Privacy Policy

Nulegal GmbH · Version 1.0 · Effective 28 May 2026

This English version is a courtesy translation. In case of any inconsistency with the German original, the German version prevails.

1. Introduction and Scope

The protection of your personal data is important to us. With this privacy policy, we inform you how we process your personal data when you use our website at nulegal.eu (hereinafter “Website”).

Personal data is any information relating to an identified or identifiable natural person.

This privacy policy applies exclusively to the use of our website. A separate privacy policy applies to our web application; you can find it at app.nulegal.de/datenschutz.

2. Controller and Contact Details

Controller within the meaning of the General Data Protection Regulation (GDPR) is:

Nulegal GmbH
Represented by Managing Director Bork Morfaw
Babelsberger Str. 16
14473 Potsdam
Germany

Commercial register: Amtsgericht Potsdam, HRB 42127 P

For questions regarding data protection, you may contact us at [email protected].

3. General Information on Data Processing and Legal Bases

We process your personal data only insofar as this is necessary for the provision of our website, the performance of a contract with you, compliance with legal obligations or the protection of our legitimate interests, or if you have consented to the processing.

Where we obtain your consent for specific processing operations, this is generally done through an explicit consent request on the website (for example, via a cookie/consent banner or a consent statement when signing up to one of our lists). You may withdraw a granted consent at any time with effect for the future. Further information can be found in the section “Your Rights as a Data Subject”.

Where we process data to protect legitimate interests pursuant to Art. 6(1)(f) GDPR, we do so only where our interests are not overridden by yours. Examples of such legitimate interests include in particular:

  • ensuring the security and stability of our website and IT systems,
  • preventing misuse or fraud,
  • efficient handling and documentation of enquiries that reach us by electronic means.

4. Your Rights as a Data Subject

As a data subject, you have the following rights under the GDPR:

  • Right of access (Art. 15 GDPR): You have the right to obtain information on the personal data we process about you and to receive additional information about the processing.
  • Right to rectification (Art. 16 GDPR): You may request the rectification of inaccurate personal data or the completion of incomplete personal data.
  • Right to erasure (Art. 17 GDPR): You may request the erasure of your personal data, provided no retention obligations or other legal grounds prevent this.
  • Right to restriction of processing (Art. 18 GDPR): In certain cases, you may request that the processing of your data be restricted.
  • Right to data portability (Art. 20 GDPR): In certain cases, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format and to transmit such data to another controller.
  • Right to withdraw consent (Art. 7(3) GDPR): You may withdraw a consent given by you at any time with effect for the future, without affecting the lawfulness of processing carried out before withdrawal.

Right to object (Art. 21 GDPR)

You have the right, on grounds relating to your particular situation, to object at any time to the processing of your personal data carried out on the basis of Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions.

If we process your personal data for direct marketing purposes, you also have the right to object at any time and without stating reasons to the processing for this purpose, including profiling related to direct marketing.

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.

Our competent supervisory authority is:

Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg
Stahnsdorfer Damm 77
14532 Kleinmachnow

To exercise your rights, you may contact us at any time using the contact details provided in section 2.

5. Recipients of Data / Processors / Transfers to Third Countries

5.1 Recipients of Data

We disclose your personal data to third parties only where this is necessary for the provision of our website, the performance of a contract with you, compliance with legal obligations or the protection of our legitimate interests, or if you have consented.

Some service providers are contractually bound by our instructions and process personal data exclusively for the agreed purposes on our behalf.

In certain cases, we may also be a joint controller within the meaning of Art. 26 GDPR with other companies. We may further cooperate with companies that process personal data under their own data protection responsibility. These recipients are also subject to the requirements of the GDPR and other applicable data protection rules.

Potential recipients of your data include in particular:

  • IT service providers we use for the operation, maintenance and support of our website and IT systems (e.g. hosting providers, cloud service providers);
  • providers of communication services (e.g. e-mail delivery);
  • other service providers we engage as processors within the meaning of Art. 28 GDPR.

5.2 Processors

Where we engage service providers as processors, they process data on the basis of a data processing agreement pursuant to Art. 28 GDPR. These service providers are contractually obliged to take appropriate technical and organisational measures to protect your personal data.

5.3 Transfers to Third Countries

A transfer of personal data to recipients in countries outside the European Union (EU) or the European Economic Area (EEA) (“third countries”) takes place only if (i) there is an adequacy decision of the European Commission within the meaning of Art. 45 GDPR for the relevant third country, (ii) appropriate safeguards under Art. 46 GDPR are in place, in particular the Standard Contractual Clauses adopted by the European Commission, or (iii) one of the exceptions provided for in Art. 49 GDPR applies.

6. Storage Period and Erasure

Personal data is processed and stored only for as long as is necessary for the purposes for which it was collected or as required by statutory retention obligations.

Once the relevant processing purpose ceases or statutory retention periods expire, the personal data is erased or its processing is restricted in accordance with statutory requirements.

Where statutory retention obligations apply, storage periods may, in particular, be up to ten years (for example, under commercial and tax law).

In individual cases, storage beyond these periods may be necessary for the establishment, exercise or defence of legal claims.

7. Obligation to Provide Personal Data

When using our website, you are generally not obliged to provide personal data. However, certain functions require the processing of certain personal data. It is, for example, not possible to use a contact form, to sign up to our waitlist or to request product access without processing the mandatory information requested for that purpose.

If you do not provide the data marked as required for the respective purpose, you may be unable to use the corresponding function of the website, or we may be unable to enter into or perform a contract with you.

Where we are legally required to process personal data (for example, on the basis of commercial or tax law), the provision of the necessary data is likewise required. In such cases, failure to provide the data may mean that a business relationship cannot be entered into or continued.

8. Data Security

We take appropriate technical and organisational measures to protect your personal data against loss, destruction, unauthorised access, unauthorised alteration or unauthorised disclosure. These include in particular measures to secure our IT systems and to restrict access to personal data to authorised persons.

When transmitting data via our website, we use transport encryption (TLS/SSL) to protect your data during transmission between your device and our servers.

Our security measures are regularly reviewed and adapted as needed, in line with technological developments, the relevant risks and statutory requirements.

9. Minors

Our website is directed at adults and not specifically targeted at children or adolescents under 16 years of age. We do not knowingly process personal data of persons below this age. Should we become aware that a minor has provided us with personal data, we will erase that data without undue delay, unless statutory retention obligations prevent us from doing so.

10. Automated Decision-Making, including Profiling

We do not use decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you (automated decision-making within the meaning of Art. 22 GDPR).

Profiling within the meaning of the GDPR does not take place.

11. Processing Activities in Detail

The following sections describe the typical situations in which we process personal data when you use our website. For each processing activity, we explain the categories of data concerned, the purposes for which the data is used, the legal basis for the processing, the recipients to whom the data may be disclosed and the period for which the data is stored.

Where we use artificial intelligence systems in connection with a processing activity, we specifically point this out in the description of the respective processing.

11.1 Provision of the Website and Server Log Files

Each time our website is accessed, the browser on your device automatically transmits information to the server hosting our website. This information is temporarily stored in what are known as server log files. The processing of this data is technically necessary to display the website to you and to ensure the stability and security of our systems.

Categories of personal data: IP address of the requesting device, date and time of access, sub-pages accessed, browser type and version, operating system used, referrer URL.

Purposes of processing: ensuring a smooth connection and convenient use of the website, safeguarding system security and stability, and defending against attacks.

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in the technically error-free provision of the website and in the security of our IT systems.

Recipients of data: In connection with this processing, we use a cloud hosting provider that delivers the website via a global edge network. The provider acts as a processor within the meaning of Art. 28 GDPR. The website is delivered via the provider’s global edge network. In the course of this, personal data may be transferred to edge locations outside the European Union, in particular in the United States. Appropriate safeguards under Art. 46 GDPR are in place in the form of EU Standard Contractual Clauses.

Storage period: Server log files are stored for 30 days. Where longer storage is necessary to investigate security-relevant events or for the establishment, exercise or defence of legal claims, the data is retained for that purpose and period only. In such cases, the data is blocked for any other purpose.

11.2 Cookies and Comparable Technologies

We use cookies and comparable technologies on our website that store information on, or read information from, your end device (e.g. computer, smartphone, tablet).

Comparable technologies include cookies, Local Storage, Session Storage, pixel technologies and similar browser-based methods. We refer to these collectively as “cookies and comparable technologies”.

Legal bases for access to your end device

Where we access information stored on your end device or store information there, we rely on § 25 of the German TDDDG (Telecommunications-Telemedia Data Protection Act):

  • § 25(2)(2) TDDDG: where the access or storage is strictly necessary to provide a service expressly requested by you, this is carried out without consent.
  • § 25(1) TDDDG: in all other cases, we obtain your consent through our consent management tool (cookie banner) before access or storage. You may withdraw this consent at any time with effect for the future.

The subsequent processing of personal data collected by these means is governed by the GDPR and the respective legal bases described in the following sections.

Categories of cookies and comparable technologies used

(1) Strictly necessary cookies and comparable technologies — required for the operation of the website, for example to ensure core functions, authentication or the storage of security-relevant settings. Set without consent (§ 25(2)(2) TDDDG): cookie storing your language selection (where you actively choose a language), cookie storing your cookie consent.

(2) Functional cookies and comparable technologies — enable convenience-related functions but are not strictly necessary. Used on the basis of your consent pursuant to § 25(1) TDDDG and Art. 6(1)(a) GDPR. (Currently not in use.)

(3) Analytics cookies and comparable technologies — used to analyse the use of our website and improve our services. Used on the basis of your consent pursuant to § 25(1) TDDDG and Art. 6(1)(a) GDPR. Further details can be found in the “Web analytics” section: Google Analytics 4 (provider: Google Ireland Limited) and a product-analytics service with servers in the European Union.

(4) Marketing and advertising cookies and comparable technologies — used to deliver and evaluate advertising, including across services. Used on the basis of your consent pursuant to § 25(1) TDDDG and Art. 6(1)(a) GDPR. In use: Google Ads (conversion tracking and remarketing); see the section 'Google Ads and Google Tag Manager' for details.

Withdrawal of consent and management of your choices

You may withdraw a granted consent at any time with effect for the future or change your selection by re-opening our consent management tool (cookie banner). You can access it at any time via the .

Alternatively, you may block the setting of cookies in your browser settings or delete cookies already set. This may result in certain functions of the website being unavailable or only partially available.

Detailed information on the cookies used

The specific names, providers, purposes and storage periods of the cookies and comparable technologies we use can be found in our consent management tool (cookie banner), which you can access at any time via the .

Storage period

Cookies and comparable technologies are stored for different periods: session cookies are deleted as soon as you close your browser; permanent cookies are stored on your end device for a defined period. The specific storage period of the cookies and comparable technologies we use can be found in our consent management tool (cookie banner).

11.3 Contact Form

You may contact us in various ways, in particular via a contact form on our website, by e-mail or by telephone. We process the data submitted in this context solely to handle your enquiry.

Categories of personal data: the data requested in the contact form, in particular name and e-mail address, and the content of your message.

Purposes of processing: handling and responding to your enquiry and communicating with you in connection with your enquiry.

Legal bases:

  • Art. 6(1)(b) GDPR, where your enquiry concerns the conclusion or performance of a contract;
  • Art. 6(1)(f) GDPR for the protection of legitimate interests, in particular efficient handling of enquiries and appropriate documentation of the communication, in all other cases.

Recipients of data: In connection with this processing, we transmit the data to our backend server, operated with a cloud provider whose servers are located in the European Union. The provider acts as a processor within the meaning of Art. 28 GDPR. The contact form is delivered via the global edge network of our hosting provider. In the course of this, personal data may be transferred to edge locations outside the European Union, in particular in the United States. Appropriate safeguards under Art. 46 GDPR are in place in the form of EU Standard Contractual Clauses. The subsequent storage of your input takes place on our backend servers in the European Union.

Storage period: stored until your enquiry has been fully handled. Where longer storage is necessary to fulfil statutory obligations or for the establishment, exercise or defence of legal claims, retention may be longer in individual cases.

11.4 Waitlist

You can sign up to a waitlist on our website to be notified about the availability of our web application and, subject to availability, to be granted access.

Categories of personal data: when you sign up to the waitlist, we process your e-mail address and, where you provide them, your role, your interest and the source via which you became aware of us.

Purposes of processing: to inform you about the availability of our web application, to send you updates on the product launch, and to offer you access to the web application once it becomes available.

Legal basis: Art. 6(1)(b) GDPR for the implementation of pre-contractual measures taken at your request. You may have your waitlist entry deleted at any time by contacting us using the contact details in section 2.

Recipients of data: In connection with this processing, we transmit the data to our backend server, operated with a cloud provider whose servers are located in the European Union. The provider acts as a processor within the meaning of Art. 28 GDPR. The sign-up form is delivered via the global edge network of our hosting provider. In the course of this, personal data may be transferred to edge locations outside the European Union, in particular in the United States. Appropriate safeguards under Art. 46 GDPR are in place in the form of EU Standard Contractual Clauses. The subsequent storage of your input takes place on our backend servers in the European Union.

Storage period: data processed in connection with your waitlist entry is stored until you withdraw your entry or until you are admitted to the web application.

11.5 Request Access

You can request access to our web application on our website. We use your request to provide you with access and to coordinate the steps required for this with you.

Categories of personal data: the data requested in the access-request form, in particular name, e-mail address and information about your company and your interest in our web application.

Purposes of processing: to assess your request, to grant you access to our web application and to contact you regarding the steps required for this.

Legal basis: Art. 6(1)(b) GDPR for the implementation of pre-contractual measures taken at your request.

Recipients of data: In connection with this processing, we transmit the data to our backend server, operated with a cloud provider whose servers are located in the European Union. The provider acts as a processor within the meaning of Art. 28 GDPR. The request form is delivered via the global edge network of our hosting provider. In the course of this, personal data may be transferred to edge locations outside the European Union, in particular in the United States. Appropriate safeguards under Art. 46 GDPR are in place in the form of EU Standard Contractual Clauses. The subsequent storage of your input takes place on our backend servers in the European Union.

Storage period: data processed in connection with your access request is stored until access has been provided or until your request has been rejected. Where a contractual relationship arises from the request, the retention obligations and storage rules of our web application’s privacy policy apply in addition.

11.6 Web Analytics (Google Analytics 4)

We use web analytics services on our website to evaluate the use of our website and continuously improve our offering.

Where, for the purposes described below, we access information stored on your end device or store information there (e.g. cookies, Local Storage), we obtain your prior consent pursuant to § 25(1) TDDDG. The subsequent processing of personal data collected in this way is assessed in accordance with the following rules.

Categories of personal data: IP address (truncated through IP anonymisation), date and time of access, sub-pages accessed, click behaviour, device and browser information, pseudonymous usage identifiers.

Purposes of processing: evaluation of the use of our website, statistical analysis of the reach and performance of our content and continuous improvement of our offering.

Legal basis: Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time with effect for the future by re-opening our consent management tool (cookie banner). Where access to information stored on your end device or its storage requires consent, that access is based on § 25(1) TDDDG.

Services used: Google Analytics 4 (provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). Further information on the data processing by the respective provider can be found in its privacy notices at policies.google.com/privacy.

Recipients of data: the provider of the service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, as our processor under Art. 28 GDPR. The processing involves a transfer to the United States to Google LLC. This transfer is safeguarded by EU Standard Contractual Clauses pursuant to Art. 46 GDPR and by Google LLC’s certification under the EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023).

Storage period: pseudonymous usage data is stored for 14 months and is then automatically deleted; analysis results are kept exclusively in aggregated form without any personal reference.

11.7 Product Analytics

We use a product-analytics tool on our website to better understand the use of our features and continuously improve our offering.

Categories of personal data: pseudonymous usage identifier, features used, click events, timestamps, browser and device information, anonymised error information.

Purposes of processing: analysis of the use of our features, statistical evaluation of performance and continuous improvement of our offering.

Legal basis: Art. 6(1)(a) GDPR, exclusively on the basis of the consent you have given via the consent banner. You may withdraw a granted consent at any time with effect for the future.

Recipients of data: categories of recipients: providers of product-analytics services with servers in the European Union. The provider used is engaged as a processor on the basis of a contract pursuant to Art. 28 GDPR. Processing takes place on an EU instance of the provider. As a rule, no transfer of personal data to countries outside the European Union takes place; access from third countries in the context of the provider’s support cannot be ruled out and is safeguarded by EU Standard Contractual Clauses pursuant to Art. 46 GDPR.

Storage period: pseudonymous usage data is stored for 12 months; analysis results are kept exclusively in aggregated form without any personal reference.

11.8 Job Applications

If you apply to us through the application form on our careers page (nulegal.eu/careers) or by e-mail, we process the data you submit in order to carry out the application process.

Categories of personal data: first and last name, e-mail address and your availability; where you provide them, also your LinkedIn profile, field of study, planned weekly hours and an optional message; your application documents, in particular your CV and any optionally uploaded academic records (e.g. school leaving or Bachelor's certificate, transcript of records). In addition, we process technical data of the submission (IP address, browser and device information, time of submission).

Purposes of processing: carrying out the application process, assessing your suitability, communicating with you, and preparing and deciding on entering into an employment relationship. Where you separately consent to this, we also process your data for inclusion in a talent pool and consideration for suitable future roles. We process submission data to prevent spam and abuse.

Legal bases: § 26(1) BDSG in conjunction with Art. 88 GDPR and Art. 6(1)(b) GDPR (pre-contractual); additionally Art. 6(1)(a) GDPR insofar as you consent to the longer storage of your application data for the talent pool; Art. 6(1)(f) GDPR for the technical submission data and for a limited further storage after conclusion of the process, insofar as this is necessary for the establishment, exercise or defence of legal claims.

Recipients of data: in connection with this processing we transmit your data to our backend service, operated by a cloud provider with server location in the European Union. The provider acts as a processor within the meaning of Art. 28 GDPR; your application documents (CV, academic records) are also stored there within the European Union. Access to your application data is restricted to authorised members of our team. Where, in an individual case, a transfer to recipients in third countries takes place, appropriate guarantees pursuant to Art. 46 GDPR, in particular EU Standard Contractual Clauses, are in place.

Automated decision-making: no decision based solely on automated processing within the meaning of Art. 22 GDPR takes place.

Storage period: stored for the duration of the process; if no hire results, deletion once the data is no longer required for the process and for any establishment, exercise or defence of legal claims, as a rule within six months of conclusion, unless statutory retention obligations apply or consent to longer storage for the talent pool exists. In the event of a hire, the data is transferred to the personnel file.

11.9 Appointment Booking (Calendly)

We embed an online appointment-booking tool on our website that lets you schedule a call with us directly.

Categories of personal data: the data entered in the booking form (in particular name and email address), the selected appointment, and technical data processed when the embedded tool loads (IP address, device and browser information), and, where applicable, the provider's cookies.

Purposes of processing: scheduling, managing, and conducting appointments with you.

Legal bases: Art. 6(1)(b) GDPR for pre-contractual measures and handling the appointment. Where the embedded tool sets non-essential cookies or stores information on your end device, this is based on your consent pursuant to § 25(1) TDDDG and Art. 6(1)(a) GDPR.

Services used / recipients: Calendly (provider: Calendly LLC, 271 17th Street NW, Atlanta, GA 30363, USA). The processing involves a transfer to the United States, safeguarded by EU Standard Contractual Clauses pursuant to Art. 46 GDPR.

Storage period: appointment data is stored for the duration of handling the appointment and beyond, as long as necessary for communication with you or to comply with legal obligations.

11.10 Google Ads and Google Tag Manager

We use Google Ads, Google's online advertising service, to promote our offerings and measure the success of our advertising campaigns. The tags used for this are embedded and managed via Google Tag Manager.

Categories of personal data: online identifiers and cookie IDs, IP address, information about your interaction with our website and our ads (e.g. clicks, pages visited, conversions), and device and browser information.

Purposes of processing: measuring the effectiveness of our ads (conversion tracking), re-engaging visitors to our website (remarketing), and optimising and delivering our advertising campaigns.

Legal basis: Art. 6(1)(a) GDPR (consent); for accessing or storing information on your end device, § 25(1) TDDDG. The tags are activated only after your consent; without consent, no such cookies are set and no advertising data is transmitted. You may withdraw your consent at any time with effect for the future via the consent management tool (cookie banner).

Services used / recipients: Google Ads and Google Tag Manager (provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). The processing involves a transfer to the United States to Google LLC, safeguarded by EU Standard Contractual Clauses pursuant to Art. 46 GDPR and Google LLC's certification under the EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023). Further information can be found in Google's privacy notices at policies.google.com/privacy.

Storage period: the cookies set by Google Ads have varying lifetimes; conversion and remarketing cookies are generally stored for several months. Once the respective cookie lifetime expires or you withdraw your consent, the data is deleted or processing is stopped.

12. Changes to this Privacy Policy

We adapt this privacy policy if legal requirements or processing operations change. The current version is available on our website at nulegal.eu/en/legal/privacy. We will inform you separately of material changes (e.g. by e-mail or by a notice on the website).