© 2026 LIGHT and STORIES. All rights reserved.
Legal Notice | Privacy Policy

Privacy Policy

Privacy Policy

1. Controller

Controller within the meaning of Art. 4 No. 7 GDPR:

Konstantinos Zacharopoulos
LIGHT and STORIES
Kennedyallee 48
60596 Frankfurt am Main
Germany
Email: hello@lightandstories.com

A data protection officer has not been appointed, as there is no legal obligation pursuant to Art. 37 GDPR.

2. Hosting

This website is hosted by:

IONOS SE
Elgendorfer Str. 57
56410 Montabaur
Germany

IONOS processes personal data on our behalf pursuant to Art. 28 GDPR (Data Processing Agreement).

Server Log Files

When you access this website, the hosting provider automatically collects and stores information in server log files. The following data may be collected:

  • IP address
  • Date and time of access
  • Requested page/file
  • Referrer URL
  • Browser type and version
  • Operating system

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s device.

Processing serves the purposes of:

  • Ensuring technical stability and system security
  • Preventing and investigating misuse or cyberattacks
  • Maintaining proper website operation

Legal basis:
Art. 6(1)(f) GDPR (legitimate interest in secure, stable, and technically reliable website operation).

Server log data is stored only as long as necessary for the purposes described above and is deleted in accordance with applicable legal requirements and the hosting provider’s retention policies.

3. Contact Form

When you contact us via the contact form, the following personal data is processed:

  • Name
  • Email address
  • Subject
  • Message content

Purpose of Processing

  • Responding to your inquiry
  • Initiating or performing pre-contractual communication
  • Maintaining efficient and secure communication with website visitors

Legal Basis

  • Art. 6(1)(b) GDPR (pre-contractual measures)
  • Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries and maintaining communication)

Providing this data is voluntary. However, without the required information (e.g., name and email address), we may not be able to process or respond to your request.

If your inquiry does not result in a contractual relationship, personal data will generally be deleted within 12 months after final processing of the request, unless further retention is required for legal or evidentiary reasons.

If a contractual relationship is established, data may be retained in accordance with statutory retention obligations under German commercial and tax law (generally 6 or 10 years pursuant to HGB and AO).

Data transmission via the contact form is encrypted using SSL/TLS.

4. Email Communication

If you contact us by email, the data you transmit (including metadata) will be stored for the purpose of processing your request.

Legal basis:

  • Art. 6(1)(b) GDPR
  • Art. 6(1)(f) GDPR

Email correspondence is retained only as long as necessary to process the inquiry and comply with statutory retention obligations.

5. Recipients of Personal Data

Personal data may be processed by:

  • Hosting provider (IONOS SE)
  • IT service providers involved in maintaining and operating the website
  • Email service infrastructure used for communication

Where legally required, such service providers act as processors under Art. 28 GDPR and are contractually bound to process personal data only in accordance with our instructions.

Personal data is not sold, rented, or shared with third parties for marketing purposes.

6. International Data Transfers

Data processing generally takes place within the European Union.

If, in individual cases, personal data is transferred to a third country outside the EU/EEA, such transfer will occur exclusively in compliance with Art. 44 et seq. GDPR and based on appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission or an adequacy decision pursuant to Art. 45 GDPR.

7. Cookies and Local Storage

This website uses only strictly necessary cookies and comparable technologies required for the secure and functional operation of the website.

The storage of information on your end device or access to information already stored is based on the German Telecommunications-Telemedia Data Protection Act (TTDSG) and the ePrivacy framework, insofar as applicable.

Legal basis:
Art. 6(1)(f) GDPR (legitimate interest in ensuring website functionality, stability, and security).

No tracking, profiling, analytics, or marketing cookies are used.

No consent management tool is required, as no consent-based technologies are implemented.

8. Storage Duration

Personal data is stored only for as long as necessary to fulfill the respective purpose of processing.

Where statutory retention periods apply (e.g., under German commercial or tax law), data may be retained for 6 or 10 years.

After expiry of the applicable retention period, data is deleted in accordance with legal requirements.

9. Data Security

We implement appropriate technical and organizational measures pursuant to Art. 32 GDPR to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

10. Your Rights Under the GDPR

You have the following rights:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object pursuant to Art. 21 GDPR

If processing is based on Art. 6(1)(f) GDPR, you have the right to object on grounds relating to your particular situation.

To exercise your rights, please contact: hello@lightandstories.com

11. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in the EU/EEA, in particular in your Member State of residence, place of work, or place of the alleged infringement.

Competent supervisory authority for Hesse, Germany:

The Hessian Commissioner for Data Protection and Freedom of Information
Gustav-Stresemann-Ring 1
65189 Wiesbaden
Germany

12. No Automated Decision-Making

No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place.