
Privacy Policy
1. Introduction
Protecting your personal data is of the utmost importance to us. This privacy policy explains what data we collect, how we use it, and what rights you have under the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the Telemedia Act (TMG).
The data controller for this website is:
Sarah Hartel | sarahby
Borromäerinnenstraße 89
51688 Wipperfürth
Germany
Phone: +49 (0) 1578 7071867
Email: sarah@sarah-by.com
2. General Information on Data Processing
We process personal data only to the extent necessary for providing a functional website, our content, and services. Processing is generally only carried out with your consent or when permitted by law.
Legal bases for processing:
Art. 6(1)(a) GDPR: based on your consent
Art. 6(1)(b) GDPR: for performance of a contract or pre-contractual measures
Art. 6(1)(c) GDPR: to fulfill legal obligations
Art. 6(1)(f) GDPR: for legitimate interests (e.g. technically necessary cookies)
3. Hosting & Content Management
Our website is built on Squarespace and hosted by IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and efficient website delivery)
4. Data Collection on This Website
a) Access Data & Server Logs
The following data is automatically collected when you visit the site:
IP address (anonymized)
Date and time of access
Accessed page/file
Browser type and OS
Referrer URL
This data is used solely to ensure site functionality and is not merged with other data sources.
Legal basis: Art. 6(1)(f) GDPR
b) Contact Forms (Squarespace & Typeform)
If you contact us via form, we process the personal data you voluntarily provide. Depending on the form, this may include:
Name
Email
Phone number
Age
Occupation
Goals, desires, challenges
Free-text personal info
Data is collected solely to prepare for consultations, respond to your inquiries, or explore potential collaboration.
Legal basis:
Art. 6(1)(b) GDPR (pre-contractual steps)
Art. 9(2)(a) GDPR (consent for sensitive data)
Data will not be shared with third parties and will be deleted after 6 months unless further cooperation is established.
5. Use of Cookies
Our website uses cookies and similar technologies. Upon your first visit, you can manage preferences via Squarespace’s consent tool.
Technically necessary cookies: Art. 6(1)(f) GDPR
Analytics & marketing cookies: Art. 6(1)(a) GDPR (consent required)
You can withdraw your consent at any time.
6. Analytics & Marketing Tools
We use the following tools to analyze usage and optimize advertising. Data processing takes place only with your explicit consent via the cookie banner (Art. 6(1)(a) GDPR), unless otherwise stated.
a) Google Tag Manager
Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland
The tool manages other tags and does not collect personal data itself.
Legal basis: Art. 6(1)(f) GDPR
b) Google Analytics
Google Ireland Ltd. – IP anonymization is enabled.
Data collected:
Truncated IP address
Browser & OS
Referrer
Server request time
Click and scroll behavior
Data may be transferred to the USA based on Standard Contractual Clauses (SCCs).
Opt-out: Google Analytics Opt-out Browser Add-on
c) Meta Pixel
Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland
Tracks user actions after Meta ad interactions.
Collected data:
Device & browser info
IP address
Page views
Interactions
Transfer to the USA based on SCCs.
Opt-out via your Facebook settings.
d) Google Ads & Remarketing
Google Ireland Ltd.
Shows targeted ads across Google’s network based on prior interactions.
Collected data:
IP address
Usage data
Page views
Interactions
Transfer: USA (SCCs).
Opt-out via Google Ads Settings
e) LinkedIn Insight Tag
LinkedIn Ireland Unlimited Company
Provides anonymized reports and audience insights.
Collected data:
URL
Referrer
IP address
Device/browser
Timestamp
Opt-out via LinkedIn cookie preferences.
f) Hotjar
Hotjar Ltd., Malta
Visual behavior analytics (clicks, scrolls, mouse movements).
IP is anonymized; data is not personally identifiable.
Opt-out: Deactivate Hotjar Tracking
Note: Tools are only active after your cookie consent. You can withdraw this at any time via the footer link or browser settings.
7. Newsletter & Email Marketing
a) Provider & Processing
We use KlickTipp (KLICK-TIPP LIMITED, UK) to send newsletters.
Data is stored on EU servers and processed under a data processing agreement per Art. 28 GDPR. No transfers outside the EU.
Processed data:
Email address (required)
First name (optional)
IP address and timestamp at signup
Legal basis: Art. 6(1)(a) GDPR (consent)
b) Double Opt-In
Registration follows a double opt-in. A confirmation email is required before activation.
c) Performance Tracking
KlickTipp tracks open rates and clicks pseudonymously.
You may opt out by unsubscribing from the newsletter.
d) Revocation of Consent
Unsubscribe anytime via the link in emails or by contacting: sarah@sarah-by.com
8. Embedded Content & Third-Party Services
a) YouTube
Google Ireland Ltd.
Your IP address is transmitted when playing embedded videos. If logged into YouTube, your behavior may be linked to your profile.
Legal basis: Art. 6(1)(a) GDPR (cookie consent)
Transfer: USA (SCCs)
b) Social Media Links
Our site links to external profiles (Instagram, Facebook, LinkedIn, YouTube, Spotify). No data is processed by us; third-party policies apply.
c) Cal.com
For simplified appointment scheduling, we use the service cal.com, operated by Cal.com, Inc., 2261 Market Street #4451, San Francisco, CA 94114, USA.
When using the booking form on our website, the following data may be processed:
Name
Email address
Optional: phone number
Selected appointment time
Data transmission is encrypted. Cal.com processes data solely on the basis of a data processing agreement pursuant to Art. 28 GDPR. Data transfers to the USA are carried out based on EU Standard Contractual Clauses in accordance with Art. 46 GDPR.
Legal basis: Art. 6(1)(b) GDPR (appointment scheduling)
Data transfer: USA – Standard Contractual Clauses
d) HubSpot
HubSpot Inc., USA
Used for managing contacts, forms, and email communications.
Transfer: USA (SCCs)
Legal basis: Art. 6(1)(b) and (f) GDPR
e) Meta Business Manager
Used to manage Meta Ads. No data is collected directly, but data may be shared via the Meta Pixel (see section 6c).
Legal basis: Art. 6(1)(a) GDPR
9. Data Transfers to Third Countries
Some tools (e.g., Google, Meta, Hotjar) transfer data to third countries such as the USA, under SCCs pursuant to Art. 46(2)(c) GDPR.
10. Your Rights
You have the right to:
Access (Art. 15 GDPR)
Rectification (Art. 16 GDPR)
Erasure (Art. 17 GDPR)
Restriction (Art. 18 GDPR)
Data portability (Art. 20 GDPR)
Objection (Art. 21 GDPR)
To exercise these rights, simply email: sarah@sarah-by.com
You also have the right to lodge a complaint with the relevant supervisory authority.
11. Updates to This Privacy Policy
This privacy policy is current as of June 1, 2025.
Future updates due to technical or legal changes will be published here.