Privacy Policy
Bonanza Design GmbH — Last updated: February 18, 2026
1. Data Controller
The data controller responsible for this website is:
Bonanza Design GmbH
c/o The Delta Campus, Donaustraße 44
12043 Berlin, Germany
Managing Director: Abbas Mirafshar
Email: contact@bonanza.design
Registered at District Court of Berlin (Charlottenburg): HRB 240659 B
VAT ID: DE 352551404
2. Overview
This Privacy Policy explains how Bonanza Design GmbH (“we”, “us”, “our”) collects, uses, stores, and protects personal data when you visit our website at www.bonanza-studios.com (the “Website”) and any subdomains or proxied pages served under that domain, including pages hosted on bonanza-website-2025.vercel.app.
We process personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the German Federal Data Protection Act (BDSG), and the German Telecommunications-Telemedia Data Protection Act (TTDSG).
3. What Data We Collect
3.1 Server Access Logs
When you visit our Website, our hosting providers automatically collect:
- IP address (anonymized where possible)
- Date and time of access
- Pages visited and resources requested
- Referring URL
- Browser type and version
- Operating system
Lawful basis: Legitimate interest (GDPR Article 6(1)(f)) in ensuring website security, stability, and performance.
Retention: Server logs are retained for up to 30 days and then automatically deleted.
3.2 Email Address (Download and Marketing)
When you request a downloadable resource through our lead magnet pages, we collect:
- Your email address
- Your marketing consent preference (opt-in checkbox)
This email is used to:
- Send a one-time verification email to confirm your identity
- Deliver the download link upon successful verification
- If you opt in: send periodic updates about new toolkit releases, skill library updates, and related resources
Lawful basis:
- Download delivery: Consent (GDPR Article 6(1)(a)). You voluntarily provide your email to receive the download.
- Marketing updates: Separate, explicit consent (GDPR Article 6(1)(a)) via opt-in checkbox. Marketing consent is optional and does not affect your ability to download resources.
Retention:
- Email addresses and verification tokens are stored in our database.
- Verification tokens expire after 24 hours.
- Email records for download fulfillment are retained for up to 12 months for fraud prevention and to avoid duplicate requests.
- Marketing consent records (including consent date and method) are retained for as long as consent is active. Upon withdrawal of consent, the marketing flag is removed. The email record may be retained for up to 12 months for download-related purposes.
Withdrawal of consent: You may withdraw marketing consent at any time by clicking the unsubscribe link in any marketing email or by contacting us at contact@bonanza.design. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
3.3 Website Analytics (Cookie-Free)
We use Umami Cloud (https://cloud.umami.is/) for privacy-friendly website analytics. Umami collects:
- Page views and referrer URLs
- Browser type, operating system, and device type
- Country-level geolocation (derived from IP, not stored)
Umami is designed to be GDPR-compliant by default:
- No cookies are set
- No personal data is collected or stored
- No cross-site tracking or fingerprinting
- IP addresses are not logged
- Data is aggregated and anonymous
Because Umami does not process personal data or use cookies, no consent banner is required under GDPR or TTDSG.
Lawful basis: Legitimate interest (GDPR Article 6(1)(f)) in understanding website usage to improve content and user experience.
3.4 Calendly Bookings
Our Website contains links to Calendly (calendly.com) for scheduling consultations. On most pages, Calendly opens in a new browser tab. On our 404 error page, a Calendly widget is embedded directly.
When you book a call through Calendly — whether via link or embed — your data (name, email, and any information you provide) is processed by Calendly Inc. under their own privacy policy.
We are a joint controller with Calendly only to the extent that we receive booking data. For Calendly’s data practices, please refer to: https://calendly.com/privacy
Lawful basis: Consent (GDPR Article 6(1)(a)) and pre-contractual measures (GDPR Article 6(1)(b)).
3.5 No Additional Tracking
As of the date of this policy, this Website does not use:
- Tracking pixels or advertising tags
- Social media tracking scripts
- Fingerprinting or cross-site tracking
- Third-party analytics cookies
If we introduce additional tracking in the future, this policy will be updated and a cookie consent mechanism will be implemented before any tracking begins.
4. Cookies
This Website uses only strictly necessary cookies required for basic site functionality (e.g., session handling by the web framework). These cookies:
- Do not track you across websites
- Do not contain personal data
- Are not shared with third parties
- Are exempt from consent requirements under the ePrivacy Directive and TTDSG Section 25(2)
Our analytics provider (Umami) does not set any cookies. We do not set any marketing, analytics, or preference cookies.
5. Sub-Processors and Third-Party Services
We use the following third-party service providers who may process personal data on our behalf:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Vercel Inc. | Application hosting (Next.js) | IP addresses, access logs, request metadata | USA (SCCs) |
| Cloudflare Inc. | CDN, DDoS protection, reverse proxy | IP addresses, TLS data, request headers | USA/EU (SCCs) |
| Webflow Inc. | Website hosting (main site) | IP addresses, access logs, page views | USA (SCCs) |
| Neon Inc. | Database hosting (PostgreSQL) | Email addresses, verification tokens, consent records | EU (Frankfurt) |
| Resend Inc. | Email delivery (transactional & marketing) | Email addresses, email content | USA (SCCs) |
| Umami Cloud | Privacy-friendly website analytics | Aggregated, anonymous usage data (no personal data) | EU |
| Calendly LLC | Appointment scheduling | Name, email, booking details | USA |
All US-based providers operate under EU Standard Contractual Clauses (SCCs) or equivalent safeguards to ensure adequate data protection for transfers outside the EU/EEA. Our database (Neon) is hosted within the EU (Frankfurt, Germany), ensuring email addresses and consent data do not leave the European Economic Area.
6. Data Transfers Outside the EU/EEA
Personal data may be transferred to the United States through our sub-processors listed in Section 5. These transfers are protected by:
- EU Standard Contractual Clauses (SCCs) adopted by the European Commission
- Additional technical and organizational measures implemented by each provider
Our primary data store (Neon PostgreSQL) is located in the EU (AWS eu-central-1, Frankfurt), meaning core personal data (email addresses, consent records) remains within the EEA.
You can request a copy of the applicable safeguards by contacting us at contact@bonanza.design.
7. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- TLS/SSL encryption for all data in transit
- Cloudflare DDoS protection and WAF (Web Application Firewall)
- Access controls limiting data access to authorized personnel
- Verification tokens with 24-hour expiration to minimize exposure
- No storage of passwords, payment data, or sensitive personal categories
- Database hosted in EU (Frankfurt) with encrypted connections
8. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Server access logs | Up to 30 days | Security and stability |
| Email addresses (download verification) | Up to 12 months | Fraud prevention, duplicate avoidance |
| Verification tokens | 24 hours (auto-expire) | Functional necessity |
| Marketing consent records | Until consent withdrawn | Consent documentation |
| Umami analytics data | Aggregated, no personal data | Not applicable (anonymous) |
| Calendly booking data | Per Calendly’s retention policy | Contractual relationship |
After the retention period, data is permanently deleted or anonymized.
9. Your Rights Under GDPR
As a data subject in the EU/EEA, you have the following rights:
| Right | Description |
|---|---|
| Right of Access (Art. 15) | Request a copy of the personal data we hold about you |
| Right to Rectification (Art. 16) | Request correction of inaccurate personal data |
| Right to Erasure (Art. 17) | Request deletion of your personal data (“right to be forgotten”) |
| Right to Restriction (Art. 18) | Request limitation of processing of your personal data |
| Right to Data Portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Right to Object (Art. 21) | Object to processing based on legitimate interest |
| Right to Withdraw Consent (Art. 7(3)) | Withdraw consent at any time without affecting prior processing |
To exercise any of these rights, contact us at:
Email: contact@bonanza.design
Post: Bonanza Design GmbH, Donaustraße 44, 12043 Berlin, Germany
We will respond to your request within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.
10. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for Bonanza Design GmbH is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
(Berlin Commissioner for Data Protection and Freedom of Information)
Friedrichstraße 219
10969 Berlin, Germany
Phone: +49 30 13889-0
Email: mailbox@datenschutz-berlin.de
Website: https://www.datenschutz-berlin.de
11. California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights:
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we collect.
- Right to Delete: You may request deletion of personal information we have collected.
- Right to Opt-Out of Sale: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise these rights, contact us at contact@bonanza.design.
12. Children’s Privacy
This Website is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at contact@bonanza.design and we will delete the data promptly.
13. Email Marketing Compliance
Transactional Emails
Emails sent through our download verification system are transactional in nature (delivering a requested resource). They do not require marketing consent.
Marketing Emails
If you opt in via the checkbox on our download forms, we may send you periodic updates about new toolkit releases and resource updates. These emails:
- Are sent only with your explicit, separate consent
- Include a clear and functioning unsubscribe link in every email
- Identify the sender as Bonanza Design GmbH
- Include our physical mailing address
- Will cease immediately upon unsubscribe or consent withdrawal
We comply with:
- GDPR: Explicit opt-in consent obtained before sending marketing emails
- CAN-SPAM Act: All emails identify the sender and include our physical address and unsubscribe mechanism
- CASL (Canada): Marketing emails sent only with express consent; transactional emails (download delivery) qualify under CASL Section 6(6)
14. Google Fonts
This Website uses the Questrial font from Google Fonts. The font files are self-hosted on our own servers (served via next/font on Next.js pages and from Webflow’s CDN on Webflow pages). No requests are made to Google’s servers when you visit our Website, and no data is transmitted to Google through font loading.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The “Last updated” date at the top of this policy indicates when the most recent revision was made.
We encourage you to review this page periodically. Material changes will be communicated through a notice on our Website.
16. Contact
For any questions about this Privacy Policy or our data practices, contact:
Bonanza Design GmbH
c/o The Delta Campus, Donaustraße 44
12043 Berlin, Germany
Email: contact@bonanza.design
This privacy policy is provided for informational purposes and has been drafted to reflect current operations and applicable regulations. Consult with a qualified attorney specializing in EU/German data protection law for legal advice specific to your situation.


