Legal

Privacy Policy

Preamble

With the following privacy policy we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in connection with the provision of our services and, in particular, on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as the "online offering").

The terms used are not gender-specific.

Last updated: 2 June 2026

Controller

Benjamin Augustus
Hagedornstraße 7
80804 Munich

Email address: info@cavaspaces.com

Overview of processing operations

The following overview summarises the types of data processed and the purposes of their processing and refers to the data subjects.

Types of data processed

Categories of data subjects

Purposes of processing

Relevant legal bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on the basis of which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection requirements may apply in your or our country of residence or domicile. Should more specific legal bases be relevant in individual cases, we will inform you of these in the privacy policy.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. These include in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains, in particular, special provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission, as well as automated decision-making in individual cases including profiling. Furthermore, the data protection laws of the individual federal states may apply.

Applicability of data protection requirements in the country of domicile: In the country in which the controller is domiciled, national data protection regulations apply in addition to the General Data Protection Regulation (GDPR).

Security measures

We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of processing, as well as the varying likelihood and severity of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as the access, input, disclosure, availability and separation relating to it. Furthermore, we have established procedures that ensure the exercise of data subject rights, the erasure of data and responses to threats to the data. In addition, we take the protection of personal data into account as early as the development and selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default.

Securing online connections using TLS/SSL encryption technology (HTTPS): To protect the data of users transmitted via our online services from unauthorised access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), protecting the data from unauthorised access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is signalled by the display of HTTPS in the URL.

Transmission of personal data

In the course of our processing of personal data, it may happen that the data is transmitted to or disclosed to other bodies, companies, legally independent organisational units or persons. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.

International data transfers

Data processing in third countries: Insofar as we transmit data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this occurs in the context of using third-party services or disclosing or transmitting data to other persons, bodies or companies (which becomes apparent from the postal address of the respective provider or where the privacy policy expressly refers to data transfer to third countries), this always takes place in accordance with the legal requirements.

For data transfers to the USA, we rely primarily on the Data Privacy Framework (DPF), which was recognised as a secure legal framework by an adequacy decision of the EU Commission dated 10 July 2023. In addition, we have concluded standard contractual clauses with the respective providers that comply with the requirements of the EU Commission and establish contractual obligations to protect your data.

This twofold safeguard ensures comprehensive protection of your data: the DPF forms the primary layer of protection, while the standard contractual clauses serve as additional security. Should changes arise within the framework of the DPF, the standard contractual clauses take effect as a reliable fallback option.

For the individual service providers, we inform you whether they are certified under the DPF and whether standard contractual clauses are in place. Further information on the DPF and a list of certified companies can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English).

General information on data storage and erasure

We erase personal data that we process in accordance with the legal provisions as soon as the underlying consent is withdrawn or there are no further legal bases for the processing. This applies to cases where the original purpose of processing no longer applies or the data is no longer required. Exceptions to this rule exist where legal obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons, must be archived accordingly.

Where there are several pieces of information regarding the retention period or erasure deadlines for a piece of data, the longest period is always decisive. Where a period does not expressly begin on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the event triggering the period occurred.

Rights of data subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

Business services

We process personal data of our contractual and business partners, such as customers, clients, prospective customers, suppliers and other cooperation partners (collectively "contractual partners"), for the purpose of initiating, performing and processing contractual relationships and comparable legal relationships. This also includes pre-contractual measures taken upon request, as well as communication relating to the respective contractual relationship.

The processing serves, in particular, the fulfilment of our main and ancillary contractual obligations. These include the provision of the agreed services, any update and information obligations, the handling of warranty and other performance issues, the processing of withdrawals, terminations of continuing obligations, reversals, refunds and the handling of other contract-related declarations and enquiries.

The data processed includes, in particular, master data such as name, address and, where applicable, company, contact data such as email address and telephone number, contract and service data such as the subject matter of the contract, contract term, order or transaction number, usage and service data, payment and billing data, as well as communication content and histories.

In addition, we process the data to protect our rights and to fulfil legal obligations. This includes, in particular, commercial and tax law retention obligations, documentation obligations and, where applicable, verification and accountability obligations. This may also include the involvement of external service providers such as IT and telecommunications providers, payment service providers, banks, tax and legal advisors or other agents, insofar as this is necessary for the performance of the contract or to fulfil legal obligations.

Types of data processed: Master data; payment data; contact data; contract data.
Data subjects: Service recipients and clients; prospective customers; business and contractual partners.
Purposes of processing: Provision of contractual services and fulfilment of contractual obligations; communication; office and organisational procedures; business processes and management procedures.
Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6 (1) sentence 1 lit. b) GDPR); legal obligation (Art. 6 (1) sentence 1 lit. c) GDPR); legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR).

Payment procedures

Within the framework of contractual and other legal relationships, due to legal obligations or otherwise on the basis of our legitimate interests, we offer data subjects efficient and secure payment options and, for this purpose, use, in addition to banks and credit institutions, other service providers (collectively "payment service providers"). Payment transactions are carried out in accordance with the state of the art exclusively via encrypted connections, so that the data entered is protected from unauthorised access during transmission.

The data processed by the payment service providers includes master data, such as name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as contract, total and recipient-related information. The data entered is, however, only processed by the payment service providers and stored with them. That is, we do not receive any account- or credit-card-related information, but only information confirming or denying the payment.

The terms and conditions and the data protection notices of the respective payment service providers apply to payment transactions and can be accessed within the respective websites or transaction applications. We also refer to these for further information and to assert rights of withdrawal, access and other data subject rights.

Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6 (1) sentence 1 lit. b) GDPR); legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR).

Stripe: Payment services (technical integration of online payment methods); service provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; legal bases: performance of a contract and pre-contractual enquiries (Art. 6 (1) sentence 1 lit. b) GDPR); website: https://stripe.com; privacy policy: https://stripe.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).

Provision of the online offering and web hosting

We process users' data in order to be able to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

Types of data processed: Usage data; meta, communication and procedural data (e.g. IP addresses, timestamps); log data (e.g. log files).
Data subjects: Users (e.g. website visitors).
Legal bases: Legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR).

Collection of access data and log files: Access to our online offering is logged in the form of so-called "server log files". Server log files may include the address and name of the web pages and files accessed, the date and time of access, the volume of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL and, as a rule, IP addresses and the requesting provider. Log file information is stored for a maximum of 30 days and then deleted or anonymised.

STRATO: Services in the field of providing information technology infrastructure and related services (e.g. storage space and/or computing capacity); service provider: STRATO AG, Pascalstraße 10, 10587 Berlin, Germany; legal bases: legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR); website: https://www.strato.de; privacy policy: https://www.strato.de/datenschutz/. Data processing agreement: provided by the service provider.

Use of cookies

The term "cookies" refers to functions that store information on users' devices and read information from them. Cookies may also be used in relation to various concerns, for example for the purposes of functionality, security and convenience of online offerings, as well as for the creation of analyses of visitor flows. We use cookies in accordance with the legal provisions. To this end, we obtain users' prior consent where required. Where consent is not necessary, we rely on our legitimate interests. Consent can be withdrawn at any time.

General information on withdrawal and objection (opt-out): Users can withdraw the consent they have given at any time and can also object to the processing in accordance with the legal requirements, including by means of the privacy settings of their browser.

Legal bases: Legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR).

Changes and updates

We ask you to inform yourself regularly about the content of our privacy policy. We adapt the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.

Insofar as we provide addresses and contact information of companies and organisations in this privacy policy, please note that the addresses may change over time and please check the details before contacting them.

Created with the free privacy policy generator by Dr. Thomas Schwenke (Datenschutz-Generator.de)