Privacy Policy

Last updated: 02 February 2026

"At Miriclest, privacy is an engineering principle. We practice 'Privacy by Architecture' and minimize data collection. The following detailed policy explains exactly how your data flows through our secure, European-hosted infrastructure. "

1. Controller & Scope

The controller responsible for data processing is:

Miriclest UG (haftungsbeschränkt)
Graf-Adolf-Platz 15
40213 Düsseldorf
Germany
Email: datenschutz@miriclest.com
Website: www.miriclest.com

Scope of this Policy: This policy applies specifically to the corporate website and the scheduling/contact platforms provided at this domain. Please note that our specific in-house digital products (SaaS solutions, APIs, etc.) are governed by their own dedicated privacy policies and Terms of Service, which can be found on their respective product portals.

2. Infrastructure & Data Sovereignty

We operate a sovereign stack where possible. We do not sell data.

* Cloud Infrastructure: Our platform is hosted on Google Cloud Platform (GCP). We mandate that data storage, platform resource allocation, and primary processing occur on servers located within the European Union (Frankfurt/Belgium regions, etc.). Strict access controls ensure that only authorized engineers can access the production environment.
* Global Security Providers: While our storage is European, we use Google reCAPTCHA to validate that you are human. As a global security service, it may process metadata globally to detect botnets. This transfer is protected by the EU-US Data Privacy Framework (DPF).

3. Technical Data & Security Logs

3.1. Server Logs (90 Days)

* Data Collected: To ensure system stability, our servers capture technical metadata: IP address, browser type (User-Agent), operating system, timestamp, referring URL, request status code, etc.
* Purpose: These logs are strictly isolated from application data. We use them to detect DDoS attacks, identify scanning bots, and analyze system errors.
* Retention: We retain raw security logs for 90 days to allow for forensic analysis of slow-moving threats. Flagged incident data is kept for 24 months.
* Legal Basis: Legitimate Interest in Network Security (Art. 6(1)(f) GDPR).

4. Meeting Requests & Communication

When you submit a request:

* Data: Name, Email, Company, Message, Transaction Metadata, preferred time slots, etc.
* Purpose: To evaluate your request and establish a business relationship.
* Legal Basis: Pre-contractual measures (Art. 6(1)(b) GDPR).

5. Analytics (Privacy-First)

5.1. Session Analytics (With Consent)

* Mechanism: If you grant permission via our banner, we use First-Party Cookies to stitch interactions together into a session. This helps us understand user journeys (e.g., how long a user stays on a page, entry pages, etc.).
* Strict Limitations: Even with consent, we do not link this data to Google Accounts, we do not enable ad personalization, and IP addresses are anonymized by default.
* Retention: Analytics data is automatically deleted after 14 months.
* Legal Basis: Your explicit consent (Art. 6(1)(a) GDPR).

6. Retention Policy (Summary)

We practice strict storage limitation:

* Security Logs: 90 Days.
* Analytics Data: 14 Months (automatically deleted by the system).
* Meeting/Contact Data: 24 Months (for business continuity and security audit trails).
* Client Contracts & Invoices: 10 Years (as required by German Tax Law/HGB, etc.).

7. Security Measures

We treat data security as an engineering challenge, not just a policy. We employ end-to-end TLS encryption, database encryption at rest, and strict IAM (Identity and Access Management) roles to ensure that your data is seen only by systems and staff that require it.

8. Your Rights

You have the right to Access, Rectification, Erasure, and the Right to Object (Art. 21) to processing. Contact us at datenschutz@miriclest.com.