Privacy Policy (Datenschutzerklärung)
1. Controller (Verantwortlicher)
Louis Sieg
ReadySecGo
Herwarthstraße 31
50672 Köln, Germany
Email: info@readysecgo.com
Phone: +49 221 29887384
2. Scope of This Policy
This policy covers three distinct contexts in which we process personal data. Where a section applies to only one context, this is stated explicitly.
- (A) Website — our public site at readysecgo.com, including the Knowledge Hub, the contact form, the self-assessment quiz, and the booking link.
- (B) Consulting Services — the information-security and compliance advisory work we perform for clients (internal audit, gap analysis, audit readiness, virtual CISO), and the business communication around it.
- (C) Compliance App — our compliance-automation application at app.readysecgo.com. The app is currently in a limited pre-launch / beta phase.
3. What Data We Collect and Why
3.1 Website (A)
Contact form. When you submit a contact request, we collect your name, email address, company name, and your message. We use this solely to respond to your inquiry. Submissions are processed in our CRM (HubSpot).
Self-assessment quiz. If you choose to receive your quiz results by email, we collect your email address and your answers and forward them to HubSpot to generate and send your results. This happens only with your explicit consent, which you may withdraw at any time at info@readysecgo.com.
Knowledge Hub. Public articles are served from our headless CMS (Sanity). If you sign in to the Knowledge Hub, authentication is handled by Supabase, which sets strictly necessary session cookies (see section 7).
Server logs. Our hosting provider (Vercel) automatically records technical access data including IP address, browser type, pages visited, and timestamps. We use this for security and performance and do not use it to identify you.
Booking. The contact page links out to Google Calendar to book a consultation. We do not embed Google Calendar on our pages; data is only transmitted to Google after you actively click the booking link and open Google in a new tab.
3.2 Consulting Services (B)
To deliver and administer our advisory services we process the business-contact and engagement data of clients and their staff — for example names, business email addresses, roles, and the content of our correspondence and project documentation. We use Google Workspace for business email, calendar, and document handling, and HubSpot to manage the client relationship.
Where, in the course of an engagement, we process personal data contained in a client’s own systems or documents strictly on that client’s behalf and under their instructions, the client is the controller and we act as a processor under a separate data-processing agreement (Art. 28 GDPR). This policy then governs only the data for which ReadySecGo is itself the controller.
3.3 Compliance App — app.readysecgo.com (C)
When you use the app we process the account and usage data needed to operate it — for example your name, email address, authentication identifiers, and the records you create in the application. Authentication and the application database are provided by Supabase; the application is hosted on Vercel. Both are configured for EU data residency (see sections 5 and 6).
For personal data that customers upload into the app about their own staff or third parties, the customer is the controller and ReadySecGo acts as a processor under a data-processing agreement (Art. 28 GDPR). As the app is in a limited beta, this section will be expanded before general availability.
4. Legal Bases for Processing
We process your data on the following legal bases under the GDPR:
- Art. 6(1)(b) GDPR — performance of a (pre-)contractual obligation: responding to inquiries, delivering consulting services, and operating the app for account holders.
- Art. 6(1)(a) GDPR — consent: sending quiz results by email, and any non-essential cookies once a consent banner is in use.
- Art. 6(1)(f) GDPR — legitimate interest: operating a secure and functional website and app (server logs, error monitoring, abuse prevention).
- Art. 6(1)(c) GDPR — legal obligation: statutory commercial and tax retention duties.
5. Recipients and Processors
We do not sell your personal data. We share data only with service providers acting as processors under Art. 28 GDPR. The core processing of website, services, and app data takes place inside the European Union; residual non-EU flows are described in section 6.
| Processor | Context | Purpose | Data region |
|---|---|---|---|
| Vercel Inc. | Website, App | Hosting, edge delivery, server logs | EU (Frankfurt) origin; global edge CDN |
| Supabase Inc. | Website, App | Authentication and application database | EU |
| Sanity AS | Website | Headless CMS and image delivery (no account PII stored) | EU (Belgium); global image CDN |
| HubSpot Ireland Ltd. | Website, Services | CRM, contact form, quiz results | EU (Frankfurt); some sub-processors in the US |
| Google (Google Workspace / Google Ireland Ltd.) | Services, Website | Business email, calendar, documents; consultation booking link-out | EU with residual US transfers |
We have data-processing agreements in place with our processors in accordance with Art. 28 GDPR; copies are available on request. A complete, current list of sub-processors for the app will be maintained for app customers as part of their data-processing agreement.
6. International Data Transfers
The core processing of your data takes place in the European Union: website and app hosting with Vercel (Frankfurt region), authentication and database with Supabase (EU region), CRM with HubSpot (Frankfurt data residency), and the headless CMS with Sanity (Belgium). We select EU hosting regions wherever a provider offers them.
Certain residual flows may nonetheless reach the United States: (i) the global edge and image CDNs of Vercel and Sanity may serve cached responses from non-EU points of presence; (ii) HubSpot and Google rely on US-based sub-processors for parts of their service. Where recipients in the US process data, transfers are made primarily on the basis of the EU-U.S. Data Privacy Framework (adequacy decision of 10 July 2023, Art. 45 GDPR) and, in addition, on Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
7. Cookies and Similar Technologies
This website sets technically necessary cookies for authentication when you sign in to the Knowledge Hub (Supabase). Pages that embed or link to third-party services may cause those services to set their own cookies and receive your IP address only after you interact with them. We do not currently use analytics or marketing cookies. If we introduce non-essential cookies, we will first obtain your consent through a consent banner.
| Name | Purpose | Lifetime | Category / Basis |
|---|---|---|---|
| sb-<id>-auth-token | Knowledge Hub authentication | Session | Strictly necessary · §25(2) no. 2 TDDDG |
| sb-<id>-refresh-token | Authentication token renewal | Until logout | Strictly necessary · §25(2) no. 2 TDDDG |
8. Data Retention
- Contact inquiries — up to 6 months, unless an ongoing business relationship is established.
- CRM / client records — for the duration of the business relationship and any applicable statutory retention periods (up to 10 years for commercial and tax records under German HGB and AO).
- Quiz data — retained until you withdraw consent or object.
- App account data — for the duration of the account, then deleted or anonymised subject to statutory retention duties.
- Server logs — short-term, for security and performance purposes only.
9. Your Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR) — request a copy of the data we hold about you
- Right to rectification (Art. 16 GDPR) — request correction of inaccurate data
- Right to erasure (Art. 17 GDPR) — request deletion of your data
- Right to restriction (Art. 18 GDPR) — request limited processing of your data
- Right to data portability (Art. 20 GDPR) — receive your data in a structured, machine-readable format
- Right to object (Art. 21 GDPR) — object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3) GDPR) — withdraw any consent you have given, with effect for the future
To exercise any of these rights, contact us at info@readysecgo.com.
10. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. The competent authority for North Rhine-Westphalia is:
Landesbeauftragte für Datenschutz und Informationsfreiheit NRW (LDI NRW)
Kavalleriestraße 2–4, 40213 Düsseldorf
www.ldi.nrw.de
11. Changes to This Policy
We may update this privacy policy from time to time. The current version is always available at this URL. Last updated: June 2026.