Privacy Policy
As of: May 2026
1. Introduction
We, Entropy CS GmbH, take the protection of your personal data very seriously. We handle your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.
This website is intended exclusively for companies and organizations (B2B). It is not intended for children under 16 years of age.
2. Controller
The controller responsible for data processing on this website within the meaning of the GDPR is:
Entropy CS GmbH
André Grabow (Managing Director)
Sunday Street 30
10245 Berlin, Germany
Phone: +49 30 863283641
Email: info@entropy-cybersecurity.com
3. Data Protection Officer
Entropy CS GmbH has not appointed a data protection officer, as the legal requirements for such an appointment under Section 38 of the BDSG are not currently met. For data protection inquiries, please contact the controller named under item 2 directly.
4. Collection and storage of personal data
a) When visiting the website
When you access our website, the browser used on your device automatically sends information to our website’s server. This information is temporarily stored in a so-called log file:
– IP address of the requesting computer
– Date and time of access
– Name and URL of the retrieved file
– Website from which the access originates (referrer URL)
– browser used and, if applicable, operating system, as well as the name of your access provider
The data mentioned are processed for the following purposes: ensuring a smooth connection setup to the website, ensuring convenient use, evaluating system security and stability, and for other administrative purposes.
The legal basis is Art. 6 para. 1 lit. f GDPR. Our legitimate interest arises from the purposes listed above. Under no circumstances do we use the collected data for the purpose of drawing conclusions about your person. Processing takes place as part of the hosting by Framer (see section 5); the retention periods of our hosting provider apply to the storage period of the server log files.
b) When contacting us by email or contact form
For inquiries by email to info@entropy-cybersecurity.com as well as via the contact form on this website, we process the data you voluntarily provide (in particular name, company, email address, telephone number, and the content of your message) for the purpose of responding to your inquiry. The data processing is carried out on the basis of Art. 6(1)(b) GDPR (pre-contractual or contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding to business inquiries).
Submissions from the contact form are technically processed by our hosting provider Framer (see section 5) and forwarded to our business email address. There, they are received and stored via Google Workspace (see section 7). As part of handling your inquiry, your contact details may also be transferred to our customer relationship management system HubSpot (see section 8).
Your data will be deleted as soon as it is no longer required for the purpose for which it was collected, provided that no legal retention obligations prevent this.
c) For applications / unsolicited applications
On the "Careers" page, we offer the option to submit unsolicited applications by email to info@entropy-cybersecurity.com. We process the application documents and information you provide (e.g., name, contact details, CV, cover letter, qualifications, and, where applicable, references) solely for the purpose of reviewing your application and, if applicable, considering you for employment. Incoming application emails are received and stored via Google Workspace (see section 7) and may be stored in our customer relationship management system HubSpot (see section 8).
The legal basis for processing is Section 26(1), sentence 1 of the German Federal Data Protection Act (BDSG) in conjunction with Article 88 of the GDPR (data processing for the purposes of the employment relationship), as well as Article 6(1)(b) of the GDPR (pre-contractual measures). If special categories of personal data (e.g., health data, ethnic origin) are voluntarily included in your application, they will be processed on the basis of your consent pursuant to Article 9(2)(a) of the GDPR.
In the event of a rejection, your application documents will be deleted after no later than six months, unless a longer retention period is required to protect legitimate interests (in particular to defend against claims under the General Equal Treatment Act). If you are hired, the data required for the employment relationship will be further processed in accordance with the applicable statutory and contractual provisions.
5. Hosting and Provision of the Website
This website is hosted by Framer B.V., Singel 258, 1016 AB Amsterdam, Netherlands. Framer processes technical access data on our behalf to ensure the secure provision of the website.
Framer uses the infrastructure of Amazon Web Services (AWS), with its primary location in the United States, to provide our website; additionally, content is delivered via a globally distributed Content Delivery Network (CDN). Personal data is therefore transferred to the United States. Amazon Web Services is certified under the EU-U.S. Data Privacy Framework. In addition, Framer has entered into EU Standard Contractual Clauses pursuant to Art. 46 para. 2 lit. c GDPR (Implementing Decision (EU) 2021/914). Framer is certified according to ISO 27001:2022 and SOC 2 Type 2.
The legal basis for processing is Art. 6(1)(f) GDPR (legitimate interest in providing our website securely and with high performance). We have a data processing agreement with Framer in accordance with Art. 28 GDPR.
More information: https://www.framer.com/legal/privacy-policy/
6. Appointment booking (Google Calendar Appointment Scheduling)
On the “Free Risk Assessment” page, we offer you the option to book appointments via Google Calendar Appointment Scheduling. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
When booking an appointment, the data you provide (name, email address, any message, and preferred appointment time) is transmitted to Google and processed there. Transfer to the USA (Google LLC) cannot be ruled out. Google is certified under the EU-U.S. Data Privacy Framework.
The legal basis for processing is Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(a) GDPR (consent through use of the booking tool).
More information about privacy at Google: https://policies.google.com/privacy
7. Receiving Email (Google Workspace)
Incoming emails sent to our business address are processed and stored via Google Workspace (Google Ireland Limited). The processing serves business communication and is based on Art. 6(1)(f) GDPR (legitimate interest in efficient corporate communication). We have a data processing agreement with Google. Transfers to the USA are safeguarded on the basis of the EU-U.S. Data Privacy Framework and the EU Standard Contractual Clauses.
8. Customer Relationship Management (HubSpot)
We use the CRM system HubSpot from HubSpot Ireland Limited, 1 Sir John Rogerson's Quay, Dublin 2, Ireland, to manage customer relationships, inquiries, and business correspondence. As part of processing inquiries via our contact form or by email, we may store and process the contact details provided (name, company, email address, telephone number, content of the message) as well as any further correspondence in HubSpot.
HubSpot hosts personal data within the EU. A data processing agreement exists with HubSpot in accordance with Art. 28 GDPR. The legal basis for processing is Art. 6(1)(f) GDPR (legitimate interest in efficient customer communication and business processing) or Art. 6(1)(b) GDPR (initiation and performance of a contract). A transfer to the USA by HubSpot is not excluded and is carried out on the basis of the EU-U.S. Data Privacy Framework and the EU Standard Contractual Clauses.
More information: https://legal.hubspot.com/privacy-policy
9. Cookies and web analytics
Our website uses cookies and similar technologies. Cookies are small text files stored in your browser to ensure the website functions properly or to analyze its use. We distinguish between technically necessary cookies and cookies that require consent.
Technically necessary cookies are required for the operation and security of the website. This includes cookies set by embedded third-party services when actively used (e.g. Google Calendar Appointment Scheduling on the “Free Risk Assessment” page). These cookies cannot be disabled and are set on the basis of Section 25(2) of the TDDDG without consent.
With your consent, we use Google Analytics 4 to measure reach and statistically evaluate the use of our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Transfer to Google LLC in the USA cannot be ruled out.
Google Analytics 4 sets cookies that can be used to evaluate your use of the website. These include in particular the cookies _ga and _ga_<Container-ID>. The retention period for usage data in Google Analytics is limited to 2 months; after that, the data is automatically deleted.
To integrate Google Analytics, we use Google Tag Manager (provider: Google Ireland Limited). Google Tag Manager itself does not store any personal data, but it is used to load additional services such as Google Analytics.
The legal basis for the use of Google Analytics 4 and Google Tag Manager is your consent pursuant to Section 25(1) TDDDG as well as Article 6(1)(a) GDPR. International data transfers to the USA are carried out on the basis of the EU-U.S. Data Privacy Framework and supplementary EU Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR.
You can withdraw your consent at any time with effect for the future by reopening the cookie banner via the "Cookie Settings" link in the footer and adjusting your selection. Processing carried out up to the point of withdrawal remains lawful.
More information about privacy at Google: https://policies.google.com/privacy
10. Sharing of Data
Your personal data will not be transferred to third parties for purposes other than those stated in this notice. We will only pass on your data if:
– You have expressly consented (Art. 6(1)(a) GDPR)
– the disclosure is necessary for the assertion, exercise or defense of legal claims (Art. 6(1)(f) GDPR) and there is no overriding interest on your part
– there is a legal obligation (Art. 6 (1) lit. c GDPR)
– this is necessary for the performance of the contract (Art. 6(1)(b) GDPR)
11. International Data Transfer
If personal data is transferred to third countries outside the EU or EEA, this will only take place if an adequate level of data protection is ensured. This may result from an adequacy decision by the European Commission (e.g. the EU-US Data Privacy Framework), from Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR, or from an exception under Art. 49 GDPR.
12. Data Subject Rights
You have the right:
– to request information about your personal data processed by us in accordance with Article 15 of the GDPR
– pursuant to Art. 16 GDPR, to request without delay the correction of inaccurate or the completion of your personal data stored by us
– pursuant to Article 17 of the GDPR, to request the deletion of your personal data stored by us, unless processing is necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defense of legal claims
– under Article 18 of the GDPR, to request the restriction of the processing of your personal data
– pursuant to Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller
– in accordance with Art. 7(3) GDPR, to withdraw your consent once given to us at any time
— in accordance with Article 77 of the GDPR, to lodge a complaint with a supervisory authority
The competent supervisory authority is:
Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstr. 219, 10969 Berlin
https://www.datenschutz-berlin.de
13. Right to object
If your personal data is processed on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided there are grounds for doing so arising from your particular situation.
If you wish to exercise your right to object, simply send an email to info@entropy-cybersecurity.com.
14. Data Security
We use the commonly used SSL/TLS method (Secure Socket Layer / Transport Layer Security) within your visit to our website, combined with the highest level of encryption supported by your browser. Whether a single page of our website is transmitted in encrypted form can be recognized by the closed padlock symbol in your browser’s status bar.
In addition, we use appropriate technical and organizational measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
15. Updates and changes to this privacy policy
This privacy policy is currently valid and is dated May 2026. As our website and the services offered through it continue to develop, or due to changes in legal or regulatory requirements, it may become necessary to amend this privacy policy. You can access and print the current privacy policy at any time on this website.