Privacy policy
Last updated: 9 June 2026. This policy explains, in plain language, which personal data Christoph Backhaus IT processes when you use our website, our academy pages, contact and lead forms, the PWA, the meeting functions or the automation billing portal. This is a translation; the German version at /datenschutz is the authoritative version for legal purposes.
1. Privacy at a glance
We process data only when we need it for the website, a request, a course, a meeting, billing or the security of our systems. Advertising and analytics with Google are loaded only if you consent beforehand.
- If you do not contact us, we generally see only technical server data.
- When you submit a form, we store your details to handle the request.
- Google Ads and analytics stay off without consent.
- Meeting media runs preferably directly between participants via WebRTC. In doing so, participants' IP addresses can become visible to one another.
- Meeting recordings are off by default and are only started visibly and with consent.
- The PWA can store files in the browser so the site loads faster and works better offline.
- Processors that handle data on our behalf (e.g. IONOS, Microsoft 365) are used only under a data processing agreement.
2. Controller
The controller responsible for this website is:
Christoph Backhaus
Christoph Backhaus IT
Am Markt 1
47229 Duisburg
Germany
Phone: +49 (0) 20 65 / 709 84 29
Email: christoph.backhaus@nadooit.de
3. Your rights
You can ask at any time which data we store about you. You can request rectification, deletion or restriction of processing. Where we process data based on your consent, you can withdraw that consent with future effect.
- Access: Art. 15 GDPR
- Rectification: Art. 16 GDPR
- Erasure: Art. 17 GDPR
- Restriction: Art. 18 GDPR
- Data portability: Art. 20 GDPR
- Objection: Art. 21 GDPR
You may also object to processing based on a legitimate interest. You have the right to lodge a complaint with a supervisory authority. For North Rhine-Westphalia this is the State Commissioner for Data Protection and Freedom of Information NRW, Kavalleriestraße 2-4, 40213 Düsseldorf, www.ldi.nrw.de.
4. Hosting, server logs and security
This website is hosted by IONOS (IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany). When the website is accessed, technical server logs are created, for example IP address, time of the request, requested URL, browser, operating system, referrer, status code and amount of data transferred.
We need this data so the website is available, attacks can be detected and errors can be fixed. The legal basis is our legitimate interest in secure and stable operation under Art. 6(1)(f) GDPR. Where data is required for contracts or legal obligations, we also process it under Art. 6(1)(b) or Art. 6(1)(c) GDPR.
IONOS processes this data solely as a processor on our behalf, for example in connection with server logs, backups, support and administrative access. The basis for this is a data processing agreement under Art. 28 GDPR. Processing takes place on servers in Germany. This website is delivered over encrypted HTTPS.
5. Contact by email, phone and form
If you contact us by email, phone or form, we process the data you give us. This may include name, email address, phone number, company, message, the subject of the request and technical form metadata. We use this data to answer your request, prepare an offer, plan courses or discuss a project. The legal basis is Art. 6(1)(b) GDPR for a contract or pre-contractual steps, otherwise our legitimate interest under Art. 6(1)(f) GDPR.
Lead forms on Google Ads and academy pages send the request to our API, where it is stored server-side. Stored fields can include name, email, company, phone, message, lead type, page, language, timestamp, a chosen appointment slot, form details and your privacy confirmation. Advertising attribution is stored only if you have consented to Google Ads and analytics.
Appointment booking and capacity planning
If you choose an appointment for an initial consultation, we store the chosen time with your request and reserve a slot so the same time is not double-booked. The legal basis is Art. 6(1)(b) GDPR (pre-contractual steps). For capacity and staff planning we reconcile bookings with our internal operations software (Launchpad) via a protected interface.
Academy requests and course materials
On the academy pages you can learn about courses, open handouts and send course requests. For a course request we process the details you enter, for example name, email, company, phone, preferred course format, learning goal and message. The legal basis is Art. 6(1)(b) (pre-contractual steps) or Art. 6(1)(f) GDPR. A course request does not automatically subscribe you to a newsletter.
Pre-filled email links (mailto)
For an email request, the link can automatically write the context of the page you visited into the email draft, for example landing page, offer, campaign or keyword. This does not collect any additional data; it merely passes existing information into the draft. You see this text in your email client before sending and can change or delete it. The legal basis for this technical transfer is our legitimate interest under Art. 6(1)(f) GDPR. The underlying campaign parameters (e.g. UTM parameters, gclid, gbraid, wbraid) are stored permanently only after your consent (see the Google Ads section).
6. Applications and internship requests
If you apply to us or request an internship (for example via the internship page, by email or via a form), we process the data you submit for this purpose, such as name, contact details, cover letter, CV, references, qualifications, availability and other information from your application. We use this data solely to decide on your application or internship request and to run the application process.
The legal basis is Art. 6(1)(b) GDPR (initiation of an employment or internship relationship) in conjunction with Section 26(1) BDSG. If no contract is concluded, we generally store your application documents for up to six months after the application process ends and delete them afterwards, unless a longer storage period is legally required or you have expressly consented to longer storage (for example a talent pool).
7. Newsletter
If you subscribe to a newsletter, we process your email address and, if provided, your name and selected topics. Subscription uses double opt-in: after submitting, you receive a confirmation email, and the subscription only becomes active after confirmation. The legal basis is your consent under Art. 6(1)(a) GDPR. You can withdraw consent at any time with future effect.
Technical process and proof of consent
- Confirmation and newsletter emails are sent via Microsoft 365 / Exchange Online.
- Subscriptions are managed in our internal operations software (Launchpad/CRM), to the extent that personal data is stored there.
- We log the double opt-in process (e.g. time of sign-up, confirmation link and time of confirmation) in order to demonstrate consent.
We store your newsletter data until you unsubscribe. After unsubscribing, we keep the data required to prove consent for a reasonable period for legal defence and then delete it.
8. Google Ads, Google Analytics and consent
We may use Google Ads, Google Analytics 4 and Google Tag Manager to understand which campaigns lead to requests. These services are loaded only if you consent in the consent banner. Without consent the website remains usable.
Without consent
- Google tags stay disabled.
- Consent Mode starts with the value "denied".
- Campaign parameters are not stored permanently for attribution.
- Our backend stores no campaign attribution with your request without consent.
With consent
If you consent, the following data may be processed: visited page, referrer, device and browser data, time, clicks on contact or course requests, form success, UTM parameters, campaign details and Google click identifiers such as gclid, gbraid or wbraid. Google may use its own identifiers, cookies or comparable technologies. The legal basis is your consent under Art. 6(1)(a) GDPR and Section 25(1) TDDDG.
Google Ireland Limited provides the Google services in Europe. Depending on the service, data may also be transferred to Google LLC in the USA. For this transfer Google relies on its certification under the EU-U.S. Data Privacy Framework and, additionally, on the standard contractual clauses under Art. 46 GDPR. Google describes its processing at policies.google.com/privacy. See also the section on international data transfers.
9. Cookies, local storage and service worker
The website can be installed as a Progressive Web App. The browser may then cache files such as HTML, CSS, JavaScript, images, the app manifest or audiobook data, so the app loads faster and can work even on a poor connection. The service worker stores static website files; API responses, meeting WebSockets and live meeting content are not cached for offline use.
Legal basis for storing and reading on your device
Where we use local storage, session storage or comparable technologies solely to provide the website and PWA, the meeting functions, authentication or security, storing and reading is technically necessary. The legal basis is Section 25(2) TDDDG in conjunction with our legitimate interest under Art. 6(1)(f) GDPR.
NADOOIT sets no tracking cookies of its own. Storage for marketing, analytics or campaign purposes (for example UTM parameters, gclid, gbraid, wbraid and the cookies of the Google services) takes place only after your prior consent. The legal basis is then Art. 6(1)(a) GDPR and Section 25(1) TDDDG (see the Google Ads section). You can delete this data via your browser or operating system settings.
10. Audiobook, documents and downloads
When you open the audiobook, PDFs, handouts or other documents, the server processes technical access data as with any page request. Your browser may cache media files or documents. We collect access counts only for operational and optimisation purposes and do not use these requests to profile individuals without cause or to analyse their behaviour individually. The legal basis is our legitimate interest in providing and improving this content under Art. 6(1)(f) GDPR.
11. NADOO Meetings, WebRTC and messaging
The NADOOIT website can provide its own meeting, messaging and pairing functions. Depending on the server configuration, these may be enabled or disabled. When you use them, we process data required to establish the connection and take part: display name, meeting or room ID, role, session token, peer ID, join link, WebSocket connection data, ICE candidates, device and browser data, connection status, join and expiry times and WebRTC signaling messages. If recording functions are used, we also process consent status, recording status, start and stop times, pauses, technical recording metadata and the storage location of the recording.
When we send a targeted invitation link, that link can be associated with an invitation and thus with a person or organisation (e.g. email address, customer or staff reference, role, send time, expiry time and deactivation status). The link is therefore a personal means of access and should not be passed on to unauthorised persons.
Audio, video and latency
Audio, video and screen sharing run preferably directly between participants via WebRTC. Depending on the network, STUN or TURN servers are used. With TURN, media traffic can technically pass through a relay server, which we operate ourselves. This relay server only transports content and does not evaluate it for other purposes.
Visibility of IP addresses in peer-to-peer mode
In a direct peer-to-peer connection over WebRTC, participants' devices exchange connection information. As a result, participants' IP addresses can become technically visible to one another. This is inherent to direct connections and cannot be fully avoided. If you do not want this, the connection can be routed through our relay server (TURN); the other participants then see the relay's address instead of yours. We point out this characteristic before participation so you can decide on an informed basis.
Recordings
Participation is possible via browser or PWA. For moderated meetings, a Launchpad desktop application may also be used as an operator and recorder interface. Launchpad can then appear as a visible recorder participant in the room and record audio locally on the operator or host computer if recording has been enabled for the appointment and the required consents are in place.
Recordings are off by default. A recording must not run covertly. If audio recording, transcription or later screen/desktop recording is used, we indicate this in the meeting. Audio recording, transcription and video or screen recording are handled separately. If you do not consent or withdraw consent, the respective recording is not started, is paused, or is ended for you, as far as this is technically and organisationally possible for the specific appointment.
The legal basis is Art. 6(1)(b) GDPR where the meeting serves to perform a contract or pre-contractual talks. For technical provision, security, stability, abuse prevention and moderation we rely on Art. 6(1)(f) GDPR. Voluntary recordings or additional functions take place only with consent under Art. 6(1)(a) GDPR. The specific retention periods for the meeting system are set out in the Retention section.
Planned: video hosting and P2P delivery
We plan to offer our own video hosting and peer-to-peer distribution of videos in future. Once these functions are used productively, we will extend this privacy policy accordingly, in particular regarding video files, access data, IP addresses, streaming metadata, P2P connection data and peer IP addresses. We will offer participation in P2P distribution only after informing users transparently.
12. Automation billing and customer portal
The automation billing portal is used to manage customers, users, API keys, automations, executions, saved time and invoices. The page is not intended for search engines but may be reachable via the server route. It can process customer name, legal company name, billing email, billing address, contact email, VAT ID, user email, display name, user code, role, passkey data, session token hashes, invite token hashes, API key hashes, automation names, execution data, saved seconds, invoice values, payment status and technical metadata.
API keys, enrollment tokens and invite tokens are not stored in plain text but as hashes. Passkeys are processed for passwordless login. Execution data may be stored longer for billing and proof where this is contractually or fiscally required.
13. Planned AI processing of emails and AI-assisted drafts
We plan to support incoming emails and similar workflows with AI functions in future, for example to sort, summarise or prepare replies. We will only use these functions productively once the data protection requirements are met, and we will adapt this policy beforehand.
Phase 1: local AI systems
Where processing takes place entirely locally on our own systems and no data is transferred to third parties, we base the processing on our legitimate interest under Art. 6(1)(f) GDPR or, where it concerns the performance of a contract, on Art. 6(1)(b) GDPR.
Phase 2: external AI providers
Should we use external AI providers, before going live we will in particular review the conclusion of a data processing agreement, the provider's storage and training rules, any international transfers, the transparency obligations towards data subjects and the necessary update of this policy. The specific legal basis depends on the use case; where required, we obtain consent under Art. 6(1)(a) GDPR.
AI-assisted drafts and offers
Where we use AI to prepare drafts or offers, the results are always reviewed and released by humans. We do not make decisions producing legal effects solely by automated means.
14. External links
Our website links to external sites, for example LinkedIn, Twitch or Google privacy pages. When you click these links, you leave our website and the privacy rules of the respective provider apply.
15. Recipients and processors
We share data only where this is necessary for the respective purpose, where we are legally obliged to, or where you have consented. Where processors handle personal data on our behalf, we conclude data processing agreements with them under Art. 28 GDPR.
- IONOS – hosting, servers and server logs.
- Microsoft 365 / Exchange Online – email communication and newsletter delivery.
- Launchpad / internal CRM – internal management of requests, appointments, customers and newsletter sign-ups.
- Google services – only after your consent (Google Ads, Google Analytics 4, Google Tag Manager).
- TURN/relay server – only for media transmission in meetings. We operate the TURN/relay server ourselves on our own infrastructure (as part of this web service); there is no additional external processor for it.
- Future AI providers – only after a separate review and contract (see the AI section).
- Tax advisor and authorities – where legally required.
16. International data transfers
We operate our infrastructure within the European Union. A transfer of personal data to a third country (outside the EU/EEA) currently takes place essentially in connection with the Google services, and only if you have consented beforehand. Google bases the transfer to the USA on its certification under the EU-U.S. Data Privacy Framework and, additionally, on standard contractual clauses under Art. 46 GDPR.
Should we integrate further international providers or external AI services in future, we will document the associated transfers separately in this policy, including the recipients, the safeguards and the legal basis of the transfer under Art. 44 et seq. GDPR.
17. Retention
We store data only as long as we need it for the respective purpose. Server logs are kept only as long as they are needed for security, error analysis and operation. Requests are stored as long as needed for handling, follow-up, contracts or legal obligations.
Production rule for technical logs
- Web server access and error logs are kept as short as possible.
- The deploy default is rotation with about 7 days of retention.
- Longer retention only occurs in a concrete security, error or abuse case.
Meeting system (NADOO Meet)
The meeting system is designed for data-minimising, short-lived operation. The following periods are upper limits; data is usually deleted sooner:
- WebSocket and pairing tokens: expire after a short time; pairing codes after 10 minutes at the latest.
- Participant data (display name, peer ID, connection status): removed from memory immediately after leaving the room.
- Chat messages in the meeting: not stored permanently; passed through only for the live session.
- Invitation links / join secrets: lose validity on expiry or deactivation; related invitation metadata kept for at most 30 days.
- Room data: removed on closure or expiry; related administrative data for at most 30 days.
- Creator tokens (hash only): up to 12 months after withdrawal or deactivation, for proof.
Further periods
- Applications and internship requests: generally up to 6 months after the process ends (see the Applications section).
- Newsletter: until you unsubscribe; proof of consent for a reasonable period thereafter for legal defence.
Lead files, customer data, billing data and invoice data may be stored longer where commercial or tax retention obligations apply. Recordings, transcripts, screen recordings and meeting notes derived from them are stored only where needed for the specific appointment, contract, support case, project history or legal obligations; the specific period is set before or when the respective recording function is used.
18. No solely automated decision-making
We do not make decisions producing legal effects based solely on automated processing of your website behaviour. We use Google Ads and analytics values, where you consent, to measure campaigns and improve our offering. AI-assisted drafts or offers are always reviewed and released by humans.
19. Changes to this policy
We update this privacy policy when the website, PWA, meeting system, academy offerings, lead funnel or the processors we use change. The current version is always available at https://nadooit.de/en/privacy. The German version at /datenschutz is the authoritative version for legal purposes.