Privacy Policy
1. Data Controller
The controller within the meaning of GDPR Art. 4(7) is:
IJONIS UG (haftungsbeschränkt)c/o Factory Works GmbH
Stadtdeich 2-4
20097 Hamburg, Germany
Email:
For further details, see our Imprint.
2. Overview of Processing
In the course of providing HSRates, we process the following categories of personal data:
Usage Data
Data collected automatically on page load: accessed URL, referrer URL, timestamp, transferred data volume, browser type and version, operating system, screen resolution.
Contact Data (Lead Forms)
Data you voluntarily submit: email address (required), company name (optional), HS codes of interest, source page, form type.
Technical Data (with consent)
When you accept the cookie banner: cookie identifiers
(_ga, _gid), device-level analytics data
via Google Analytics 4; advertising cookies
(__gads, __gpi, __eoi)
via Google AdSense.
3. Legal Bases
We process personal data on the following legal bases:
- Art. 6(1)(a) GDPR (Consent) — Google Analytics 4 is only activated after you explicitly consent via the cookie banner.
- Art. 6(1)(f) GDPR (Legitimate Interest) — Cloudflare Web Analytics (cookieless, no personal data) and basic security measures (DDoS protection, TLS). Our legitimate interest is maintaining and improving the service.
- Art. 6(1)(b) GDPR (Contract Performance) — Processing lead form data to handle your inquiry.
4. Your Rights (GDPR)
You have the following rights regarding your personal data:
- Right of Access (Art. 15) — You may request information about the data we process.
- Right to Rectification (Art. 16) — Correction of inaccurate data.
- Right to Erasure (Art. 17) — Deletion of your data, provided no retention obligation applies.
- Right to Restriction (Art. 18) — Restriction of processing under certain conditions.
- Right to Data Portability (Art. 20) — Receive your data in a structured, commonly used format.
- Right to Object (Art. 21) — Object to processing based on legitimate interests.
- Withdrawal of Consent (Art. 7(3)) — You may withdraw consent at any time. Use the "Cookie Settings" link in the page footer.
- Right to Lodge a Complaint (Art. 77) — You have the right to complain to a supervisory authority (see Section 12).
To exercise your rights, contact us at the email address listed in Section 1.
6. Hosting & CDN
Cloudflare Pages
This website is hosted by Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA) and served through Cloudflare's global CDN.
Cloudflare processes technically necessary connection data (IP
address, timestamp) for content delivery and DDoS protection. The
__cf_bm cookie is used for bot management and is
strictly necessary.
Cloudflare participates in the EU-US Data Privacy Framework (DPF). Privacy policy: cloudflare.com/privacypolicy .
Supabase
Lead form data is stored with Supabase, Inc. (San Francisco, USA). Supabase acts as a data processor under Art. 28 GDPR.
Supabase participates in the EU-US Data Privacy Framework. Privacy policy: supabase.com/privacy .
7. Web Analytics
Cloudflare Web Analytics
We use Cloudflare Web Analytics, a privacy-friendly analytics solution that sets no cookies, stores no IP addresses, and processes no personal data. Consent is therefore not required (Art. 6(1)(f) GDPR).
Google Analytics 4
We use Google Analytics 4 (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to analyze website usage. GA4 is only activated after your explicit consent under TDDDG §25.
The following cookies are set:
-
_ga— Distinguishes users (duration: 2 years) -
_gid— Distinguishes users (duration: 24 hours)
Google participates in the EU-US Data Privacy Framework (DPF). Privacy policy: policies.google.com/privacy .
Opt-out: You can disable analytics at any time via the "Cookie Settings" in the page footer, or by installing the Google Analytics Opt-out Browser Add-on .
Google AdSense
We use Google AdSense (Google Ireland Limited) to display advertisements on our website. AdSense is only activated after your explicit consent under TDDDG §25.
The following cookies may be set:
-
__gads/__gpi— Ad delivery and personalisation (duration: 13 months) -
__eoi— User interaction with ads (duration: 6 months)
Google participates in the EU-US Data Privacy Framework (DPF). More information: Google Advertising Privacy .
8. Lead Forms & Email
The following data is collected via lead forms:
- Email address (required)
- Company name (optional)
- HS codes of interest
- Source page
- Form type
Legal basis: Art. 6(1)(a) GDPR (Consent). You consent to processing by submitting the form.
Withdrawal: You may withdraw your consent at any time by emailing the address listed in Section 1. The lawfulness of processing carried out before withdrawal remains unaffected.
9. Data Transfers to Third Countries
Some of our service providers are based in the United States, a third country outside the EEA:
- Cloudflare, Inc. — Participant in the EU-US Data Privacy Framework (adequacy decision under Art. 45 GDPR).
- Google Ireland Limited / Google LLC — Participant in the EU-US Data Privacy Framework.
- Supabase, Inc. — Participant in the EU-US Data Privacy Framework.
Note: The EU Commission's adequacy decision for the EU-US DPF may be revoked or amended in the future. We monitor the legal situation and adjust our safeguards accordingly.
10. Data Retention
- Lead data: Until revocation or 3 years after last activity, whichever comes first.
- Cookie consent: 1 year
(
hsrates-cookie-consent). - Google Analytics: 14 months (automatic data deletion in GA4).
- Server logs (Cloudflare): Maximum 72 hours.
11. Data Security
We implement technical and organizational measures in accordance with Art. 25 and Art. 32 GDPR to protect your data:
- Encryption of all data transfers via TLS/HTTPS.
- Encrypted connections to Supabase (PostgreSQL with SSL).
- Regular review of security measures.
- Access restriction to personal data following the principle of data minimization.