Privacy Policy

We (How To Study German LLC) take data protection seriously. This notice explains what personal data we process when you use our website, on which legal bases (GDPR), for which purposes, and how you can exercise your rights.

1) Controller & Contact

Controller:
How To Study German LLC
30 N Gould St Ste N, Sheridan, WY 82801, United States
Email: in**@**************an.com

EU Representative (Art. 27 GDPR):
EXCHANGENB OÜ, Männimäe 1, Pudisoo küla, 74626 Kuusalu vald, Harju maakond, Estonia
Email: in**@**************an.com

2) Legal Bases

• Art. 6(1)(b) GDPR – performance of a contract or steps prior to entering into a contract.
• Art. 6(1)(a) GDPR – consent (e.g. analytics, newsletters, embedded media).
• Art. 6(1)(f) GDPR – legitimate interests (security, fraud prevention, website operation).
• Art. 6(1)(c) GDPR – legal obligations (tax and accounting).

3) What We Process & Why

• Server access data (IP address, timestamp, referrer, user agent) for security and stability.
• Contact data (name, email, message) when you contact us.
• Order and payment data for digital products (see Paddle).
• Quiz and interaction data to display results and improve content.
• Newsletter data (email address, first name) if you subscribe.
• Security Logs of logged-in users to prevent unauthorized access.
• Cookies and Local Storage as described below.

4) Cookies, Local Storage & Consent

Real Cookie Banner:
We use Real Cookie Banner to manage consent for cookies and external services. Essential cookies are required for the operation and security of the website. Non-essential cookies (e.g. analytics, embedded media) are used only after consent. You can change or withdraw your consent at any time via the cookie settings link on our website.

Local Storage (Functional Elements):
We use the so-called “Local Storage” of your browser to save technical status information (e.g., whether you have already seen or closed a promotional popup/sticky bar). This ensures that popups are not displayed to you repeatedly within a certain timeframe.

This data is stored locally on your device, contains no personal identifiers, and is not transferred to third parties.

Legal Basis: Art. 6(1)(f) GDPR (Legitimate interest in usability) and § 25(2) No. 2 TTDSG (Technical necessity).

5) Third-Party Services & Plugins

5.1 Security & Bot Protection – Cloudflare

We use Cloudflare as a security and performance service to protect our website against malicious traffic, bots, and attacks (e.g. DDoS).
Cloudflare processes technical connection data such as IP addresses, request metadata, and security-related information.
This processing is essential to protect the website and is based on Art. 6(1)(f) GDPR (legitimate interest in security and abuse prevention).
Privacy policy: https://www.cloudflare.com/privacypolicy/

5.2 Payments – Paddle (Merchant of Record)

Payments for digital products are handled by Paddle as Merchant of Record.
Paddle processes payment and billing data independently as controller.
Legal basis: Art. 6(1)(b) and Art. 6(1)(c).
https://www.paddle.com/legal/privacy

5.3 Anti-Spam – CleanTalk

We use CleanTalk Anti-Spam and CleanTalk Security to protect forms, logins, and the website from spam and attacks.
Technical data such as IP addresses and request patterns may be processed.
Legal basis: Art. 6(1)(f) GDPR.

5.4 Security – Wordfence

We use the security plugin Wordfence, provided by Defiant, Inc. (1700 Westlake Ave N Ste 200, Seattle, WA 98109, USA), to protect our website against cyberattacks, malicious traffic, and brute-force logins. For this purpose, your IP address and website activity data are processed.

The legal basis for this processing is our legitimate interest in maintaining the security and integrity of our website according to Art. 6(1)(f) GDPR.

Since data is transferred to the USA, the provider guarantees an adequate level of data protection by using EU Standard Contractual Clauses (SCCs). For more information, please refer to the Wordfence Privacy Policy: https://www.wordfence.com/privacy-policy/

5.5 Google Site Kit (Analytics & Search Console)

If enabled, Google Analytics is used only after your consent via the cookie banner.
Data may include page views, device information, and approximate location.
Legal basis: Art. 6(1)(a) GDPR.

5.6 Forms – WPForms & Contact Form 7

When you submit a generic contact form, we process the data to handle your request.

5.7 Newsletter (SendFox)

We use SendFox (a service by Sumo Group Inc., 1305 E. 6th St #3, Austin, TX 78702, USA) to manage our subscriber list and send emails.
Registration & Double Opt-In:
If you subscribe to our newsletter, we process your email address and name. Registration takes place via a so-called double opt-in procedure (you will receive a confirmation email asking you to confirm your registration). This prevents misuse of your email address.
Legal Basis:

• The sending of the newsletter is based on your consent (Art. 6(1)(a) GDPR).
• The technical provision of the sign-up form and the processing of data to ensure the security of our system (spam protection) is based on our legitimate interest (Art. 6(1)(f) GDPR) in offering a secure and user-friendly newsletter system.

Data Transfer to the USA:
Data is transferred to SendFox in the USA. We ensure appropriate data protection guarantees through Standard Contractual Clauses (SCCs).
You can unsubscribe at any time via the link in every email.
Privacy Policy SendFox: https://sendfox.com/privacy

5.8 Hosting & Page Builder – Elementor Cloud

Our website is hosted via Elementor Cloud Hosting.
Technical and usage data may be processed on Elementor servers under a GDPR-compliant DPA.
https://elementor.com/dpa

5.9 Embedded Videos (YouTube)

Embedded YouTube videos are loaded only after consent. Google may receive technical data such as IP address.

5.10 Security Activity Logs

To ensure the security of our website and defend against bot attacks or unauthorized access, we log administrative actions and login attempts of logged-in users.
Data processed includes IP address, username (public display name), timestamp, and the specific action performed.

Retention: These logs are automatically deleted after 3 months.

Legal Basis: Art. 6(1)(f) GDPR (Legitimate interest in website security and error diagnosis).

6) Retention

We store personal data only as long as necessary for the stated purposes or as required by law.
Security logs are retained for up to 3 months.

7) International Transfers

Where data are transferred outside the EU/EEA, appropriate safeguards such as Standard Contractual Clauses are used.

8) Security

We apply technical and organizational security measures such as encryption, firewalls, access controls, and backups.

9) Your Rights

• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection (Art. 21 GDPR)
• Withdrawal of consent (Art. 7(3) GDPR)

To exercise your rights, contact us at info [at] howtostudygerman [dot] com.

10) Changes to This Policy

We may update this Privacy Policy to reflect legal or technical changes.
Last updated: 25 February 2026