Privacy Policy
Preamble
With the following Privacy Policy, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) that we process, for what purposes, and to what extent. This Privacy Policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “Online Offer”).
The terms used are gender-neutral.
As of: April 18, 2026
Data Controller
IT & Consulting D. Meyer
Rödingsmarkt 9
20459 Hamburg
Germany
Email address: mail@bila.chat
Legal Notice: bila.chat/imprint
Overview of Data Processing
Types of data processed
Master data · Payment data · Contact data · Content data · Contract data · Usage data · Meta, communication, and process data · Contact information (Facebook) · Event data (Facebook) · Log data
Special categories of data
Health data
Categories of data subjects
Service recipients and clients · Employees · Prospective clients · Communication partners · Users · Business and contractual partners · Patients · Third parties
Purposes of processing
Provision of contractual services and fulfillment of contractual obligations · Communication · Security measures · Direct marketing · Audience measurement · Tracking · Office and organizational procedures · Remarketing · Conversion measurement · Click tracking · Audience targeting · Organizational and administrative procedures · Feedback · Marketing · Profiles containing user-related information · Provision of our online services and user-friendliness · IT infrastructure · Financial and payment management · Public relations · Sales promotion · Business processes and management procedures · Artificial intelligence (AI)
Applicable Legal Bases
Relevant Legal Bases Under the GDPR: Below is an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your country of residence or our country of domicile.
- Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of personal data concerning him or her for a specific purpose or for several specific purposes.
- Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the data subject’s request.
- Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
National Data Protection Regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Federal Data Protection Act (BDSG).
Relevant legal bases under the Swiss Data Protection Act: If you are located in Switzerland, we process your data based on the Federal Act on Data Protection (Swiss DPA). Unlike the GDPR, the Swiss DPA does not generally require that a legal basis for the processing of personal data be specified, provided that the processing is carried out in good faith and is lawful and proportionate (Art. 6(1) and (2) of the Swiss DPA).
Security Measures
We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of the processing, to ensure a level of protection appropriate to the risk.
These measures include safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as controlling access to, input of, and disclosure of the data, securing its availability, and keeping it segregated. Furthermore, we have established procedures that ensure the exercise of data subjects’ rights, the erasure of data, and responses to data breaches.
Securing online connections using TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services from unauthorized access, we rely on TLS/SSL encryption technology. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL.
Transfer of Personal Data
In the course of our processing of personal data, it may occur that such data is transferred to or disclosed to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, service providers entrusted with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, enter into appropriate contracts or agreements with the recipients of your data to ensure the protection of your data.
International Data Transfers
Data processing in third countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in connection with the use of third-party services, this is always done in accordance with legal requirements.
For data transfers to the U.S., we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of the European Commission dated July 10, 2023. In addition, we have entered into standard contractual clauses with the respective providers.
Further information on the DPF and a list of certified companies can be found on the U.S. Department of Commerce website at dataprivacyframework.gov.
Rights of Data Subjects
Rights of data subjects under the GDPR:
- Right to object: You have the right to object at any time to the processing of personal data concerning you that is carried out pursuant to Article 6(1)(e) or (f) of the GDPR.
- Right to withdraw consent: You have the right to withdraw any consent you have given at any time.
- Right of access: You have the right to request confirmation as to whether data concerning you is being processed, as well as access to this data and a copy of the data.
- Right to rectification: You have the right to request the completion of data concerning you or the rectification of inaccurate data.
- Right to erasure and restriction of processing: You have the right to request that data concerning you be erased without delay, or alternatively, to request a restriction on the processing of the data.
- Right to data portability: You have the right to receive the data concerning you in a structured, commonly used, and machine-readable format.
- Complaint to a supervisory authority: You have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State where you habitually reside.
Business Services
We process personal data of our contractual and business partners for the purpose of initiating, executing, and fulfilling contractual relationships as well as comparable legal relationships. We process master data, contact details, contract and service data, usage and service data, payment and billing data, as well as communication content and history.
Data is deleted as soon as it is no longer required for the aforementioned purposes and no statutory retention obligations preclude this. Statutory retention periods, particularly under commercial and tax law, may require longer storage.
Legal bases: Art. 6(1)(b) GDPR · Art. 6(1)(c) GDPR · Art. 6(1)(f) GDPR
Provision of the Online Service and Web Hosting
We process users’ data in order to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
Services used:
- Vercel: Services in the field of providing IT infrastructure and related services. Service provider: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. vercel.com/legal/privacy-policy. Basis for transfers to third countries: Standard Contractual Clauses.
- GitHub: Platform for version control of software projects. Service provider: GitHub B.V., Netherlands. GitHub Privacy Statement.
- Hostinger: IT infrastructure services. Service provider: Hostinger International Ltd, 61 Lordou Vironos Str., 6023 Larnaca, Cyprus. hostinger.de.
Use of Cookies
Cookies are functions that store and retrieve information on users’ end devices. We use cookies in accordance with legal requirements. We obtain users’ consent in advance when necessary. If consent is not required, we rely on our legitimate interests.
Storage duration:
- Session cookies: Deleted at the latest after a user leaves an online service and closes their device.
- Persistent cookies: Remain stored even after the device is closed. Storage duration may be up to two years unless otherwise specified.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
Services used:
- CookieConsent: Storage and management of consents, logging of user decisions, display of notices regarding data protection and cookies. cookieconsent.orestbida.com
Registration, Login, and User Accounts
Users can create a user account. During registration, users are informed of the required mandatory information, which is processed for the purpose of providing the user account. The processed data includes login information (username, password, and an email address).
Legal basis: Art. 6(1)(b) GDPR · Art. 6(1)(f) GDPR
Blogs and Publication Media
We use blogs or comparable means of online communication. Readers’ data is processed for the purposes of the publication medium only to the extent necessary for its presentation and for communication between authors and readers, or for security reasons.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
Contact and Inquiry Management
When contacting us (e.g., by mail, contact form, email, phone, or via social media), the information provided by the inquiring individuals is processed to the extent necessary to respond to contact inquiries and any requested actions.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) · Art. 6(1)(b) GDPR
Communication via Messenger
We use messengers for communication purposes. We would like to point out that, where a messenger uses end-to-end encryption, the content of communications is encrypted from end to end.
Services used:
- Telegram (historical — service decommissioned 2026-05-31): A cloud-based messaging service. Service provider: Representative in the EU: European Data Protection Office (EDPO), Avenue Huart Hamoir 71, 1030 Brussels, Belgium. telegram.org/privacy. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
- Instagram: Sending messages via the Instagram social network. Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
- WhatsApp: Communication service secured by end-to-end encryption. Service provider: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Chatbots and Chat Functions
We offer chatbot functions as communication options. When you use our chat services, we may process your personal data including identification number, content of conversations, and metadata.
Services used:
- ManyChat: Automated messaging, chatbot creation, social media integration. Service provider: ManyChat, Inc., 535 Everett Ave, Palo Alto, CA 94301, USA. manychat.com/legal/privacy. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Artificial Intelligence (AI)
We use artificial intelligence (AI), which involves the processing of personal data. Our AI systems are used in strict compliance with legal requirements, including the principles of lawfulness, transparency, fairness, human oversight, purpose limitation, data minimization, integrity, and confidentiality.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
Services used:
- Claude API (Anthropic): Interface access to AI-based services designed to understand and generate natural language. Service provider: Anthropic PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA. anthropic.com/legal/privacy. Basis for transfers to third countries: Standard Contractual Clauses.
- ChatGPT / OpenAI API: AI-based service for natural language understanding and generation. Service provider: OpenAI Ireland Ltd, 117–126 Sheriff Street Upper, D01 YC43 Dublin 1, Ireland. openai.com/policies/eu-privacy-policy. Basis for transfers to third countries: Standard Contractual Clauses.
- Google Gemini: AI system for advanced language and image processing. Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Web Analytics, Monitoring, and Optimization
Web analytics is used to evaluate visitor traffic to our online offering and may include pseudonymized data regarding visitors’ behavior, interests, or demographic information. Pseudonymous user profiles may be created using information from the use of various devices, whereby cookies may be used.
Security measures: IP masking (pseudonymization of the IP address)
Legal basis: Consent (Art. 6(1)(a) GDPR)
Services used:
- Google Analytics: We use Google Analytics to measure and analyze the use of our online offering based on a pseudonymous user identification number. Google Analytics does not log or store individual IP addresses for EU users. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. policies.google.com/privacy. Opt-out: tools.google.com/dlpage/gaoptout. Basis for transfers to third countries: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses.
- Google Tag Manager: Software tool that allows us to centrally manage website tags via a user interface. Service provider: Google Ireland Limited. Legal basis: Consent (Art. 6(1)(a) GDPR).
Online Marketing
We process personal data for the purpose of online marketing, which may include the marketing of advertising space or the display of advertising and other content based on users’ potential interests, as well as the measurement of its effectiveness.
Legal basis: Consent (Art. 6(1)(a) GDPR) · Legitimate interests (Art. 6(1)(f) GDPR)
Opt-out options:
- Europe: youronlinechoices.eu
- Global: optout.aboutads.info
Services used:
- Meta Pixel and Audience Targeting (Custom Audiences): Identification of visitors as a target audience for Meta ads. Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Legal basis: Consent (Art. 6(1)(a) GDPR). Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses.
- Facebook Ads / Instagram Ads: Placement of ads within Facebook and Instagram platforms. Service provider: Meta Platforms Ireland Limited. Legal basis: Consent (Art. 6(1)(a) GDPR).
- Google Ads and conversion tracking: Online marketing methods used to place content and ads within Google’s advertising network. Service provider: Google Ireland Limited. Legal basis: Consent (Art. 6(1)(a) GDPR). Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses.
Social Media Presence
We maintain online presences on social media platforms and process user data to communicate with users active on these platforms or to provide information about us.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
Platforms:
- Instagram: instagram.com — Privacy Policy: privacycenter.instagram.com/policy
- Facebook Pages: facebook.com — Privacy Policy: facebook.com/privacy/policy
- Telegram Channels (historical — decommissioned 2026-05-31): telegram.org — Privacy Policy: telegram.org/privacy
Changes and Updates
We ask that you regularly review the content of our Privacy Policy. We will update the Privacy Policy as soon as changes to our data processing activities make this necessary.
Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation or set of operations performed on personal data, whether or not by automated means.
- Controller: The natural or legal person that determines the purposes and means of the processing of personal data.
- Consent: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of personal data relating to them.
- Cookies: Functions that store and retrieve information on users’ end devices.
- Tracking: The ability to track users’ behavior across multiple online services.
- Remarketing: Technology used to remind users of products or services they have previously shown interest in.
- Conversion tracking: A method used to determine the effectiveness of marketing campaigns.
- Profiles containing user-related information: Automated processing of personal data to analyze or predict certain personal aspects relating to a natural person.