1. Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) is:
Michel Köster
BAREON Studios
Gretchenbrink 18
31789 Hameln
Germany
Phone: +49 176 70458712
Email: contact@bareonstudios.com
Website: http://bareonstudios.com/
2. General Information on Data Processing
The protection of your personal data is important to us. We process personal data exclusively in accordance with applicable legal provisions, in particular the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), and the Telecommunications and Digital Services Data Protection Act (TDDDG).
Personal data refers to any information relating to an identified or identifiable natural person. This includes, in particular, your name, contact information, IP address, communication content, and any information you provide to us in connection with an inquiry or job application.
We process personal data only to the extent that there is a legal basis for doing so. The respective purposes, legal bases, and retention periods are set forth in the following sections.
3. Accessing the Website, Hosting, and Technical Provision
When you access our website, your device’s browser automatically transmits information to the server or to the hosting infrastructure we use. In particular, the following data is processed:
• IP address
• Date and time of access
• Page or file accessed
• Referrer URL
• Browser type and browser version
• Operating system used
• Hostname of the accessing computer
• Name of the access provider
This data is processed to technically provide the website, ensure stability and security, and detect and prevent misuse.
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure and functional provision of our website.
To the extent that further storage occurs in server log files, this data is generally deleted after no later than 7 days, unless longer retention is necessary to investigate security incidents or to assert, exercise, or defend legal claims.
We use Framer as our website builder and hosting provider for the technical development and operation of the website. Framer may process personal data on our behalf, in particular technical access data and, where applicable, form content. This processing is carried out on the basis of a data processing agreement in accordance with Article 28 of the GDPR, to the extent that Framer acts as a data processor.
Provider: Framer B.V., Netherlands. Framer provides further information at https://www.framer.com/legal/privacy-statement/ and https://www.framer.com/legal/data-processing-addendum/.
Framer uses a globally distributed hosting infrastructure. It cannot therefore be ruled out that personal data may also be transferred to third countries, in particular the United States. To the extent that a transfer to a third country takes place, it is based on an adequacy decision, appropriate safeguards within the meaning of Art. 44 et seq. of the GDPR, in particular EU Standard Contractual Clauses, or another legal basis.
4. Framer Analytics and Reach Measurement
Framer may provide technical and statistical information regarding website usage through its platform. According to Framer, Framer Analytics operates without cookies or persistent identifiers; the IP address and user agent are hashed using a salt that changes daily to generate daily values. This is not intended to identify individual visitors.
To the extent that personal data is processed in this context, such processing is carried out for the technical evaluation and improvement of the website based on Article 6(1)(f) of the GDPR. Our legitimate interest lies in analyzing the reach and technically optimizing our website. If analysis or marketing services requiring consent are used in the future, their use will only occur with prior consent.
5. Contacting Us via Email, Phone, or the Contact Form
If you contact us via email, phone, or the contact form provided on the website, we will process the personal data you provide to handle your inquiry and communicate with you. This includes, in particular:
• Name
• Email address
• Phone number, if provided
• Company, if provided
• Content of your message
• Technical metadata of the transmission, to the extent that this is necessary for the provision and security of the form
Required fields are necessary for us to process your inquiry. Additional information is voluntary.
The legal basis is Article 6(1)(b) of the GDPR, insofar as your inquiry is aimed at initiating or performing a contract, and Article 6(1)(f) of the GDPR, insofar as your inquiry is of a different nature. Our legitimate interest lies in the proper processing of inquiries directed to us. In the exceptional case where consent is obtained, the legal basis is Article 6(1)(a) of the GDPR.
The data will be deleted as soon as your inquiry has been fully processed and there are no legal retention obligations or legitimate interests in further storage. As a rule, deletion occurs once the purpose of processing no longer applies, but no later than after 3 years, unless longer retention is required.
6. Applications and Job Postings
If you apply to us via our job postings, by email, through an application form, or via a platform we use, we will process the personal data you provide for the purpose of conducting the application process. This may include, in particular, the following data:
• Name and contact information
• Resume, cover letter, portfolio, and other application documents
• Information regarding education, qualifications, professional experience, and skills
• Communication data and interview notes
• Links to professional profiles or work samples, if applicable
• Other data you provide to us as part of the application
The legal basis is Article 6(1)(b) of the GDPR in conjunction with Section 26(1) of the BDSG, insofar as the processing is necessary for the decision regarding the establishment of an employment or freelance relationship. If you voluntarily provide us with special categories of personal data within the meaning of Article 9(1) of the GDPR, processing will only take place to the extent that this is necessary for the application process or you have given your consent. The legal bases in these cases may be Article 9(2)(b) of the GDPR, Section 26(3) of the BDSG, or Article 9(2)(a) of the GDPR.
If the application is submitted via an external platform, the respective platform operator also processes personal data in accordance with its own privacy policy.
In the event of a successful application, the data may be transferred to a personnel or contract file and further processed for the purpose of carrying out the employment or contractual relationship. In the event of a rejection, we generally delete application data no later than 6 months after the conclusion of the application process, unless longer storage is necessary to assert, exercise, or defend legal claims. Longer inclusion in a talent pool occurs only with your consent; you may revoke this consent at any time with future effect.
7. Fonts
This website uses fonts. The fonts are embedded locally or within the project. They are processed solely for the purpose of ensuring a consistent and user-friendly presentation of the website. No fonts from external third-party providers are loaded.
The legal basis is Article 6(1)(f) of the GDPR. Our legitimate interest lies in the appealing, consistent, and technically efficient presentation of our website.
8. Cookies and Similar Technologies
Our website may use technically necessary cookies or similar technologies that are required to provide the website and enable basic functions.
To the extent that information is stored or retrieved on your device via cookies or similar technologies, this is done for technically necessary processes in accordance with Section 25(2) of the German Telecommunications Data Protection Act (TDDDG). The subsequent processing of personal data is based on Article 6(1)(f) of the GDPR. Our legitimate interest lies in the technical provision and security of the website.
We use cookies, tracking technologies, or similar services that are not technically necessary only with your consent. The legal basis for this is Section 25(1) of the TDDDG and Article 6(1)(a) of the GDPR.
To the best of our knowledge, we currently do not use any cookies or external tracking services that are not technically necessary. If such services are integrated in the future, this privacy policy will be updated and, where necessary, a consent mechanism will be provided.
9. Online Presence on Social Networks and Platforms
We maintain an online presence on LinkedIn, Instagram, and Upwork to showcase our company and our services, communicate with prospective clients, customers, and other users, and increase our visibility and reach. To the extent that users contact us via these platforms or interact with our content, we process the data transmitted to us in this context—in particular, usernames, profile information, message content, and interaction data—to handle the respective inquiry and to promote our company’s public image.
The legal basis is Article 6(1)(f) of the GDPR. Our legitimate interest lies in communicating with users, promoting our company, and maintaining business contacts. To the extent that contact is made for the purpose of concluding or performing a contract, the additional legal basis is Article 6(1)(b) of the GDPR.
Please note that when you visit our profiles, personal data is also processed by the respective platform operator. We have only limited influence over the nature, scope, and purposes of this data processing by the platform operators. The platform operators regularly process usage data for their own purposes as well, in particular to provide the platform, to analyze user behavior, and for security and marketing purposes. In this regard, the privacy policies of the respective providers apply.
9.1 LinkedIn
We maintain a company profile on LinkedIn. When you visit our LinkedIn page, LinkedIn processes users’ personal data. When LinkedIn provides us with so-called Page Insights for our page, LinkedIn processes the personal data of members who visit, follow, or interact with our page. Under LinkedIn’s terms and conditions, LinkedIn Ireland Unlimited Company and the respective page operator share joint responsibility for the processing of Page Insights. The Page Insights provided to us typically consist of aggregated data. For more information, please refer to LinkedIn’s Privacy Policy and LinkedIn’s Page Insights Joint Controller Addendum.
LinkedIn Privacy Policy: https://www.linkedin.com/legal/privacy-policy
LinkedIn Page Insights Joint Controller Addendum: https://www.linkedin.com/legal/l/page-joint-controller-addendum
9.2 Direct Contact via LinkedIn
When we contact individuals via LinkedIn in a professional context, we process the personal data necessary for this purpose, including, in particular, name, professional profile details, company, position, publicly visible profile information, and communication data. The purpose of this processing is to initiate and maintain business contacts, as well as to determine whether there is a relevant connection to our services.
The legal basis is Article 6(1)(f) of the GDPR. Our legitimate interest lies in targeted business outreach in the B2B sector. To the extent that the communication leads to the initiation of a contract, Article 6(1)(b) of the GDPR serves as an additional legal basis. You may object to the processing of your data for the purpose of direct outreach at any time. In this case, we will no longer contact you for this purpose, unless there are compelling legitimate grounds for further processing that outweigh your interests.
The admissibility of advertising communications under competition law remains unaffected by this. Advertising communications are only made in compliance with legal requirements, in particular the UWG.
9.3 Instagram
We maintain a business profile on Instagram. When you visit our Instagram profile, the platform operator processes users’ personal data in accordance with its own privacy policy. This may include, in particular, profile data, usage data, communication data, and interaction data. For more information on Instagram’s processing of personal data, please refer to Instagram’s or Meta’s privacy policy.
Instagram Privacy Policy: https://privacycenter.instagram.com/policy/
9.4 Upwork
We also maintain a company or provider profile on Upwork. Upwork processes users’ personal data in accordance with its own Privacy Policy, in particular to provide the platform, enable user interactions, and offer security and communication features. Further information can be found in Upwork’s Privacy Policy.
Upwork Privacy Policy: https://www.upwork.com/legal/privacy/
To the extent that we receive personal data via the aforementioned platforms and process it ourselves, we generally delete it as soon as the purpose of the processing no longer applies and no legal retention obligations or legitimate interests preclude deletion. We have no complete control over the storage period and data deletion by the respective platform operators.
10. Recipients of Data
We only disclose personal data to third parties if this is permitted by law or if you have given your consent. Recipients may include, in particular:
• Technical service providers and hosting providers
• IT and maintenance service providers
• Communication service providers
• Platform operators, to the extent that communication takes place via social networks or platforms
• Consultants, attorneys, or government authorities, to the extent necessary to protect our rights or to fulfill legal obligations
To the extent that external service providers process personal data on our behalf, this is done on the basis of a data processing agreement in accordance with Article 28 of the GDPR.
11. Transfers to Third Countries
When using certain services, particularly hosting, communication, or platform services, the transfer of personal data to countries outside the European Union or the European Economic Area cannot be ruled out. To the extent that such transfers to third countries take place, they are carried out solely on the basis of Articles 44 et seq. of the GDPR, in particular on the basis of an adequacy decision, EU Standard Contractual Clauses, or other appropriate safeguards.
12. Retention Period
We store personal data only for as long as is necessary for the respective processing purposes. The data is subsequently deleted unless there are legal retention obligations or legitimate interests in further storage. Legal retention obligations may arise, in particular, from commercial or tax law provisions.
13. Your Rights
In accordance with legal provisions, you have the following rights in particular:
• Right of access pursuant to Art. 15 GDPR
• Right to rectification pursuant to Art. 16 GDPR
• Right to erasure pursuant to Art. 17 GDPR
• Right to restriction of processing pursuant to Art. 18 GDPR
• Right to data portability pursuant to Art. 20 GDPR
• Right to object pursuant to Art. 21 GDPR
• Right to withdraw consent with future effect pursuant to Art. 7(3) GDPR
• Right to lodge a complaint with a data protection supervisory authority pursuant to Art. 77 GDPR
If your personal data is processed on the basis of Article 6(1)(f) of the GDPR, you have the right to object to the processing at any time on grounds relating to your particular situation.
The competent supervisory authority may, in particular, be the State Commissioner for Data Protection of Lower Saxony. Further information: https://www.lfd.niedersachsen.de/
14. Obligation to Provide Data
The provision of personal data is generally not required by law. However, the provision of certain data may be necessary for the use of specific features of our website, particularly for contacting us or submitting an application. Without this data, we may not be able to process your inquiry or application.
15. Automated Decision-Making
Automated decision-making, including profiling within the meaning of Article 22 of the GDPR, does not take place.
16. Validity and Changes to This Privacy Policy
We reserve the right to amend this Privacy Policy as necessary to ensure it always complies with current legal requirements or to reflect changes to our website, our online presence, or our services.
As of: May 2026