tiger&monkey logo
LEGAL

Datenschutz.

Privacy Policy (GDPR)

Effective date: 12 November 2025

Controller: tiger&monkey GbR, Humboldtstraße 97–99, 40237 Düsseldorf, Germany
Contact: hi@tigerandmonkey.agency, +49 (0) 211 875 240 30
Supervisory authority: LDI NRW, Düsseldorf.

1) What we process

  • Server logs (hosting): IP address, date/time, URL/referrer, user agent, HTTP status, bytes transferred — for operation/security.
  • Contact/CRM: name, company, role, email, phone, messages, project history.
  • Client & supplier data: contracts, billing, creative assets, approvals.
  • Applicants: CV, portfolio links, references, interview notes.
  • Social media: interactions on Instagram and LinkedIn.

2) Cookies & tracking

We use no analytics, no marketing pixels, and no non-essential cookies. Under § 25 TDDDG, device access for non-essential purposes requires consent; as we don’t deploy such technologies, no consent banner is needed.

3) Purposes & legal bases (Art. 6 GDPR)

Website operation & security (Art. 6(1)(f)); responding to inquiries and pre-contract steps (Art. 6(1)(b)); contract performance & administration (Art. 6(1)(b)); legal duties incl. tax retention (Art. 6(1)(c)); recruitment (Art. 6(1)(b); talent-pool retention with consent, Art. 6(1)(a)); IT security/claims defence (Art. 6(1)(f)).

4) Hosting & processors

Website hosting by STRATO (Germany). According to STRATO, visitor IPs in server logs are stored for a maximum of seven days to detect/defend attacks, then deleted/anonymised. Other processors (e.g., for secure file transfer or invoicing) receive only what’s necessary under data-processing agreements.

5) Social media (Instagram & LinkedIn)

We receive aggregated Page/Account Insights. For these Insights we act as joint controllers with Meta (Instagram) and LinkedIn under their controller addenda; the platforms generally handle data-subject requests related to Insights data.

6) International transfers

We do not intentionally transfer website-visitor data outside the EU/EEA. Social platforms may process data outside the EU under their own safeguards and terms.

7) Retention

  • Inquiries: 12 months after last interaction.
  • Applicants: 6 months after process end; with consent, 24 months in our talent pool.
  • Client/project & billing data: statutory retention (typically 6–10 years).
  • Server logs (host): 7 days unless needed longer for security.

8) Your rights

Access, rectification, erasure, restriction, portability, and objection (esp. to processing based on legitimate interests or for direct marketing). You may withdraw consent at any time with future effect. You can lodge a complaint with a supervisory authority.

9) Security & encryption

We apply appropriate technical/organisational measures (e.g., TLS/SSL, access controls, backups) to protect personal data.

10) Children

Our website and services are not directed to children; we do not knowingly collect children’s data.

11) Automated decision-making

We do not use automated decision-making or profiling producing legal or similarly significant effects (Art. 22 GDPR).

12) Updates

We may update this notice; the current version is shown by the effective date above.