Privacy Policy
Last updated: 27.04.2026
1. Introduction
This privacy policy explains what personal data we collect when you visit debiaslab.com, how we use it, and the rights you have under the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
Debias is a brand of Dr. Nina Weber, Einzelunternehmen, based in Berlin, Germany. Our full contact details are in the imprint.
We have written this policy to be readable. If anything is unclear, please contact us at contact@debiaslab.com and we will explain.
2. Controller
The controller responsible for processing your personal data on debiaslab.com is:
Dr. Nina Weber, Einzelunternehmen, trading as Debias
Lepsiusstr. 14
12163 Berlin
Germany
Email: contact@debiaslab.com
3. Data we collect
We only collect data that you provide voluntarily, plus the technical data necessary to deliver and secure the website.
3.1 Server log data
When you visit the website, our hosting provider (IONOS SE, Germany) automatically collects technical information for security and operational reasons. This typically includes:
• IP address (in shortened form where possible)
• Date and time of the request
• Pages requested
• HTTP status code and amount of data transferred
• Referring URL (the page you came from)
• Browser type and operating system
This data is necessary to deliver the website and protect against abuse. It is not combined with other data to identify individual visitors.
3.2 Contact form data
If you fill in a contact form (on the consulting or workshops page), we collect:
• Your name
• Your email address
• The category you selected (e.g. type of workshop, type of consulting goal)
• The content of your message
• Your consent to processing (recorded with timestamp)
We use this data only to reply to your enquiry and, if relevant, to discuss possible engagements.
3.3 Newsletter signup data
If you subscribe to our newsletter, we collect:
• Your email address
• Your consent to receive the newsletter (recorded with timestamp)
You can unsubscribe at any time using the link at the bottom of every newsletter, or by contacting us.
3.4 Cookies and similar technologies
The website uses cookies. You can review and manage your cookie preferences via our cookie consent banner (powered by CookieYes) at any time by clicking the “cookie settings” link in the footer.
We distinguish between:
• Strictly necessary cookies, which are required for the website to function (for example, to remember your cookie preferences). These are set without consent on the basis of our legitimate interest in providing a working website.
• Optional cookies (analytics), which are only set after you give explicit consent through the cookie banner.
A full list of cookies in use, including their purpose and retention period, is available inside the cookie banner.
4. How we use your data and the legal basis
We process your data only for the purposes set out below. Each purpose is supported by a legal basis under Art. 6(1) GDPR.
• Delivering and securing the website (server logs): Art. 6(1)(f) GDPR – legitimate interest in operating a working, secure website.
• Responding to contact form submissions: Art. 6(1)(a) GDPR – your consent (the consent checkbox); and Art. 6(1)(b) where the contact relates to a potential contract.
• Sending the newsletter: Art. 6(1)(a) GDPR – your consent.
• Analytics (where consent is given): Art. 6(1)(a) GDPR – your consent via the cookie banner.
• Complying with legal obligations (e.g. tax records): Art. 6(1)(c) GDPR – legal obligation.
5. Third-party processors and recipients
To operate the website we use the following service providers. Each one processes data on our behalf under a Data Processing Agreement (DPA) where applicable.
5.1 IONOS SE (Germany) – hosting
The website is hosted by IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. IONOS processes server log data described in section 3.1.
Privacy policy: https://www.ionos.de/terms-gtc/terms-privacy
5.2 Web3Forms (USA) – contact form processing
Submissions from the contact forms on consulting and workshops pages are processed by Web3Forms (Web3Forms LLC, United States), which forwards them to our email inbox.
Legal basis: Art. 6(1)(a) GDPR (your consent on the form) and Art. 6(1)(f) GDPR (legitimate interest in receiving and replying to enquiries).
Data transferred: name, email, message content, category selection, timestamp, IP address.
This involves a transfer of data to the United States. We rely on EU Standard Contractual Clauses to safeguard this transfer.
Privacy policy: https://web3forms.com/legal/privacy-policy
5.3 Brevo (France) – newsletter delivery
Newsletter signups are processed by Brevo (Sendinblue SAS, 106 boulevard Haussmann, 75008 Paris, France).
Legal basis: Art. 6(1)(a) GDPR (your consent at signup).
Data transferred: email address, consent timestamp, technical data needed to deliver the email (e.g. opens and clicks).
Privacy policy: https://www.brevo.com/legal/privacypolicy/
5.4 Calendly (USA) – call booking
When you click a “Book a free call” link, you are taken to a separate booking page operated by Calendly (Calendly LLC, United States). Calendly processes whatever booking information you choose to provide there. We receive the booking confirmation and any details you submit during booking.
Legal basis: Art. 6(1)(b) GDPR (steps taken at your request prior to entering a contract) and Art. 6(1)(f) GDPR (legitimate interest in scheduling calls efficiently).
This involves a transfer of data to the United States. We rely on EU Standard Contractual Clauses.
Privacy policy: https://calendly.com/privacy
5.5 Google LLC (USA) – fonts, analytics, calendar embed
The website loads:
• Google Fonts (Playfair Display and Inter) from Google’s content delivery network. When the fonts load, your IP address is transferred to Google.
• Google Analytics (only after your consent via the cookie banner). IP addresses are anonymised before processing.
• Google Calendar embed on the workshops page, which displays our public workshop calendar. When this embed loads, your IP address and browser data are transferred to Google.
Operator: Google Ireland Ltd. (EU representative) and Google LLC (USA).
Legal basis for Fonts and Calendar embed: Art. 6(1)(f) GDPR (legitimate interest in presenting our content with consistent typography and showing workshop dates).
Legal basis for Analytics: Art. 6(1)(a) GDPR (your consent).
Transfers to the USA are safeguarded by EU Standard Contractual Clauses and the EU-US Data Privacy Framework.
Privacy policy: https://policies.google.com/privacy
5.6 No sale or unrelated use of data
We do not sell, rent, or trade your personal data. We share data only with the processors listed above, only for the purposes described, and only to the extent necessary to deliver the website and our services.
6. International data transfers
Some of the processors above are based in the United States. Whenever data is transferred outside the European Economic Area (EEA), we rely on legal safeguards under Chapter V of the GDPR, including:
• EU Standard Contractual Clauses (SCCs) approved by the European Commission, and
• where applicable, adequacy decisions such as the EU-US Data Privacy Framework.
You can request more information about the specific safeguards in place by contacting us at contact@debiaslab.com.
7. Data retention
We keep personal data only for as long as we need it for the purpose it was collected, or for as long as we are legally required to.
• Server logs are kept for 7 days, then automatically deleted.
• Contact form data is kept for the duration of the conversation, plus a reasonable period afterwards (typically up to 12 months), unless longer retention is needed for an active engagement or legal reasons.
• Newsletter data is kept until you unsubscribe or request deletion.
• Tax-relevant records (where applicable) are kept for 10 years, as required under § 147 AO.
When data is no longer needed, we delete or anonymise it.
8. Your rights under GDPR
You have the following rights regarding your personal data. Many of these can be exercised by emailing us at contact@debiaslab.com. We will respond within 30 days, in line with Art. 12(3) GDPR. We may need to verify your identity before disclosing personal data.
• Right of access (Art. 15 GDPR): you can ask what personal data we hold about you.
• Right to rectification (Art. 16): you can ask us to correct inaccurate or incomplete data.
• Right to erasure (Art. 17), the “right to be forgotten”: you can ask us to delete data we no longer need or that we hold without a valid legal basis. Note that we may have to keep some data to meet legal obligations (e.g. tax records).
• Right to restrict processing (Art. 18): you can ask us to pause processing in specific circumstances (e.g. while we verify a correction).
• Right to data portability (Art. 20): you can ask for a copy of data you provided to us in a structured, machine-readable format.
• Right to object (Art. 21): where we process data based on legitimate interest, you can object and we will stop unless we have compelling grounds that override your rights.
• Right to withdraw consent (Art. 7(3)): where processing is based on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
• Right to lodge a complaint (Art. 77): you can complain to a supervisory authority. The competent authority for us is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI), https://www.datenschutz-berlin.de.
9. Data breach notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours under Art. 33 GDPR. If the breach is likely to result in a high risk to your rights, we will also inform affected individuals directly under Art. 34 GDPR.
10. Children’s privacy
The website is aimed at adult professionals and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at contact@debiaslab.com and we will delete it.
11. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top reflects the most recent change. For significant changes affecting how we process your personal data, we will give reasonable advance notice.
12. Contact
For privacy questions or to exercise your rights, please contact us:
Dr. Nina Weber, Einzelunternehmen, trading as Debias
Lepsiusstr. 14
12163 Berlin
Germany
Email: contact@debiaslab.com
The supervisory authority for data protection complaints is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin
https://www.datenschutz-berlin.de