

Opt-out: via the Cookie settings menu item in the footer, via the consent banner, or via the Google Analytics Opt-out Browser Add-on.

4.2 Brevo (live chat and appointment booking)

We use services from Brevo (formerly Sendinblue; Brevo SAS, 106 boulevard Haussmann, 75008 Paris, France — Brevo privacy policy). Where Brevo processes data on our behalf, a data processing agreement pursuant to Art. 28 GDPR is in place.

Brevo Conversations (live chat)

On marketing pages (not station booking kiosks) you may contact us via live chat after consent to Analytics. This may involve chat content, technical metadata, and — if provided in a partner or contact form — contact details for identification.

Legal basis: consent (Art. 6 (1) (a) GDPR in conjunction with Section 25 (1) TTDSG). The widget loads only after analytics consent. Opt-out: via the Cookie settings menu item in the footer (disable analytics).

Brevo Meetings (appointments)

On Become a partner you may voluntarily book a consultation (popup or calendar at meet.brevo.com). Brevo processes data required for booking (e.g. name, email, chosen slot).

Legal basis: Art. 6 (1) (a) GDPR (consent by active booking) or Art. 6 (1) (b) GDPR (pre-contractual communication). Meeting scripts load only after you click.

5. Disclosure of data

We disclose personal data only where required for the purposes described in this notice and a legal basis exists. Recipients may fall into the following categories in particular:

For performance of a contract (Art. 6 (1) (b) GDPR), for example:

• Payment service providers (Stripe, PayPal)
• Hosting providers with servers in the EU
• Communication and appointment booking providers (Brevo)
• Specialised external providers for booking, payment, and, where applicable, access authorisation at our rental stations (see below)

Where legally required (Art. 6 (1) (c) GDPR), for example:

• Tax and revenue authorities, where a disclosure obligation exists

To establish, exercise, or defend legal claims (Art. 6 (1) (f) GDPR), for example:

• Recipients, where disclosure is required to establish, exercise, or defend legal claims

Rental at stations

For self-service booking at our autonomous rental stations, we engage specialised external providers for booking, payment, and, where applicable, access authorisation. They process data required to perform the rental (e.g. name, contact details, booking and payment information) for performance of the contract (Art. 6 (1) (b) GDPR).

Further details on the respective recipients and processing are available in the booking flow of the relevant station and in the privacy notices linked there. On request, we provide additional information — contact us at info@aquadock.de.

On station-specific booking pages, the usual website cookie banner is hidden to simplify mobile checkout. The privacy notices of the respective booking provider also apply to these pages.

Autonomous rental stations (hardware)

The autonomous rental stations generally do not process personal data beyond what is required in the respective booking flow for contract performance and for operation, maintenance, and security of the facility.

Processors (Art. 28 GDPR)

Where we engage service providers to process personal data on our behalf, we select them carefully and conclude the contracts required by law. A current list of processors is available on request — at dpo@aquadock.eu or info@aquadock.de.

Transfers to third countries

Recipients outside the European Union receive personal data only where an adequate level of data protection is ensured — in particular through the EU–US Data Privacy Framework (DPF) and/or standard contractual clauses (SCCs) pursuant to Art. 46 GDPR.

6. Data subject rights

You have the following rights under the GDPR vis-à-vis us:

• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Withdrawal of your consent (Art. 7 (3) GDPR), where processing is based on consent
• Objection (Art. 21 GDPR), where the requirements are met

To exercise your rights, email info@aquadock.de.

Important — no automated decision-making (Art. 22 GDPR): We do not use automated decision-making — in particular no profiling that produces legal effects concerning you or similarly significantly affects you.

Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. The Hessian Commissioner for Data Protection and Freedom of Information (HBDI) is competent in particular: Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany, phone +49 611 1408-0 — https://datenschutz.hessen.de

7. Data security

We use SSL/TLS encryption (at least 256-bit). We also implement technical and organisational measures to protect your data against loss, destruction, or unauthorised access.

8. Currency of this notice

This privacy notice is dated 7 June 2026. We will update it if the website, our processing activities, or the legal framework change. The current version is published on this page at /en/privacy/. The German reference version is at /de/datenschutz/ and prevails if the texts differ.