Controller (Art. 4 No. 7 GDPR)
The controller responsible for the processing of personal data under the General Data Protection Regulation and the national data-protection laws of the EU member states is:
Korsawe Consulting GmbH
Maximilianstraße 2, 80539 Munich, Germany
Managing Director: Lea Marie Korsawe
Email: info@korsaweconsulting.com
The full provider identification is set out in the legal notice (Impressum).
Data-protection officer
Korsawe Consulting GmbH is not required to appoint a data-protection officer under section 38 of the Federal Data Protection Act (BDSG). Data-protection queries should be addressed directly to the contact details in the legal notice.
Legal bases (Art. 6 (1) GDPR)
The processing of personal data through the valuation tool rests on the following legal bases:
lit. a (consent): sending the complete report after successful double opt-in and, separately and only if actively selected, sending the quarterly newsletter.
lit. b (contract or pre-contractual measures): provision of the requested valuation results and the complete report.
lit. f (legitimate interest): running the application, keeping server logs, defending against abusive use, and ensuring IT security. Also based on the legitimate interest are answering and assessing an inquiry and pointing out advisory services of the provider relevant to it, towards businesses. The legitimate interest is weighed against the rights and freedoms of the data subject in each case. Processing for direct-marketing purposes can be objected to at any time with effect for the future (Art. 21 GDPR).
Processing on the basis of lit. c (legal obligation) or lit. d (vital interests) does not occur in connection with the valuation tool.
Categories of data processed
The valuation tool processes the following categories of data:
Calculator inputs: revenue, EBITDA, net debt, sector, sub-segment, country, EBITDA trend, owner dependence, and share of recurring revenue. These inputs are first processed only in the browser; they are stored only once the complete report by email has been actively requested.
Lead data: email address, name, company, double-opt-in status, report-request status, newsletter status, accepted Terms version, and timestamps for the relevant acceptances.
Consent evidence: exact consent text, versions, purposes, language, form source, timestamp, truncated user-agent string, and hashed IP address.
Technical data: IP address, user-agent string, timestamp, referrer; written to the server logs of the hosting platform Vercel. To defend against abusive use, a hashed IP value with a timestamp is also stored briefly in the database when a report request is submitted and is deleted automatically no later than the following day (legal basis: Art. 6 (1) lit. f GDPR).
Purposes of processing
The categories listed above are processed for the following purposes:
Calculator inputs: calculation of the indicative valuation range in the browser and storage of a minimal calculation snapshot after the complete report has been requested.
Lead data: dispatch of the confirmation email, assignment of the confirmed request, delivery of the complete report, answering the inquiry and pointing out relevant advisory services, and management of the optional newsletter consent.
Consent evidence: proof of consent and Terms acceptance.
Technical data: running the application, security, abuse defence, and error analysis.
Processors and service providers (Art. 28 GDPR)
The service providers below are engaged to operate the valuation tool. Data-processing agreements under Art. 28 GDPR are in place where personal data is in scope.
6.1 Supabase
Purpose: database back end for lead data, consent evidence, and calculation snapshots, plus briefly stored hashed IP values for abuse prevention.
Provider: Supabase, Inc. (USA).
Place of processing: Germany (Amazon Web Services, region eu-central-1, Frankfurt am Main).
Third-country transfer: the data is stored in Frankfurt. Where access from the USA is possible for operations or support, it is covered by the data-processing agreement and EU standard contractual clauses.
6.2 Resend
Purpose: transactional email for double opt-in, report delivery, and optional newsletter communication.
Provider: Plus Five Five, Inc. (Resend), San Francisco, USA.
Sending domain: notifications.mittelstandswert.de (dedicated subdomain).
Place of processing: Ireland (region eu-west-1).
Third-country transfer: email delivery is processed in Ireland. Where access from the USA occurs, it is covered by the EU-US Data Privacy Framework, under which Resend is certified, and, in addition, by EU standard contractual clauses.
6.3 Vercel
Purpose: application hosting, edge delivery, server logs.
Provider: Vercel Inc., Covina, California, USA.
Place of processing: Germany (Frankfurt region, fra1). Vercel Inc. is a US company.
Third-country transfer: function execution and delivery take place in Frankfurt. Where access from the USA occurs, it is covered by the EU-US Data Privacy Framework, under which Vercel is certified, and, in addition, by EU standard contractual clauses.
6.4 Sanity
Purpose: headless content-management system for editorial content such as multiples, copy, and disclaimers.
Provider: Sanity Inc. (USA).
Place of processing: Belgium (Google Cloud Platform, region europe-west1).
Note: no personal client data is stored here; only public editorial content and reference data.
Third-country transfers (Art. 44 ff. GDPR)
Processing takes place entirely within the EU: Supabase and Vercel in Frankfurt, Resend in Ireland, Sanity in Belgium. The providers Supabase, Vercel, and Resend are US companies. Where their US parent companies can access data in operations or support, this rests on suitable safeguards, in particular the EU-US Data Privacy Framework and EU standard contractual clauses, together with supplementary technical and organisational measures.
Double opt-in flow
Email addresses are collected when the data subject, after completing the calculator inputs, actively requests the complete report by email. Collection happens in two steps:
1. The data subject enters the email address in the form.
2. The data subject confirms the address by clicking the verification link in a separately delivered confirmation email.
Only after this second step is the request marked confirmed and the complete report sent. The confirmation link is valid for 72 hours. Data captured before confirmation is deleted automatically no later than 21 days after collection if no confirmation arrives. Optional newsletter consent is separate from the report and can be withdrawn at any time with effect for the future.
Retention
Personal data is retained only for as long as necessary for the relevant purpose or as required by statutory retention obligations.
Unconfirmed leads: until confirmation, and no longer than 21 days from collection; deleted automatically thereafter.
Confirmed report requests: until withdrawal or deletion, and no longer than 24 months from the last contact.
Newsletter status: until withdrawal; a minimal suppression or evidence record may be retained to honour the withdrawal.
Server logs (Vercel): depending on the plan, no longer than 30 days.
Abuse prevention (hashed IP values, Supabase): deleted automatically no later than the following day.
Calculation snapshots (Supabase): for as long as needed for the requested report, and no longer than the retention period of the associated confirmed lead.
Data-subject rights
Every data subject has the right, subject to the statutory conditions, to access, rectification, erasure, restriction of processing, data portability, and objection. These rights are exercised informally, by writing to the contact address set out in the legal notice.
Withdrawal of consent (Art. 7 (3) GDPR): Any consent given may be withdrawn at any time with effect for the future, informally, by writing to the contact address set out in the legal notice. The lawfulness of processing carried out before withdrawal remains unaffected.
Objection to direct marketing (Art. 21(2) GDPR): Where personal data is processed for direct-marketing purposes, you may object at any time without giving reasons. The data will then no longer be processed for those purposes.
Right to lodge a complaint (Art. 77 GDPR): data subjects may lodge a complaint with a supervisory authority. The competent supervisory authority is Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, www.lda.bayern.de.
Cookies and similar technologies
In its current build, the valuation tool sets only strictly necessary cookies, such as session identifiers and locale preferences. No consent under section 25 (1) TDDDG is required for this; the processing rests on section 25 (2) TDDDG. No third-party trackers, no marketing cookies, no analytics cookies.
Security of processing (Art. 32 GDPR)
The controller takes technical and organisational measures to ensure a level of security appropriate to the risk. These include TLS transport encryption, access restrictions, role-based permissions, data minimisation, separation of production and editorial systems, and periodic review of data-processing agreements.
Updates to this notice
This privacy notice is updated whenever the processing, the services engaged, or the legal framework changes. The version in force at the time of collection governs.