1. Data Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Mäx & Mäleon GmbH
Kaiserstr. 32
63065 Offenbach am Main
Germany
Email: hello@maeleon.info
Website: https://maxandmaeleon.com
2. Principles of data processing
We process personal data only when legally permitted or you have consented. We collect only data needed for the specific purpose (data minimisation).
Legal bases for processing under Art. 6 GDPR:
- Art. 6(1) lit. a GDPR – Consent (e.g., marketing cookies)
- Art. 6(1)(b) GDPR – Contract fulfillment or pre‑contractual measures (e.g., handling inquiries)
- Art. 6 Abs. 1 lit. f DSGVO – Legitimate interest (e.g., safety, Missbrauchsprävention)
3. Hosting & technical infrastructure
3.1 Web hosting (WordPress)
Our website runs on a WordPress server. The hosting provider is IONOS SE (Elgendorfer Str. 57, 56410 Montabaur, Germany). When our site is accessed, the following data are automatically stored in the server log:
- IP address (anonymized)
- Date and time of access
- accessed page
- Browser and operating system
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in the technical provision of the website).
3.2 Server-side data processing
We run our own server at Hetzner Online GmbH (Germany) in an EU data centre. This server acts as a technical processing hub for form data.
Function: When you submit a form on our website, the übermittelten data are technically processed on our server and forwarded to the following systems:
- our CRM system
- Google Ads (only with consent, hashed)
- Meta / Facebook (only with consent, hashed)
All data remain on servers within the EU. No transfer to third countries occurs.
Retention period: Processing logs are automatically deleted after a maximum of 7 days. Permanent data storage takes place exclusively in our CRM system.
Legal basis: Art. 6(1) lit. b GDPR (contract performance / pre‑contractual measures) and Art. 6(1) lit. f GDPR (legitimate interest in efficient processing of inquiries).
Data processing agreement: A data processing agreement with Hetzner Online GmbH exists pursuant to Art. 28 GDPR.
4. Contact forms & product configurators
4.1 Which forms exist
On our website you’ll find the following forms:
- Product configurators (Passenger & Transporter): complete bike configuration with quote request
- Test Ride-request: Appointment request für a test ride
- Consultation forms: Inclusion consulting, leasing consulting
- Contact forms (German & English)
- Special edition request
4.2 What data we collect
We collect, depending on the form:
- Name, email address, phone number
- Residence / ZIP code (for Test Ride planning)
- Bike configuration (model, variant, equipment, total price)
- Desired next action (e.g., Test Ride, order, consultation)
- Free-text fields for requirements and messages
- Purchase motives (anonymous, from selection fields)
4.3 Purpose and legal basis
Purpose: Handling your request, creating a quote, scheduling, CRM maintenance.
Legal basis: Art. 6(1) lit. b GDPR (pre‑contractual measures) and Art. 6(1) lit. f GDPR (legitimate interest in handling purchase inquiries).
Retention period: Your request is stored in our CRM (Odoo). We delete leads that have not resulted in a purchase after 2 years. Buyer records are deleted after the tax-related retention periods (10 years).
4.4 Automatic lead scoring
Incoming inquiries are automatically scored based on request attributes (e.g., purchase intent and product interest). This score is used solely for internal prioritization by our sales team and does not affect prices or offer content.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient sales management). No fully automated decision is made within the meaning of Art. 22 GDPR.
5. CRM – Odoo
We use Odoo as our Customer Relationship Management system. Odoo is operated by Odoo S.A. (Chaussée de Namur 40, 1367 Grand-Rosière, Belgium). Your data are stored on Odoo S.A. servers within the EU.
Stored in Odoo:
- Contact details (Name, Email, Phone)
- Bike configuration and total price
- Purchase intent and inquiry content
- Attribution (origin channel of your request, e.g., Google Ads, organic search)
- Lead Score
Legal basis: Art. 6 Para. 1 lit. b GDPR.
Data processing agreement: With Odoo S.A. there is a data processing agreement pursuant to Art. 28 GDPR.
6. Attribution & source tracking
If you visit our website via a link from an advertisement or a search engine, we store in a first‑party cookie (valid for 90 days) where you came from. We capture the following:
- First Touch: the source of your very first visit to our website
- Last Touch: the source shortly before your request
These data help us understand which marketing actions generate inquiries. They are stored in Odoo together with your form request.
Captured attributes: traffic source (e.g., „google“), medium (e.g., „cpc“ for paid ads), campaign name, and — if you come via a Google ad — a technical identifier for the ad click.
Legal basis: Art. 6(1) lit. f GDPR (legitimate interest in advertising effectiveness measurement).
7. Google services
7.1 Google Tag Manager
We use Google Tag Manager (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). The Tag Manager itself sets no cookies and processes no personal data. It controls loading of the remaining Google tags.
Legal basis: Art. 6(1) lit. f GDPR.
7.2 Google Ads Remarketing
When you visit our site and accept the marketing cookie, Google Ads Remarketing records your visit to later display relevant ads on other sites or in Google Search.
A technical tracking cookie is set, linking your visit to a possible preceding Google ad click.
Provider: Google Ireland Limited
Google Privacy: https://policies.google.com/privacy
Legal basis: Art. 6 Abs. 1 lit. a DSGVO (Consent).
Opt-out: Über the cookie banner on our website or at https://adssettings.google.com
7.3 Google Ads Enhanced Conversions
If you submit a form on our website and have consented to marketing cookies, übermitteln we transmit server‑side conversion data to Google Ads (Enhanced Conversions).
The following data are irreversibly hashed (SHA‑256) before transmission:
- Email address
- Phone number
Additionally, a technical identifier of your previous Google ad click is transmitted. Google compares this data with its own systems to measure the effectiveness of our ads.
No transmission on opt-out: If you reject marketing cookies, none of this data will be transmitted to Google.
Provider: Google Ireland Limited
Legal basis: Art. 6(1)(a) GDPR (consent).
7.4 Google Consent Mode v2
Our website uses Google Consent Mode v2. This mechanism tells Google the consent status of a visitor before tracking technologies become active. If marketing cookies are declined, no personal data is transmitted to Google übermittelt.
8. Meta / Facebook Services
8.1 Meta Pixel (client-side)
If you have consented to marketing cookies, the Meta Pixel (Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland) is active on our website. The pixel records page views and — upon form submission — a „Lead“ event.
The pixel sets technical cookies for visitor and click identification (valid for up to 90 days).
The Meta Pixel is loaded only after your explicit consent. Without consent, no data is transferred to Meta.
Purpose: Measuring advertising effectiveness, building target audiences for retargeting.
Meta privacy: https://www.facebook.com/privacy/policy/
Legal basis: Art. 6(1)(a) GDPR (consent).
Opt-out: Über the cookie banner on our website
8.2 Meta Conversions API (CAPI, server-side)
If you submit a form and in Marketing-Cookies have consented, we additionally transmit server‑side conversion data to Meta. This serves deduplication and improves measurement quality.
The following data are irreversibly hashed (SHA‑256) before transmission:
- Email address
- Phone number
- First name
Additionally, technical cookie values are transmitted for visitor and click identification.
No Ü transmission on opt‑out: If you reject marketing cookies, none of this data will be transmitted to Meta übermittelt.
Provider: Meta Platforms Ireland Limited
Legal basis: Art. 6(1) lit. a GDPR (Consent).
9. Statistics & Analysis
9.1 Plausible Analytics
We use Plausible Analytics (Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia) to evaluate our website usage.
Plausible is deliberately privacy‑friendly designed: No cookies are set, no IP addresses are stored and no cross‑device profiles are created. The analysis is based solely on aggregated, anonymized data.
No consent required: Since Plausible does not collect personal data and does not set cookies, this service does not require a cookie consent.
Plausible privacy: https://plausible.io/privacy
Legal basis: Art. 6(1) lit. f GDPR (legitimate interest in the anonymized analysis of website behavior).
9.2 WooCommerce (Backend Management)
We use the WordPress plugin WooCommerce exclusively for internal product and inventory management in the backend. No online transactions or payments are processed via WooCommerce. Visitors to our website do not have access to the WooCommerce shop frontend.
Legal basis: Art. 6(1) lit. f GDPR.
10. Functional services (with consent)
10.1 YouTube
Some pages embed YouTube videos (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). We use the enhanced privacy mode: videos load without cookies until you play them.
When activated (click Play) YouTube sets cookies and transfers data to Google/YouTube. Legal basis: Art. 6(1) a GDPR.
10.2 Vimeo
On some pages Vimeo videos are embedded (Vimeo Inc., 330 West 34th Street, New York, NY 10001, USA). When played, data is transferred to Vimeo servers. Legal basis: Art. 6(1)(a) GDPR. Vimeo is certified under the EU‑US Data Privacy Framework.
10.3 Spotify
On some pages, Spotify content is embedded (Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden). When interacting, data is transferred to Spotify übertragen. Legal basis: Art. 6(1) lit. a GDPR.
10.4 OpenStreetMap
On some pages we embed OpenStreetMap project maps (OpenStreetMap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, Großbritannien). When the map loads, your IP address is sent to OpenStreetMap servers. Legal basis: Art. 6(1)(a) GDPR.
10.5 Instagram
On some pages, Instagram content is embedded (Meta Platforms Ireland Limited). When interacting, data is transferred to Meta. Legal basis: Art. 6(1) lit. a GDPR.
10.6 Gravatar
If you leave comments, your profile picture may be loaded from Gravatar (Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA). Your email address (hashed) is sent to Gravatar. Legal basis: Art. 6(1)(a) GDPR.
11. Security Plugins
11.1 Wordfence
We use Wordfence (Defiant Inc., 800 5th Ave., Suite 4100, Seattle, WA 98104, USA) as a security plugin for our WordPress installation. Wordfence protects our website from unauthorized access, malware and spam. In doing so, access data (IP address, timestamp) may be processed.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in securing our website).
11.2 Akismet
Comments on our website are Akismet (Automattic Inc.) checked for spam. Comment data is then transferred to Akismet servers in the USA. Automattic is certified under the EU-US Data Privacy Framework.
Legal basis: Art. 6(1) lit. f GDPR.
12. Additional Plugins
12.1 Elementor
Our website was built with the page‑builder plugin Elementor (Elementor Ltd., Hayarkon 136, Tel Aviv, Israelstraße) created. Elementor itself does not process any personal data of visitors and does not set tracking cookies.
12.2 Polylang
We use Polylang for multilingual support on our website. The plugin stores your preferred language in a functional cookie. Legal basis: Art. 6(1) lit. f GDPR.
12.3 Real Cookie Banner
We use Real Cookie Banner (devowl.io GmbH, Am Anger 7, 85614 Kirchseeon, Germany) to manage cookie consents (Consent Management). Your consent decision is stored locally in your browser.
13. Microsoft Clarity
We use Microsoft Clarity (Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA) to analyze user behavior on our website (heatmaps, session recordings). This can capture mouse movements, clicks and scroll behavior.
Microsoft Clarity is loaded only after your explicit consent. Without consent, no data is transferred to Microsoft.
Legal basis: Art. 6 para. 1 lit. a GDPR (Consent).
Microsoft privacy: https://privacy.microsoft.com/
Microsoft is certified under the EU-US Data Privacy Framework.
14. Cloudflare Turnstile
In our forms we use the „Turnstile“ service from Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. Turnstile checks whether a form is filled out by a human and protects us from automated entries by bots (spam, abusive submissions). The service runs exclusively in our forms, not on the rest of the website.
Turnstile processes technical signals from your device and browser, especially your IP address, user agent, a TLS fingerprint, as well as site key and request origin. The check runs in the background – you don’t need to solve a captcha. Turnstile uses no cookies and creates no persistent user profile.
The legal basis is our legitimate interest in protecting our forms from abuse (Art. 6(1)(f) GDPR). The signals may be processed via Cloudflare's global network, which also includes servers in the USA. Cloudflare is certified under the EU‑US Data Privacy Framework and has additionally signed EU standard contractual clauses.
More on this in the Turnstile Privacy Addendum: https://www.cloudflare.com/turnstile-privacy-policy/
15. Your Rights
You have the following rights regarding your personal data:
- Information (Art. 15 DSGVO): You can request information über the data we store.
- Correction (Art. 16 GDPR): You can request correction of inaccurate data.
- Deletion (Art. 17 GDPR): You can request the deletion of your data, provided no legal retention obligations apply.
- Einschränkung (Art. 18 GDPR): You can request the restriction of processing.
- Data portability (Art. 20 GDPR): You can receive your data in a structured format.
- Objection (Art. 21 GDPR): You can object to processing based on legitimate interest.
- Withdrawal of consent (Art. 7 para. 3 GDPR): Consents can be withdrawn at any time with effect for the future — via the cookie banner on our website.
To exercise your rights, contact: hello@maeleon.info
You also have the right to lodge a complaint with a data protection supervisory authority. The responsible authority is determined by your place of residence.
16. Changes to this Privacy Policy
We reserve the right to adapt this privacy policy in case of technical or legal changes. You will always find the current version on this page.
Date: June 2026