PRIVACY POLICY

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Mäx & Mäleon GmbH

Kaiserstr. 32

63065 Offenbach am Main

Deutschland

Email: hello@maeleon.info
Website: https://maxandmaeleon.com

2. Principles of Data Processing

We process personal data only where permitted by law or where you have given your consent. We collect only the data necessary for the respective purpose (data minimisation).

Legal bases for processing under Art. 6 GDPR:

  • Art. 6(1)(a) GDPR – Consent (e.g. marketing cookies)
  • Art. 6(1)(b) GDPR – Performance of a contract or pre-contractual measures (e.g. handling enquiries)
  • Art. 6(1)(f) GDPR – Legitimate interests (e.g. security, fraud prevention)

3. Hosting & Technical Infrastructure

3.1 Web Hosting (WordPress)

Our website runs on a WordPress server. Hosting provider is IONOS SE (Elgendorfer Str. 57, 56410 Montabaur, Germany). When you visit our website, the following data is automatically stored in the server log:

  • IP address (anonymised)
  • Date and time of access
  • Page accessed
  • Browser and operating system

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing the website technically).

3.2 Server-Side Data Processing

We operate our own server with Hetzner Online GmbH (Germany) in a data centre within the EU. This server is used as a technical processing hub for form data.

Function: When you submit a form on our website, the submitted data is technically processed on our server and forwarded to:

  • our CRM system
  • Google Ads (only with consent, hashed)
  • Meta / Facebook (only with consent, hashed)

All data remains on servers within the EU. No transfer to third countries takes place.

Retention: Processing logs are automatically deleted after a maximum of 7 days. Permanent data storage takes place exclusively in our CRM system.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract / pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in efficient processing of enquiries).

Data processing agreement: A data processing agreement pursuant to Art. 28 GDPR is in place with Hetzner Online GmbH.

4. Contact Forms & Product Configurators

4.1 Available Forms

Our website includes the following forms:

  • Product configurators (Passenger & Transporter): full bicycle configuration with quote request
  • Test ride request: appointment request for a test ride
  • Consultation forms: inclusion consultation, leasing consultation
  • Contact forms (German & English)
  • Special Edition enquiry

4.2 Data Collected

Depending on the form, we collect:

  • Name, email address, phone number
  • Home location / postcode (for test ride planning)
  • Bicycle configuration (model, variant, equipment, total price)
  • Desired next action (e.g. test ride, order, consultation)
  • Free-text fields for requirements and messages
  • Purchase motivations (anonymous, from selection fields)

4.3 Purpose and Legal Basis

Purpose: Processing your enquiry, preparing a quote, scheduling appointments, CRM management.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in handling purchase enquiries).

Retention: Your enquiry is stored in our CRM (Odoo). Leads that did not result in a purchase are deleted after 2 years. Customer records are deleted after the statutory retention period (10 years).

4.4 Automated Lead Scoring

Incoming enquiries are automatically assigned a score based on characteristics of the enquiry (e.g. purchase intent and product interest). This score is used solely for internal prioritisation by our sales team and has no effect on prices or offer content.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient sales management). No fully automated decision-making within the meaning of Art. 22 GDPR takes place.

5. CRM – Odoo

We use Odoo as our customer relationship management system. Odoo is operated by Odoo S.A. (Chaussée de Namur 40, 1367 Grand-Rosière, Belgium). Your data is stored on Odoo S.A. servers within the EU.

Data stored in Odoo includes:

  • Contact details (name, email, phone)
  • Bicycle configuration and total price
  • Purchase intent and enquiry content
  • Attribution (the source channel of your enquiry, e.g. Google Ads, organic search)
  • Lead score

Legal basis: Art. 6(1)(b) GDPR.

Data processing agreement: A data processing agreement pursuant to Art. 28 GDPR is in place with Odoo S.A.

6. Attribution & Source Tracking

When you visit our website via a link from an advertisement or search engine, we store in a first-party cookie (valid for 90 days) where you came from. We record:

  • First Touch: the source of your very first visit to our website
  • Last Touch: the source immediately before your enquiry

This data helps us understand which marketing activities lead to enquiries. It is stored in Odoo together with your enquiry.

Attributes captured: traffic source (e.g. “google”), medium (e.g. “cpc” for paid ads), campaign name, and — if you arrived via a Google ad — a technical identifier for the ad click.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in measuring advertising effectiveness).

7. Google Services

7.1 Google Tag Manager

We use Google Tag Manager (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). The Tag Manager itself does not set cookies and does not process personal data. It controls the loading of the other Google tags.

Legal basis: Art. 6(1)(f) GDPR.

7.2 Google Ads Remarketing

If you visit our website and have consented to marketing cookies, Google Ads Remarketing records your visit so that we can show you relevant ads on other websites or in Google Search at a later time.

A technical tracking cookie is set that associates your visit with a preceding Google ad click, if applicable.

Provider: Google Ireland Limited
Google Privacy Policy: https://policies.google.com/privacy
Legal basis: Art. 6(1)(a) GDPR (consent).
Opt-out: Via the cookie banner on our website or at https://adssettings.google.com

7.3 Google Ads Enhanced Conversions

When you submit a form on our website and have consented to marketing cookies, we transmit conversion data server-side to Google Ads (Enhanced Conversions).

The following data is irreversibly hashed (SHA-256) before transmission:

  • Email address
  • Phone number

Additionally, a technical identifier from your preceding Google ad click is transmitted. Google compares this data with its own systems to measure the effectiveness of our advertising.

No transmission on opt-out: If you decline marketing cookies, none of this data is transmitted to Google.

Provider: Google Ireland Limited
Legal basis: Art. 6(1)(a) GDPR (consent).

7.4 Google Consent Mode v2

Our website uses Google Consent Mode v2. This mechanism informs Google of a visitor’s consent status before tracking technologies become active. If marketing cookies are declined, no personal data is transmitted to Google.

8. Meta / Facebook Services

8.1 Meta Pixel (client-side)

If you have consented to marketing cookies, the Meta Pixel (Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland) is active on our website. The Pixel records page views and — upon form completion — a “Lead” event.

The Pixel sets technical cookies for visitor and click identification (valid for up to 90 days).

The Meta Pixel is loaded exclusively after your explicit consent. Without consent, no data is transmitted to Meta.

Purpose: Measuring advertising effectiveness, building audiences for retargeting.

Meta Privacy Policy: https://www.facebook.com/privacy/policy/
Legal basis: Art. 6(1)(a) GDPR (consent).
Opt-out: Via the cookie banner on our website.

8.2 Meta Conversions API (CAPI, server-side)

When you submit a form and have consented to marketing cookies, we additionally transmit conversion data server-side to Meta. This serves deduplication and improves measurement quality.

The following data is irreversibly hashed (SHA-256) before transmission:

  • Email address
  • Phone number
  • First name

Technical cookie values for visitor and click identification are also transmitted.

No transmission on opt-out: If you decline marketing cookies, none of this data is transmitted to Meta.

Provider: Meta Platforms Ireland Limited
Legal basis: Art. 6(1)(a) GDPR (consent).

9. Statistics & Analytics

9.1 Plausible Analytics

We use Plausible Analytics (Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia) to analyse our website usage.

Plausible is deliberately designed with privacy in mind: it sets no cookies, stores no IP addresses, and creates no cross-device profiles. Analysis is based exclusively on aggregated, anonymised data.

No consent required: As Plausible does not collect personal data and sets no cookies, no cookie consent is required for this service.

Plausible Privacy Policy: https://plausible.io/privacy
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the anonymised analysis of website behaviour).

9.2 WooCommerce (Backend Administration)

We use the WordPress plugin WooCommerce exclusively for internal product and inventory management in the backend. No online transactions or payments are processed via WooCommerce. Website visitors have no access to the WooCommerce shop frontend.

Legal basis: Art. 6(1)(f) GDPR.

10. Functional Services (with Consent)

10.1 YouTube

Some pages embed YouTube videos (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). We use the enhanced privacy mode: videos load without cookies until you play them.

When activated (clicking Play), YouTube sets cookies and transmits data to Google/YouTube. Legal basis: Art. 6(1)(a) GDPR.

10.2 Vimeo

Some pages embed Vimeo videos (Vimeo Inc., 330 West 34th Street, New York, NY 10001, USA). When played, data is transmitted to Vimeo servers. Legal basis: Art. 6(1)(a) GDPR. Vimeo is certified under the EU-US Data Privacy Framework.

10.3 Spotify

Some pages embed Spotify content (Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden). When interacted with, data is transmitted to Spotify. Legal basis: Art. 6(1)(a) GDPR.

10.4 OpenStreetMap

Some pages embed maps from the OpenStreetMap project (OpenStreetMap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom). When the map loads, your IP address is transmitted to OpenStreetMap servers. Legal basis: Art. 6(1)(a) GDPR.

10.5 Instagram

Some pages embed Instagram content (Meta Platforms Ireland Limited). When interacted with, data is transmitted to Meta. Legal basis: Art. 6(1)(a) GDPR.

10.6 Gravatar

If you leave comments, your profile picture may be loaded from Gravatar (Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA). Your email address (hashed) is transmitted to Gravatar. Legal basis: Art. 6(1)(a) GDPR.

11. Security Plugins

11.1 Wordfence

We use Wordfence (Defiant Inc., 800 5th Ave., Suite 4100, Seattle, WA 98104, USA) as a security plugin for our WordPress installation. Wordfence protects our website from unauthorised access, malware and spam. Access data (IP address, timestamp) may be processed in this context.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in securing our website).

11.2 Akismet

Comments on our website are checked for spam by Akismet (Automattic Inc.). Comment data is transmitted to Akismet servers in the USA. Automattic is certified under the EU-US Data Privacy Framework.

Legal basis: Art. 6(1)(f) GDPR.

12. Further Plugins

12.1 Elementor

Our website was designed using the Elementor page builder plugin (Elementor Ltd., Hayarkon 136, Tel Aviv, Israel). Elementor itself does not process personal data from visitors and does not set tracking cookies.

12.2 Polylang

We use Polylang for the multilingual functionality of our website. The plugin stores your preferred language in a functional cookie. Legal basis: Art. 6(1)(f) GDPR.

12.3 Real Cookie Banner

We use Real Cookie Banner (devowl.io GmbH, Am Anger 7, 85614 Kirchseeon, Germany) to manage cookie consents (consent management). Your consent decision is stored locally in your browser.

13. Microsoft Clarity

We use Microsoft Clarity (Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA) to analyse user behaviour on our website (heatmaps, session recordings). Mouse movements, clicks and scrolling behaviour may be recorded.

Microsoft Clarity is loaded exclusively after your explicit consent. Without consent, no data is transmitted to Microsoft.

Legal basis: Art. 6(1)(a) GDPR (consent).
Microsoft Privacy Policy: https://privacy.microsoft.com/
Microsoft is certified under the EU-US Data Privacy Framework.

14. Your Rights

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR): You may request information about the data we hold about you.
  • Right to rectification (Art. 16 GDPR): You may request correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR): You may request deletion of your data, provided no statutory retention obligations apply.
  • Right to restriction (Art. 18 GDPR): You may request restriction of processing.
  • Right to data portability (Art. 20 GDPR): You may receive your data in a structured format.
  • Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3) GDPR): Consents may be withdrawn at any time with effect for the future — via the cookie banner on our website.

To exercise your rights, contact: [datenschutz@maxandmaeleon.com]

You also have the right to lodge a complaint with a data protection supervisory authority. The competent authority depends on your place of residence.

15. Changes to This Privacy Policy

We reserve the right to update this privacy policy in response to technical or legal changes. The current version is always available on this page.

Last updated: April 2026

STAY UP TO DATE!

WIR MACHEN FRÜHJAHRSPUTZ ...

… und passen zum Saisonstart unsere Preise  an.
Bestellungen bis 01.03.2026 erhalten noch die aktuellen Konditionen!

JETZT KONFIGURIEREN
WordPress Cookie Plugin by Real Cookie Banner