Privacy Policy
1. Controller & Contact
| Controller (Art. 4 No 7 GDPR) | Jonathan-Silvester Stone (Einzelunternehmer) |
| Trading Name | CMC - Context Modelling Capability |
| Mailing Address | Schonensche Straße 13, 10439 Berlin, Germany |
| legal@contextcapability.com | |
| Telephone | +49 173 2954198 |
| VAT ID (§ 27a UStG) | DE 815 206 962 |
| Data-Protection Officer | Not required under Art. 37 GDPR |
2. Scope
This policy covers processing of personal data when you:
- Visit https://contextcapability.com
- Complete the CMC (Context Modeling Capability) assessment
- Submit your email to receive assessment results
- Receive emails with your results and recommendations
Governed by GDPR, German BDSG, California CCPA/CPRA (where applicable).
3. Definitions (Art. 4 GDPR)
Terms like "personal data," "processing," "controller," "processor," etc., have the meanings given in Art. 4 GDPR.
4. Legal Bases (Art. 6 GDPR)
| Purpose | Legal Basis |
|---|---|
| Assessment submission & results delivery | Consent (Art. 6(1)(a)) |
| Fraud prevention, security logs, essential cookies | Legitimate interest (Art. 6(1)(f)) |
| Analytics cookies | Consent (Art. 6(1)(a) / § 25 TTDSG) |
| Lead generation & follow-up | Legitimate interest (Art. 6(1)(f)) |
No automated decision-making or profiling producing legal effects is performed.
5. Categories of Data
1. Data you provide
- Contact info: email, company name (optional), role (optional)
- Assessment responses: answers to CMC assessment questions
- Organizational context: industry, use case, timeline, company size
2. Data collected automatically
- Technical logs: IP address, device, browser, referrer, timestamp
- Assessment results: calculated CMC scores, bottleneck analysis, risk assessment
3. Third-party data
- Google Analytics 4 (if consented): anonymized pageviews, session duration, device/browser type, geographic region (country-level)
6. Purposes of Processing
- Assessment delivery – calculate CMC scores, identify bottlenecks, assess deployment risk
- Results communication – send personalized results via email
- Security & fraud defense – prevent abuse, retain security logs
- Product analytics – understand usage patterns (only with cookie consent)
- Lead generation – follow up on assessment results, provide consulting opportunities
7. Recipients & Processors (Art. 28)
| Category | Provider | Jurisdiction | Safeguard |
|---|---|---|---|
| Frontend Hosting | Vercel | US | DPA + SCCs |
| Database | Supabase | EU (Germany) | DPA (eu-central-1) |
| Email Delivery | Resend | US | DPA + SCCs |
| Analytics | Google Analytics 4 | US | DPA + SCCs + DPF |
| Internal Notifications | Slack (Salesforce) | US | DPA + SCCs |
All processors are bound by written DPAs; sub-processing only with prior authorization. Slack receives email address, company name, role, and submission type for internal lead notification purposes only.
DPA documentation is available at /legal or on request via legal@contextcapability.com.
8. International Transfers (Art. 44 ff.)
Data is primarily stored in the EU (Germany, eu-central-1). Some processors operate in the US. International transfers rely on:
- Standard Contractual Clauses (2021/914 EU) with TLS & AES-256 encryption
- EU-US Data Privacy Framework (where applicable)
Copies of SCCs/DPF certifications available at /legal or on request: legal@contextcapability.com
9. Cookies & Tracking (§ 25 TTDSG)
| Type | Name / Provider | Purpose | Storage |
|---|---|---|---|
| Essential | cookieyes-consent | Store cookie preferences | 12 months |
| Analytics* | Google Analytics 4 (_ga, _ga_*) | Pageviews, session duration, device type, country | _ga: 2 years; _ga_*: 2 years |
*Only after you "Accept" on our cookie banner; withdraw consent anytime via cookie settings.
10. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Policy or as required by law.
| Data Set | Retention Period |
|---|---|
| Assessment data & results | Indefinite (for research & product improvement) or until deletion requested |
| Email addresses | Until unsubscribe or deletion requested |
| Server logs (technical) | 12 months |
| Cookie consents | 12 months or until withdrawn |
11. Security Measures (Art. 32)
- TLS 1.3 encryption in transit, AES-256 at rest
- Regular security updates and patches
- Access controls and authentication
- 72-hour breach notification (Art. 33 GDPR)
12. Your Rights
You may at any time exercise:
- Access, correction, deletion, restriction, portability, objection (Art. 15–21)
- Withdraw consent (future processing only)
- Request export or deletion of your assessment data
- Opt out of marketing emails via unsubscribe link
Requests: legal@contextcapability.com - we reply within 30 days; ID verification may be required.
13. California Privacy Notice (CCPA/CPRA)
We do not "sell" or "share" personal info for cross-context behavioral ads.
California residents may request:
- Disclosure of categories & specific data
- Deletion or correction
Via legal@contextcapability.com. No discriminatory treatment for exercising rights.
14. Supervisory Authority
You have the right to lodge a complaint with:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstraße 219, 10969 Berlin, Germany
Website: https://www.datenschutz-berlin.de/
15. Changes
Material changes (new processors or legal bases) announced 30 days in advance via email and banner; consent renewed if required.
16. Contact
Data-protection queries: legal@contextcapability.com
Postal address: Schonensche Straße 13, 10439 Berlin, Germany
Last Updated: 09 February 2026
← Back to Home