Effective Date: March 22, 2026
Last Updated: March 26, 2026

This Privacy Policy explains how Thomas Halbritter, operating as Halbritter Media, Rathausstr. 41, 84082 Laberweinting, Germany ("Controller," "we," "us," or "our") collects, uses, stores, and protects personal data in connection with the website situationaldynamics.com ("Website") and the managed content services ("Services").

We process personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the German Federal Data Protection Act (BDSG), and the German Telemedia Act (TMG) / Digital Services Act implementation provisions.

1. Data Controller

The data controller responsible for the processing of your personal data is:

Thomas Halbritter
Halbritter Media
Rathausstr. 41
84082 Laberweinting,
Germany
Email: info@situationaldynamics.com
Phone: +49 174 7322853

2. Categories of Personal Data We Collect

2.1 Website Visitors

When you visit our Website, we may collect the following data:

Automatically collected data: IP address (anonymized where technically feasible), browser type and version, operating system, referring URL, pages visited and time spent, date and time of access, and device information.

Cookies and tracking: We use Google Analytics to analyze website usage. See Section 7 for details on cookies.

Voluntarily provided data: If you contact us via email or fill out a form, we collect the information you provide, such as your name, email address, and the content of your message.

2.2 Service Subscribers (Clients)

When you subscribe to our Services, we additionally collect:

Account and billing data: Full name, business name, email address, billing address, VAT identification number (if applicable), and payment information (processed by Stripe; we do not store full credit card numbers).

Brand and content data: Information you provide in the brand questionnaire, including business description, target audience, brand voice and tone preferences, visual style preferences, and brand assets (logos, colors, images).

Social media account data: Social media profile names and platform identifiers provided through OAuth authentication via Buffer. We do not receive or store your social media passwords.

Service usage data: Content approval and rejection decisions, publishing history, and communication records related to the Services.

2.3 Demo Form Participants

When you submit a demo request through our brand questionnaire form, we collect the following data: your name, email address, company name, website URL, business description, brand voice preferences, brand color (hex code), font preference, and visual style preference.

This data is processed to generate sample AI-rendered social media posts demonstrating our service capabilities. The demo results are delivered to the email address you provide. The legal basis for this processing is your consent under Article 6(1)(a) GDPR, provided via the consent checkbox on the form.

3. Purposes and Legal Bases for Processing

We process your personal data for the following purposes and on the following legal bases under Article 6(1) GDPR:

3.1 Performance of Contract (Article 6(1)(b) GDPR)

We process account, billing, brand, and social media data to provide the Services you have subscribed to, including content generation, approval workflows, and publication.

3.2 Legitimate Interests (Article 6(1)(f) GDPR)

We process website usage data and anonymized, aggregated service performance data for website security and fraud prevention, service improvement and optimization, and internal analytics. Our legitimate interest is the operation and improvement of our Website and Services. This interest does not override your fundamental rights and freedoms.

3.3 Consent (Article 6(1)(a) GDPR)

We process data through Google Analytics based on your consent, obtained via our cookie consent mechanism. You may withdraw your consent at any time (see Section 7).

3.4 Legal Obligation (Article 6(1)(c) GDPR)

We retain invoicing and payment records as required by German tax law (Section 147 AO, Section 257 HGB), typically for 10 years.

3.5 Processing on Behalf of Clients (Article 28 GDPR)

In the course of providing the Services, we act as a data processor on behalf of our clients with respect to content that is generated and published on their social media channels. The scope, nature, and purpose of this processing, as well as the obligations and rights of both parties, are governed by the data processing terms set out in our Terms of Service. Clients, as data controllers for their own social media audiences, are responsible for ensuring that the content they approve for publication complies with applicable data protection laws.

4. Recipients and Sub-Processors

We share personal data with the following categories of third-party service providers ("sub-processors") who process data on our behalf. All sub-processors are bound by data processing agreements that comply with Article 28 GDPR.

4.1 Website and Hosting

Framer B.V. provides website hosting and delivery, processing IP addresses, browser data, and page visits, and is located in the Netherlands (EU).

Google LLC (Google Analytics) handles website analytics and traffic analysis, processing anonymized IP addresses, browsing behavior, and device data, and is located in the USA (EU-US Data Privacy Framework).

Cal.com, Inc. provides appointment scheduling, processing names, email addresses, and booking details, and is located in the USA (EU-US Data Privacy Framework).

4.2 Payment Processing

Stripe, Inc. provides payment processing and subscription management, processing names, email addresses, billing addresses, VAT IDs, and payment card details, and is located in the USA (EU-US Data Privacy Framework).

4.3 Service Delivery Infrastructure

n8n GmbH provides form hosting and workflow automation for demo requests, processing names, email addresses, and brand questionnaire data, and is located in Germany (EU).

Google LLC (Google Sheets, Google Drive) handles client configuration storage, brand questionnaire data, and content management, processing brand data, content ideas, and publishing schedules, and is located in the USA (EU-US Data Privacy Framework).

Google LLC (Gemini AI) provides AI content generation and brand analysis, processing brand questionnaire responses and content parameters, and is located in the USA (EU-US Data Privacy Framework). Buffer, Inc. provides social media scheduling and publishing, processing social media profile identifiers, published content, and publishing schedules, and is located in the USA.

Hetzner Online GmbH provides server hosting for automation infrastructure, processing data through the automation pipeline, and is located in Germany (EU).

PhantomJSCloud (phantomjscloud.com), operated by ArtOfSolving, Inc., provides headless browser rendering for visual content, processing generated HTML and CSS code to produce image files (no personal data in standard operation), and is located in the USA. No personal data is transferred to this service; only programmatically generated design code and AI-generated images are processed.

ImgBB (ibb.co) provides temporary image staging (auto-deleted after 10 minutes), processing generated images (no personal data in standard operation), and is located in the USA.

Shotstack Pty Ltd provides video rendering for short-form content, processing generated visual content (no personal data in standard operation), and is located in Australia.

Catbox (catbox.moe) provides temporary image hosting for the publishing pipeline, processing generated images (no personal data in standard operation), and is located in the USA.

Buffer, Inc. provides social media scheduling and publishing, processing social media profile identifiers, published content, and publishing schedules, and is located in the USA. Transfers are safeguarded by Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR, supplemented by Buffer's data processing agreement.

4.4 Note on AI Processing

Content generated by AI models (Google Gemini) is based on inputs derived from your brand questionnaire and content parameters. The AI processes brand voice, tone, audience, and style information you provide. We do not submit personal client data (names, addresses, payment details) to AI models for content generation. We access Gemini through Google's paid API tier, under which Google does not use API inputs or outputs to train its foundation models, in accordance with Google's Cloud Data Processing Addendum and AI/ML Terms of Service.

5. International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA). We ensure appropriate safeguards for international data transfers through the following mechanisms:

EU-US Data Privacy Framework: Google LLC and Stripe, Inc. are certified under the EU-US Data Privacy Framework, providing an adequate level of data protection as recognized by the European Commission (Adequacy Decision of July 10, 2023).

Standard Contractual Clauses (SCCs): For sub-processors not covered by an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (June 2021 version) as the transfer mechanism, supplemented by additional technical and organizational measures where necessary.

Data minimization: For sub-processors involved only in content rendering (ImgBB, PhantomJS, Shotstack, catbox.moe), no personal client data is transferred. These services process only AI-generated content (images, videos) that does not contain personal data in standard operation.

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

Website visitor data (Google Analytics): 14 months (Google Analytics data retention setting), then automatically deleted.

Client account and service data: For the duration of the subscription, plus 30 days after cancellation to allow for reactivation.

Invoicing and payment records: 10 years from the end of the calendar year in which the transaction occurred, as required by German tax law (Section 147 AO).

Brand questionnaire and content data: Deleted within 90 days after termination of the subscription, unless retention is required by law.

Communication records: 3 years after the last communication, unless a longer retention is required for legal claims.

Demo form submissions, brand questionnaire data, and generated demo content are retained for 12 months after submission. This retention period allows us to deliver the demo, conduct consented follow-up communications, and improve our service through aggregated, non-identifiable analysis of content generation patterns. After 12 months, demo data is automatically deleted unless you have become a paying client, in which case client retention terms apply (Section 6). You may request early deletion at any time by contacting info@situationaldynamics.com.

7. Cookies and Tracking

7.1 Essential Cookies

Our Website uses essential cookies that are strictly necessary for the operation of the Website, including session management and security. These cookies do not require consent under Article 5(3) of the ePrivacy Directive.

7.2 Analytics Cookies (Google Analytics)

We use Google Analytics (provided by Google LLC) to analyze how visitors use our Website. Google Analytics uses cookies to collect information about your browsing behavior.

We have configured Google Analytics with the following privacy settings: IP anonymization is enabled, data sharing with Google is disabled where possible, and data retention is set to 14 months.

Google Analytics cookies are only set after you provide consent through our cookie consent banner. You may withdraw your consent at any time by adjusting your cookie settings or by deleting your browser cookies.

Legal basis: Article 6(1)(a) GDPR (consent).

7.3 Payment Cookies (Stripe)

When you proceed to checkout, Stripe may set cookies necessary for payment processing and fraud prevention. These cookies are essential for the transaction you have initiated.

Legal basis: Article 6(1)(b) GDPR (performance of contract).

7.4 Scheduling Cookies (Cal.com)

When you use the embedded scheduling widget or visit our booking page, Cal.com may set cookies necessary for the scheduling functionality. These cookies are essential for the service you have requested.

Legal basis: Article 6(1)(b) GDPR (pre-contractual measures at your request).

8. Your Rights Under the GDPR

As a data subject, you have the following rights under the GDPR. To exercise any of these rights, please contact us at info@situationaldynamics.com.

Right of access (Article 15 GDPR): You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about the processing.

Right to rectification (Article 16 GDPR): You have the right to request the correction of inaccurate personal data or the completion of incomplete personal data.

Right to erasure (Article 17 GDPR): You have the right to request the deletion of your personal data where the data is no longer necessary for the purposes for which it was collected, you withdraw your consent (where consent is the legal basis), or the data has been unlawfully processed. This right is subject to legal retention obligations.

Right to restriction of processing (Article 18 GDPR): You have the right to request the restriction of processing in certain circumstances, such as when you contest the accuracy of your data.

Right to data portability (Article 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means.

Right to object (Article 21 GDPR): You have the right to object to the processing of your personal data based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Right to withdraw consent (Article 7(3) GDPR): Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for us is:

Bayerisches Landesamt fur Datenschutzaufsicht (BayLDA) Promenade 18 91522 Ansbach, Germany Website: https://www.lda.bayern.de

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS/SSL), access controls and authentication for internal systems, regular review of security practices, and use of reputable, security-certified sub-processors (Stripe PCI-DSS, Hetzner ISO 27001).

10. Automated Decision-Making

Our Services use AI models to generate content proposals. However, no automated decision-making with legal or similarly significant effects (within the meaning of Article 22 GDPR) takes place. All content requires your explicit manual approval before publication. The Human-in-the-Loop approval process ensures that you retain full control over what is published.

11. Children's Privacy

Our Website and Services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy at any time. Material changes will be communicated to active subscribers via email. The "Last Updated" date at the top of this page indicates the most recent revision. We encourage you to review this Privacy Policy periodically.

13. Contact

For any questions or concerns regarding this Privacy Policy or our data processing practices, please contact:

Thomas Halbritter
Halbritter Media
Rathausstr. 41
84082 Laberweinting,
Germany
Email: info@situationaldynamics.com
Phone: +49 174 7322853