1. Data Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Mäx & Mäleon GmbH

Kaiserstr. 32

63065 Offenbach am Main

Germany

Email: hello@maeleon.info
Website: https://maxandmaeleon.com

2. Principles of data processing

We process personal data only when legally permitted or you have consented. We collect only data needed for the specific purpose (data minimisation).

Legal bases for processing under Art. 6 GDPR:

  • Art. 6(1) lit. a GDPR – Consent (e.g., marketing cookies)
  • Art. 6(1)(b) GDPR – Contract fulfillment or pre‑contractual measures (e.g., handling inquiries)
  • Art. 6 Abs. 1 lit. f DSGVO – Legitimate interest (e.g., safety, Missbrauchsprävention)

3. Hosting & technical infrastructure

3.1 Web hosting (WordPress)

Our website runs on a WordPress server. The hosting provider is IONOS SE (Elgendorfer Str. 57, 56410 Montabaur, Germany). When our site is accessed, the following data are automatically stored in the server log:

  • IP address (anonymized)
  • Date and time of access
  • accessed page
  • Browser and operating system

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in the technical provision of the website).

3.2 Server-side data processing

We run our own server at Hetzner Online GmbH (Germany) in an EU data centre. This server acts as a technical processing hub for form data.

Function: When you submit a form on our website, the übermittelten data are technically processed on our server and forwarded to the following systems:

  • our CRM system
  • Google Ads (only with consent, hashed)
  • Meta / Facebook (only with consent, hashed)

All data remain on servers within the EU. No transfer to third countries occurs.

Retention period: Processing logs are automatically deleted after a maximum of 7 days. Permanent data storage takes place exclusively in our CRM system.

Legal basis: Art. 6(1) lit. b GDPR (contract performance / pre‑contractual measures) and Art. 6(1) lit. f GDPR (legitimate interest in efficient processing of inquiries).

Data processing agreement: A data processing agreement with Hetzner Online GmbH exists pursuant to Art. 28 GDPR.

4. Contact forms & product configurators

4.1 Which forms exist

On our website you’ll find the following forms:

  • Product configurators (Passenger & Transporter): complete bike configuration with quote request
  • Test Ride-request: Appointment request für a test ride
  • Consultation forms: Inclusion consulting, leasing consulting
  • Contact forms (German & English)
  • Special edition request

4.2 What data we collect

We collect, depending on the form:

  • Name, email address, phone number
  • Residence / ZIP code (for Test Ride planning)
  • Bike configuration (model, variant, equipment, total price)
  • Desired next action (e.g., Test Ride, order, consultation)
  • Free-text fields for requirements and messages
  • Purchase motives (anonymous, from selection fields)

4.3 Purpose and legal basis

Purpose: Handling your request, creating a quote, scheduling, CRM maintenance.

Legal basis: Art. 6(1) lit. b GDPR (pre‑contractual measures) and Art. 6(1) lit. f GDPR (legitimate interest in handling purchase inquiries).

Retention period: Your request is stored in our CRM (Odoo). We delete leads that have not resulted in a purchase after 2 years. Buyer records are deleted after the tax-related retention periods (10 years).

4.4 Automatic lead scoring

Incoming inquiries are automatically scored based on request attributes (e.g., purchase intent and product interest). This score is used solely for internal prioritization by our sales team and does not affect prices or offer content.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient sales management). No fully automated decision is made within the meaning of Art. 22 GDPR.

5. CRM – Odoo

We use Odoo as our Customer Relationship Management system. Odoo is operated by Odoo S.A. (Chaussée de Namur 40, 1367 Grand-Rosière, Belgium). Your data are stored on Odoo S.A. servers within the EU.

Stored in Odoo:

  • Contact details (Name, Email, Phone)
  • Bike configuration and total price
  • Purchase intent and inquiry content
  • Attribution (origin channel of your request, e.g., Google Ads, organic search)
  • Lead Score

Legal basis: Art. 6 Para. 1 lit. b GDPR.

Data processing agreement: With Odoo S.A. there is a data processing agreement pursuant to Art. 28 GDPR.

6. Attribution & source tracking

If you visit our website via a link from an advertisement or a search engine, we store in a first‑party cookie (valid for 90 days) where you came from. We capture the following:

  • First Touch: the source of your very first visit to our website
  • Last Touch: the source shortly before your request

These data help us understand which marketing actions generate inquiries. They are stored in Odoo together with your form request.

Captured attributes: traffic source (e.g., „google“), medium (e.g., „cpc“ for paid ads), campaign name, and — if you come via a Google ad — a technical identifier for the ad click.

Legal basis: Art. 6(1) lit. f GDPR (legitimate interest in advertising effectiveness measurement).

7. Google services

7.1 Google Tag Manager

We use Google Tag Manager (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). The Tag Manager itself sets no cookies and processes no personal data. It controls loading of the remaining Google tags.

Legal basis: Art. 6(1) lit. f GDPR.

7.2 Google Ads Remarketing

When you visit our site and accept the marketing cookie, Google Ads Remarketing records your visit to later display relevant ads on other sites or in Google Search.

A technical tracking cookie is set, linking your visit to a possible preceding Google ad click.

Provider: Google Ireland Limited
Google Privacy: https://policies.google.com/privacy
Legal basis: Art. 6 Abs. 1 lit. a DSGVO (Consent).
Opt-out: Über the cookie banner on our website or at https://adssettings.google.com

7.3 Google Ads Enhanced Conversions

If you submit a form on our website and have consented to marketing cookies, übermitteln we transmit server‑side conversion data to Google Ads (Enhanced Conversions).

The following data are irreversibly hashed (SHA‑256) before transmission:

  • Email address
  • Phone number

Additionally, a technical identifier of your previous Google ad click is transmitted. Google compares this data with its own systems to measure the effectiveness of our ads.

No transmission on opt-out: If you reject marketing cookies, none of this data will be transmitted to Google.

Provider: Google Ireland Limited
Legal basis: Art. 6(1)(a) GDPR (consent).

7.4 Google Consent Mode v2

Our website uses Google Consent Mode v2. This mechanism tells Google the consent status of a visitor before tracking technologies become active. If marketing cookies are declined, no personal data is transmitted to Google übermittelt.

8. Meta / Facebook Services

8.1 Meta Pixel (client-side)

If you have consented to marketing cookies, the Meta Pixel (Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland) is active on our website. The pixel records page views and — upon form submission — a „Lead“ event.

The pixel sets technical cookies for visitor and click identification (valid for up to 90 days).

The Meta Pixel is loaded only after your explicit consent. Without consent, no data is transferred to Meta.

Purpose: Measuring advertising effectiveness, building target audiences for retargeting.

Meta privacy: https://www.facebook.com/privacy/policy/
Legal basis: Art. 6(1)(a) GDPR (consent).
Opt-out: Über the cookie banner on our website

8.2 Meta Conversions API (CAPI, server-side)

If you submit a form and in Marketing-Cookies have consented, we additionally transmit server‑side conversion data to Meta. This serves deduplication and improves measurement quality.

The following data are irreversibly hashed (SHA‑256) before transmission:

  • Email address
  • Phone number
  • First name

Additionally, technical cookie values are transmitted for visitor and click identification.

No Ü transmission on opt‑out: If you reject marketing cookies, none of this data will be transmitted to Meta übermittelt.

Provider: Meta Platforms Ireland Limited
Legal basis: Art. 6(1) lit. a GDPR (Consent).

9. Statistics & Analysis

9.1 Plausible Analytics

We use Plausible Analytics (Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia) to evaluate our website usage.

Plausible is deliberately privacy‑friendly designed: No cookies are set, no IP addresses are stored and no cross‑device profiles are created. The analysis is based solely on aggregated, anonymized data.

No consent required: Since Plausible does not collect personal data and does not set cookies, this service does not require a cookie consent.

Plausible privacy: https://plausible.io/privacy
Legal basis: Art. 6(1) lit. f GDPR (legitimate interest in the anonymized analysis of website behavior).

9.2 WooCommerce (Backend Management)

We use the WordPress plugin WooCommerce exclusively for internal product and inventory management in the backend. No online transactions or payments are processed via WooCommerce. Visitors to our website do not have access to the WooCommerce shop frontend.

Legal basis: Art. 6(1) lit. f GDPR.

10. Functional services (with consent)

10.1 YouTube

Some pages embed YouTube videos (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). We use the enhanced privacy mode: videos load without cookies until you play them.

When activated (click Play) YouTube sets cookies and transfers data to Google/YouTube. Legal basis: Art. 6(1) a GDPR.

10.2 Vimeo

On some pages Vimeo videos are embedded (Vimeo Inc., 330 West 34th Street, New York, NY 10001, USA). When played, data is transferred to Vimeo servers. Legal basis: Art. 6(1)(a) GDPR. Vimeo is certified under the EU‑US Data Privacy Framework.

10.3 Spotify

On some pages, Spotify content is embedded (Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden). When interacting, data is transferred to Spotify übertragen. Legal basis: Art. 6(1) lit. a GDPR.

10.4 OpenStreetMap

On some pages we embed OpenStreetMap project maps (OpenStreetMap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, Großbritannien). When the map loads, your IP address is sent to OpenStreetMap servers. Legal basis: Art. 6(1)(a) GDPR.

10.5 Instagram

On some pages, Instagram content is embedded (Meta Platforms Ireland Limited). When interacting, data is transferred to Meta. Legal basis: Art. 6(1) lit. a GDPR.

10.6 Gravatar

If you leave comments, your profile picture may be loaded from Gravatar (Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA). Your email address (hashed) is sent to Gravatar. Legal basis: Art. 6(1)(a) GDPR.

11. Security Plugins

11.1 Wordfence

We use Wordfence (Defiant Inc., 800 5th Ave., Suite 4100, Seattle, WA 98104, USA) as a security plugin for our WordPress installation. Wordfence protects our website from unauthorized access, malware and spam. In doing so, access data (IP address, timestamp) may be processed.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in securing our website).

11.2 Akismet

Comments on our website are Akismet (Automattic Inc.) checked for spam. Comment data is then transferred to Akismet servers in the USA. Automattic is certified under the EU-US Data Privacy Framework.

Legal basis: Art. 6(1) lit. f GDPR.

12. Additional Plugins

12.1 Elementor

Our website was built with the page‑builder plugin Elementor (Elementor Ltd., Hayarkon 136, Tel Aviv, Israelstraße) created. Elementor itself does not process any personal data of visitors and does not set tracking cookies.

12.2 Polylang

We use Polylang for multilingual support on our website. The plugin stores your preferred language in a functional cookie. Legal basis: Art. 6(1) lit. f GDPR.

12.3 Real Cookie Banner

We use Real Cookie Banner (devowl.io GmbH, Am Anger 7, 85614 Kirchseeon, Germany) to manage cookie consents (Consent Management). Your consent decision is stored locally in your browser.

13. Microsoft Clarity

We use Microsoft Clarity (Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA) to analyze user behavior on our website (heatmaps, session recordings). This can capture mouse movements, clicks and scroll behavior.

Microsoft Clarity is loaded only after your explicit consent. Without consent, no data is transferred to Microsoft.

Legal basis: Art. 6 para. 1 lit. a GDPR (Consent).
Microsoft privacy: https://privacy.microsoft.com/
Microsoft is certified under the EU-US Data Privacy Framework.

14. Cloudflare Turnstile

In our forms we use the „Turnstile“ service from Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. Turnstile checks whether a form is filled out by a human and protects us from automated entries by bots (spam, abusive submissions). The service runs exclusively in our forms, not on the rest of the website.

Turnstile processes technical signals from your device and browser, especially your IP address, user agent, a TLS fingerprint, as well as site key and request origin. The check runs in the background – you don’t need to solve a captcha. Turnstile uses no cookies and creates no persistent user profile.

The legal basis is our legitimate interest in protecting our forms from abuse (Art. 6(1)(f) GDPR). The signals may be processed via Cloudflare's global network, which also includes servers in the USA. Cloudflare is certified under the EU‑US Data Privacy Framework and has additionally signed EU standard contractual clauses.

More on this in the Turnstile Privacy Addendum: https://www.cloudflare.com/turnstile-privacy-policy/

15. Your Rights

You have the following rights regarding your personal data:

  • Information (Art. 15 DSGVO): You can request information über the data we store.
  • Correction (Art. 16 GDPR): You can request correction of inaccurate data.
  • Deletion (Art. 17 GDPR): You can request the deletion of your data, provided no legal retention obligations apply.
  • Einschränkung (Art. 18 GDPR): You can request the restriction of processing.
  • Data portability (Art. 20 GDPR): You can receive your data in a structured format.
  • Objection (Art. 21 GDPR): You can object to processing based on legitimate interest.
  • Withdrawal of consent (Art. 7 para. 3 GDPR): Consents can be withdrawn at any time with effect for the future — via the cookie banner on our website.

To exercise your rights, contact: hello@maeleon.info

You also have the right to lodge a complaint with a data protection supervisory authority. The responsible authority is determined by your place of residence.

16. Changes to this Privacy Policy

We reserve the right to adapt this privacy policy in case of technical or legal changes. You will always find the current version on this page.

Date: June 2026

STAY UPDATED!

By submitting you confirm our privacy policy.

WordPress Cookie Plugin by Real Cookie Banner