Sequator
EN
Start a project

Privacy Policy

Scope

This policy covers the Sequator corporate website at sequator.com. Individual Sequator products publish their own product-specific privacy policies.

Controller

The controller within the meaning of the GDPR and other national data protection laws is:

Sequator GmbH
Gladbacher Str. 31A
52525 Heinsberg
Nordrhein-Westfalen
Germany
Email: hello@sequator.com

Data Protection Officer

A data protection officer is not legally required and has not been appointed. For data protection questions, please contact hello@sequator.com.

Hosting and Website Delivery

This website is hosted on the infrastructure of Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA ("Cloudflare"), using Cloudflare Workers and Cloudflare Assets. Whenever you access the site, Cloudflare technically necessarily processes the following data to deliver the page, protect against attacks, and ensure availability:

  • IP address of the requesting device
  • HTTP headers (e.g. user agent, referrer, language)
  • timestamp of the request
  • requested URL and HTTP method
  • amount of data transferred and HTTP status code

Legal basis: Art. 6 (1) (f) GDPR. Our legitimate interest is the secure, stable, and performant delivery of the website and the defence against attacks.

Transfer to a third country: Cloudflare is based in the USA. The transfer is based on the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46 (2) (c) GDPR and additionally on Cloudflare's certification under the EU-US Data Privacy Framework (adequacy decision of the European Commission). A Data Processing Addendum with Cloudflare (currently version 6.3 of 20 June 2025) pursuant to Art. 28 GDPR is in place. For details, see www.cloudflare.com/privacypolicy and www.cloudflare.com/cloudflare-customer-dpa.

Server Logs

Cloudflare logs the request data mentioned under "Hosting" in server logs.

  • Purpose: operational security, abuse prevention (e.g. detection of DDoS attacks and automated crawlers), error analysis.
  • Legal basis: Art. 6 (1) (f) GDPR.
  • Legitimate interest: secure and stable operation of the website.
  • Retention period: according to Cloudflare documentation, raw per-request Workers logs are retained for up to 7 days on the Workers Paid plan (Free plan: up to 3 days) and then deleted automatically. In addition, Cloudflare provides aggregated statistics (e.g. request counts, status codes, top countries) without reference to individual log lines for up to six months. The data is not combined with other sources and is not used to create user profiles.

Email Communication and Email Hosting

If you send us an email at hello@sequator.com, we process the content of your message, your sender address, and any other personal data contained in the email in order to handle your request.

Our mailbox is operated as part of Google Workspace by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Processing by affiliated companies in the USA (Google LLC) cannot be ruled out.

  • Purpose: handling and responding to your inquiry.
  • Legal basis: Art. 6 (1) (b) GDPR for pre-contractual and contractual inquiries; Art. 6 (1) (f) GDPR for other inquiries (legitimate interest in communicating with prospects and customers).
  • Transfer to a third country: transfers to the USA are based on the EU Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR. A data processing agreement with Google pursuant to Art. 28 GDPR is in place.
  • Retention period: emails are deleted as soon as they are no longer required for the purpose for which they were collected. Statutory retention obligations, in particular under § 257 HGB (German Commercial Code) and § 147 AO (German Fiscal Code) — as a rule six or ten years — remain unaffected.

Web Analytics with Plausible Analytics (self-hosted)

To analyse the use of this website we run Plausible Analytics, a privacy-friendly, cookieless open-source web analytics tool. We operate Plausible on our own infrastructure; the provider is not Plausible Insights OÜ — data processing takes place exclusively on a server we control. The tracking script is served from the subdomain t.sequator.com.

  • Hosting of the analytics instance: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Servers are located in data centres in Germany. A data processing agreement with Hetzner pursuant to Art. 28 GDPR is in place. No transfer to third countries outside the EU takes place.
  • Processed data: requested URL, referrer, browser, operating system, device type, and approximate geographic location at country level (derived from the IP address). The IP address itself is not stored — it is only used in memory to compute a daily-rotating, pseudonymous hash that lets us recognise returning visitors within the same day. Re-identification of individuals is not possible.
  • What Plausible does not do: it sets no cookies, stores or reads no information on your device, performs no cross-site tracking, uses no fingerprinting, and transfers no personal data to third parties.
  • Purpose: understanding usage statistics (e.g. page views, time on page, country of origin, popular content) for continuous improvement of content and performance.
  • Legal basis: Art. 6 (1) (f) GDPR. Our legitimate interest is a reach analysis without profiling. Consent under § 25 (1) TDDDG (German implementation of the ePrivacy Directive) is not required because Plausible neither stores information on your device nor accesses information already stored there (exemption under § 25 (2) No. 2 TDDDG).
  • Retention period: aggregated statistics are stored indefinitely. The daily-rotating recognition hash is discarded automatically after 24 hours.
  • Right to object: since no personal data is processed and no cookies are set, a separate opt-out is technically unnecessary. You may nevertheless block the script at any time using a tracking blocker or the Do-Not-Track signal of your browser.
  • More information about how Plausible works: plausible.io/data-policy.

Google Analytics 4 (consent-based)

In addition, only with your explicit consent, we use Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Processing by the affiliated company Google LLC in the USA cannot be ruled out.

  • Measurement ID: G-M8G8KJ18CL
  • Processed data: truncated IP address, device and browser information, screen resolution, referrer, requested URLs, click and scroll events, session and device pseudonyms, and a randomly generated user ID that is stored in cookies in your browser (in particular _ga and _ga_<container-id>, typically with a lifetime of up to 24 months).
  • Purpose: analysis of usage behaviour for the optimisation of content, performance, and marketing.
  • Legal basis: Art. 6 (1) (a) GDPR and § 25 (1) TDDDG (German implementation of the ePrivacy Directive) — consent obtained via our cookie banner. Without your consent, GA4 is not loaded and no GA4 cookies are set.
  • Withdrawal of consent: you may withdraw your consent at any time with effect for the future by reopening the cookie settings and disabling the "Analytics" category. Processing carried out before withdrawal remains lawful.
  • Transfer to a third country: data is transferred to the USA. The transfer is based on the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46 (2) (c) GDPR and on Google LLC's certification under the EU-US Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023). A data processing agreement with Google pursuant to Art. 28 GDPR is in place, supplemented by Google's Ads Data Processing Terms.
  • Note on US authorities: despite the Data Privacy Framework, a residual risk remains that US security authorities may access the transferred data. We have no influence over this.
  • Retention period: the retention period for user- and event-level data in GA4 is configured to 14 months, after which the data is automatically deleted.
  • More information: Google privacy policy: policies.google.com/privacy; overview of cookies used by GA4: business.safety.google/adscookies.

Cookie Consent and Cookie Banner

On your first visit, we display a consent banner that informs you about the services requiring consent and lets you make your selection. We use the open-source library vanilla-cookieconsent for this purpose, served locally from our own server. Your selection is stored in a strictly necessary cookie (cc_cookie, lifetime up to 12 months) on your device so that the banner does not reappear on subsequent visits.

  • Legal basis: Art. 6 (1) (c) GDPR in conjunction with Art. 7 (1) GDPR (proof of consent) as well as § 25 (2) No. 2 TDDDG (cookie strictly necessary to provide the explicitly requested service).
  • Manage consent: you can reopen and change your cookie settings at any time via the "Cookie settings" link in the footer.

Cookies

Cookies are only set on this website where strictly necessary (cc_cookie for storing your consent decision) or where you have explicitly consented to optional cookies (e.g. those of Google Analytics 4). The Plausible Analytics reach measurement is fully cookieless.

Fonts

We use the "Geist" typeface. The font is delivered exclusively from our own server (via the npm package @fontsource-variable/geist). No connection is made to Google Fonts or any other external font CDN; your IP address is not transmitted to third parties for this purpose.

What we don't collect

  • No user accounts on this site.
  • No newsletter signups on this site.
  • No embedded third-party content (e.g. YouTube, Vimeo, social plugins) that transfers data to third parties.
  • No Meta Pixel, TikTok Pixel, or comparable marketing trackers.

Your rights

You have the following rights with regard to your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing (Art. 21 GDPR): where we process personal data on the basis of legitimate interests under Art. 6 (1) (f) GDPR, you may object to such processing at any time on grounds relating to your particular situation.
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

Competent Supervisory Authority

The supervisory authority competent for us is the

State Commissioner for Data Protection and Freedom of Information
North Rhine-Westphalia (LDI NRW)
Kavalleriestraße 2–4
40213 Düsseldorf, Germany
Phone: +49 211 38424-0
Web: www.ldi.nrw.de

You may also contact any other data protection supervisory authority.

Contact

Privacy questions: hello@sequator.com