Privacy Policy

Convenience translation. This English version is provided for understanding only. The German version is the only legally binding text and serves as the basis for all translations. In case of any discrepancy, the German wording prevails.

1. General information and principles of data processing

We are pleased that you are visiting our website. The protection of your privacy and of your personal data when using our website is an important concern for us.

According to Art. 4(1) GDPR, personal data means any information relating to an identified or identifiable natural person. Processing within the meaning of Art. 4(2) GDPR always requires a legal basis or your consent.

2. Data controller

MX-Softnet Hard- Software Consulting
Owner Dirk Greineisen
Erich-M. Müller Str. 6
86655 Harburg, Germany

3. Server log files

When you use this website, we collect technically necessary data via server log files (IP address, date and time of request, retrieved file, referrer, browser type, operating system). The legal basis is Art. 6(1)(f) GDPR (legitimate interest).

4. Cookies

We use cookies. On your first visit, a cookie banner with two options appears:

  • Accept all: necessary + functional/statistics cookies are activated.
  • Necessary only: only technically necessary cookies are set.

Cookies in use: carving_session (session, necessary), cookie_consent (1 year, necessary), werk_like_* (1 year, only with consent).

5. Registration and user account

You can register as a carver or specialist dealer. We collect: first/last name, email address, password (stored as a bcrypt hash), role. Optional profile data: artist name, address, phone, website, description, social media, awards, profile picture. The visibility of optional details can be controlled via your profile settings. Legal basis: Art. 6(1)(b) and (a) GDPR.

6. Contact form

You can contact us via a contact form. We collect name, email address, subject and message. Contact requests are automatically deleted after 90 days. Legal basis: Art. 6(1)(a) GDPR (consent).

7. Internal messaging system

Registered users can send messages to other users via an internal messaging system. The message text, sender, recipient and timestamp are stored. Legal basis: Art. 6(1)(b) GDPR.

8. Image uploads

Registered users can upload images. Permitted formats: JPG and PNG, max. 2 MB. All embedded metadata (EXIF, GPS, camera info) is automatically removed upon upload. Legal basis: Art. 6(1)(b) GDPR.

9. Q&A section

Registered users and visitors can post publicly visible questions. Unanswered questions are automatically deleted after 30 days. Legal basis: Art. 6(1)(f) GDPR.

10. Emails sent by the platform

We only send emails for: account activation, password reset, message notifications. We do not send newsletters. Legal basis: Art. 6(1)(b) GDPR.

11. External services

OpenStreetMap (maps): Map tiles are loaded directly from the servers of the OpenStreetMap Foundation. Your IP address is transmitted in the process. Legal basis: Art. 6(1)(f) GDPR.

Nominatim (geocoding): The query is performed server-side — your IP address is not passed on. Only postcode and city are transmitted.

Local libraries: All JavaScript/CSS libraries (Bootstrap, jQuery, Leaflet, Lightbox, Summernote, Chart.js, SortableJS) and fonts (Playfair Display, Source Sans 3) are hosted locally on our server. No data is transferred to external CDN services or to Google.

12. Tracking and analytics

We use our own, self-hosted statistics system. No data is transmitted to third parties. Your IP address is not stored — instead, a non-traceable SHA-256 hash with a daily salt is generated. Bots and administrators are not recorded. Data is only collected with your consent ("Accept all"). Legal basis: Art. 6(1)(a) GDPR.

13. Sponsor links

On the "Sponsors" page, partner logos are displayed. When clicking on a sponsor logo, you are redirected with rel="noreferrer", so the referrer header is not transmitted. We keep an anonymous click counter (only sums, no IP, no user IDs). The counter is incremented only with cookie consent ("Accept all").

14. Social media links on profiles

Carvers and dealers can optionally add social media links to their profile (Facebook, Instagram, YouTube, TikTok). These are displayed as simple text links — no widgets, no iframes, no scripts from the providers are embedded. rel="noopener noreferrer" is set, so the referrer header is not transmitted.

15. Data security

  • Encrypted transmission via SSL/TLS
  • Passwords stored as bcrypt hashes
  • CSRF protection in all forms
  • Prepared statements (SQL injection protection)
  • Automatic EXIF removal from uploaded images
  • IP addresses stored only as anonymised hash values

16. Your rights (Art. 15-22, 77 GDPR)

  • Right of access (Art. 15): confirm whether we process your data and obtain information.
  • Right to rectification (Art. 16): request correction of inaccurate data.
  • Right to erasure (Art. 17): have your data erased.
  • Right to restriction of processing (Art. 18).
  • Right to data portability (Art. 20).
  • Right to object (Art. 21).
  • Right to lodge a complaint with a supervisory authority (Art. 77).
  • Right to withdraw consent (Art. 7(3)) at any time, with effect for the future.

To exercise these rights, please contact the data controller (section 2).

17. Changes to this privacy policy

We reserve the right to update this policy at any time as required.

Status: April 2026

Notifications for interested visitors

Type of processing: email address, category selection (works, courses, events, accessories, general), country selection, language, pseudonymous IP hash (SHA-256) as consent proof.

Legal basis: Art. 6(1)(a) GDPR (consent). Consent is given actively by ticking a checkbox and confirming a link sent to the provided email address (double opt-in).

Purpose: information about new works, courses, events, accessory offers and platform news.

Settings changes: If you are already an active subscriber and want to change your categories or countries, the new values are stored briefly as a "pending change" with a one-time token and a validity of 48 hours. You will receive an email with two options ("Apply new settings" or "Keep old settings"). After your confirmation or after the 48 hours expire, the intermediate values are automatically removed. This additional processing only serves to verify the change of consent and has no other purpose.

Storage duration: until unsubscription. After unsubscribing, the record is kept in "unsubscribed" status to fulfill legal duties (consent proof, re-import protection). Alternatively, you can trigger full deletion (Art. 17 GDPR – right to erasure) yourself at any time: the unsubscribe page offers a "Delete data completely" button.

Right to withdraw (Art. 7(3) GDPR): Withdrawal of your consent is possible at any time through three channels:

  • One-click unsubscribe link in every notification email
  • Footer link "Unsubscribe from notifications" on every page (email input, personal unsubscribe link sent by email)
  • Informal email to the address listed in the imprint

Recipients: no sharing with third parties. SMTP delivery runs through IONOS, covered by the existing data processing agreement.