Legal

Privacy Policy

Last updated: January 26, 2026

Introduction

The protection of your personal data has the highest priority. This Privacy Policy explains the type, scope, and purpose of processing personal data (hereinafter "data") in connection with our online services. This includes the associated website, features and content, as well as external online presences such as social media profiles (collectively "online services"). Your personal data will be treated confidentially and in strict accordance with statutory data protection regulations and the provisions of this Privacy Policy.

General Information

This Privacy Policy provides a comprehensive overview of what happens to your personal data when you visit this website or use our services. Personal data is any information that can be used to personally identify you.

Data Controller

Data processing on this website and within the scope of our services is carried out by the website operator. The contact details of the controller can be found in the "Data Controller" section below.

Collection of Your Data

Personal data is collected in part by you actively providing it, for example by filling out a contact form, booking a consultation, or entering into a service contract. Other data is automatically collected or collected with your consent when you visit the website by the controller's IT systems. This primarily includes technical data (e.g., internet browser, operating system, or time of page access). This data collection occurs automatically as soon as you enter the website.

Use of Your Data

Some of the data is collected to ensure the error-free provision of the website and our services. Other data may be used to analyse user behaviour to optimise the offer and adapt it to your needs. In the context of our AI consulting and automation services, we process data exclusively for the fulfilment of the respective contractual purpose.

Data Transfer to Third Parties

In the course of the controller's business activities, it may be necessary to transfer personal data to third parties. This transfer only takes place when necessary for the fulfilment of a contract, when there is a legal obligation, when there is a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, or when another legal basis permits the transfer. When using external service providers for data processing, the transfer of personal data only takes place on the basis of a valid data processing agreement in accordance with Art. 28 GDPR.

Withdrawal of Consent to Data Processing

Certain data processing operations can only be carried out with your express consent. This consent can be withdrawn at any time. The lawfulness of the data processing carried out up to the time of withdrawal remains unaffected.

Right to Object (Art. 21 GDPR)

If the processing of your personal data is based on Art. 6 para. 1 lit. e or f GDPR, you have the right to object to this processing at any time for reasons arising from your particular situation. This also applies to profiling based on these provisions. If your personal data is used for direct marketing purposes, you have the right to object to this processing at any time; after your objection, we will no longer use your personal data for these advertising purposes.

Rights Under the GDPR

You have the right to:

  • Information about your stored personal data, its origin, recipients, and the purpose of processing
  • Correction or deletion of your data (subject to legal retention obligations)
  • Restriction of processing where applicable
  • Data portability in a structured, commonly used, machine-readable format
  • Lodge a complaint with a competent supervisory authority

Right to Lodge a Complaint with the Supervisory Authority

Competent supervisory authority for Baden-Württemberg:

The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
P.O. Box 10 29 32, 70025 Stuttgart, Germany
Email: poststelle@lfdi.bwl.de
Website: www.baden-wuerttemberg.datenschutz.de

Data Controller

The controller responsible for data processing on this website and in the context of services within the meaning of the GDPR is:

Malek Kilani — Elevate Wisely
Hafenstraße 25–27, 68159 Mannheim, Germany
Contact for Privacy Matters: malek.kilani@elevatewisely.com

Data Processors

We work with various data processors who process data on our behalf. These service providers are contractually obligated to treat the data confidentially and use it exclusively within the scope of the respective service. Data Processing Agreements (DPAs) in accordance with Art. 28 GDPR have been concluded with all data processors.

Hosting

This website is hosted on infrastructure provided by external service providers to ensure reliable, secure, and high-performance delivery of this online offering.

Primary Website Hosting — Lovable

The main website (elevatewisely.com) is hosted by:

Lovable AB
Stockholm, Sweden
Website: lovable.dev

Lovable delivers this website through Cloudflare's global edge network (Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA), which serves the site from data centres geographically close to the visitor.

Processed Data: When you visit our website, the following data is automatically collected and stored in server log files:

  • IP address of the accessing device
  • Date and time of access
  • Name and URL of the retrieved files
  • Website from which access occurred (referrer URL)
  • Browser type and version
  • Operating system used
  • Access provider name

Purpose of Data Processing:

  • Ensuring smooth website operation
  • Optimising website performance and loading times
  • Preventing and defending against cyber attacks
  • Ensuring IT security and system stability
  • Technical administration of the network infrastructure

Legal Basis: The processing is based on Art. 6 para. 1 lit. f GDPR (legitimate interest). Our legitimate interest lies in the reliable and secure provision of our website.

Data Processing Agreement: Data Processing Agreements (DPAs) in accordance with Art. 28 GDPR apply with Lovable and its sub-processor Cloudflare for the processing of personal data related to hosting.

Storage Duration: Server log files are typically stored for a short period (up to 30 days) and then automatically deleted. Data required for evidence purposes may be stored longer until the respective incident is finally clarified.

Privacy information of our hosting providers: Lovable Privacy Policy · Cloudflare Privacy Policy

Landing Pages and Forms Hosting — HighLevel

For certain landing pages, forms, and marketing automation features, we also use services from:

HighLevel Inc.
Corporate HQ, 400 North Saint Paul St., Suite 920, Dallas, Texas 75201, USA

Data Transfer to USA: Personal data may be transferred to and processed in the USA. The data transfer is based on Standard Contractual Clauses (SCCs) approved by the European Commission in accordance with Art. 46 GDPR.

Details on data processing and data protection can be found in the provider's privacy policy: https://www.gohighlevel.com/privacy-policy

Legal Basis for Data Processing

  • Consent (Art. 6 para. 1 lit. a GDPR): Where you have given consent.
  • Contract Performance (Art. 6 para. 1 lit. b GDPR): Necessary for the performance of a contract or pre-contractual measures.
  • Legal Obligation (Art. 6 para. 1 lit. c GDPR): Processing necessary to comply with legal obligations.
  • Legitimate Interests (Art. 6 para. 1 lit. f GDPR): Processing to protect legitimate interests of the controller or a third party.

For certain processing operations, national regulations such as § 25 TTDSG may also apply.

International Data Transfers

If tools from companies based in countries with inadequate data protection levels are used on this website, your personal data may be transferred to and processed in these countries. For US providers, transfers rely either on certification under the EU-US Data Privacy Framework (DPF) or on Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Art. 46 GDPR, together with appropriate additional safeguards.

Storage Duration

Unless a more specific storage period is stated within this Privacy Policy, personal data will remain with the controller until the purpose for data processing no longer applies. Specific statutory retention periods apply, in particular:

  • Accounting documents: 10 years (§ 147 AO)
  • Business correspondence: 6 years (§ 257 HGB)
  • Marketing consents: until revocation of consent

Security Measures

We take comprehensive technical and organisational measures to protect your personal data from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access. Technical measures include SSL/TLS encryption (HTTPS) for all data transmissions, firewall systems, and regular security updates. Organisational measures include data minimisation, access on a need-to-know basis, and confidentiality obligations for everyone working with us.

Cookies

This website uses cookies. These are small files that your browser automatically creates and that are stored on your end device (laptop, tablet, smartphone) when you visit the site. Cookies do not damage your end device, do not contain viruses, Trojans, or other malware. Information is stored in the cookie that arises in connection with the specifically used end device. However, this does not mean that we thereby become directly aware of your identity.

The use of cookies serves on the one hand to make the use of the offer more pleasant for you (e.g. session cookies, temporary cookies for user-friendliness). On the other hand, with your consent we use cookies to statistically record the use of the website and to evaluate it for the purpose of optimisation.

The data processed by essential cookies are necessary for the stated purposes to protect the legitimate interests of the controller in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. Non-essential cookies are only set on the basis of your consent (Art. 6 para. 1 lit. a GDPR, § 25 TTDSG).

Most browsers automatically accept cookies. You can configure your browser so that no cookies are stored or that a notice always appears before a new cookie is created. Complete deactivation of cookies may result in you not being able to use all functions of the website.

Cookie Consent Banner

This website uses a cookie consent banner to manage your consents for the use of cookies and comply with GDPR requirements. The banner appears on your first visit to collect your consent before any non-essential cookies are placed on your device. You can choose to accept all cookies (including analytics) or decline non-essential cookies.

When you make a choice, a consent cookie is stored locally on your device that remembers your preference and the timestamp of your decision. It contains no personal identification data.

Types of Cookies We Use

1. Essential cookies (always active): cookie consent preferences, session management, security features. Legal basis: Art. 6 para. 1 lit. f GDPR.

2. Analytics cookies (require consent): Google Analytics 4 (see dedicated section below). Legal basis: Art. 6 para. 1 lit. a GDPR and § 25 TTDSG.

3. Marketing cookies (require consent): GoHighLevel tracking on landing pages and forms, conversion tracking. Legal basis: Art. 6 para. 1 lit. a GDPR.

Managing Your Cookie Preferences

You can change your cookie preferences at any time by clicking the “Cookie Settings” link in the website footer, by clearing your browser cookies (the banner will reappear on your next visit), or by using your browser settings to block or delete cookies.

Withdrawal of Cookie Consent

You can withdraw your cookie consent at any time with effect for the future. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

Google Analytics 4

This website uses Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Google Analytics is only loaded after you have given consent via our cookie banner.

What data is collected: pages visited and time spent, referrer URL, browser type and version, operating system, device type, screen resolution, approximate geographic location (city/country level), anonymised IP address, and interactions with website elements.

Purpose: understanding how visitors use the website, improving performance and user experience, identifying popular content, and generating aggregated usage statistics.

IP anonymisation: we have activated IP anonymisation (anonymizeIP). Your IP address is shortened within the EU/EEA before being transmitted to the USA.

Data transfer to the USA: Google LLC is certified under the EU-US Data Privacy Framework (DPF). Additional safeguards include Standard Contractual Clauses (SCCs) and technical and organisational measures implemented by Google.

Cookies used: _ga (distinguishes unique users, up to 2 years), _ga_[container-id] (stores and counts page views, up to 2 years), _gid (distinguishes users, 24 hours).

Storage duration: user-level and event-level data are retained for up to 14 months.

Google Signals: disabled. We do not allow Google to use our Analytics data for advertising purposes or to share it with other Google products.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent) and § 25 TTDSG.

Your control options: decline analytics cookies in the cookie banner, install the Google Analytics Opt-out Browser Add-on (tools.google.com/dlpage/gaoptout), configure your browser to block third-party cookies, or withdraw your consent at any time via the Cookie Settings link.

A Data Processing Agreement under Art. 28 GDPR is in place with Google. More information: Google Analytics Privacy · Google Privacy Policy.

Social Media

We link to our profiles on the social networks listed below. The links are simple HTML links and do not load any third-party scripts or cookies until you actively click them. Once you visit those external sites, the respective provider's privacy policy applies and personal data (including your IP address) may be transmitted to the provider.

LinkedIn

Operator: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (parent: LinkedIn Corporation, USA). Profile: linkedin.com/in/malekkilani. Data transfer to the USA is based on Standard Contractual Clauses; LinkedIn is certified under the EU-US DPF. Legal basis when you interact with LinkedIn content: Art. 6 para. 1 lit. a GDPR (consent) and Art. 6 para. 1 lit. f GDPR (legitimate interest). More information: LinkedIn Privacy Policy.

YouTube

Operator: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Channel: youtube.com/@Malek_Kilani. If we embed YouTube videos in the future, we use the extended data protection mode; cookies are only set when you play a video. Legal basis: Art. 6 para. 1 lit. f GDPR. More information: Google Privacy Policy.

Form Tools and Appointment Booking — GoHighLevel

Our website uses tools and services from GoHighLevel (HighLevel Inc., Dallas, USA) for contact forms, appointment booking, email marketing, and customer relationship management. When you interact with these tools, data such as contact information (name, email, phone number, company), communication content, appointment data, and technical data (IP, browser, device) may be processed. Data may be transferred to the USA based on Standard Contractual Clauses (SCCs). For details, see HighLevel's privacy policy linked above.

Contact

For any privacy request, email malek.kilani@elevatewisely.com.