Legal
Privacy Policy
How ContrailRisks collects, uses, and protects your personal data in accordance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
Last updated: April 2026
Controller
The controller responsible for data processing on this website is:
ContrailRisks UG (haftungsbeschränkt)
Managing Director: Fabrizio Di Carlo
Rosenthaler Straße 72A, 10119 Berlin, Germany
Email: hello@contrailrisks.com
Data We Collect and Why
a) Contact form
When you submit the contact form, we collect your first name, last name, email address, company name (optional), and your message. This data is processed solely to respond to your enquiry. The legal basis is your consent (Art. 6(1)(a) GDPR), which you grant by accepting our privacy notice and submitting the form. You may withdraw your consent at any time by contacting us at hello@contrailrisks.com. Withdrawal does not affect the lawfulness of processing before the withdrawal.
Contact form submissions are transmitted to and stored in HubSpot (HubSpot, Inc., 25 First Street, Cambridge, MA 02141, USA), our CRM provider. HubSpot acts as a data processor under a Data Processing Agreement that includes Standard Contractual Clauses (SCCs) for transfers of personal data to the United States, in accordance with Art. 46(2)(c) GDPR. For more information, see legal.hubspot.com/dpa.
b) Cloudflare Web Analytics
This website uses Cloudflare Web Analytics to understand how visitors use the site. Cloudflare Web Analytics is privacy-first: it does not use cookies, does not fingerprint individual users, and does not track users across sites. IP addresses are anonymised before any data is stored. No personally identifiable information is collected or shared. The legal basis is our legitimate interest in understanding aggregate website usage to improve our services (Art. 6(1)(f) GDPR). For more information, see Cloudflare's privacy policy.
c) HubSpot Analytics (consent-only)
If you accept all cookies, we load the HubSpot tracking script (hs.js) to understand how visitors engage with the site — which pages are read, how visitors navigate, and whether they return after an initial visit. This data is processed by HubSpot, Inc. (see section (a) above for processor details) and may set the following cookies: hubspotutk, __hstc, __hssc, __hssrc. The legal basis is your consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time via the Cookie Preferences link in the site footer.
d) OpenStreetMap (Contact page)
The Contact page embeds a map provided by OpenStreetMap, operated by the OpenStreetMap Foundation (OSMF), St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom. The map is only loaded if you accept cookies or explicitly request it. When loaded, your browser establishes a direct connection to OpenStreetMap's servers, which may process your IP address. The legal basis is your consent or, where not given, our legitimate interest in displaying our office location (Art. 6(1)(f) GDPR). For more information, see OSMF's privacy policy.
How Long We Keep Your Data
Contact form data is retained in HubSpot for up to 3 years from the date of last contact, after which it is deleted. You may request deletion at any time (see Section 5). Cloudflare Web Analytics data is aggregated and anonymised — no personal data is retained. HubSpot Analytics cookies have a maximum lifespan of 13 months and are cleared immediately if you withdraw consent.
International Data Transfers
HubSpot is based in the United States. Data transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, providing adequate safeguards under Art. 46(2)(c) GDPR. Cloudflare processes analytics data on infrastructure within the EU where possible; any transfers outside the EU are covered by Cloudflare's SCCs.
Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- —Access — request a copy of the data we hold about you (Art. 15)
- —Rectification — request correction of inaccurate data (Art. 16)
- —Erasure — request deletion of your data ("right to be forgotten") (Art. 17)
- —Restriction — request that we limit processing of your data (Art. 18)
- —Portability — receive your data in a structured, machine-readable format (Art. 20)
- —Objection — object to processing based on legitimate interests (Art. 21)
- —Withdraw consent — at any time, without affecting prior processing (Art. 7(3))
To exercise any of these rights, please contact us at hello@contrailrisks.com. We will respond within one month.
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. The authority competent for ContrailRisks UG is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59–61, 10555 Berlin, Germany
Changes to This Policy
We may update this Privacy Policy from time to time. The date at the top of this page reflects the most recent revision. We encourage you to review this policy periodically. Material changes will be indicated by an updated date.