Privacy Policy
This is a convenience translation. In case of discrepancies, the German version prevails for users in Germany and the European Union.
1. Controller
The controller responsible for data processing on this website and in related communication channels is BuonaLabs™ UG (limited liability), Maria-Goeppert-Straße 3, 23562 Lübeck, Germany.
Represented by: Domingo Buonamassa
Email: [email protected] — Phone: +49 (0) 451 406-07833
2. Data Protection Officer
We have not appointed a data protection officer. Under the GDPR and applicable German law, such an appointment is not required for our current scope and type of processing activities.
For all privacy-related inquiries, please contact us directly using the contact details in Section 1.
3. Overview of Processing and Legal Bases
We process personal data only where necessary to operate this website, respond to inquiries, provide our agency services, conduct permitted marketing, comply with legal obligations, and improve user experience.
Personal data means any information relating to an identified or identifiable natural person.
Where we process personal data, we rely on the following legal bases under Article 6(1) GDPR, as applicable:
Art. 6(1)(a) GDPR — consent (e.g. newsletter subscription, non-essential cookies, analytics, and marketing tags).
Art. 6(1)(b) GDPR — performance of a contract or steps prior to entering into a contract (e.g. handling project inquiries and client communication).
Art. 6(1)(c) GDPR — compliance with a legal obligation (e.g. tax and commercial record-keeping).
Art. 6(1)(f) GDPR — legitimate interests (e.g. website security, server log analysis, responding to general inquiries, and B2B relationship management), provided your interests do not override ours.
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
4. Hosting, CDN, and Server Log Files
Our website is hosted on infrastructure provided by Amazon Web Services (AWS). Content delivery and security services are provided by Cloudflare. When you visit our website, these providers automatically collect technical information transmitted by your browser or device, such as IP address, date and time of access, requested URL, referrer URL, browser type, operating system, and error messages.
This data is processed to ensure the secure, stable, and efficient operation of the website, to detect abuse, and to troubleshoot technical issues. Processing is based on our legitimate interest in operating a secure website (Art. 6(1)(f) GDPR) and, where applicable, on performance of a contract with our hosting providers.
Server and CDN log data are typically retained for up to 30 days unless longer retention is required for security investigations or legal obligations.
5. Contact Form and Email Communication
If you contact us via the contact form or by email, we process the data you provide, such as name, email address, company, location, and the content of your message.
We use this information solely to handle your inquiry and communicate with you. Processing is based on Article 6(1)(b) GDPR where related to a contract inquiry, otherwise Article 6(1)(f) GDPR based on our legitimate interest in responding to inquiries.
Contact form submissions are transmitted via secure SMTP (TLS-encrypted) through Zoho Mail to our designated mailbox. We do not sell contact data to third parties.
Contact inquiries are generally retained for up to 24 months unless a business relationship continues or legal obligations require longer storage.
6. Newsletter (Double Opt-In)
If you subscribe to our newsletter, we process your email address and, where provided, your name and related subscription metadata. Subscription requires double opt-in: after registration, you receive a confirmation email and are only added to our mailing list once you confirm.
We use your data to send the newsletter and related information about our services. Processing is based on your consent (Art. 6(1)(a) GDPR). You may unsubscribe at any time via the link in each email or by contacting us. After unsubscribe, we stop sending newsletters and delete or restrict your data unless statutory retention obligations apply.
7. Customer Relationship Management (CRM)
We use an in-house customer relationship management system to document inquiries, project communication, and business relationships. Depending on context, we may process contact details, correspondence, project-related notes, and contractual information.
Processing serves the initiation, execution, and administration of business relationships and is based on Article 6(1)(b) GDPR for contractual relationships or Article 6(1)(f) GDPR for pre-contractual and B2B relationship management.
CRM data is retained for the duration of the business relationship and thereafter in accordance with statutory retention periods, generally up to 10 years where commercial or tax law requires.
8. Cookies and Consent (TTDSG)
We use cookies and similar technologies on this website. Under Section 25 of the German Telecommunications and Telemedia Data Protection Act (TTDSG), storing information on your device or accessing information already stored requires your consent, except where strictly necessary to provide a service you have explicitly requested.
Essential cookies are used for security, load balancing, language preference, and storing your cookie consent choice. Analytics and marketing technologies are loaded only after you consent via our cookie banner or settings.
For details on individual cookies, retention periods, and providers, please see our Cookie Policy.
9. Google Analytics 4
With your consent, we use Google Analytics 4 (measurement ID: G-ZLXBY0Q7Q4) to understand how visitors use our website. Google Analytics uses cookies and similar technologies to collect usage data such as pages viewed, session duration, approximate location (derived from IP address), device type, and referral source.
Analytics is never loaded before you consent. We configure Google Analytics to respect consent requirements, anonymize IP addresses where supported, and minimize unnecessary data collection.
Google may process data on servers outside the European Union, including in the United States. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission.
You can withdraw consent at any time via our cookie settings. Further information is available in Google's privacy policy.
10. Meta Pixel and Google Ads Tags
With your consent, we may use Meta Pixel (Facebook/Instagram) and Google Ads conversion/remarketing tags to measure campaign performance and reach interested audiences.
These technologies may collect identifiers, device information, and interaction data. They are activated only after you provide consent through our cookie settings.
Meta and Google may process data outside the EU/EEA. Where required, appropriate safeguards such as Standard Contractual Clauses are used.
11. Embedded Content from Our Own Services
This website displays portfolio media (images and videos) served from our subdomain lab.buonalabs.com and blog previews from blog.buonalabs.com, which is operated with Ghost CMS. When this content loads, your browser transmits technical data (such as your IP address) to those servers.
We operate these services and process related technical data under this policy for the purpose of presenting our work and content.
12. Mobile Applications and SDKs
BuonaLabs and affiliated companies may offer mobile applications (including apps built with Expo/React Native). Those apps may use in-app analytics or advertising SDKs that process device identifiers, usage data, and, where permitted, advertising-related data.
Processing in mobile apps is governed by the respective app privacy notices and consent mechanisms. This website privacy policy applies to buonalabs.com and related web services, not to standalone app stores or separate product websites unless expressly stated.
13. Recipients and Processors
We share personal data with service providers only where necessary and under contractual data processing agreements, including:
Amazon Web Services (AWS) — hosting infrastructure;
Cloudflare — CDN, security, and performance services;
Zoho Mail — email delivery for contact form and business communication;
Google Ireland Ltd. / Google LLC — Google Analytics 4 and Google Ads, where consented;
Meta Platforms Ireland Ltd. / Meta Platforms Inc. — Meta Pixel, where consented;
Ghost Foundation — blog CMS hosting for blog.buonalabs.com.
Processors may only use data on our documented instructions and must implement appropriate security measures.
14. Transfers to Third Countries
Some of the providers listed above process data outside the European Economic Area, particularly in the United States. Where such transfers occur, we ensure appropriate safeguards under Chapter V GDPR, such as Standard Contractual Clauses, supplementary measures where required, and provider certifications where applicable.
You may request further information on safeguards by contacting us.
15. Retention Periods
We retain personal data only as long as necessary for the purposes described in this policy, unless longer retention is required by law.
Server and CDN logs: generally up to 30 days.
Contact inquiries: generally up to 24 months, unless a business relationship continues.
Newsletter data: until unsubscribe, plus limited retention for proof of consent where required.
CRM and contractual data: for the duration of the relationship and statutory retention periods (typically up to 10 years for commercial/tax records).
Cookie consent records: generally up to 12 months, aligned with consent validity.
16. Obligation to Provide Data
You are not legally obliged to provide personal data when visiting our website. However, if you wish to contact us or subscribe to our newsletter, we require the data marked as necessary to process your request. Without this data, we may be unable to respond or provide the requested service.
17. No Automated Decision-Making
We do not use personal data for automated decision-making or profiling within the meaning of Article 22 GDPR.
18. Your Rights
Under the GDPR, you have the right to access, rectification, erasure, restriction of processing, data portability, and objection to processing based on legitimate interests (Art. 6(1)(f) GDPR).
Where processing is based on consent, you may withdraw consent at any time.
You have the right to object at any time to processing for direct marketing purposes, including profiling related to such marketing (Art. 21 GDPR).
You also have the right to lodge a complaint with a supervisory authority.
19. Supervisory Authority
The competent supervisory authority for Schleswig-Holstein is the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD), Holstenstraße 98, 24103 Kiel, Germany.
Website: https://www.datenschutzzentrum.de
20. Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or misuse, including encrypted transport (HTTPS/TLS), access controls, secure handling of contact form submissions, and contractual safeguards with processors.
21. Changes
We may update this Privacy Policy from time to time. The current version is always available on this page.
Last updated: July 2026.