Privacy Policy – elve solutions

Last updated: 28 May 2026

This Privacy Policy explains how elve solutions (“we”, “us”, or “our”) collects, uses, discloses and protects personal data when you visit our website https://elve-solutions.com/ (the “Website”), when you contact us, and when we contact prospective business customers by email (“Cold Email Outreach”).

We are established in Germany and our Website is hosted in Germany. However, our services are directed primarily at business users located in the United States. This Privacy Policy is intended to meet the transparency requirements of the EU General Data Protection Regulation (“GDPR”) and, where applicable, US state privacy laws including the California Consumer Privacy Act as amended by the CPRA (“CCPA/CPRA”), the Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA and similar comprehensive state privacy laws.

This Privacy Policy is not a contract and does not create any legal rights or obligations beyond those already provided by applicable law.

1. Controller and Contact Details

The data controller responsible for processing personal data is:

elve solutions
Ben Kiemel
An der Alten Ziegelei 38
48157 Münster
Germany

Email: ben@elve-solutions.com

We have not appointed a Data Protection Officer (DPO) because we are not legally required to do so under Section 38 BDSG.

2. Scope of This Privacy Policy

This Privacy Policy applies to:

Visitors to our Website;
Individuals who contact us by email or via the booking link to Cal.com embedded on or linked from our Website;
Prospective business customers and decision-makers we contact through Cold Email Outreach; and
Customers and business partners during the pre-contractual and contractual phase.

It does not apply to the processing of personal data of our customers’ end users in the context of delivering our services under a separate contract; such processing is governed by separate data processing agreements.

3. Categories of Personal Data We Process

Depending on how you interact with us, or whether we contact you as a business prospect, we may process the following categories of personal data:

Basic contact and identification data

First and last name
Business / company name
Job title / position
Business email address
Business phone number (where publicly available)
LinkedIn or other professional profile URL
Company website URL, industry, company size and similar firmographic data

Communication data

Content of messages you send to us by email or via our booking link
Content of cold outreach emails we send to you, your replies and our follow-ups
Date, time and metadata of communication (e.g. opens, clicks, replies — where technically recorded by our sending tool)
Calendar booking data (date, time, time zone, meeting topic) submitted through Cal.com

Technical and usage data (server logs and analytics)

IP address (in server logs, and transiently for analytics)
Date and time of access
Accessed URLs and files
Referrer URL (if provided by your browser)
Browser type and version, operating system, device information
Approximate location (country) based on IP address

For analytics we use the self-hosted WordPress plugin “Burst Statistics – Privacy-Friendly Analytics for WordPress” (“Burst”). According to Burst’s documentation, it does not store IP addresses or full user-agent strings in its database, and no analytics data is sent to third parties; all analytics data remains on our own WordPress installation.

Administrative and accounting data
For those who become customers: identification and contact details necessary for invoicing and accounting (e.g. name, company name, address, VAT/tax-related information), and records of services provided.

We do not knowingly process special categories of personal data under Art. 9 GDPR or “Sensitive Personal Information” as defined under the CCPA/CPRA.

4. How We Collect Personal Data

We collect personal data in the following ways:

Directly from you when you:

Send us an email;
Book a meeting through our Cal.com link;
Reply to one of our cold outreach emails.

Automatically when you:

Access and use our Website (server logs and privacy-friendly analytics generated by Burst Statistics).

From third-party sources (for Cold Email Outreach only):

Publicly available sources such as company websites, corporate registers, news articles, and professional social networks (e.g. LinkedIn);
B2B data providers, in particular Apollo.io (a US-based B2B contact database);
Web-scraping infrastructure (Apify Actors) used to collect publicly available business contact information from company websites and similar public sources.

We only collect business contact data of individuals in their professional capacity (employees, founders, decision-makers of legal entities). We do not knowingly collect data of private consumers for outreach purposes.

5. Purposes and Legal Bases of Processing (GDPR)

Where the GDPR applies, we rely on the following legal bases:

5.1 Website provision and server logs

Purpose: To provide the Website, ensure its stability and security, prevent misuse, and enable basic troubleshooting.

Data processed: Technical and usage data stored in server log files.

Legal basis: Our legitimate interests (Art. 6(1)(f) GDPR) in providing a secure and reliable Website and in IT security.

Retention: Server logs are stored by our hosting provider for a short rolling period (typically up to 30 days), unless longer storage is required for the investigation of a specific security incident.

5.2 Email communication and booking requests

Purpose: To respond to inbound inquiries, schedule meetings, provide information about our services, and initiate or perform a contract.

Data processed: Name, business / company name, business email address, content of your message, calendar booking data.

Legal basis:

Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR) where your request relates to entering into or performing a contract;
Our legitimate interests (Art. 6(1)(f) GDPR) in responding to general inquiries and maintaining business relationships.

Retention: We generally retain inquiries and related correspondence for at least 1 year after the last interaction, longer where necessary to establish, exercise or defend legal claims or to comply with statutory retention obligations.

5.3 Cold Email Outreach to business prospects

Purpose: To address potential business customers (B2B) in the United States with information about our agency services, to identify mutual fit, and to initiate a business relationship.

Data processed: First and last name, business email address, job title, company name, company website, industry, company size, LinkedIn URL (where applicable), engagement metadata such as opens, clicks and replies.

Source of data: Publicly available business sources, Apollo.io, and our own scraping pipelines built on Apify Actors. Data subjects are contacted in their professional capacity only.

Legal basis:

Our legitimate interests (Art. 6(1)(f) GDPR) in direct B2B marketing and acquiring new business customers. We have conducted a documented balancing test and concluded that the impact on data subjects is minimal because (i) only business contact data is processed, (ii) contact is limited to a small number of outreach emails, (iii) every email contains a clear and easy opt-out, and (iv) the data subject’s professional role implies a presumed interest in relevant business offers (§ 7(3) UWG analog reasoning for the EU; CAN-SPAM Act 15 U.S.C. § 7701 et seq. for US recipients).

Where the recipient is located in the EU/EEA and an explicit consent is required under § 7(2) No. 2 UWG, we obtain such consent before sending marketing emails. Our outreach is directed primarily at recipients in the United States.

Retention: Contact data of prospects is retained for as long as it is potentially relevant for outreach, but no longer than 24 months after the last meaningful interaction. Email addresses of recipients who have opted out are stored permanently on a suppression list for the sole purpose of ensuring we do not contact them again (Art. 6(1)(c) GDPR / CAN-SPAM Section 5).

5.4 Use of AI for personalization of outreach

Purpose: To draft and personalize outreach emails based on publicly available information about the recipient and their company.

Data processed: Name, company name, website content, LinkedIn information and similar publicly available business information; the personalized email draft.

Tools used: OpenAI API (OpenAI Ireland Ltd. / OpenAI, L.L.C., USA) for text generation; Instantly.ai AI features (where applicable) for personalization within the sending tool.

Legal basis: Our legitimate interests (Art. 6(1)(f) GDPR) in efficient and relevant business communication. We have configured our OpenAI usage so that prompts and outputs are not used for training of OpenAI models (API usage, opt-out by default per OpenAI policy).

Automated decision-making: We do not carry out automated decisions producing legal or similarly significant effects within the meaning of Art. 22 GDPR. AI is used only to assist in drafting communications, which are then reviewed and dispatched under human oversight.

5.5 Analytics (Burst Statistics)

Purpose: To analyze how our Website is used (e.g. visitor numbers, popular pages, referrers) in order to improve our content and user experience.

Data processed: Anonymized or pseudonymized usage data recorded by Burst (page views, sessions, approximate location at country level, referrers). IP addresses and full user-agent strings are processed transiently to derive analytics information but are not stored in Burst’s database. No analytics data is sent to third parties; all analytics data remains on our server. Burst is configured in cookieless mode.

Legal basis: Our legitimate interests (Art. 6(1)(f) GDPR) in obtaining privacy-friendly statistics about the use of our Website. Because no information is stored in or read from your terminal device, no consent under § 25 TDDDG is required.

Retention: Analytics data is retained for the period necessary for statistical evaluation, generally up to 24 months, after which it is deleted or further aggregated.

5.6 Accounting, invoicing and compliance

Purpose: To manage our customer relationships, issue invoices, maintain accounting records, and comply with tax and other legal obligations.

Legal basis:

Performance of a contract (Art. 6(1)(b) GDPR);
Legal obligations (Art. 6(1)(c) GDPR) under German commercial and tax law (in particular §§ 147 AO, 257 HGB);
Legitimate interests (Art. 6(1)(f) GDPR) in efficient administration and defense of legal claims.

Retention: 6 to 10 years under German law.

6. No User Accounts, Newsletters or Advertising Trackers

Our Website does not allow the creation of user accounts.
We do not operate a newsletter or marketing subscription on the Website.
We do not use third-party tracking pixels (e.g. Meta Pixel, LinkedIn Insight Tag, Google Ads, TikTok Pixel).
We do not use remarketing or retargeting tools.
We do not engage in cross-context behavioral advertising as defined under the CCPA/CPRA.

7. Cookies and Similar Technologies (§ 25 TDDDG)

Our Website does not intentionally deploy cookies or similar tracking technologies for advertising, analytics or cross-site profiling.

Burst Statistics is configured in cookieless mode and does not store information in or read information from your terminal device.
WordPress may set strictly necessary technical cookies (e.g. session cookies) only where required for site functionality; these are exempt from consent under § 25(2) No. 2 TDDDG.
We do not load Google Fonts, Google Maps, YouTube embeds, Vimeo embeds, LinkedIn or social plugins on our Website. All fonts are self-hosted.
Our Cal.com booking link opens only on user click in a new tab on cal.com’s own infrastructure. No content from Cal.com is embedded on our Website without your interaction.

If we introduce additional cookies or third-party services requiring consent in the future, we will implement an appropriate consent management platform before doing so.

8. Recipients and Categories of Recipients

We share personal data only where necessary for the purposes described above or where we are legally obliged to do so. Categories and concrete recipients include:

Category	Provider	Country	Purpose
Hosting	Powernetz	Germany	Website hosting
Email sending / cold outreach platform	Instantly.ai (Bunch Inc.)	USA	Sending and managing outreach emails
B2B data provider	Apollo.io (ZenProspect Inc.)	USA	Source of business contact data
Web scraping infrastructure	Apify s.r.o.	Czech Republic (EU); some Actors may run on US-based infrastructure	Collection of publicly available business data
AI text generation	OpenAI, L.L.C.	USA	Drafting and personalizing outreach emails
Scheduling	Cal.com, Inc. (linked, not embedded)	USA / EU	Meeting booking when you click the link
Email mailbox / workspace (sending infrastructure purchased via Instantly)	Google Workspace (Google Ireland Ltd. / Google LLC)	Ireland / USA	Email infrastructure for cold outreach and business correspondence
Tax advisor and accountant	German tax advisor	Germany	Bookkeeping and tax filings
Legal counsel	German law firm (case-by-case)	Germany	Legal advice and defense
Public authorities, courts	—	—	Where legally required

All processors act on our documented instructions under a data processing agreement (Art. 28 GDPR) or equivalent. We do not sell personal information, and we do not “share” personal information for cross-context behavioral advertising as defined under the CCPA/CPRA.

9. International Data Transfers

Some of our processors are located in or transfer data to the United States, including Instantly.ai, Apollo.io, OpenAI and Google (Google Workspace). When personal data is transferred to these recipients, we rely on the following safeguards:

EU-US Data Privacy Framework (DPF) where the recipient is self-certified under the DPF (this currently includes Google LLC and OpenAI, L.L.C.; we periodically verify certification status on dataprivacyframework.gov);
European Commission’s Standard Contractual Clauses (SCCs) in their 2021 version, combined with supplementary technical and organizational measures and a documented Transfer Impact Assessment (TIA) where the recipient is not DPF-certified (this currently includes Instantly.ai and Apollo.io);
Limiting the categories of data transferred to business contact data of professionals, which presents a lower risk profile than consumer or sensitive data.

You can request a copy of the relevant safeguards by contacting us at ben@elve-solutions.com.

10. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected:

Server logs: up to 30 days.
Inbound communication data: at least 1 year after the last interaction; longer where necessary for legal purposes.
Cold outreach prospect data: up to 24 months after the last meaningful interaction; thereafter deletion.
Suppression list (opt-out): stored permanently to ensure we do not re-contact you (legal obligation under CAN-SPAM and balancing of interests under GDPR).
Accounting and tax data: statutory periods of 6–10 years under German law.
Analytics data: up to 24 months.

11. Your Rights Under the GDPR (EU / EEA Residents)

To the extent the GDPR applies, you have the following rights:

Right of access (Art. 15 GDPR)
Right to rectification (Art. 16 GDPR)
Right to erasure (“right to be forgotten”, Art. 17 GDPR)
Right to restriction of processing (Art. 18 GDPR)
Right to data portability (Art. 20 GDPR)
Right to object (Art. 21 GDPR) — including the absolute right to object to direct marketing at any time. Upon objection, we will immediately cease processing your data for outreach and add your email address to our suppression list.
Right to withdraw consent (Art. 7(3) GDPR) with future effect, where processing is based on consent.
Right to lodge a complaint with a supervisory authority, in particular with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement. The supervisory authority competent for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2–4, 40213 Düsseldorf, Germany
https://www.ldi.nrw.de

You can exercise your rights by contacting us at ben@elve-solutions.com. We will respond without undue delay and in any case within one month, as required by Art. 12(3) GDPR.

12. Information Notice Under Art. 14 GDPR (Cold Outreach Recipients)

If you have received an email from us without having previously contacted us, this section applies to you in addition to the rest of this Privacy Policy:

Source of your data: Publicly available business sources, Apollo.io, and our own scraping pipelines built on Apify Actors. Data subjects are contacted in their professional capacity only.
Categories of data: name, business email address, job title, company name, company website, industry, LinkedIn URL (where available), engagement metadata.
Purpose: B2B direct marketing for our agency services.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in B2B customer acquisition).
Recipients: see Section 8.
International transfers: see Section 9.
Retention: see Section 10.
Your rights: see Section 11. You can object to further processing at any time, free of charge, by replying with the word “unsubscribe”, clicking the unsubscribe link in our email, or contacting ben@elve-solutions.com.

13. Information for US Residents (CCPA/CPRA and Other State Laws)

Our services are directed primarily at individuals in the United States in their professional capacity. Depending on your state of residence, you may have specific rights under state privacy laws including the CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), TDPSA (Texas) and similar laws.

13.1 Notice at Collection (CCPA § 1798.100(b))

In the 12 months preceding the date of this Privacy Policy, we collect and process the following CCPA categories of personal information about prospective business contacts:

CCPA Category	Examples	Source	Business Purpose	Sold?	Shared (cross-context behavioral ads)?	Retention
Identifiers	name, business email, LinkedIn URL	publicly available sources, Apollo.io, Apify scraping	B2B marketing, prospecting	No	No	up to 24 months
Commercial information	company name, industry, role	same	same	No	No	up to 24 months
Internet or other electronic network activity	email opens, clicks, replies; website server logs	our sending tool, our hosting	measure outreach performance, secure site	No	No	logs 30 d; outreach metadata 24 m
Professional or employment-related information	job title, employer, seniority	publicly available sources, Apollo.io	B2B targeting	No	No	up to 24 months
Geolocation data (approximate, country-level)	country derived from IP	our analytics	Website analytics	No	No	up to 24 months

We do not collect Sensitive Personal Information as defined under the CPRA. We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

13.2 Your US State Privacy Rights

Depending on your state, you may have the right to:

Know / access the categories and specific pieces of personal information we hold about you;
Delete personal information, subject to legal exceptions;
Correct inaccurate personal information;
Opt out of sale or sharing of personal information (we do not engage in either);
Opt out of targeted advertising (we do not engage in this);
Limit use of sensitive personal information (we do not process such data);
Non-discrimination for exercising your rights;
Appeal a denial of your request (Virginia, Colorado, Connecticut, Texas).

13.3 How to Exercise Your Rights

Contact us at ben@elve-solutions.com with the subject line “US Privacy Request“. We will verify your request using the email address from which you contact us and any additional information reasonably necessary. We respond within 45 days (extendable by another 45 days where permitted).

You may use an authorized agent to submit a request on your behalf; we may require written authorization and identity verification.

13.4 “Shine the Light” (California Civil Code § 1798.83)

California residents may request information about disclosures of personal information to third parties for the third parties’ direct marketing purposes. We do not disclose personal information for such purposes.

13.5 CAN-SPAM Act Compliance

All commercial emails sent by us comply with the CAN-SPAM Act (15 U.S.C. §§ 7701 et seq.):

We use accurate header information and non-deceptive subject lines.
We identify emails as commercial communications where required.
We include our valid physical postal address in every commercial email.
Every email contains a clear and conspicuous opt-out mechanism. Opt-out requests are honored within 10 business days, and opted-out addresses are added to a permanent suppression list.

14. Security

We implement appropriate technical and organizational measures (Art. 32 GDPR) to protect personal data, including:

Hosting with a reputable German provider (Powernetz);
TLS/HTTPS encryption for all data transmissions to and from the Website;
Access controls and the principle of least privilege for tools that process personal data;
Regular updates and maintenance of our WordPress installation, plugins, server environment and outreach infrastructure;
Multi-factor authentication on all administrative accounts;
Confidentiality obligations for any service provider with access to personal data.

No method of transmission over the internet is fully secure. In the event of a personal data breach posing a risk to data subjects, we will notify the competent supervisory authority within 72 hours in accordance with Art. 33 GDPR and, where required by Art. 34 GDPR, inform affected individuals without undue delay.

15. Children’s Privacy

Our Website and services are directed exclusively at adult business professionals. We do not knowingly collect personal data from children under 16 (EU/EEA, Art. 8 GDPR) or under 13 (United States, COPPA, 15 U.S.C. §§ 6501 et seq.). If you believe a child has provided us with personal data, please contact us so we can delete it.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this document and, where appropriate, provide additional notice on the Website. We encourage you to review this Privacy Policy periodically.

17. How to Contact Us

If you have any questions or wish to exercise your data protection rights:

elve solutions
Ben Kiemel
An der Alten Ziegelei 38
48157 Münster
Germany

Email: ben@elve-solutions.com