Legal

Privacy Policy

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

Dilara Loistl
Rainackerweg 8
80939 Munich
Email: dilara@moonletmethod.de

2. Collection and Processing of Personal Data

2.1 Contact Form

When you send us a message via the contact form on our website, the data you provide (name, email address, message) is stored and processed to handle your enquiry. The legal basis is Art. 6(1)(b) GDPR (pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in communication). Data is deleted once the enquiry has been fully processed and no statutory retention obligations apply.

2.2 Course Bookings

When booking a course, we collect your name, email address and, optionally, phone number. This data is used exclusively for processing the booking, sending course details and internal administration. The legal basis is Art. 6(1)(b) GDPR. Data is deleted after the statutory retention periods expire (generally 10 years for tax-relevant records).

2.3 Server Log Files

When you visit our website, technical access data (IP address, date and time of access, page visited, browser type) is automatically stored in server log files. This data is not combined with other data sources. The legal basis is Art. 6(1)(f) GDPR. Logs are automatically deleted after a maximum of 7 days.

3. Cookies

This website currently does not use any tracking or analytics cookies. Only technically necessary session cookies are set, which are required for the website to function (e.g. for the admin area). These cookies contain no personal data and are automatically deleted at the end of the browser session. No consent is required for technically necessary cookies pursuant to § 25(2)(2) TTDSG (German Telecommunications Digital Services Act).

4. Email Communication

Emails you send to us are received and processed on our self-operated email server (Mailcow, hosted by Hetzner Online GmbH, Germany). We do not use external email service providers. Your email content is used solely to process your enquiry and is not shared with third parties.

5. AI Chatbot (FAQ Assistant)

Our website offers an AI-powered FAQ assistant. This is based on a language model (Llama 3.1) that runs entirely locally on our own server (Hetzner, Germany). No data is transmitted to external AI providers (such as OpenAI, Google, Anthropic, etc.).

Your questions are not stored in plain text. For security and abuse prevention purposes, only an anonymised hash (SHA-256) of your request is stored together with your IP address for a maximum of 60 minutes. Raw request data is not logged. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in preventing abuse).

6. Payment Processing (Stripe)

We use Stripe for payment processing when booking courses.

  • Provider: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland; Parent company: Stripe Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA
  • Purpose: Secure payment processing for course bookings
  • Data processed: Name, email address, payment details (e.g. credit card data). Your payment data is transmitted directly to Stripe and is not stored on our servers.
  • Legal basis: Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures)
  • Third-country transfer: Data may be transferred to the USA. Stripe participates in the EU-US Data Privacy Framework and additionally uses Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
  • Stripe privacy policy: stripe.com/privacy

7. Hosting

This website is hosted on a dedicated server operated by Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany). The server is located in Germany. Hetzner is contractually bound as a data processor pursuant to Art. 28 GDPR. Further information: hetzner.com/legal/privacy-policy.

8. SSL Encryption

This website uses SSL/TLS encryption to protect the security and confidentiality of data transmitted via the site. You can recognise an encrypted connection by the browser's address bar changing from "http://" to "https://".

9. Your Rights

Under the GDPR, you have the following rights with respect to your personal data:

  • Right of access (Art. 15 GDPR): You may request information about the data we hold about you.
  • Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR): You may request the deletion of your data, provided no statutory retention obligations apply.
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR): You may object to the processing of your data on the basis of Art. 6(1)(f) GDPR.
  • Right to withdraw consent: Any consent given may be withdrawn at any time.

To exercise your rights, please contact us at the address above. You also have the right to lodge a complaint with a data protection supervisory authority. The competent authority in Bavaria is: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.

Last updated: April 2026