Privacy Policy

Last updated: March 2026

1. Data Controller and Contact

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection provisions is:

MOTH Studios / Iterion UG (haftungsbeschränkt)
[Address to be added]
10115 Berlin

Email: hello@moth-studios.de
Website: www.moth-studios.de

The appointment of a data protection officer is not legally required, as our company generally does not employ more than 20 persons permanently engaged in automated processing of personal data (§ 38(1) BDSG). For data protection enquiries, please contact us at the email address above.


2. Data Processing on Our Website

2.1 Encrypted Communication

For security reasons and to protect the transmission of personal data, our website uses TLS encryption (recognisable by "https://" in the browser address bar). This means that data you transmit to us cannot be read by third parties.

2.2 Accessing the Website / Server Log Files

Each time our website is accessed, our hosting provider (Cloudflare, Inc., USA) automatically collects data and information from the accessing system. The following data is collected:

  • IP address of the requesting computer
  • Date and time of access
  • Name and URL of the retrieved page
  • Website from which access is made (referrer URL)
  • Browser used and, if applicable, the operating system of your computer
  • Name of your access provider

The temporary storage of this data is technically necessary for the provision of the website. The data is stored in Cloudflare's server log files for a maximum of 24 hours and then automatically deleted.

The legal basis is Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in the proper provision and security of our website.

2.3 Contact

If you contact us by email, the data you provide (e.g. your name, email address and your message) will be stored by us in order to process your enquiry and in case of follow-up questions. The data will be deleted once the enquiry, including any follow-up questions, has been conclusively dealt with, unless statutory retention obligations apply (generally 6 to 10 years pursuant to § 257 HGB and § 147 AO).

The legal basis is Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in processing your enquiry).

The provision of your email address is necessary for contact purposes, as we would otherwise be unable to respond. There is no legal or contractual obligation to provide this data.

2.4 Appointment Booking (Cal.com)

On our website, we offer you the option of booking appointments with us via the service Cal.com (Cal.com, Inc., USA). The booking widget is only loaded after you actively click the corresponding button. Before this click, no data is transmitted to Cal.com and no cookies from Cal.com are set.

When you load the widget and book an appointment, the data you enter (e.g. name, email address, desired appointment) is transmitted to Cal.com and processed there. Cal.com may also set its own cookies that are necessary for the functionality of the booking tool.

Your booking data will be stored for as long as necessary for the appointment processing and any follow-up communication, generally until the completion of the booked appointment plus any statutory retention periods.

The legal basis for loading the widget is your consent by click pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG. The legal basis for processing the booking data is Art. 6(1)(b) GDPR (pre-contractual measures). The provision of data is necessary for booking an appointment; without this information, no appointment can be booked.

As Cal.com, Inc. is based in the USA, personal data may be transferred to the USA. For more details, see Section 5 (Data Transfer to Third Countries).


3. Use of Technologies

3.1 Cookies and Local Storage

Our website only uses technically necessary cookies that are required for the operation of the site (e.g. language selection). These cookies do not contain personal data and are automatically deleted at the end of the browser session. Tracking cookies or cookies for advertising purposes are not used.

The legal basis for the use of technically necessary cookies is § 25(2) No. 2 TDDDG and Art. 6(1)(f) GDPR.

3.2 Google Fonts (Self-Hosted)

Our website uses fonts from Google Fonts. These are downloaded at build time and served from our own server (self-hosting via Next.js). No connection to Google servers is made when visiting our website, and no data is transmitted to Google.

3.3 Automated Decision-Making

No automated decision-making including profiling pursuant to Art. 22 GDPR takes place.


4. Disclosure of Data

Your personal data will not be transferred to third parties for purposes other than those listed below. We only share your personal data with third parties if:

  • you have given your express consent (Art. 6(1)(a) GDPR),
  • the disclosure is necessary for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding legitimate interest in not having your data disclosed (Art. 6(1)(f) GDPR),
  • there is a legal obligation for the disclosure (Art. 6(1)(c) GDPR), and
  • this is legally permissible and necessary for the processing of contractual relationships with you (Art. 6(1)(b) GDPR).

To provide our website and services, we use the following data processors:

  • Cloudflare, Inc. (USA) — Hosting and delivery of the website (Content Delivery Network)
  • Cal.com, Inc. (USA) — Appointment booking service (only loaded after your active consent)

We have concluded data processing agreements with these service providers in accordance with Art. 28 GDPR.


5. Data Transfer to Third Countries

Insofar as we process data in a third country (i.e. outside the European Union or the European Economic Area) or this occurs in the context of the use of third-party services, this only takes place if it is for the fulfilment of our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation, or on the basis of our legitimate interests.

The transfer of personal data to the USA to Cloudflare, Inc. and Cal.com, Inc. is based on the adequacy decision of the European Commission on the EU-U.S. Data Privacy Framework (DPF) pursuant to Art. 45 GDPR. Cloudflare is certified under the EU-U.S. Data Privacy Framework. Additionally, Standard Contractual Clauses (Art. 46(2)(c) GDPR) are in place as additional safeguards in case the DPF certification should lapse.

You can check the certification status of the aforementioned companies at https://www.dataprivacyframework.gov/list.


6. Storage Duration

We store your personal data only for as long as is necessary for the fulfilment of the purposes for which it was collected, or as required by law. The following specific periods apply:

  • Server log files (Cloudflare): maximum 24 hours
  • Contact enquiries: until processing is complete, then in accordance with statutory retention periods (up to 10 years per § 257 HGB / § 147 AO)
  • Appointment booking data: until completion of the appointment and any follow-up communication, then in accordance with statutory retention periods

After the respective purpose ceases to apply or these periods expire, the corresponding data is routinely deleted or blocked.


7. Your Data Protection Rights

7.1 Overview of Your Rights

You have the following rights with regard to your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing (Art. 21 GDPR)

7.2 Right to Withdrawal and Objection

If your personal data is processed on the basis of consent pursuant to Art. 6(1)(a) GDPR, you have the right to withdraw your consent at any time (Art. 7(3) GDPR). The withdrawal does not affect the lawfulness of the processing carried out until the withdrawal. You may declare the withdrawal by email to hello@moth-studios.de.

If we base the processing of your personal data on the balancing of interests pursuant to Art. 6(1)(f) GDPR, you may object to the processing. This is the case if the processing is not necessary in particular for the performance of a contract with you. When exercising such an objection, we ask that you explain the reasons why we should not process your personal data as we have done.

7.3 Right to Lodge a Complaint with the Supervisory Authority

You have the right pursuant to Art. 77 GDPR to lodge a complaint with a data protection supervisory authority about our processing of your personal data. The competent supervisory authority for us is:

Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstr. 219
10969 Berlin
Phone: +49 30 13889-0
Email: mailbox@datenschutz-berlin.de
Website: https://www.datenschutz-berlin.de


8. Obligation to Provide Personal Data

The provision of personal data is neither legally nor contractually required. You are not obliged to provide personal data. However, failure to provide certain data may mean that you cannot use individual functions of our website (e.g. contact, appointment booking).


9. Changes to This Privacy Policy

We reserve the right to amend this privacy policy to ensure that it always complies with current legal requirements or to implement changes to our services. The new privacy policy will then apply to your next visit.