Privacy Policy

Privacy Policy for the Website and Online Shop of Johannes Mallow

Last updated: 30 June 2026

1. Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Johannes Mallow
Breiter Weg 267, 39104 Magdeburg, Germany
Email: johannes.mallow@googlemail.com

This Privacy Policy explains which personal data we process when you visit this website, use the WooCommerce shop, purchase live webinars, coaching sessions or digital products, use contact forms, book appointments, participate in online meetings or interact with the services integrated into this website.

2. General information on data processing

We process personal data only to the extent necessary to provide a functional website, operate the online shop, process orders, communicate with you, provide digital products, organise appointments and live webinars, process payments, comply with legal obligations or on the basis of your consent.

Personal data means any information relating to an identified or identifiable natural person. This includes, for example, name, address, email address, IP address, order data, payment information, communication contents, appointment details and technical usage data.

We disclose personal data to third parties only where this is necessary for contract performance, where we are legally obliged to do so, where you have given your consent, or where we have a legitimate interest in the disclosure and your interests, fundamental rights and freedoms do not override that interest.

3. Legal bases for processing

Where we obtain consent for processing operations, the legal basis is Art. 6(1)(a) GDPR. This applies in particular to analytics cookies, Google Analytics 4, embedded third-party content and comparable services, unless they are technically necessary.

Where processing is necessary for the performance of a contract or for pre-contractual measures, the legal basis is Art. 6(1)(b) GDPR. This applies in particular to WooCommerce orders, payment processing, delivery of digital products, live webinar participation and appointment bookings.

Where processing is necessary to comply with a legal obligation, the legal basis is Art. 6(1)(c) GDPR. This applies in particular to tax and commercial retention obligations, invoices and documentation duties.

Where processing is necessary to protect legitimate interests, the legal basis is Art. 6(1)(f) GDPR. Legitimate interests may include the secure operation of the website, prevention of misuse and spam, technical administration, fraud prevention, and the establishment, exercise or defence of legal claims.

For access to information stored on your device, in particular cookies, local storage or similar technologies, the German Telecommunications Digital Services Data Protection Act (TDDDG) may also apply. Non-essential access generally takes place only after prior consent.

4. Hosting by STRATO

This website is hosted by STRATO. When the website is accessed, the hosting provider processes technically necessary data in order to deliver the website, ensure stability and security, detect attacks or misuse and maintain server operation. The data processed may include, in particular, the IP address, date and time of access, requested page or file, amount of data transferred, browser type and version, operating system, referrer URL, host name of the accessing device and status messages.

The processing is based on Art. 6(1)(f) GDPR. Our legitimate interest is the secure, stable and efficient provision of the website.

Where processing is necessary for contract performance or pre-contractual measures, it is additionally based on Art. 6(1)(b) GDPR.

Where STRATO processes personal data on our behalf, we have concluded a data processing agreement pursuant to Art. 28 GDPR.

5. SSL/TLS encryption

For security reasons and to protect the transmission of confidential content, this website uses SSL or TLS encryption.

You can usually recognise an encrypted connection by 'https://' and the lock symbol in the address bar of your browser.

If SSL/TLS encryption is activated, data that you transmit to us cannot easily be read by third parties. However, data transmission on the internet may still have security vulnerabilities; complete protection cannot be guaranteed technically.

6. Cookies, local storage and CookieYes

This website uses cookies and similar technologies. Cookies are small files stored on your device. They may be technically required for the website to function or may serve optional purposes such as statistics, analytics, convenience functions or embedded content.

We use CookieYes to manage consent. CookieYes enables us to obtain, document and manage your consent choices.

This may involve processing information such as your consent selection, timestamp, technical browser information and a pseudonymous consent ID.

Technically necessary cookies and comparable storage are used on the basis of Section 25(2) TDDDG and Art. 6(1)(f) GDPR. Our legitimate interest is to provide a functional and secure website. Non-essential cookies and services are used only on the basis of your consent pursuant to Section 25(1) TDDDG and Art. 6(1)(a) GDPR.

You can change or withdraw your consent at any time with effect for the future. A cookie banner or a link for changing cookie settings is provided on the website.

7. WordPress, Elementor Pro and TranslatePress

This website is based on WordPress. WordPress is used as the technical content management system for providing and managing website content.

Technically necessary data may be processed in order to display pages, ensure security, manage forms or process orders.

Elementor Pro is used to design and display pages, forms, layouts and design elements. To the extent personal data is processed in connection with Elementor Pro, this processing serves the technical provision of the website and the functions requested by users.

TranslatePress is used to provide multilingual content. It enables the website to be displayed in different languages. In the context of an order, the selected language may be stored as order information so that content, notices and order-related information can be processed in the relevant language.

The processing is based on Art. 6(1)(f) GDPR where it is necessary for the technical provision of the website and on Art. 6(1)(b) GDPR where it is necessary for contract performance.

8. WooCommerce shop without customer accounts

We use WooCommerce to provide our online shop. The shop can be used to purchase live webinars, individual coaching sessions, digital content such as PDFs and other digital products. We do not offer customer accounts; orders are placed as guest orders.

When you place an order, we process the data required to conclude and perform the contract. This includes, in particular, name, billing address, email address, ordered products, order date, payment method, payment status, invoice data, tax-relevant information and technical order-related data.

The processing is carried out for the performance of the purchase contract and for the provision of digital products, webinar information or booking links on the basis of Art. 6(1)(b) GDPR. Where invoice data must be stored due to tax or commercial law obligations, the processing is additionally based on Art. 6(1)(c) GDPR.

Order data is stored for as long as necessary for contract processing, documentation duties, tax and commercial retention obligations and the establishment, exercise or defence of legal claims.

9. Digital products, live webinars and coaching sessions

If you purchase a digital product, we process your order data in order to provide the purchased product, document the order and payment and send you order-related information.

If you purchase a live webinar, we process your order data in order to register you for the relevant webinar, provide access information and communicate important information about the event. The webinars are scheduled live events. Our Zoom webinars or meetings are password-protected and are not recorded.

If you book an individual coaching session, we process the data required for appointment coordination, communication and performance of the coaching service. Appointment scheduling is handled through Calendly, as described below.

The legal basis is Art. 6(1)(b) GDPR. Where legal documentation and retention duties apply, the processing is additionally based on Art. 6(1)(c) GDPR. Where communication is necessary to organise the service, we may also rely on our legitimate interest under Art. 6(1)(f) GDPR.

10. Invoices and PDF Invoices & Packing Slips

Invoices may be created and sent using the plugin PDF Invoices & Packing Slips for WooCommerce. The plugin is used to generate invoice documents for orders and, where configured, attach them to WooCommerce emails.

For this purpose, order, billing and customer data stored in WooCommerce are used. This includes, in particular, name, billing address, email address, order number, invoice number, order date, purchased products, prices, taxes and payment information.

The processing is based on Art. 6(1)(b) GDPR where it is necessary for contract performance and on Art. 6(1)(c) GDPR where it is necessary for legal accounting and tax obligations.

11. Transactional emails

After an order, we may send transactional emails such as order confirmations, payment confirmations, completed order emails, invoices, webinar notices or information about digital products. These emails are necessary for contract performance and are not newsletters.

We currently do not offer a newsletter. If newsletters or marketing emails are introduced in the future, this Privacy Policy must be updated accordingly and, where required, a separate consent process must be implemented.

The legal basis for transactional emails is Art. 6(1)(b) GDPR where the emails are necessary for contract performance and Art. 6(1)(c) GDPR where legally required information is transmitted.

12. Contact Form 7

Contact forms are provided through Contact Form 7. If you contact us via a form, the information you enter is transmitted to us and processed for the purpose of handling your request.

This may include your name, email address, message content, time of submission, IP address and technical transmission data, depending on the specific form configuration.

The processing is based on Art. 6(1)(b) GDPR where your request relates to a contract or pre-contractual measures. In all other cases, it is based on Art. 6(1)(f) GDPR. Our legitimate interest is to respond to inquiries. If consent is requested in individual cases, the processing is based on Art. 6(1)(a) GDPR.

13. Google reCAPTCHA v3

Google reCAPTCHA v3 may be used to protect forms and website functions from misuse, automated submissions and spam. reCAPTCHA analyses whether input is made by a human or an automated system.

For this purpose, Google may process technical data such as IP address, browser information, referrer URL, interaction behaviour and other usage data. reCAPTCHA v3 works in the background and may evaluate user behaviour across website interactions. The legal assessment of reCAPTCHA depends on the technical configuration and consent management. Where reCAPTCHA is used as a technically necessary security measure, the legal basis may be Art. 6(1)(f) GDPR and Section 25(2) TDDDG. Where it is not strictly necessary or involves non-essential access to the user's device, prior consent may be required pursuant to Art. 6(1)(a) GDPR and Section 25(1) TDDDG.

Google may process data in the United States or other third countries. Appropriate safeguards such as standard contractual clauses or other mechanisms under the GDPR may apply.

14. Google Analytics 4

This website uses Google Analytics 4 (GA4), the current version of Google Analytics, provided by Google. Google Analytics 4 helps us analyse how visitors use the website, which pages are accessed and how users interact with content and shop functions. Google Analytics 4 may process data such as page views, session duration, interactions, technical device information, approximate location, browser and operating system information, referrer information and pseudonymous identifiers. Google Analytics 4 generally uses event-based measurement. Google Analytics 4 is used only on the basis of your prior consent, unless a legally permissible configuration without consent applies.

The legal basis is Art. 6(1)(a) GDPR and Section 25(1) TDDDG. You may withdraw your consent at any time with effect for the future via the cookie settings.

Google may process data in the United States or other third countries. The transfer is based on the mechanisms provided under the GDPR, such as an adequacy decision where applicable, standard contractual clauses or other appropriate safeguards.

15. YouTube videos

YouTube videos may be embedded on this website. YouTube is a service provided by Google.

When you play or load an embedded video, personal data may be transmitted to Google and YouTube.

This may include your IP address, browser and device information, referrer URL, time of access and information about video interaction. If you are logged into a Google account, Google may associate the interaction with your account.

Where technically possible, YouTube videos should be embedded in privacy-enhanced mode and/or blocked until consent is given.

The legal basis for loading non-essential embedded content is generally your consent pursuant to Art. 6(1)(a) GDPR and Section 25(1) TDDDG.

Google may process data in third countries, including the United States. Appropriate transfer mechanisms under the GDPR may apply.

16. Payment processing: Stripe, credit card, Google Pay and Sofort

Payments by credit card, Google Pay and Sofort may be processed via the WooCommerce Stripe Gateway and Stripe. Stripe processes the payment data required for the chosen payment method.

Depending on the selected payment method, processed data may include name, billing address, email address, payment amount, order details, transaction ID, payment status, device information, IP address, card or account-related information and fraud prevention data.

The processing is carried out for payment processing and contract performance on the basis of Art. 6(1)(b) GDPR. Where fraud prevention, security or compliance checks are carried out, processing may also be based on Art. 6(1)(f) GDPR or legal obligations under Art. 6(1)(c) GDPR.

Stripe may act partly as an independent controller and partly as a processor, depending on the processing activity.

Stripe may process data in the United States or other third countries on the basis of appropriate GDPR transfer mechanisms.

17. PayPal

If you choose PayPal as a payment method, payment data will be transmitted to PayPal for payment processing.

PayPal may also offer additional payment methods or wallet-based payments depending on availability and configuration.

The data transmitted may include name, email address, billing address, order amount, order details, IP address, transaction ID and payment status.

PayPal may process the data for payment processing, fraud prevention, compliance and its own legal obligations.

The legal basis for the transmission of data to PayPal is Art. 6(1)(b) GDPR because the processing is necessary for payment processing. Additional processing by PayPal may be based on PayPal's own legal bases and privacy notices.

PayPal may process data in countries outside the EU/EEA in accordance with the mechanisms described in PayPal's privacy information.

18. Amazon Pay

If you choose Amazon Pay as a payment method, payment and order-related data are transmitted to Amazon Pay for payment processing.

This may include name, email address, billing and payment information, order amount, order details, transaction ID and technical data. Amazon Pay may process data for payment processing, fraud prevention, compliance and its own legal obligations.

The legal basis for the transmission to Amazon Pay is Art. 6(1)(b) GDPR. Additional processing by Amazon Pay is governed by Amazon Pay's own privacy information.

19. Calendly

Calendly is used for appointment scheduling. We only request your name and email address through Calendly.

Calendly enables users to select available appointment slots and receive appointment-related communication. The data processed may include name, email address, selected appointment, time zone, communication settings, technical access data and, where applicable, information contained in appointment notes or calendar invitations.

The processing is carried out for appointment scheduling and contract performance or pre-contractual measures on the basis of Art. 6(1)(b) GDPR. Where Calendly is used for general communication or organisational purposes, processing may also be based on Art. 6(1)(f) GDPR. Our legitimate interest is efficient scheduling. Calendly may process data in the United States or other third countries. Appropriate safeguards such as standard contractual clauses or other mechanisms under the GDPR may apply.

20. Zoom live webinars and online meetings

Zoom is used to conduct live webinars and online meetings. Our Zoom webinars are password-protected and are not recorded. When using Zoom, personal data may be processed, including name, email address, meeting metadata, IP address, device and connection information, chat contents if used, audio and video data if activated by the participant, and technical diagnostic information.

The processing is carried out for the performance of the webinar or online meeting on the basis of Art. 6(1)(b) GDPR where participation is part of a purchased service. For organisational and security purposes, processing may also be based on Art. 6(1)(f) GDPR.

We do not record webinars or meetings. If recordings are introduced in the future, participants must be informed separately and this Privacy Policy must be amended accordingly. Zoom may process data in the United States or other third countries. Appropriate GDPR transfer mechanisms may apply.

21. Product reviews

Customers may submit reviews for products. If you submit a review, the data entered by you may be stored and displayed on the website in connection with the reviewed product.

This may include the review text, rating, displayed name, time of submission and technical metadata. Please do not include sensitive personal data or confidential information in product reviews.

The processing is based on Art. 6(1)(f) GDPR. Our legitimate interest is to provide customers with authentic product feedback and improve transparency. If consent is requested in individual cases, the processing is based on Art. 6(1)(a) GDPR.

Reviews may remain published until they are deleted, unless legal retention or documentation interests require longer storage.

22. Social media links

The website contains links to social media profiles on Facebook, Instagram, X/Twitter and YouTube. These are exclusively static links.

When you visit our website, no direct connection to these platforms is established solely by the presence of such links, unless additional social media plugins or embedded content are used.

If you click on a social media link, you leave our website and are redirected to the respective platform. The platform provider is then responsible for the processing of your personal data. Please refer to the privacy information of the respective provider.

If, in the future, social media feeds, pixels, tracking functions or interactive plugins are embedded directly on the website, this Privacy Policy must be updated accordingly and consent management may be required.

23. No newsletter

We currently do not offer a newsletter and do not maintain a newsletter mailing list. Order-related emails, payment notifications, invoice emails, webinar access emails and appointment-related emails are transactional communications required to perform the contract and are not newsletters. If newsletters or marketing emails are introduced in the future, this Privacy Policy must be updated and, where required, a separate consent mechanism must be implemented.

24. Recipients and categories of recipients

Personal data may be transmitted to service providers and recipients to the extent necessary for the purposes described above. These recipients may include hosting providers, technical service providers, payment service providers, appointment scheduling providers, webinar providers, analytics providers, cookie consent providers, email and IT service providers, tax advisors and legal advisors.

Data is disclosed only where there is a legal basis, in particular contract performance, legal obligation, consent or legitimate interest. Where service providers process personal data on our behalf, we have concluded data processing agreements pursuant to Art. 28 GDPR.

25. Transfers to third countries

Some of the services used are based outside the European Union or the European Economic Area or may process personal data there. This applies in particular to services provided by Google, Stripe, Calendly, Zoom and possibly other providers with affiliated companies or subprocessors in third countries such as the United States.

Where personal data is transferred to third countries, this is done only if the requirements of Art. 44 et seq. GDPR are met. Appropriate safeguards may include adequacy decisions, standard contractual clauses of the European Commission, additional technical and organisational measures or other legally recognised mechanisms.

For consent-based services and non-essential third-party services, processing generally takes place only after your consent. Please note that third countries may not provide a level of data protection fully equivalent to that of the EU.

26. Retention periods

We store personal data only for as long as necessary for the respective purposes or as required by statutory retention obligations. Once the purpose no longer applies, data will be deleted or its processing restricted unless legal obligations or legitimate interests prevent deletion.

Order, invoice and payment data are generally stored for 6 years (e.g., business letters) or 10 years (e.g., invoices and accounting records) in accordance with German commercial and tax law requirements. Contact inquiries are stored for as long as necessary to process the inquiry and for documentation purposes. Technical server log data is stored only for as long as necessary for security, troubleshooting and misuse detection.

Consent records, for example through CookieYes, may be stored in order to prove whether and when consent was given or withdrawn.

27. Obligation to provide personal data

The provision of certain personal data is required if you want to use this website, place an order, book an appointment, participate in a webinar or contact us. Without the required data, we cannot provide the respective service or cannot provide it completely.

For an order, in particular name, billing address, email address and payment information are required. For Calendly appointments, your name and email address are required. For Zoom webinars, name, email address and technical participation data may be required.

The provision of voluntary information is not mandatory. Please provide voluntary information only if it is necessary for your request.

28. No automated decision-making

We do not use solely automated decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.

Payment service providers may use automated procedures for fraud prevention, risk assessment or payment checks within their own responsibility. Details can be found in the privacy information of the respective payment service provider.

29. Your rights

Subject to the statutory requirements, you have the following rights: right of access to your personal data (Art. 15 GDPR), right to rectification of inaccurate data (Art. 16 GDPR), right to erasure (Art. 17 GDPR), right to restriction of processing (Art. 18 GDPR), right to data portability (Art. 20 GDPR) and right to object to certain processing operations (Art. 21 GDPR).

Where processing is based on your consent, you have the right to withdraw that consent at any time with effect for the future. The lawfulness of processing carried out before the withdrawal remains unaffected.

To exercise your rights, you can contact us at the email address stated above.

30. Right to object under Art. 21 GDPR

Where we process personal data on the basis of Art. 6(1)(f) GDPR, you have the right to object to such processing at any time on grounds relating to your particular situation.

If you object, we will no longer process the affected personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

If personal data were processed for direct marketing purposes, you would have the right to object at any time to processing for such marketing.

We currently do not operate a newsletter or engage in direct marketing.

31. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates data protection law.

You may contact, in particular, the supervisory authority of your habitual residence, place of work or the place of the alleged infringement. For Saxony-Anhalt, the competent authority is generally the State Commissioner for Data Protection of Saxony-Anhalt.

32. Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy if legal, technical or organisational changes make this necessary. The current version is available on this website.
