Privacy Policy
Last updated: 06 August 2025
1. Overview
General information
The following notes provide a simple overview of what happens to your personal data when you visit this website. Personal data means any information relating to an identified or identifiable natural person. Detailed information can be found in the sections below.
Who is responsible for data processing on this website?
Data processing on this website is carried out by the website operator. The operator’s contact details are listed in the section “Controller”.
How do we collect your data?
Some data is collected when you provide it to us (e.g., via the contact form). Other data is collected automatically or with your consent by our IT systems when you visit the website (e.g., browser, operating system, time of access). Collection starts automatically as soon as you enter the website.
What do we use your data for?
We use data to provide the website without errors, to ensure security and prevent attacks, and—if you consent—to analyze usage and measure reach.
What rights do you have?
You have the right at any time to receive free information about the origin, recipients and purpose of your stored personal data, and to request rectification, erasure, restriction of processing, data portability, and to object to certain processing operations. You can withdraw consent at any time with effect for the future. You also have the right to lodge a complaint with a supervisory authority. You can contact us at any time regarding these and other privacy questions.
Analytics and third-party tools
When you visit this website, your browsing behavior may be statistically evaluated, primarily using analytics programs. Details are provided below.
2. Hosting
RAIDBOXES
We host our website with RAIDBOXES. Provider: Raidboxes GmbH, Hafenstraße 32, 48153 Münster, Germany(“RAIDBOXES”). When you visit the website, RAIDBOXES collects server log files (IP address, date/time, referrer URL, requested resources, user agent, error codes where applicable), which are required for delivery, security and stability.
Details: https://raidboxes.io/legal/privacy/
We have concluded a Data Processing Agreement (DPA) with RAIDBOXES. Information and conclusion: https://raidboxes.io/dpa/
The use of RAIDBOXES is based on Art. 6(1)(f) GDPR (legitimate interest in reliable and secure provision of our website). Where consent is requested, processing is based exclusively on Art. 6(1)(a) GDPR in conjunction with Section 25(1) TTDSG (Germany) for storing/accessing information on the end device; consent can be withdrawn at any time.
3. General information and mandatory information
Controller
The controller responsible for processing on this website is:
Melly & Martin Photography GbR
Melanie Ober & Martin Loch
Ernst-Mey-Straße 16
04229 Leipzig, Germany
Phone: +49 151 17537 118
E-mail: info@mellyandmartin.com
The controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data.
Storage duration
Unless a more specific storage period is stated in this privacy policy, personal data will remain with us until the purpose of processing no longer applies. Statutory retention obligations remain unaffected.
Legal bases
Depending on the process, we rely on Art. 6(1)(a) GDPR (consent), Art. 6(1)(b) GDPR (contract or pre-contractual steps), Art. 6(1)(c) GDPR (legal obligation) or Art. 6(1)(f) GDPR (legitimate interests). Where information is stored on or accessed from your device, this is—if required—based on Section 25(1) TTDSG (consent) or Section 25(2) TTDSG(strictly necessary).
Note on transfers to third countries (incl. USA)
Some providers process data in the USA or other non-EU countries. Where a provider is certified under the EU-U.S. Data Privacy Framework (DPF), transfers may rely on that framework; otherwise, providers typically rely on the EU Standard Contractual Clauses (SCCs) and additional measures. See the respective provider notices for details.
Withdrawal of your consent
Many processing operations are only possible with your express consent. You can withdraw consent at any time; the lawfulness of processing up to the withdrawal remains unaffected.
Right to object under Art. 21 GDPR
You have the right to object at any time on grounds relating to your particular situation to processing based on Art. 6(1)(e) or (f) GDPR, including profiling. Where data is processed for direct marketing, you may object at any time; this also applies to profiling related to such direct marketing.
Right to complain to a supervisory authority
You have the right to file a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement.
SSL/TLS encryption
This site uses SSL/TLS encryption. You can recognize an encrypted connection by the “https://” and the lock icon in your browser.
4. Data collection on this website
Server log files at the hoster
RAIDBOXES automatically collects and stores information in server log files that your browser transmits (see “Hosting”).
Cookies
We use technically necessary cookies and—subject to your consent—optional cookies/technologies for statistics, marketing and comfort. Necessary cookies are processed on the basis of Art. 6(1)(f) GDPR in conjunction with Section 25(2) TTDSG. Optional cookies are used only with consent (Art. 6(1)(a) GDPR, Section 25(1) TTDSG). You can configure your browser to block or delete cookies; functionality may be limited.
Consent Management Tool (CMT)
We use a consent management tool to obtain and manage consents. The CMT logs consents/withdrawals, sets technically necessary cookies, and controls the loading of external services only after you have agreed. Legal basis: Art. 6(1)(c) GDPR (documenting consent) and Art. 6(1)(f) GDPR (lawful collection/management). For the activation of consent-required services: Art. 6(1)(a) GDPR, Section 25(1) TTDSG.
Contact form / e-mail / phone
If you contact us, we process your details to handle your request. Legal bases: Art. 6(1)(b) GDPR (contractual/pre-contractual communication) or Art. 6(1)(f) GDPR (general inquiries). Data is retained until your request is completed or statutory obligations require longer retention.
Communication via WhatsApp (Business)
We use WhatsApp Business (provider: WhatsApp Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland). Content is end-to-end encrypted; metadata (e.g., sender/recipient, timestamps) may be processed. Legal basis: Art. 6(1)(b) GDPRor Art. 6(1)(f) GDPR; where applicable Art. 6(1)(a) GDPR (consent). Transfers to the USA may rely on the EU-U.S. DPF and/or SCCs. Details: https://www.whatsapp.com/legal/business-data-transfer-addendum
We have configured the app so that no automatic address book sync is performed. A DPA has been concluded.
5. Social media / embeds
Meta (Facebook plugins, Like/Share)
When activated (only after consent), a connection to Meta’s servers is established. Meta can associate activities with your profile. Joint controllership under Art. 26 GDPR is limited to collection/transfer; further processing is carried out by Meta. Legal basis: Art. 6(1)(a) GDPR, Section 25(1) TTDSG (consent) or Art. 6(1)(f) GDPR (visibility in social media). Data transfers to the USA may rely on DPF/SCCs. Controller Addendum / policy: https://www.facebook.com/legal/controller_addendum, https://www.facebook.com/policy.php
Instagram features (Meta)
The same applies to Instagram embeds (e.g., feeds/buttons). Legal bases as above; transfers to the USA may rely on DPF/SCCs. Controller Addendum: https://www.facebook.com/legal/controller_addendum.
Note: Until you consent, such content is not loaded (placeholder display).
6. Analytics and advertising
Google Tag Manager
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Tag Manager itself does not set cookies and does not create profiles; it serves to deploy other tags. Legal basis: Art. 6(1)(f) GDPR (efficient management); for tags requiring consent: Art. 6(1)(a) GDPR, Section 25(1) TTDSG.
Google Analytics (GA4)
We use Google Analytics 4. Google processes measurement data, among other things, in EU data regions; IP addresses are not stored in GA4. Legal basis: Art. 6(1)(a) GDPR, Section 25(1) TTDSG (consent). You can manage consent in the CMT. Transfers to the USA may rely on the EU-U.S. DPF and/or SCCs.
Browser opt-out: https://tools.google.com/dlpage/gaoptout
Google Ads & Conversion Tracking
If enabled and consented, we use Google Ads including conversion tracking to measure the success of ads. Legal basis: Art. 6(1)(a) GDPR, Section 25(1) TTDSG (consent) or Art. 6(1)(f) GDPR (legitimate interest in effective marketing). Transfers to the USA may rely on DPF/SCCs.
Meta Pixel (Facebook/Instagram)
If enabled and consented, we use the Meta Pixel for conversion measurement/remarketing. Legal basis: Art. 6(1)(a) GDPR, Section 25(1) TTDSG (consent). Joint controllership (Art. 26 GDPR) with Meta Platforms Ireland Ltd. for collection/transfer (Controller Addendum: https://www.facebook.com/legal/controller_addendum). Transfers to the USA may rely on DPF/SCCs.
7. Plugins and tools
Vimeo (Do-Not-Track mode)
Provider: Vimeo.com, Inc., 555 West 18th Street, New York, NY 10011, USA. When visiting pages with Vimeo videos—after consent—a connection to Vimeo is established. We use the Do-Not-Track mode where available (no tracking cookies). Legal basis: Art. 6(1)(a) GDPR, Section 25(1) TTDSG (consent) or Art. 6(1)(f) GDPR (appealing presentation). Privacy: https://vimeo.com/privacy (transfers to the USA may rely on DPF/SCCs).
Local fonts (Google Fonts – self-hosted)
This website uses locally hosted fonts. The font files are stored on our servers and delivered from there. No connection to Google servers is established, and no personal data is transmitted to Google in connection with font delivery.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in consistent, performant presentation). Under Section 25(2) TTDSG, this is a strictly necessary function—no consent is required.
Google Maps
Provider: Google Ireland Limited. When using map functions—after consent—IP addresses, etc., are transmitted to Google. Legal basis: Art. 6(1)(a) GDPR, Section 25(1) TTDSG. Further information: Google Privacy Policy.
8. Audio and video conferencing
We use Zoom for online meetings (Zoom Video Communications, Inc., 55 Almaden Blvd, 6th Floor, San Jose, CA 95113, USA). Metadata (e.g., IP/device data, start/end, duration, participants) and—depending on usage—content data (chat, audio/video) may be processed. Legal bases: Art. 6(1)(b) GDPR (contract/pre-contractual communication) or Art. 6(1)(f) GDPR (efficient communication); where applicable Art. 6(1)(a) GDPR (consent). Transfers to the USA may rely on the EU-U.S. DPF and/or SCCs.
Privacy: https://zoom.us/de-de/privacy.html
We have concluded a DPA with Zoom. Data we process directly is deleted when the purpose ceases or you object/withdraw consent; statutory obligations remain unaffected.
9. Your rights
Access, rectification, erasure, restriction, data portability
You have the statutory data subject rights (Arts. 15–21 GDPR). You can contact us at any time regarding these rights or any other privacy questions.
Objection to unsolicited marketing e-mails
We hereby object to the use of contact data published within the legal notice obligations for sending unsolicited advertising and information materials.
10. Changes to this Privacy Policy
We may amend this Privacy Policy to reflect changes in the law, our services or technical developments. The current version is available on this page.