Privacy Policy

Last updated: 19 June 2026

1. Introduction

This Privacy Policy informs you about the nature, scope, and purposes of the processing of personal data in connection with your use of our websites:

We process personal data in accordance with the provisions of the General Data Protection Regulation ("GDPR"), the German Federal Data Protection Act ("BDSG"), the German Telecommunications Digital Services Data Protection Act ("TDDDG", formerly TTDSG), and the professional confidentiality obligations applicable to attorneys under German law.

2. Controller

The controller within the meaning of Art. 4(7) GDPR is:

Dr. Theresa Rath, Fasanenstr. 15, 10623 Berlin, Germany

and

Dr. Julius Hagen, Couvenstr. 4, 40211 Düsseldorf, Germany

Email: info@rh-legal.eu
Phone: +4930-75438452 and +49211-97632101

3. Hosting and Content Delivery

3.1 Hosting Provider

Our websites are hosted by:

Vercel Inc.
440 N Barranca Avenue #4133
Covina, CA 91723
United States

3.2 Categories of Data Processed

When you access our websites, the following information may be processed automatically:

  • IP address
  • Date and time of access
  • Requested URL and resources
  • Browser type and version
  • Operating system
  • Referrer URL
  • HTTP status codes
  • Other technical information necessary for website delivery and security

3.3 Purposes of Processing

Processing is carried out for the purposes of:

  • Providing and maintaining the website
  • Ensuring system security and stability
  • Detecting and preventing misuse and cyberattacks
  • Performance optimization and troubleshooting

3.4 Legal Basis

The legal basis for this processing is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, reliable, and efficient operation of our online services.

3.5 International Data Transfers

As Vercel is headquartered in the United States, personal data may be transferred to countries outside the European Economic Area ("EEA").

Where such transfers occur, they are based on appropriate safeguards pursuant to Art. 44 et seq. GDPR, including:

  • Standard Contractual Clauses adopted by the European Commission;
  • Data Processing Agreements pursuant to Art. 28 GDPR;
  • Additional technical and organizational measures where appropriate.

Further information is available in Vercel's Privacy Policy.

4. Server Log Files

Our hosting provider automatically collects and stores information in server log files.

Purposes

  • Maintaining system security
  • Monitoring system performance
  • Investigating technical incidents
  • Preventing unauthorized access and abuse

Legal Basis

Art. 6(1)(f) GDPR.

Retention Period

Server log data is generally retained for a period of 7 to 14 days unless longer retention is required for security investigations or legal obligations.

5. Website Analytics

5.1 Analytics Provider

We use PostHog Ltd. for website analytics.

5.2 Configuration

PostHog is configured in a privacy-conscious manner and, where technically feasible, without the use of tracking cookies.

5.3 Categories of Data Processed

  • Pages visited
  • User interactions and events
  • Technical device information
  • Browser information
  • Approximate geographic location
  • Truncated or shortened IP information where applicable

5.4 Purposes

  • Understanding website usage
  • Improving website functionality and user experience
  • Measuring website performance

5.5 Legal Basis

Where analytics processing does not require consent under applicable law, processing is based on Art. 6(1)(f) GDPR.

Where consent is legally required, processing is based on Art. 6(1)(a) GDPR in conjunction with applicable cookie and tracking regulations.

5.6 Retention

Analytics data is retained only for as long as necessary for the stated purposes and in accordance with configured retention settings.

Further information can be found in PostHog's Privacy Policy.

6. Contact Forms and Client Communications

6.1 Categories of Data Processed

When you contact us via contact forms, email, telephone, or other communication channels, we may process:

  • Name
  • Email address
  • Telephone number
  • Company information (if provided)
  • Subject matter of the inquiry
  • Information relating to legal matters
  • Any additional information voluntarily provided

Legal inquiries may contain special categories of personal data within the meaning of Art. 9 GDPR.

6.2 Purposes

We process such information for:

  • Responding to inquiries
  • Providing legal advice and legal services
  • Conflict checks
  • Establishing, performing, and administering mandates
  • Exercising or defending legal claims

6.3 Legal Basis

Depending on the nature of the communication, processing is based on:

  • Art. 6(1)(b) GDPR (pre-contractual measures and contract performance);
  • Art. 6(1)(f) GDPR (legitimate interests in effective communication and client management);
  • Art. 9(2)(f) GDPR (establishment, exercise, or defense of legal claims);
  • Art. 9(2)(a) GDPR where explicit consent is obtained and required.

6.4 Security

Communications transmitted through our website are protected using current TLS/SSL encryption technology.

Please note that email communications over the internet may contain inherent security risks. Where particularly sensitive information is involved, we may recommend alternative secure communication channels.

7. Email Communication and Infrastructure

7.1 Service Provider

We use:

Sendinblue GmbH (Brevo)
Köpenicker Straße 126
10179 Berlin
Germany

for email processing and communication management.

7.2 Categories of Data Processed

Brevo may process:

  • Email addresses
  • Names
  • Telephone numbers (if provided)
  • Message contents
  • Communication metadata
  • Delivery and technical information
  • IP addresses where technically necessary

7.3 Purposes

  • Receiving and sending emails
  • Ensuring reliable email delivery
  • Managing communications with clients and prospective clients
  • Preventing abuse and ensuring system security

7.4 Legal Basis

  • Art. 6(1)(b) GDPR;
  • Art. 6(1)(f) GDPR.

7.5 Data Processing Agreement

A Data Processing Agreement pursuant to Art. 28 GDPR has been concluded with Brevo.

7.6 International Transfers

Where Brevo or its subprocessors process data outside the EEA, appropriate safeguards pursuant to Art. 44 et seq. GDPR are implemented.

Further information can be found in Brevo's Privacy Policy.

8. Attorney-Client Confidentiality

As a law firm, we are subject to statutory confidentiality obligations, including but not limited to:

  • § 43a Bundesrechtsanwaltsordnung (BRAO);
  • § 203 German Criminal Code (StGB);
  • Applicable professional rules governing attorneys.

All information entrusted to us in the course of legal representation is treated as strictly confidential.

9. Retention of Personal Data

Unless a longer retention period is required by law, personal data is retained only for as long as necessary to fulfill the purposes for which it was collected.

Retention periods may include:

  • General inquiries: until the inquiry has been fully resolved;
  • Mandate and client files: in accordance with applicable legal retention obligations, generally between six and ten years after completion of the mandate;
  • Accounting and tax-related records: as required by statutory retention requirements.

After expiration of the applicable retention period, data will be deleted or anonymized unless further retention is required by law or necessary for the establishment, exercise, or defense of legal claims.

10. Recipients of Personal Data

Personal data may be disclosed only where necessary and legally permissible.

Recipients may include:

  • Hosting providers;
  • Analytics providers;
  • Email and communication service providers;
  • IT and technical support providers acting as processors;
  • Courts, authorities, regulatory bodies, and law enforcement agencies where required by law;
  • Other recipients where disclosure is necessary for legal representation or the performance of a mandate.

We do not sell personal data to third parties.

11. Cookies and Similar Technologies

Our websites currently do not use tracking cookies for advertising or behavioral profiling purposes.

If cookies or similar technologies requiring consent are implemented in the future:

  • Appropriate consent mechanisms will be provided;
  • Processing will comply with applicable GDPR and TDDDG requirements;
  • This Privacy Policy will be updated accordingly.

Technically necessary cookies may be used where required for the operation and security of the website.

12. Technical and Organizational Security Measures

Pursuant to Art. 32 GDPR, we implement appropriate technical and organizational measures to protect personal data, including:

  • TLS/SSL encryption;
  • Access control mechanisms;
  • Role-based authorization systems;
  • Secure hosting infrastructure;
  • Logging and monitoring systems;
  • Regular software updates and security maintenance;
  • Measures designed to ensure confidentiality, integrity, availability, and resilience of systems.

13. Rights of Data Subjects

Subject to the applicable legal requirements, you have the following rights:

  • Right of access (Art. 15 GDPR);
  • Right to rectification (Art. 16 GDPR);
  • Right to erasure (Art. 17 GDPR);
  • Right to restriction of processing (Art. 18 GDPR);
  • Right to data portability (Art. 20 GDPR);
  • Right to object to processing (Art. 21 GDPR);
  • Right to withdraw consent at any time with future effect where processing is based on consent.

To exercise these rights, please contact us using the details provided in Section 20.

14. Right to Lodge a Complaint

You have the right to lodge a complaint with a competent data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement.

A list of German supervisory authorities is available from the respective state data protection authorities.

15. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.

16. Provision of Personal Data

The provision of personal data is generally voluntary.

However, certain information may be necessary for:

  • Responding to inquiries;
  • Conducting conflict checks;
  • Establishing attorney-client relationships;
  • Performing contractual and legal obligations.

Failure to provide such information may prevent us from processing your request or providing legal services.

17. Amendments to This Privacy Policy

We reserve the right to amend this Privacy Policy at any time in order to reflect changes in legal requirements, regulatory guidance, technical developments, or our processing activities.

The version published on this website at the time of your visit shall apply.

18. Applicable Legal Framework

This Privacy Policy is intended to comply with:

  • Regulation (EU) 2016/679 (GDPR);
  • German Federal Data Protection Act (BDSG);
  • German Telecommunications Digital Services Data Protection Act (TDDDG);
  • Applicable professional regulations governing attorneys in Germany.

Nothing in this Privacy Policy shall limit statutory rights or obligations arising under applicable law.

19. Contact Regarding Data Protection

For all questions concerning data protection or the exercise of your rights, please contact:

Dr. Theresa Rath, Fasanenstr. 15, 10623 Berlin, Germany

or

Dr. Julius Hagen, Couvenstr. 4, 40211 Düsseldorf, Germany

Email: info@rh-legal.eu
Phone: +4930-75438452 or +49211-97632101

Table of Contents
Privacy Policy - Rath Hagen Rechtsanwälte – Criminal Defense Lawyers in Germany