Privacy Policy

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

CCX Consulting
David Lesnik
Gewerbegebiet Ost 15
91085 Weisendorf
Germany

Email: info@meilen-koenig.de

2. Overview of processing operations

Types of data processed

  • Master data (e.g. name)
  • Contact data (e.g. email address)
  • Usage data (e.g. pages visited, access time)
  • Meta/communication data (e.g. IP address, browser type)
  • Payment data (transmitted directly to Stripe)

Categories of data subjects

  • Visitors and users of the website
  • Newsletter subscribers
  • Buyers of digital products (Premium Handbook, AudioBook, Bundle)
  • Users of the MEILENKÖNIG AI assistant (free and premium access)
  • Coaching customers

Purposes of processing

  • Provision of the website and its functions
  • Sending of the free guide and newsletter
  • Processing of purchases and payments
  • Provision of the MEILENKÖNIG AI assistant (chat processing, profile management)
  • Performance of coaching services (video calls)
  • Ensuring IT security

Legal bases (Art. 6 GDPR)

  • Art. 6 (1) lit. a GDPR - Consent (e.g. newsletter)
  • Art. 6 (1) lit. b GDPR - Performance of a contract (e.g. order processing)
  • Art. 6 (1) lit. f GDPR - Legitimate interests (e.g. IT security)

3. Hosting

We host our website with the following provider:

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany

Server location: Germany (EU)

Data processed: IP address, browser type and version, operating system, referrer URL, hostname of the accessing computer, time of the server request.

Storage period: Server logs are automatically deleted after 7 days.

Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in a secure and efficient provision of the website).

A data processing agreement (DPA) pursuant to Art. 28 GDPR has been concluded with Hetzner. Hetzner's privacy policy: https://www.hetzner.com/de/legal/privacy-policy

4. SSL encryption

For security reasons and to protect the transmission of confidential content, this website uses SSL encryption (HTTPS).

You can recognize an encrypted connection by the fact that the browser's address bar changes from "http://" to "https://" and by the lock symbol in your browser bar.

5. Newsletter / Free Guide

When you request the free guide offered on the website, the following data is processed:

Data processed: First name, email address

Purpose: Sending the free guide by email and, where applicable, occasional information about our products

Legal basis: Art. 6 (1) lit. a GDPR (consent). Upon signing up, you expressly consented to the data processing.

Storage period: Until you withdraw your consent.

Right of withdrawal: You can withdraw your consent at any time, e.g. by email to info@meilen-koenig.de or via the unsubscribe link in every email.

6. Email delivery

For sending emails (free guide, purchase confirmations, download links) we use a self-hosted solution.

Email management: Listmonk (self-hosted on Hetzner Cloud, Germany)

SMTP delivery: Hetzner Konsole H (mail.your-server.de, Germany)

Server location: Germany (EU) – no transfer to third countries

Data processed: Email address, first name, sign-up date

Purpose: Transactional emails (purchase confirmations, download links) and newsletter delivery

A data processing agreement (DPA) pursuant to Art. 28 GDPR has been concluded with Hetzner.

7. Email automation

We send automated follow-up emails to inform you about our products.

Timing of the automated emails:

  • Free guide subscribers: Day 3 (follow-up) and Day 7 (premium reminder)
  • Premium buyers: Day 2 (usage tips) and Day 14 (feedback request)

Stored data: Flags in the subscriber profile (e.g. sent_followup_3d, sent_reminder_7d) to avoid duplicate sending

Legal basis: Art. 6 (1) lit. a GDPR (consent). Upon signing up, you expressly consented to receiving emails.

Unsubscribe: You can unsubscribe at any time via the unsubscribe link in every email or by email to info@meilen-koenig.de.

8. Object storage (PDF downloads)

The PDF files (free guide and Premium Handbook) are provided in secure object storage.

Service provider: Hetzner Object Storage (location: Nuremberg, Germany)

Purpose: Secure storage and delivery of the PDF downloads

Technical implementation: Download links are generated as pre-signed URLs that are valid for 72 hours.

Data protection: No personal data is stored in the object storage itself – only the PDF files.

Legal basis: Art. 6 (1) lit. b GDPR (performance of a contract – provision of the purchased/requested content)

9. Coaching / Video calls

For 1:1 coaching appointments we use Microsoft Teams.

Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland

Data processed: Name, email address, video and audio data during the call, chat messages (if used)

Purpose: Performance of the booked coaching session

Legal basis: Art. 6 (1) lit. b GDPR (performance of a contract)

Transfer to third countries: Microsoft is certified under the EU-U.S. Data Privacy Framework. Data is processed primarily in EU data centers.

Microsoft's privacy policy:
https://privacy.microsoft.com/de-de/privacystatement

10. Payment processing (Stripe)

For payment processing we use the Stripe service.

Service provider: Stripe Inc., 510 Townsend Street, San Francisco, CA 94103, USA

Data processed: Payment data (e.g. credit card number), email address, name

Important: Your full payment data (e.g. credit card number) is transmitted directly to Stripe and never stored on our servers.

Legal basis: Art. 6 (1) lit. b GDPR (performance of a contract)

Transfer to third countries: Stripe is certified under the EU-U.S. Data Privacy Framework, which ensures an adequate level of data protection for transfers to the USA (adequacy decision of the EU Commission of 10 July 2023).

Stripe's privacy policy: https://stripe.com/de/privacy

11. Cookies

This website uses cookies and similar technologies. You can change your cookie settings at any time via the "Cookie settings" link in the footer of this website.

Cookie categories

Category Name Purpose Storage period
Necessary cookie-consent Stores your cookie settings (localStorage) Unlimited (until deleted)
Statistics - Umami Analytics (cookieless, only with consent) No cookies
Marketing - Not used -

Legal bases:

  • Necessary cookies: Art. 6 (1) lit. f GDPR (legitimate interest), § 25 (2) TTDSG
  • Statistics cookies: Art. 6 (1) lit. a GDPR (consent), § 25 (1) TTDSG

12. Web analytics (Umami)

To improve our website we use Umami Analytics - a privacy-friendly, cookieless analytics solution operated on our own servers.

Service provider: Self-hosted on Hetzner (Germany, EU)

Data processed:

  • Page views and pages visited
  • Browser type and operating system
  • Country (derived, not exact geolocation)
  • Referrer (where you came from)
  • Screen resolution

NOT processed:

  • IP addresses (are not stored or processed)
  • Personal data
  • Cross-site tracking
  • Cookies or persistent identifiers

Legal basis: Art. 6 (1) lit. a GDPR (consent). Analysis only takes place if you have consented to the "Statistics" category in the cookie settings.

Right of withdrawal: You can withdraw your consent at any time by changing the cookie settings in the footer.

13. Privacy-friendly design

To protect your privacy, we deliberately do without external services that transmit data to third parties:

  • Fonts: All fonts are hosted locally (no Google Fonts)
  • Analytics: Self-hosted Umami Analytics (no data transfer to third parties)
  • Social media: No social media plugins or share buttons
  • Tracking: No use of Google Analytics, Facebook Pixel or similar tracking services

14. Your rights (data subject rights)

You have the following rights with regard to your personal data:

  • Right of access (Art. 15 GDPR): You can request information about the data we have stored about you.
  • Right to rectification (Art. 16 GDPR): You can request the correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR): You can request the deletion of your data, provided that no statutory retention obligations conflict with this.
  • Restriction of processing (Art. 18 GDPR): You can request the restriction of processing.
  • Data portability (Art. 20 GDPR): You can request to receive your data in a structured, commonly used format.
  • Right to object (Art. 21 GDPR): You can object to the processing of your data.
  • Withdrawal of consent (Art. 7 (3) GDPR): You can withdraw consent given at any time.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority.

To exercise your rights, please contact: info@meilen-koenig.de

15. Supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is:

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
Germany

Website: https://www.lda.bayern.de

16. Storage period

We only store your data for as long as is necessary for the respective purposes or for as long as statutory retention obligations exist:

  • Newsletter/guide data: Until you withdraw your consent
  • Purchase data: 10 years (statutory retention obligation under HGB/AO)
  • Server logs: 7 days
  • Stripe data: In accordance with Stripe's privacy policy

17. AI chat (OpenAI)

We offer an AI-supported chat assistant that advises you on questions about miles and points.

Service provider: OpenAI, Inc., 3180 18th Street, San Francisco, CA 94110, USA

Data processed:

  • Your chat messages (for conversation and analysis, see below)
  • Randomly generated session ID (to distinguish conversations)
  • Anonymized IP hash (for abuse prevention, see below)

IP-based abuse protection:

  • Maximum of 20 messages per IP address within 24 hours
  • After reaching the limit: 48-hour cooldown
  • IP addresses are stored as anonymized hashes
  • IP hashes are automatically deleted after 48 hours
  • Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest – protection against API abuse)

Chat analysis (Umami):

  • Your chat messages are stored anonymized in our self-hosted analytics tool (Umami)
  • Purpose: Improving our service and understanding frequent questions
  • No link to your email address or other personal data
  • Storage location: Our own EU server (Hetzner, Germany)
  • Legal basis: Art. 6 (1) lit. a GDPR (consent at chat start)

NOT processed:

  • No link to your other data (email, name, etc.)
  • No use for training AI models (in accordance with the OpenAI API ToS)

Purpose: Answering your questions about miles and points strategies

Legal basis: Art. 6 (1) lit. a GDPR (consent). You expressly consent to the data processing before first using the chat.

Transfer to third countries: OpenAI is certified under the EU-U.S. Data Privacy Framework, which ensures an adequate level of data protection for transfers to the USA (adequacy decision of the EU Commission of 10 July 2023).

Storage period: Your messages are stored only in the browser memory (sessionStorage) for the duration of the browser session and are automatically deleted when the browser is closed.

Right of withdrawal: You can stop using the chat at any time. To delete previous messages, simply close the browser or delete the website data in your browser settings.

OpenAI's privacy policy: https://openai.com/policies/privacy-policy

20. Changes to the privacy policy

We reserve the right to adapt this privacy policy so that it always complies with the current legal requirements or in order to implement changes to our services.

The new privacy policy will then apply to your next visit.

19. MEILENKÖNIG AI assistant

Data processing in the AI chat

When you use the MEILENKÖNIG AI assistant (ki.meilen-koenig.de), your chat messages are transmitted to the Anthropic API (Claude) in order to generate a response. Your messages are:

  • Processed to answer your question
  • Stored in your chat session (for the chat history)
  • NOT used to train AI models
  • NOT passed on to third parties

Profile data

When registering for the AI assistant, we optionally store: email address (for authentication), selected credit cards, estimated spending and travel destinations (for personalized advice). You can delete this data at any time.

Data processing (AI provider)

Service provider: Anthropic, PBC, 548 Market St., PMB 90375, San Francisco, CA 94104, USA

We use the Anthropic API (Claude) to process your questions. Anthropic processes the data on the basis of a data processing agreement (DPA). Anthropic does not store API data and does not use it for training (Zero Data Retention Policy).

Transfer to third countries (USA): The data transfer to the USA takes place on the basis of Standard Contractual Clauses (SCCs) pursuant to Art. 46 (2) lit. c GDPR, which have been agreed with Anthropic. In addition, Anthropic has implemented technical and organizational measures that ensure the protection of the transmitted data (Transfer Impact Assessment carried out).

Purpose: Processing of user inquiries to provide personalized advice on miles, points and credit cards

Legal bases:

  • Performance of a contract (Art. 6 (1) lit. b GDPR) for chat processing for paying customers
  • Consent (Art. 6 (1) lit. a GDPR) for the processing of optional profile data
  • Legitimate interest (Art. 6 (1) lit. f GDPR) for fair-use monitoring and abuse prevention

Storage period

  • Chat messages: Until deletion by the user or 12 months after last activity
  • Profile data: Until deletion by the user or cancellation of the subscription
  • Usage data (fair use): 30 days
  • At Anthropic: No storage (Zero Data Retention Policy)

Cookies (AI assistant)

The AI assistant uses exclusively technically necessary cookies (session token for the login status). No tracking or third-party cookies are used.

Your rights

You can delete your chat histories and profile data yourself at any time. In addition, you are entitled to the data subject rights listed in section 14. To exercise your rights, please contact info@meilen-koenig.de.

As of: April 2026