(In case of discrepancies, the German version shall prevail.)
1. Controller
The controller responsible for data processing on this website is:
MT onroad Alexander Meller e.K.
Waldstraße 11, 97659 Schönau an der Brend, Germany
Tel.: +49 151 20211155
E-mail: [email protected]
Website: mtonroad.com
Data Protection Officer (DPO): Since fewer than 20 persons in our company are engaged in automated processing of personal data and no high-risk core processing is carried out, the appointment of a data protection officer is currently not legally required pursuant to § 38 BDSG.
Irrespective of § 38 BDSG, we continuously assess whether an appointment obligation arises under Art. 37 GDPR (e.g., due to the nature, scope and purposes of processing).
As soon as a statutory obligation exists, we will appoint a data protection officer and update this privacy policy.
2. Hosting and Infrastructure
Hosting: Our website is hosted by “Hosting Ukraine”, whereby the physical server locations are, according to the provider, in Germany. A data processing agreement (DPA/AVV) pursuant to Art. 28 GDPR has been concluded.
Cloudflare: For protection against DDoS attacks and to improve loading times we use Cloudflare (Cloudflare Inc.). IP addresses are routed via Cloudflare servers. As Cloudflare is US-based, safeguards are provided via the EU–US Data Privacy Framework (DPF) as well as additional Standard Contractual Clauses (SCCs) in order to ensure an adequate level of data protection. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in IT security).
Cloudflare privacy terms:
https://www.cloudflare.com/cloudflare-customer-dpa/
Cloudflare DPF Participant: https://www.dataprivacyframework.gov/participant/5666
Server log files: Each time you access our website, technically necessary data are processed (e.g., IP address, date/time, page/file accessed, referrer URL, browser/operating system information, status codes).
Purpose: Provision of the website, IT security, error analysis and abuse prevention.
Legal basis: Art. 6(1)(f) GDPR.
Retention: Log files are stored for a limited period and then deleted, unless security-relevant incidents require longer retention.
3. Telephone Communication and Call Recording
Enquiries: If you call us, we process your telephone number and the information provided during the call to handle your request (Art. 6(1)(b) GDPR).
Recordings: If you have given your explicit consent at the beginning of the call (Art. 6(1)(a) GDPR), we record the call to document assistance provided and for quality assurance.
Note: Recording takes place only with prior explicit consent of all call participants; otherwise no recording is made (cf. § 201 StGB).
Storage: Recordings are stored exclusively on our company-owned servers (Synology) in Germany and are not passed on to third parties unless necessary for contract performance. Deletion takes place after the purpose has been fulfilled or upon withdrawal of your consent. Data transmission is encrypted (SSL/TLS), and access is protected by a strict authorisation concept and technical and organisational measures (TOM).
4. Contact Forms and Price Calculator
Data you enter into forms or the price calculator are processed to prepare an offer or to respond to your enquiry (Art. 6(1)(b) GDPR).
• Retention: Enquiries are stored for the duration of processing and—if no contract is concluded—for an additional 6 months to enable consistent responses in case of follow-up questions.
5. Messenger Communication (SendPulse, WhatsApp, Telegram)
We use SendPulse to handle communication via WhatsApp and Telegram.
• Consent / Channel selection: By contacting us via WhatsApp/Telegram you choose this communication channel. We process the data generated in this context to handle your enquiry and/or perform the contract.
• Legal bases: As a rule Art. 6(1)(b) GDPR (handling your enquiry/contract). Where processing is necessary for security and evidence purposes, Art. 6(1)(f) GDPR. If, in individual cases, we ask for explicit consent (e.g., recordings or reference/marketing use), processing is based on Art. 6(1)(a) GDPR.
• Data transfer: SendPulse and Meta (WhatsApp) may transfer data to third countries (USA). This is safeguarded by DPA/AVV, SCCs and the DPF. Processing by SendPulse takes place pursuant to their DPA with SCCs for any third-country transfers; subprocessors primarily in the EU, with SCCs for non-EU. We recommend not sending sensitive data (e.g., credit card details) via messenger unless this is strictly necessary for roadside assistance (e.g., location).
• SendPulse data processing agreement: https://sendpulse.com/de/legal/processing
6. E-mail Marketing and B2B Outreach (Snov.io)
For B2B acquisition we use Snov.io and LinkedIn.com.
• Legal basis: Where the requirements of § 7(3) UWG are met, advertising to existing customers may take place. For initial contacts we rely on Art. 6(1)(f) GDPR (legitimate interest in B2B communication) and document a legitimate interest assessment (LIA). Processing by Snov.io is carried out pursuant to their DPA with EU SCCs for third-country transfers; subprocessors partly in the EU.
• Data sources: We use only professional contact data from publicly accessible sources or from data providers that make such data available.
• Objection: You may object to the use of your data for advertising purposes at any time by e-mail to [email protected].
• Snov.io privacy/DPA: https://snov.io/dpa , LinkedIn DPA: https://www.linkedin.com/legal/l/dpa
7. Analytics and Marketing (Consent-based)
Analytics and marketing services are activated only after your consent via the cookie banner. This involves both GDPR (consent) and the device-access rules under § 25 TDDDG (formerly § 25 TTDSG).
The following services are activated only after your consent in the cookie banner (Art. 6(1)(a) GDPR):
• Google Analytics 4 (GA4): analyses user behaviour. Provider: Google Ireland Limited. Data transfer to the USA is safeguarded via the EU–US DPF.
https://privacy.google.com/businesses/processorterms/
• Google Ads – details on data transfers:
https://business.safety.google/adsprocessorterms/
• Meta Pixel & LinkedIn Insight Tag: measure the success of advertisements. Data transfer to the USA via EU–US DPF and SCC; subprocessors:
https://www.facebook.com/legal/terms/data_processing_terms#sub-processors
• Google Tag Manager: manages these scripts.
• Withdrawal: You can adjust or withdraw your consent at any time via the cookie settings on our website.
When visiting our social media presences, joint controllership (Art. 26 GDPR) exists with the respective provider.
8. Fonts (Google Fonts)
We use fonts locally on our own server. A connection to Google servers does not take place by default. If, for technical reasons, an external embedding is necessary, this is done on the basis of Art. 6(1)(f) GDPR (consistent presentation) or only with consent.
9. Payments via SumUp
For payment processing we redirect to external pages of SumUp. We conclude a data processing agreement (DPA/AVV) with SumUp for this purpose. Data processing is carried out there under the sole responsibility of SumUp Payments Limited as controller in accordance with their privacy policies:
https://www.sumup.com/en-gb/terms/dpa
SumUp Privacy: https://www.sumup.com/en-gb/privacy/
10. Your Rights
You have the following rights regarding your personal data:
• Right of access (Art. 15 GDPR)
• Right to rectification or erasure (Art. 16/17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)
• Right to lodge a complaint with a supervisory authority, in particular with the BfDI (BfDI contact) or the state data protection authority (Art. 77 GDPR): https://www.lda.bayern.de/
We usually respond to requests within one month.
11. International Data Transfers
Transfers of personal data to third countries (e.g., USA) take place, where necessary, with appropriate safeguards such as the EU–US Data Privacy Framework (DPF), Standard Contractual Clauses (SCC) and a Transfer Impact Assessment (TIA) to maintain the level of data protection. Details on these measures can be found in the providers’ DPAs (see above).
More information on the DPF: https://www.dataprivacyframework.gov/.
For risk assessments (TIA), please contact us