Privacy Notice
in the version dated July 31, 2025
Content
Thank you for your interest in Mainly Rechtsanwalts-GmbH ("MAINLY", "we" or "us"). With this privacy notice, we would like to inform you comprehensively as a data subject ("you", "client" or "user") about how we handle your personal data.
Definitions
"Personal data" means all information by which a natural person can be identified directly or indirectly or which is suitable for making a person identifiable. By way of example, a person can be identified by reference to an identifier such as a name, an identification number, location data, or by reference to individual physical, physiological, economic or cultural identity characteristics. For a personal reference, it is sufficient that individualization by means of "sorting out" is possible. It may therefore be that we process personal data without knowing your identity (e.g., when we process purely technical data such as your IP address).
"Processing" of personal data means any operation or set of operations performed on personal data or groups of personal data. It does not matter whether the data processing is automated or not. Processing can therefore be, for example, the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure and destruction of personal data.
II. Scope
This privacy notice applies to the processing of your personal data if
you visit our website https://www.mainly-law.com or our social media presences,
you contact us by mail, email, Threema or telephone,
we process your personal data in connection with handling a matter (e.g., as a party to proceedings or other person) without you being a client (in this case you will receive a separate privacy notice at the start of the matter),
we advertise to you (e.g., online, mail or telephone advertising), or
we process your personal data in the course of ordinary business.
B. General information
Controller
We are in control of the processing of personal data described in this privacy notice. This means that MAINLY as controller determines the purposes and means of processing your personal data.
For privacy inquiries, you can contact us as follows:
Mainly Rechtsanwalts-GmbH
Heilbronner Str. 150
70191 Stuttgart
Germany
Phone:
+ 49 711 252 485 90
E-Mail:
compliance@mainly-law.com
II. Purposes and legal bases of processing
The purposes and legal bases for the processing of your personal data may vary on a case-by-case basis. Often the purposes are connected to the legal bases under the General Data Protection Regulation ("GDPR") and the Federal Data Protection Act ("BDSG"), which we briefly explain here:
Performance of a contract or in preparation of a contract
We process your personal data to fulfill contractual or contract-like obligations towards you, or to provide you with information upon your request in preparation for a possible contract conclusion, e.g., to advise you regarding our services or to answer inquiries. The legal basis for processing is Art. 6 (1) lit. b GDPR.
Fulfillment of a legal obligation
We are subject to some legal obligations for the fulfillment of which the processing of your personal data is necessary. For example, there are professional, commercial and tax law obligations to store certain personal data for specified periods. The legal basis for processing is Art. 6 (1) lit. c GDPR.
Legitimate interests
We also process your personal data when we pursue legitimate interests. These can be our own interests or those of third parties (such as our clients). Legitimate interests can be of different natures (such as legal or economic interests). Legitimate interests can legitimize processing if they outweigh your opposing interests or fundamental rights and freedoms that require the protection of your personal data. The legal basis for processing is Art. 6 (1) lit. f GDPR.
Consent
In some cases, we process your personal data on the basis of your consent. If we require your consent, we will inform you in advance which personal data we want to use and how we will use it. If you have given us your consent to the collection, use or disclosure of your personal data in a specific way, you have the right to withdraw your consent at any time with effect for the future. You are not obliged to give us your consent. Please note that without your consent, we may not be able to provide certain services for which data processing is necessary. The legal basis for your consent is Art. 6 (1) lit. a GDPR.
If we process special categories of personal data based on your consent, the legal basis is Art. 9 (2) lit. a GDPR.
Detailed information on the respective purposes for processing can be found in the individual processing activities under Section C.
III. Retention duration
We process your personal data only for as long as necessary to fulfill the purposes for which it was collected. This also includes the fulfillment of our legitimate interests or statutory retention and documentation obligations that we must observe. When determining the retention period required in individual cases, we consider the scope, nature and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process your personal data, and the applicable legal provisions.
The statutory retention and documentation obligations are generally between two and ten years and result, for example, from § 147 of the German Tax Code, § 50 of the Federal Lawyers' Act, or § 257 of the German Commercial Code.
We will carry out the deletion ourselves within a certain cycle, unless there is a special interest in continued storage in individual cases, e.g., in the event of cyberattacks.
Insofar as statutory retention and documentation obligations or the protection of our legitimate interests require longer retention, for example in the case of legal disputes, your personal data will also be stored and processed for a longer period.
IV. Disclosure to third parties
As is customary in the course of business, we also disclose your personal data to third parties depending on the processing:
Service providers
We share your personal data with contractors and service providers who need your personal data to provide their services. These service providers act on our behalf and follow our instructions regarding your personal data. We conclude appropriate confidentiality and non-disclosure agreements with service providers. Service providers include, for example, web hosting and maintenance providers, software and technology support providers, email communication providers, analytics providers, data storage providers, shipping service providers, and developers.
Consultants
In some cases, we also use the services of providers who perform their services independently and are not strictly bound by our instructions. This is the case, for example, with regard to tax advisors, attorneys, banks and payment service providers and similar entities. They process your personal data themselves as controllers.
Business partners
In some cases, we share your personal data with our business partners who also use it for their own purposes. This is the case, for example, with regard to our partners for online advertising, such as LinkedIn and Google. Although these business partners are also active on our behalf, they pursue additional interests with the data beyond this. They are also independent controllers.
Public authorities
We disclose your personal data occasionally to courts, enforcement authorities, law enforcement agencies as well as other authorities and government agencies and other public authorities. This occurs either when legally required or when we may reasonably assume that such a measure is necessary to
comply with applicable laws and respond to requests from enforcement authorities,
detect or respond to possible civil or criminal violations, such as breaches of agreements or laws, or
otherwise protect the rights, property or personal safety of us, our team members or other persons.
With your consent
We may disclose or publish your personal data to third parties if you give your consent. For example, with your consent, we may reproduce your testimonial on our website or in service-related publications.
Detailed information about the service providers we commission can be found in the Appendix.
V. Origin of personal data
In most cases, we collect personal data directly from you, e.g., when you visit our website, use our services or contact us by email. As with most digital platforms, we and our third-party providers collect your personal data automatically when you use our services.
We may receive personal data from our business partners, such as clients or service providers, to whom you have given permission to share personal data with us, or who have a legitimate interest in sharing data with us.
In some cases, we collect your personal data from third parties, for example when your employer provides us with your contact details as a contact person.
VI. Third country transfers
In principle, we ensure that your personal data is kept as local as possible. However, in order to offer you and our clients the best possible service, we also use service providers and business partners who process data in so-called third countries or access it from such a country (for example, to perform maintenance work). Third countries are countries outside the European Economic Area.
For some of these third countries, an adequacy decision from the European Commission exists. This can be either for the entire country (e.g., the United Kingdom) or for the respective company (e.g., companies certified under the EU-US Data Privacy Framework). With such a decision, the European Commission determines that a data protection level essentially equivalent to that in the EU can be expected.
You can find an overview of the adequacy decisions here.
Where no such adequacy decision exists, we ensure that your personal data is nevertheless subject to an appropriate level of protection by applying one or more of the following safeguards:
We conclude the Standard Contractual Clauses issued by the European Commission; where appropriate in conjunction with suitable additional measures.
The transfer takes place within the framework of appropriate safeguards, such as binding corporate rules.
VII. Obligation to provide your personal data
There is neither a contractual nor legal obligation to provide us with your personal data. However, insofar as you wish to contact us or use our services or avail yourself of services, certain information may be required for us to process your request.
VIII. Automated decision-making and profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, if
the decision is not necessary for the conclusion or performance of a contract,
is not prescribed by mandatory legal provisions, or
is not based on your explicit consent.
MAINLY does not use automated decision-making procedures including profiling, unless we have explicitly informed you about such procedures.
C. Information on specific processing activities
We collect and process various personal data from you depending on the specific processing situations.
Website (log data)
When you visit our website or receive, open or otherwise use emails from us, we collect log data.
Categories of personal data
Internet protocol address (IP),
Technical information, such as operating system, browser details such as type, ID and configuration, individual identifiers, device type and version (e.g., manufacturer, device, screen size, resolution, operating system, browser and its version), your internet speed or the referring URL)
Date and time of your visit, the time you spent using our services
Errors that may occur during your visit to our services
Processing purposes
To ensure smooth functionality of our website
To analyze errors
To ensure that users can use the website comfortably, including improvement of the website (including content)
For analysis and better understanding of user behavior regarding the website
Ensuring the security and stability of our website
For further administrative purposes
Legal base(s)
Our legitimate interest in the above-mentioned purposes.
Retention period (storage period)
The log data is anonymized after 24 hours.
II. Communication
If you contact us – by any means of communication – or if you request a quote, we process your personal data as follows:
Categories of personal data
Always
Information you have provided to us to contact us (such as the content of your message)
Name and salutation
Date and time of communication
Information about the company
Additionally, depending on the mode of communication
Via E-Mail
E-mail-address
Log data (as described above)
Via phone
Phone number
Via postal mail
Sender address
Threema
Threema-ID
if applicable, profile picture, status and further information shared in the profile
Social Media
Profile information (see below)
Note: We generally advise against sending confidential information, such as matter-related information, via social media.
Processing purposes
Processing your inquiry
Conducting communication
Analysis of errors and optimization of our products
Prevention of spam
Legal base(s)
Depending on the reasons for which you contact us:
The processing is necessary for the performance of a contract or in preparation of a contract at your request,
or
our legitimate interests, namely processing your inquiry and conducting communication
Retention period (storage period)
Up to three years after your inquiry has been answered.
If the inquiry is part of a matter, until the end of the sixth year after the end of the engagement.
If the inquiry has tax or commercial law relevance, up to 10 years.
III. Web analysis
We use technical means on our website to measure the number of visitors as well as the movements of our visitors on our website. We are not concerned with the individual person, but with a general understanding of how our website is used. This works as follows: The system takes two identifiers of a visitor on the server side – the IP address and the user agent (browser identifier) – and combines these with a daily changing "salt" (cryptographic additional value). This combination is then converted into a unique "fingerprint" by a hash function. However, this value is highly pseudonymized and no directly identifying data is stored. The salt is a secret value that is automatically regenerated every day. The old salt is completely deleted in the process. This means that the same visitor generates different hash values on different days, even if the IP address and user agent remain identical. At the end of each day, the respective data is thus completely anonymized.
Categories of personal data
IP-address
User agent
Processing purposes
Understanding of our website, visitor numbers and the effectiveness of any advertising campaigns taking place
Improvement of the content of our website through better understanding of interests
Anonymization of data at the end of the day
Legal base(s)
Our legitimate interest in the above-mentioned purposes.
Retention period (storage period)
Until the end of the respective day.
IV. Social Media
To present ourselves and our brand in a contemporary way, we use social media. In doing so, we also process personal data from you.
As operators of these pages, we are joint controllers with the respective operators of the social media networks with regard to the analysis of your use of our pages. There is separate responsibility for the content (us) and the subsequent use, including for personalized advertising (network operators).
LinkedIn: LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Irland, in the following: "LinkedIn",
Instagram: Meta Platforms Ireland Limited, Serpentine Avenue, Block J, Dublin 4 Irland, in the following: "Instagram" or "Meta"
We have concluded an agreement with the network operators that regulates, among other things, the conditions for the use of pages and similar presences. You can find the respective regulations here:
LinkedIn:
Data processing agreement (DPA) of LinkedIn,
supplemented by the Page Insights Joint Controller Addendum.
The Terms of Use apply.
Instagram:
The Terms of Use of Instagram,
Facebook's Terms of Use (Instagram like Facebook, is an offering from Meta, so these Terms of Use also apply), and the
For the purposes of joint controllership, the operators of the social media networks also use tracking technologies. A general description of tracking technologies can be found below in Section E. The specific technologies used are provided by the respective operators of the social media networks.
According to the agreements mentioned, the respective operators of the social media networks are your contact persons for data subject rights. However, for the activities that fall under joint controllership, you can also exercise your rights towards us. We will then forward your request accordingly.
Categories of personal data
Your name (according to profile)
Profile information such as profile picture, information in your profile that is visible to other users
Your posts
Your interaction with our content, such as visits to our page, reactions (such as "likes"), comments, sharing, etc.
Demographic and geographic information
Log data and unique identifiers
Processing purposes
For us
Presentation of our law firm
Interaction with other users of the respective social media networks
Advertising
Analytics to measure reach and effectiveness
For the respective social media operators
Improvement of the effectiveness of placed advertising (e.g., through personalization)
Better understanding of your behavior
Legal base(s)
Our legitimate interest in the above-mentioned purposes.
Retention period (storage period)
The respective personal data is not stored by us, but by the respective social networks. Please inform yourself with the respective social network regarding the retention period.
V. Involvement in proceedings of one of our clients
It is possible that we process your personal data because you are involved in proceedings or otherwise in an activity of one of our clients that we support
Categories of personal data
The specific personal data that we process from you depends on the matter and may vary. Frequently, the following personal data is involved:
Name, first name
Address data including email, telephone numbers
Online identifiers
Your relationship to our client
Your behavior towards our client
Processing purposes
Provision of our services to our client
Fulfillment of our legal obligations, e.g., with regard to conflict checks
Legal base(s)
Where a legal obligation exists, the fulfillment of legal obligations,
or
our legitimate interests, namely the provision of our services to our clients.
Retention period (storage period)
We store your personal data for as long as necessary to process the matter. As a rule, we are subject to a legal retention period of six years after the end of the respective matter.
Note: Due to attorney-client privilege, your data protection rights, particularly rights of access, may be limited.
VI. Ordinary course of business
If you work with us in the ordinary course of business, e.g., because you or your employer provide services to us or we are subject to reporting obligations, we process your personal data.
Categories of personal data
Name
Address, including email and telephone numbers
Employer and position
Communication
Type of collaboration
Information related to the collaboration
If applicable, further relevant data
Processing purposes
Initiation and performance of contracts, including receipt of services and payment
Legal base(s)
If statutory retention obligations exist:
Fulfillment of a legal obligation
If the personal data is processed for the performance of a contract with you or in preparation at your request:
Contract
In all other cases:
Our legitimate interest in fulfilling the stated purpose.
Retention period (storage period)
If statutory retention periods exist, until the expiration of these periods. Otherwise: Until the end of the year in which the contract ends, plus three years. |
VII. Advertising
To promote ourselves, our brand and our services, we place advertising through various channels. This can be online advertising, mail advertising or telephone inquiries.
In the area of online advertising, we work with partners who process your personal data as independent controllers. We only provide rough target criteria (e.g., demographic information or search terms). Our partners include, among others:
LinkedIn: LinkedIn Ireland Unlimited, Company Wilton Place, Dublin 2, Ireland
Google: Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland
Meta (e.g., Instagram): Meta Platforms Ireland Ltd., Merrion Road, Dublin 4, Ireland
Categories of personal data
Name
Address, including email and telephone numbers
Employer and position
Communication
For online advertising additionally
Log data
Online identifiers
Processing purposes
Promotion of our services and our company
Invitation to events
Legal base(s)
If you have consented to advertising:
Your consent
Otherwise:
Our legitimate interest in fulfilling the stated purposes.
Retention period (storage period)
For the duration of the existing business relationship plus four years.
If no business relationship exists, for a period of four years after the last contact.
Opt-out lists are stored permanently, unless you wish to receive advertising from us after all.
We assess on a case-by-case basis whether you might have a business interest in the services we advertise based on the information available to us (presumed consent).
If we have contacted you and you no longer wish to receive advertising directly from us in the future, please inform us briefly and informally at the following email address: compliance@mainly-law.com. We will then take your wishes into account for future advertising campaigns.
VIII. Legal enforcement
If it should be necessary, we use the personal data processed by us to enforce our rights or the rights of third parties.
Categories of personal data
Potentially all personal data mentioned above.
Processing purposes
Assertion, defense or enforcement of claims by us, our employees and third parties.
Legal base(s)
Our legitimate interest in fulfilling the stated purpose. |
Retention period (storage period)
Until the legally binding conclusion of the proceedings (including any enforcement), plus three years.
D. Your data subject rights
Below you will find a list of your rights regarding the processing of your personal data.
Please note that personal data that we process on the basis of a matter may be subject to restrictions. For example, attorney-client privilege may affect the extent to which we can provide information or delete data.
Right of access
According to Art. 15 GDPR, you have the right to request from us confirmation as to whether personal data concerning you is being processed by us. If this is the case, you have the right to access this personal data, in particular
information on the categories of personal data, the purposes of processing and information on how we determine retention and storage periods,
information on the recipients or categories of recipients to whom we disclose your personal data, especially recipients in third countries, and
under certain circumstances, to obtain a copy of the personal data that is the subject of processing.
II. Right to rectification
According to Art. 16 GDPR, you have the right to request from us the immediate rectification of inaccurate personal data concerning you.
III. Right to erasure
According to Art. 17 GDPR, you have the right to request from us the immediate erasure of your personal data if
the personal data is no longer necessary for the purposes for which it was collected or otherwise processed,
your personal data is processed on the basis of your consent, and you withdraw it,
you have objected to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you have objected to the processing pursuant to Art. 21(2) GDPR,
your personal data is processed unlawfully, or
the erasure of your personal data is required to fulfill a legal obligation to which we are subject.
IV. Right to restriction of processing
According to Art. 18 GDPR, you have the right to request restriction of processing. This means that you can request from us the limitation of the purposes of processing. A right to restriction exists if
you have contested the accuracy of the personal data,
the processing is unlawful and you refuse the deletion of your personal data, but demand the restriction of processing instead,
the personal data is no longer needed by us for the purposes of processing, but we need the personal data, e.g., for the assertion, exercise or defense of legal claims, or
if you have objected to the processing pursuant to Art. 21 (1) GDPR, as long as it is not yet established whether our legitimate grounds override yours.
V. Right to lodge a complaint
You have the right to lodge a complaint with the competent supervisory authority against the processing of your personal data or any other decision by MAINLY.
The supervisory authority responsible for us is the
Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Postfach 10 29 32
70025 Stuttgart
Phone:
0711 615541-0
VI. Contact
To exercise your data subject rights, you can contact us informally by mail or email using the contact details provided in Section 2.
Right to object pursuant to Art. 21 GDPR
Objection for reasons relating to your particular situation
According to Art. 21(1) GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data if this processing is carried out for the purpose of our legitimate interests, including profiling based thereon (e.g., for creditworthiness assessment). Your personal data will then no longer be processed, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the assertion, exercise or defense of legal claims.
You also have the right to object at any time to processing for direct marketing purposes.
Contact
You can declare your objection informally by mail or email, addressed to:
Mainly Rechtsanwalts-GmbH
Heilbronner Str. 150
70191 Stuttgart
Germany
Phone:
+ 49 711 252 485 90
E-Mail:
compliance@mainly-law.com
E. Tracking & Cookies
In our online offering, we use so-called tracking technologies.
General description
There are a variety of different technologies that allow website operators or software providers to individualize an end user and track their online behavior. The best known of these technologies are so-called "cookies". Below you will find some explanations that exemplify some of these technologies for you
Cookies
Definition and functionality of cookies
Cookies are small text files that are automatically stored on your device (computer, laptop, tablet or smartphone) when you visit a website. Your internet browser downloads these files and stores them locally on your device.
If a cookie is not automatically deleted (for example, directly after leaving the website), the stored information is transmitted back to the website when you visit the same website again with the same device or browser. This allows the website to identify you as a returning visitor.
Distinction by origin
First-party cookies are created directly by the website you visit. Third-party cookies, on the other hand, come from external providers or partner services that work with the visited website.
Purpose and use of cookies
Through the use of cookies, websites can provide various functions. They enable your preferences to be stored, your usage behavior to be analyzed and the displayed content to be adjusted accordingly. In this way, an individualized and more user-friendly website experience is made possible, but advertising can also be personalized to you.
Categorization by purpose of use
Functional cookies
Functional cookies are necessary for the proper provision of basic website functions. These cookies are used to:
Ensure the basic functions of the website
Store your cookie settings temporarily
Ensure the technical functionality of the website
Without the use of functional cookies, the website would not be usable or would only be usable with significant functional limitations.
Non-functional cookies
Non-functional cookies are not required for the basic operation of the website, but can offer additional functions and improvements. This category includes:
Analytics cookies: For evaluating user behavior and optimizing website performance
Convenience cookies: For improving the user experience, for example by integrating external video content
Marketing cookies: For providing targeted advertising content based on your interests
These cookies are optional and serve to optimize your website experience, but are not necessary for the basic functionality of the website.
Tracking pixel
Tracking pixels (also called web beacons, counting pixels or clear GIFs) are tiny, usually transparent graphic files with a size of only 1x1 pixel that are embedded in websites or emails. These invisible image elements are automatically loaded by your browser when you visit a website or open an email containing such a pixel.
When loading the tracking pixel, a request is automatically sent to the provider's server, whereby various information about your visit or interaction can be transmitted. Since the pixel is virtually invisible to the human eye, users usually do not notice its presence.
Fingerprinting
Fingerprinting (also called browser fingerprinting or device fingerprinting) is a tracking method in which various technical properties and configurations of your device and browser are collected and combined into a unique digital "fingerprint". Unlike cookies, no files are stored on your device.
This technique exploits the fact that the combination of hardware properties, software configuration, installed components and browser settings is slightly different for each user. By capturing and analyzing these characteristics, an almost unique profile can be created that is used for recognition on future visits.
II. Cookies on our website
We currently do not use cookies on our website.
Note: The two headings "https://framer.com" and "https://mainly-law.com" in the Cookies section are merely containers. These relate to website infrastructure from our service provider Framer, but not to cookies.
We update this privacy notice from time to time. For material changes, we update the date at the beginning of this notice. Changes to this privacy notice take effect when they are published on the website.
G. How to contact us
Please contact us at compliance@mainly-law.com if you have any questions, comments or other concerns regarding this privacy notice.