Privacy Policy

Last updated: February 2026

1. Privacy at a Glance

General Information

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you. For detailed information on the subject of data protection, please refer to our privacy policy listed below.

Data Collection on This Website

Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find their contact details in the "Controller" section of this privacy policy.

How do we collect your data?
Your data is collected when you provide it to us. This could be data you enter in a contact form, for example. Other data is collected automatically or with your consent when you visit the website by our IT systems. This is primarily technical data (e.g., internet browser, operating system, or time of page access).

What do we use your data for?
Part of the data is collected to ensure error-free provision of the website. Other data may be used to analyze your user behavior. If contracts can be concluded or initiated via the website, the transmitted data will also be processed for contract offers, orders, or other inquiries.

What rights do you have regarding your data?
You have the right to receive information about the origin, recipient, and purpose of your stored personal data free of charge at any time. You also have the right to request the correction or deletion of this data. If you have given consent to data processing, you can revoke this consent at any time for the future. You also have the right to request the restriction of the processing of your personal data under certain circumstances.

2. Controller

The controller responsible for data processing on this website is:

Dennis Rolea
Geffelbachstraße 1
79576 Weil am Rhein
Germany

Phone: +49 1520 6900518
Email: hello@theroleas.com

The controller is the natural or legal person who alone or jointly with others decides on the purposes and means of processing personal data (e.g., names, email addresses, etc.).

3. Hosting

We host the contents of our website with the following provider:

Cloudflare Pages

The provider is Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA (hereinafter "Cloudflare").

When you visit our website, your personal data is processed on Cloudflare's servers. Personal data may also be transferred to Cloudflare's headquarters in the USA. Cloudflare also stores cookies that are necessary for displaying the site and ensuring security (necessary cookies).

The use of Cloudflare is based on Art. 6(1)(f) GDPR. We have a legitimate interest in the most reliable presentation of our website. If consent has been requested, processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25(1) TDDDG.

Data transfer to the USA is based on the EU Commission's Standard Contractual Clauses. Details can be found here: Cloudflare Privacy Policy.

Data Processing Agreement

We have concluded a Data Processing Agreement (DPA) for the use of the above-mentioned service. This is a contract required by data protection law that ensures that this provider processes the personal data of our website visitors only according to our instructions and in compliance with the GDPR.

4. General Information and Mandatory Disclosures

Data Protection

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy.

We would like to point out that data transmission over the Internet (e.g., when communicating by email) may have security gaps. Complete protection of data against access by third parties is not possible.

Storage Duration

Unless a more specific storage period has been stated within this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a legitimate request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g., tax or commercial law retention periods); in the latter case, deletion will take place after these reasons no longer apply.

General Information on the Legal Basis for Data Processing

If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR if special categories of data are processed according to Art. 9(1) GDPR. In the case of explicit consent to the transfer of personal data to third countries, data processing is also based on Art. 49(1)(a) GDPR. If you have consented to the storage of cookies or access to information on your device (e.g., via device fingerprinting), data processing is additionally based on § 25(1) TDDDG. Consent can be revoked at any time.

If your data is required for the performance of a contract or for pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. Furthermore, if your data is required to fulfill a legal obligation, we process it on the basis of Art. 6(1)(c) GDPR. Data processing may also be carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR.

Recipients of Personal Data

In the course of our business activities, we work with various external parties. In some cases, the transfer of personal data to these external parties is necessary. We only disclose personal data to external parties if this is necessary for the performance of a contract, if we are legally obligated to do so (e.g., disclosure of data to tax authorities), if we have a legitimate interest pursuant to Art. 6(1)(f) GDPR, or if another legal basis permits the data disclosure.

Revocation of Your Consent to Data Processing

Many data processing operations are only possible with your express consent. You can revoke consent you have already given at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

Right to Object to Data Collection in Special Cases (Art. 21 GDPR)

IF DATA PROCESSING IS BASED ON ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA AT ANY TIME FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION. THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING IS BASED CAN BE FOUND IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR AFFECTED PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR THE PROCESSING SERVES THE ASSERTION, EXERCISE OR DEFENSE OF LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21(1) GDPR).

IF YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH MARKETING (OBJECTION PURSUANT TO ART. 21(2) GDPR).

Right to Lodge a Complaint with the Supervisory Authority

In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority. The competent supervisory authority is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart, Germany
www.baden-wuerttemberg.datenschutz.de

Right to Data Portability

You have the right to have data that we process automatically on the basis of your consent or in performance of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done to the extent that it is technically feasible.

Information, Correction and Deletion

Within the framework of the applicable legal provisions, you have the right to free information about your stored personal data, its origin and recipients, and the purpose of data processing and, if applicable, a right to correction or deletion of this data at any time. For this purpose, as well as for further questions on the subject of personal data, you can contact us at any time.

Right to Restriction of Processing

You have the right to request the restriction of the processing of your personal data. You can contact us at any time for this purpose.

SSL/TLS Encryption

For security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

5. Data Collection on This Website

Cookies

Our website uses so-called "cookies". Cookies are small data packets and do not cause any damage to your device. They are stored either temporarily for the duration of a session (session cookies) or permanently (persistent cookies) on your device.

When you first visit our website, a cookie banner allows you to select which cookie categories you wish to accept:

  • Necessary – Essential for website functionality (always active). Includes Cloudflare security cookies.
  • Analytics – Google Analytics, Google Tag Manager, and Hotjar. Help us understand how visitors use our website.
  • Marketing – Meta Pixel and Google Ads. Used for advertising and conversion tracking.

You can set your browser to inform you about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when closing the browser. You can change your cookie settings at any time by deleting your browser's cookies and revisiting the website.

Legal basis: The storage of necessary cookies is based on Art. 6(1)(f) GDPR (legitimate interest). For all other cookies, we obtain your consent (Art. 6(1)(a) GDPR).

Server Log Files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

  • Browser type and browser version
  • Operating system used
  • Referrer URL
  • Host name of the accessing computer
  • Time of the server request
  • IP address

This data is not merged with other data sources. The collection of this data is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of their website – for this purpose, server log files must be collected.

Contact Form

If you send us inquiries via the contact form, your details from the inquiry form, including the contact data you provide there, will be stored by us for the purpose of processing the inquiry and in case of follow-up questions. We do not share this data without your consent.

The processing of this data is based on Art. 6(1)(b) GDPR if your inquiry is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of inquiries addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR).

The data you enter in the contact form will remain with us until you request deletion, revoke your consent to storage, or the purpose for data storage no longer applies (e.g., after your request has been processed). Mandatory statutory provisions – in particular retention periods – remain unaffected.

Inquiry by Email, Phone, or WhatsApp

If you contact us by email, phone, or WhatsApp, your inquiry including all resulting personal data (name, inquiry) will be stored and processed by us for the purpose of processing your request. We do not share this data without your consent.

The processing of this data is based on Art. 6(1)(b) GDPR if your inquiry is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of inquiries addressed to us (Art. 6(1)(f) GDPR).

6. Analytics and Advertising

The following analytics and advertising tools are only activated after you have consented via our cookie banner.

Cloudflare Zaraz

This website uses Cloudflare Zaraz to manage and deploy third-party tools (such as Google Analytics, Meta Pixel, and Hotjar). The provider is Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA.

Zaraz loads the services described below server-side via the Cloudflare network, rather than executing them directly in the user's browser. This means less data is transmitted directly to third-party providers. Zaraz itself processes technical data (IP address, user agent, page views) to supply the integrated tools with the required information.

The use of Zaraz for essential functions is based on Art. 6(1)(f) GDPR (legitimate interest in the secure and performant integration of third-party tools). For the analytics and marketing tools loaded via Zaraz: these are only activated after your consent (Art. 6(1)(a) GDPR).

For more information, see the Cloudflare Privacy Policy.

Google Analytics

This website uses functions of the web analytics service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables the website operator to analyze the behavior of website visitors. The website operator receives various usage data, such as page views, duration of visit, operating systems used, and origin of the user. This data is summarized in a user profile and assigned to the respective end device of the user.

Google Analytics uses technologies that enable recognition of the user for the purpose of analyzing user behavior (e.g., cookies or device fingerprinting). The information collected by Google about the use of this website is usually transferred to a Google server in the USA and stored there.

The use of this service is based on your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TDDDG. Consent can be revoked at any time.

Data transfer to the USA is based on the EU Commission's Standard Contractual Clauses. Details can be found here: Google Standard Contractual Clauses.

For more information on how Google Analytics handles user data, please see Google's privacy policy: Google Analytics Privacy.

Google Tag Manager

We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a tool that allows us to integrate tracking or statistics tools and other technologies on our website. Google Tag Manager itself does not create user profiles, does not store cookies, and does not perform independent analyses. It is only used to manage and deploy the tools integrated through it.

Use is based on your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TDDDG.

Hotjar

This website uses Hotjar. The provider is Hotjar Ltd., Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta (website: hotjar.com).

Hotjar is a tool for analyzing your user behavior on this website. With Hotjar, we can record your mouse and scroll movements and clicks, among other things. Hotjar can also determine how long you stayed with your mouse pointer on a certain spot. From this information, Hotjar creates so-called heatmaps, which can be used to determine which areas of the website are preferred by website visitors.

We can also determine how long you stayed on a page and when you left it. We can also determine at what point you abandoned your entries in a contact form (so-called conversion funnels).

In addition, Hotjar can be used to obtain direct feedback from website visitors. This function serves to improve the website operator's web offerings.

Hotjar uses technologies that enable recognition of the user for the purpose of analyzing user behavior (e.g., cookies or use of device fingerprinting).

The use of this service is based on your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TDDDG. Consent can be revoked at any time.

For more information, please see Hotjar's privacy policy: Hotjar Privacy Policy.

Meta Pixel (formerly Facebook Pixel)

This website uses the visitor action pixel from Meta for conversion measurement. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

This allows the behavior of site visitors to be tracked after they have been redirected to the provider's website by clicking on a Meta ad. This allows the effectiveness of Meta ads to be evaluated for statistical and market research purposes and future advertising measures to be optimized.

The data collected is anonymous for us as operators of this website; we cannot draw any conclusions about the identity of users. However, the data is stored and processed by Meta so that a connection to the respective user profile is possible and Meta can use the data for its own advertising purposes in accordance with the Meta data usage policy.

The use of this service is based on your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TDDDG. Consent can be revoked at any time.

Data transfer to the USA is based on the EU Commission's Standard Contractual Clauses. Details can be found here: Meta EU Data Transfer Addendum.

For more information, please see Meta's privacy policy: Meta Privacy Policy.

7. Integrated Services and Content

Adobe Fonts (Typekit)

This website uses Adobe Fonts for font rendering. The provider is Adobe Inc., 345 Park Avenue, San Jose, CA 95110-2704, USA.

When the website loads, a connection to Adobe's servers is established to retrieve the required fonts. Your IP address is transmitted to Adobe in this process.

This is based on Art. 6(1)(f) GDPR (legitimate interest in an appealing presentation of the website). For more information, see Adobe's Privacy Policy.

YouTube

Videos from YouTube are embedded on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

When you visit a page with embedded YouTube videos, a connection to YouTube's servers is established. The YouTube server is informed which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to associate your browsing behavior directly with your personal profile.

The use of YouTube is in the interest of an appealing presentation of our online offerings. This constitutes a legitimate interest within the meaning of Art. 6(1)(f) GDPR. For more information, see Google's Privacy Policy.

Cal.com

We use Cal.com for online appointment scheduling. The provider is Cal.com, Inc., USA. When you use a booking calendar on our website, an embedded widget from Cal.com is loaded. Your IP address and browser data are transmitted to Cal.com. When booking an appointment, the data you enter (name, email address, desired appointment) is processed by Cal.com.

Processing is based on Art. 6(1)(b) GDPR (pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in efficient appointment management). For more information, see Cal.com's Privacy Policy.

Data Processing via Own Servers (n8n)

Contact form submissions are processed through our self-hosted automation platform (n8n), which runs on a server controlled by us in Germany. The submitted data does not leave our infrastructure and is not shared with third parties. Processing is based on Art. 6(1)(b) GDPR (contract initiation).

8. Newsletter / Email Marketing

If you subscribe to our newsletter, we will use the data required for this purpose or separately provided by you to regularly send you our email newsletter. Unsubscribing from the newsletter is possible at any time and can be done either by sending a message to hello@theroleas.com or via an unsubscribe link in the newsletter.

Processing is based on your consent (Art. 6(1)(a) GDPR). You can revoke the consent you have given to store the data, the email address, and its use for sending the newsletter at any time.

9. Social Media

Instagram

Links to our Instagram profile are integrated on our website. We operate a profile on Instagram. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

When you click on the corresponding link, you will be redirected to our Instagram profile. Your IP address will be transmitted to Instagram.

For details, please refer to Instagram's privacy policy: Instagram Privacy Policy.

10. Client Galleries (galleries.theroleas.com)

We operate an online gallery platform at galleries.theroleas.com, through which our clients and their wedding guests can view, favorite, and download photos and videos.

Registration and Login

Using the galleries requires registration. The following data is collected:

  • Client access: Name, email address, password (stored encrypted)
  • Guest access: Name, email address, password (stored encrypted)

Alternatively, you can sign in via Google Sign-In (OAuth). In this case, we receive your name, email address, and profile picture from Google. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For more information, see Google's Privacy Policy.

Processing is based on Art. 6(1)(b) GDPR (contract performance for our clients) and Art. 6(1)(a) GDPR (consent for guest registration and Google OAuth).

Usage Data in the Gallery

When using the galleries, we process the following data:

  • Favorites: Photos you mark as favorites are associated with your account
  • Downloads: Downloaded files are logged
  • Session data: For authentication, we use JWT tokens stored as cookies (validity: 7 days)

This processing is based on Art. 6(1)(b) GDPR (provision of the gallery service) and Art. 6(1)(f) GDPR (legitimate interest in platform functionality).

Hosting and Storage

The gallery platform is hosted on Cloudflare Pages. Photos and videos are served via Cloudflare R2 (object storage). The information provided in Section 3 (Hosting) regarding Cloudflare applies accordingly.

Retention Period

  • Gallery accounts (clients): Until deletion by the client or 12 months after delivery of final images
  • Gallery accounts (guests): Until deletion by the guest or 12 months after the wedding date
  • Photos and videos: 12 months after delivery to the client
  • Favorites and usage data: Deleted together with the account

Rights of Data Subjects

Clients and guests can request the deletion of their gallery account and all associated data at any time by contacting us at hello@theroleas.com.

11. Automated Decision-Making

We do not use automated decision-making including profiling that has legal effect on you or similarly significantly affects you.

12. Retention Periods

We store your personal data only for as long as is necessary to fulfill the purposes for which it was collected:

  • Contact form inquiries: Until your inquiry is fully processed, maximum 6 months after completion
  • Booking data: 10 years (legal retention obligation under HGB/AO)
  • Invoice data: 10 years (legal retention obligation)
  • Email correspondence: 6 years after termination of the business relationship
  • Server logs: 7 days

13. Changes to This Privacy Policy

We reserve the right to adapt this privacy policy so that it always complies with current legal requirements or to implement changes to our services in the privacy policy, e.g., when introducing new services. The new privacy policy will then apply to your next visit.