Privacy Policy
Quick summary
- We collect your contact and business details when you book a call or engage our services
- We use it to deliver the Exit Readiness Program and (if you opt in) send helpful insights on AI and exit readiness
- We do not sell your data. We never have and never will
- We use Bunny Fonts (EU-hosted) - not Google Fonts - to protect your privacy on every page load
- Analytics and marketing cookies require your explicit consent before activation (TDDDG §25)
- You can request access, correction, or deletion of your data at any time
- ExValu is below the threshold requiring a formal Data Protection Officer (BDSG §38 requires 20+ employees). Our privacy contact is [email protected]
Data Controller
1.1 Who is responsible for your data
The data controller responsible for processing your personal data is:
ExValu
Karl zu Ortenburg
Gstaller Weg 36
82166 Grafelfing
Federal Republic of Germany
Email: [email protected]
Phone: +49 (0) 89 83 999 089
Website: exvalu.com
1.2 Privacy contact
ExValu does not meet the threshold for mandatory appointment of a Data Protection Officer under BDSG §38 (which requires 20 or more employees regularly involved in automated data processing). All data protection enquiries should be directed to [email protected] with the subject line "Privacy - [Your Name]".
1.3 What we do
ExValu helps SME founders and owners prepare their businesses for exit by building operational independence, improving EBITDA quality, and creating documented, transferable systems. Services include the Exit Readiness Program, AI Voice Receptionist (Ava), email automation infrastructure, and advisory diagnostics. This work involves handling business and personal information in order to deliver results.
1.4 Geographic scope
ExValu primarily serves clients in the EU, EEA, UK, and DACH region. GDPR applies to all personal data we process regardless of where our clients are located. Clients outside the EU/EEA also benefit from GDPR-equivalent protections as our baseline standard.
Personal Data We Collect
2.1 Data you provide directly
When booking a call or completing a diagnostic form
- First and last name
- Email address and phone number
- Company name and website URL
- Role in the company (founder, owner, director, etc.)
- Annual revenue range and EBITDA estimate
- Exit planning timeline
- Decision-making authority
When engaging our services
- Business process documentation and internal workflows shared with us
- Team member contact details where relevant to project delivery
- Billing and invoicing details (processed by payment providers - not stored by ExValu)
- Goals, challenges, and strategic information discussed during the engagement
When contacting us
- Email correspondence
- Call recordings (only with your prior explicit consent - see Section 3.1)
- Support messages and feedback
2.2 Data we collect automatically
When you visit the ExValu website, we may collect the following data - subject to your cookie consent choices:
- IP address (anonymised for EU/EEA visitors)
- Browser type, device type, and operating system
- Pages visited, time on site, and referral source
- Geographic location at country/city level only
2.3 Business research from public sources
To prepare effectively for discovery calls and diagnostic sessions, we may research publicly available information about your business. This is limited to:
- Your company website and published content
- Public company registrations (Handelsregister, Companies House UK)
- LinkedIn company page (public information only)
- Public press releases and news mentions
- Industry benchmarks and publicly available financial filings
We do not access private social media profiles, purchase third-party consumer data, scrape private databases, or monitor your employees or customers.
2.4 Data we do not collect
- Special category data (health, ethnicity, religion, political opinions) - we have no legitimate purpose for this
- Data from individuals under 18 - our services are for business owners only
- Automated credit or financial scoring data
How and Why We Process Your Data
3.1 Lawful basis by processing activity
We process personal data only where we have a valid lawful basis under GDPR Article 6. The following table sets out each processing activity, its purpose, and the legal basis we rely on:
| Processing activity | Purpose | Lawful basis |
|---|---|---|
| Booking and call management | Process your appointment, send confirmations and reminders | Contract Art. 6(1)(b) |
| Service delivery | Deliver the Exit Readiness Program and all contracted services | Contract Art. 6(1)(b) |
| Invoicing and payment | Issue invoices, process payments, maintain accounting records | Contract Art. 6(1)(b) Legal Obligation Art. 6(1)(c) |
| Pre-call business research | Review public information to prepare relevant analysis | Legitimate Interest Art. 6(1)(f) |
| CRM contact management | Maintain relationship records for active prospects and clients | Legitimate Interest Art. 6(1)(f) |
| Security and fraud prevention | Protect our systems and services from misuse | Legitimate Interest Art. 6(1)(f) |
| Marketing emails and newsletters | Send insights on exit readiness and AI automation (opt-in only) | |
| Call recordings | Knowledge capture during project delivery sessions | |
| Analytics cookies | Understand website usage and improve content | |
| Tax and accounting retention | Comply with German tax law (7-year retention) | Legal Obligation Art. 6(1)(c) |
| Legal claims | Establish, exercise, or defend legal rights | Legitimate Interest Art. 6(1)(f) |
3.2 Legitimate interest balancing
Where we rely on legitimate interest (Art. 6(1)(f)), we have assessed that our interests are balanced against your interests and rights. Specifically: pre-call research is limited to publicly available information and is directly relevant to providing you with a useful, personalised service; CRM management enables us to follow up appropriately without pestering you; security processing protects both parties. You have the right to object to legitimate interest processing at any time - see Section 8.
3.3 Call recording consent
Where knowledge capture sessions are recorded, we obtain explicit consent before the recording begins. You will be informed verbally and/or in writing that the session is being recorded, the purpose of the recording, how long it will be retained, and your right to withdraw consent. Recordings are the property of the Client and are deleted from ExValu systems at engagement close or on request.
3.4 Marketing communications
If you opt in, we may send 1-2 emails per month covering exit readiness insights, AI automation case studies, industry benchmarks, and service announcements. We never send daily emails, share your address with advertisers, or send unsolicited SMS. You can unsubscribe at any time via the link in any email, by replying STOP to any SMS, or by emailing [email protected].
Who We Share Your Data With
We do not sell, rent, or trade personal data. We share data only with the trusted sub-processors listed below who help us operate our business. All sub-processors have signed Data Processing Agreements (DPAs) and are required to comply with GDPR and equivalent laws.
Data shared
Contact info, call notes, appointment history, email and SMS sequences, CRM records
Safeguards
GDPR-compliant, Standard Contractual Clauses (SCCs), SOC 2. EU data centre option used where available.
Data shared
Email correspondence, calendar invites, document storage for engagement materials
Safeguards
GDPR-compliant, EU data centres, ISO 27001, SCCs for any residual US transfers
Data shared
Font requests (IP address during page load only - not logged or stored by Bunny.net)
Safeguards
EU-hosted. Selected specifically as a GDPR-compliant alternative to Google Fonts. No data retained per Bunny.net privacy policy.
Data shared
No personal data shared. Avatar videos are public website content only.
Safeguards
GDPR-compliant, EU-hosted
Data shared
Billing information only. Not stored by ExValu. Processed directly by the payment provider.
Safeguards
PCI-DSS compliant, SCCs for US data transfers
Data shared
Anonymised IP, browser data, page views, session data. Only activated after explicit cookie consent.
Safeguards
IP anonymisation enabled, 14-month data retention, SCCs. Consent required under TDDDG §25 - not activated by default.
Data shared
Name, email, and call recordings where consent has been given for recording
Safeguards
GDPR-compliant, SCCs, end-to-end encryption available
4.1 Legal disclosures
We may disclose personal data where required by law, including in response to court orders, regulatory investigations, or lawful law enforcement requests. We review all such requests for legal validity, provide only the minimum data required, and notify you where legally permitted to do so.
4.2 Business transfers
In the event of a merger, acquisition, or sale of ExValu's business or assets, personal data may be transferred to the new owner as part of that transaction. You will be notified at least 30 days before any such transfer. The new owner will be required to honour this Privacy Policy. You may request deletion of your data before any transfer takes effect.
International Data Transfers
Some of our sub-processors are based outside the EU/EEA (primarily the USA). We ensure your data is protected through the following mechanisms:
- Standard Contractual Clauses (SCCs): Approved by the European Commission (Decision 2021/914). Legally binding agreements requiring equivalent data protection standards for all transfers to sub-processors in non-adequate countries.
- EU-US Data Privacy Framework: Where sub-processors have certified under the DPF (confirmed valid by the EU Court of First Instance, September 2025), this provides a further adequacy basis for US transfers.
- EU data centre preference: Where our sub-processors offer EU data centre options (Google Workspace, GoHighLevel), we use them to minimise cross-border transfers.
How Long We Keep Your Data
| Data category | Retention period | Lawful basis | Deletion method |
|---|---|---|---|
| Prospect data (no call booked) | 90 days from form submission | Legitimate interest | Automated CRM workflow |
| No-show or declined call | 90 days from scheduled date | Legitimate interest | Automated CRM workflow |
| Active prospect (in conversation) | 90 days from last interaction | Legitimate interest | Manual review then deletion |
| Marketing subscribers | Until unsubscribe + 30 days | Consent | Automatic suppression then deletion |
| Client project data | 7 years from project completion | Legal obligation (tax law) | Secure archival then deletion |
| Call and session recordings | 2 years or project end (sooner) | Consent | Secure deletion, certificate on request |
| Website analytics data | 14 months (Google Analytics setting) | Consent (TDDDG §25) | Automatic by Google |
| Payment and invoice records | 10 years (GoBD / German tax law) | Legal obligation | Secure archival by payment processor |
| Email correspondence | 3 years from last contact | Legitimate interest | Manual deletion on request or schedule |
"Last interaction" means: last email reply from you; last website visit (if tracked with consent); last scheduled call date; or last support activity - whichever is most recent.
Data Security
7.1 Technical measures
- SSL/TLS encryption for all data in transit between your browser and our systems
- AES-256 encryption for stored data at rest
- Role-based access controls and principle of least privilege for all team access
- Two-factor authentication (2FA) required for all accounts with access to personal data
- Encrypted backups stored in separate geographic locations
- Regular vulnerability assessments and security reviews
7.2 Organisational measures
- Annual data protection awareness training
- Confidentiality agreements for all personnel with data access
- Data minimisation - we collect only what is necessary for defined purposes
- Documented incident response procedures meeting GDPR Article 33 (72-hour breach notification requirement)
- Regular review and audit of sub-processor compliance
7.3 Data breach response
In the event of a personal data breach, ExValu will: immediately investigate and contain the breach; assess scope and risk to affected individuals; notify the relevant supervisory authority within 72 hours where required under GDPR Article 33; notify affected individuals without undue delay where the breach is likely to result in high risk under GDPR Article 34; and document the breach in our breach register. We will provide you with details of the nature of the breach, data affected, mitigation steps taken, and our contact information.
Your Rights Under GDPR
Under GDPR Articles 15-22 and applicable national data protection law, you have the following rights. All requests should be sent to [email protected] with the subject line "[Right Name] Request - [Your Name]". We respond within 30 days. There is no charge for reasonable requests.
Right of Access
Request a copy of all personal data we hold about you, including the categories, purposes, recipients, retention periods, and source of data.
Right to Rectification
Request correction of inaccurate or incomplete personal data. Include specific information to be corrected and supporting documentation where available.
Right to Erasure
Request deletion of your personal data where it is no longer necessary, consent has been withdrawn, or processing is unlawful. Exceptions apply for legal retention obligations.
Right to Restrict Processing
Request that we limit how we use your data while we verify its accuracy, assess a legitimacy objection, or pending resolution of a legal claim.
Right to Data Portability
Receive your data in a machine-readable format (CSV, JSON, or PDF) where processing is based on consent or contract and is carried out automatically.
Right to Object
Object to processing based on legitimate interests at any time. Object to direct marketing at any time with immediate effect - no justification required.
Right to Withdraw Consent
Withdraw consent for any processing based on consent (marketing, recordings, analytics) at any time. Withdrawal does not affect the lawfulness of prior processing.
Right to Complain
File a complaint with a supervisory authority if you believe we have violated your rights. See supervisory authority contact details below.
8.1 How to exercise your rights
Email: [email protected]
Subject: "[Right Name] Request - [Your Name]"
Include: your full name, email address used with ExValu, the specific right you wish to exercise, and any relevant details.
To protect your privacy, we may ask you to verify your identity via email confirmation, last interaction date, or other reasonable means. No fee is charged for reasonable requests. Excessive or clearly unfounded requests may incur a fee under GDPR Article 12(5).
8.2 Automated decision-making and profiling
ExValu does not use fully automated decision-making with legal or similarly significant effects (GDPR Article 22). We use limited lead scoring in our CRM to prioritise follow-up based on company size, exit timeline, decision authority, and engagement level. This scoring does not produce legal effects, does not affect your ability to book a call or access our services, and is reviewed by our team before any action is taken. You may object to this profiling by emailing [email protected].
8.3 Supervisory authorities
Cookies and Tracking Technologies
9.1 Legal framework
Cookie use on this website is governed by TDDDG §25 (Germany's implementation of the EU ePrivacy Directive) and GDPR. Under TDDDG §25, consent is required before setting or reading non-essential cookies. The German Consent Management Ordinance (EinwV, effective April 1, 2025) sets additional requirements for how consent is collected and managed.
9.2 Cookie categories
Essential (always active - no consent required)
- Session management: maintains your session while you browse
- Form functionality: preserves form data during multi-step processes
- Security: prevents CSRF attacks and maintains site integrity
Analytics (consent required - TDDDG §25 + GDPR Art. 6(1)(a))
- Google Analytics with IP anonymisation: page views, session duration, bounce rate, referral source
- Retention: 14 months
- Only activated after your explicit consent via the cookie banner
- Opt-out: tools.google.com/dlpage/gaoptout
Marketing (consent required)
- Retargeting and campaign tracking (only enabled if you have opted in to marketing)
- Retention: 90 days
9.3 Fonts - why we use Bunny Fonts not Google Fonts
Google Fonts transmit your IP address to Google servers on every page load, creating a data transfer to the USA without consent. This has been held to violate GDPR by German courts. ExValu uses Bunny Fonts (hosted in the Netherlands by bunny.net) as a privacy-compliant alternative. Bunny Fonts does not log or store IP addresses and processes no personal data. No consent is required for font loading.
9.4 Managing your cookie preferences
You can change your cookie consent choices at any time via our cookie banner (accessible from the footer of every page). You can also manage cookies via your browser settings, though disabling essential cookies may impact site functionality. We honour browser Do Not Track (DNT) signals for analytics cookies.
Full details are in our Cookie Policy at exvalu.com/cookie-policy.
9.5 Children
ExValu's services are directed at business owners and are not intended for individuals under 18. We do not knowingly collect data from minors. If we discover we have inadvertently collected data from a minor, we will delete it immediately and notify any known guardian. Contact [email protected] if you have concerns.
California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to request deletion, and the right to opt out of any "sale" of personal information. ExValu does not sell personal information as defined by CCPA. To exercise your CCPA rights, email [email protected] with the subject "CCPA Request - [Your Name]". We will respond within 45 days. We will not discriminate against you for exercising your CCPA rights.
Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in applicable law, our services, or data practices. For material changes that affect your rights or how we process your data, we will notify active contacts by email at least 30 days before the change takes effect, and provide the option to withdraw consent if you disagree. Non-material clarifications or formatting changes will be made without direct notification; the "Effective Date" at the top of this page will be updated. We maintain a version history of this policy, available on request.
This Privacy Policy does not constitute a contract. It describes our current data protection practices. Continued use of our website or services after a material change constitutes acknowledgement of the updated policy, but not consent to any new processing that requires separate consent under GDPR.
Datenschutzerklarung - Deutsche Zusammenfassung
Dies ist eine Zusammenfassung der wichtigsten Punkte dieser Datenschutzerklarung auf Deutsch. Die vollstandige englische Version ist die rechtlich massgebliche Fassung. Bei Widerspruchen gilt die englische Version.
English summary
Controller
ExValu, Karl zu Ortenburg, Gstaller Weg 36, 82166 Grafelfing, Germany. Contact: [email protected].
No mandatory DPO
ExValu is below the 20-employee threshold for mandatory DPO appointment under BDSG §38. Privacy contact: [email protected].
Lawful bases
Contract (service delivery), Legitimate Interest (pre-call research, CRM), Consent (marketing, recording, analytics), Legal Obligation (tax records).
Your rights
Access, rectification, erasure, restriction, portability, objection, withdrawal of consent. Contact [email protected]. Supervisory authority: BfDI (bfdi.bund.de).
Cookies
Non-essential cookies require explicit consent under TDDDG §25. No analytics cookies are set before you consent.
Deutsche Zusammenfassung
Verantwortlicher
ExValu, Karl zu Ortenburg, Gstaller Weg 36, 82166 Grafelfing. E-Mail: [email protected].
Kein Datenschutzbeauftragter
ExValu unterschreitet die Schwelle von 20 Beschaftigten gemas BDSG §38 und ist nicht zur Bestellung eines DSB verpflichtet. Datenschutzkontakt: [email protected].
Rechtsgrundlagen
Vertrag (Leistungserbringung), berechtigte Interessen (Recherche, CRM), Einwilligung (Marketing, Aufzeichnungen, Analyse-Cookies), rechtliche Verpflichtung (Steuerunterlagen).
Ihre Rechte
Auskunft, Berichtigung, Loschung, Einschrankung, Ubertragbarkeit, Widerspruch, Widerruf der Einwilligung. Kontakt: [email protected]. Aufsichtsbehorde: BfDI (bfdi.bund.de).
Cookies
Nicht essentielle Cookies erfordern gemas TDDDG §25 eine ausdruckliche Einwilligung. Ohne Ihre Einwilligung werden keine Analyse-Cookies gesetzt.
Privacy Contact
All privacy enquiries
Karl zu Ortenburg
ExValu
Gstaller Weg 36
82166 Grafelfing, Germany
[email protected]
+49 (0) 89 83 999 089
Request types
Data access: "Access Request - [Name]"
Data deletion: "Erasure Request - [Name]"
Marketing opt-out: "Unsubscribe - [Name]"
General privacy: "Privacy Query - [Name]"
CCPA requests: "CCPA Request - [Name]"
Response time: 30 days (GDPR), 45 days (CCPA)
Innovation
Fresh, creative solutions.
Integrity
Honesty and transparency.
Excellence
Top-notch services.
FOLLOW US
COMPANY
CUSTOMER CARE
LEGAL
© 2026 ExValu All rights reserved. AI-Driven Exit Readiness for SMEs. Increase valuation, reduce founder dependency, exit successfully.