1. Information about the Collection of Personal Data

In the following, we inform you about the collection of personal data when using our website. Personal data is all data that can be related to you personally, e.g. name, address, e-mail addresses, user behaviour.

The responsible party pursuant to Art. 4(7) GDPR is:

OFF THE ORDINARY GbR
Mr. Jost Bosse, Mr. Per Hagen
Bismarckstraße 10, 30989 Gehrden
Tel: +49 176 61450494
E-mail: hey@off-the-ordinary.com

2. Your Rights

You have the right to obtain information from us about the personal data concerning you (Art. 15 GDPR) that is processed by us. Furthermore, you have a right to rectification (Art. 16 GDPR), deletion (Art. 17 GDPR) or restriction of processing (Art. 18 GDPR) and a right to data portability (Art. 20 GDPR).

Furthermore, you have the right to lodge a complaint with the competent supervisory authority at any time. For this purpose, please contact the State Commissioner for Data Protection of Lower Saxony, Prinzenstr. 5, 30159 Hannover, Tel.: 0511 / 120-4500, e-mail: poststelle@lfd.niedersachsen.de.

3. Collection of Personal Data when Visiting our Website

When you contact us by e-mail, the data you provide (your e-mail address, name and telephone number, if applicable) will be stored by us in order to answer your questions. We delete the data occurring in this context once storage is no longer necessary, or restrict processing where legal retention obligations apply.

In the case of purely informational use of the website — i.e. if you do not register, log in, or otherwise actively transmit information to us — we collect only the data that your browser automatically transmits to our server. This data is technically necessary for us to display our website and to ensure its stability and security (legal basis: Art. 6(1)(f) GDPR):

• IP address
• Date and time of the request
• Time zone difference to Greenwich Mean Time (GMT)
• Content of the request (specific page accessed)
• Access status / HTTP status code
• Amount of data transmitted
• Website from which the request originated
• Browser type
• Operating system and its interface, language and version of the browser software

4. Collection of Personal Data from Customers, Clients and Business Partners

a) What sources and data do we use?

We process personal data collected in the course of pre-contractual and contractual dealings with you. This typically includes business contact details of the relevant contact persons at our customers and business partners. Where customers, business partners or data subjects are natural persons, account details and any information relating to their specific request may also be processed.

b) For what purposes and on what legal basis is your data processed?

Personal data is generally processed for the performance of a contract or for pre-contractual measures pursuant to Art. 6(1)(b) GDPR. Within the scope of our customer service, we may also process your data on the basis of your consent (Art. 6(1)(a) GDPR) or on the basis of our legitimate interest in balancing the protection of your personal data (Art. 6(1)(f) GDPR). Further processing may occur in fulfilment of the tasks of the data protection officer pursuant to Art. 39 GDPR and § 7 BDSG.

c) Who receives your data?

We do not pass on your data to unauthorised third parties. However, where necessary in the context of contract processing with natural persons, data may be disclosed to:

• Financial service providers (e.g. for payment transfers)
• External bodies at the request of the data subject
• Public authorities
• External contractors in accordance with Art. 28 GDPR

d) Will your data be transferred to a third country or international organisations?

In principle, we do not intend to transfer your data to third countries or international organisations. However, please note that our website infrastructure relies on service providers based in the United States (see Section 5). These transfers are lawful on the basis of the EU-US Data Privacy Framework, as further detailed in Section 5.

e) How long do we store your data?

Your personal data will be deleted upon expiry of the applicable statutory retention periods arising, for example, from the German Civil Code (BGB), the German Commercial Code (HGB) or the German Fiscal Code (AO). Data not subject to such retention obligations will be deleted once the purpose for which it was collected no longer applies.

5. Website Infrastructure and Content Distribution

a) Webflow

Our website is hosted and its content made accessible through services provided by Webflow, Inc., located at 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA. As a consequence, any data arising from website activity passes through and is stored on this company's server infrastructure. To safeguard the personal information of those visiting our site, a formal data processing agreement is in place between us and Webflow. This agreement is legally binding and expressly forbids the provider from passing data on to unauthorised third parties.

Webflow has certified its participation in the EU-US Data Privacy Framework, a scheme recognised by the European Commission through an adequacy decision as offering a standard of data protection equivalent to that required under European law. This certification serves as the legal basis for any personal data transferred from the EU to the United States.

b) Cloudflare

Reliable and fast content delivery across our website is made possible through the use of a Content Delivery Network (CDN) operated by Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA. By routing assets such as images, scripts, and other page elements through a wide network of servers positioned across different regions, load times are significantly reduced and overall site performance is enhanced. Our reliance on this service is grounded in Art. 6(1)(f) GDPR, reflecting our legitimate interest in maintaining a stable, high-performing web presence.

As with our hosting provider, a data processing agreement governs our relationship with Cloudflare, placing binding obligations on the company to protect visitor data and to refrain from any unauthorised onward transfer to third parties. Where data is transmitted to the United States in this context, the legal basis for such transfers rests on Cloudflare's adherence to the EU-US Data Privacy Framework — a mechanism validated by an adequacy decision of the European Commission confirming alignment with EU-level data protection requirements.

6. Use of Cookies

Cookies are small text files placed on your device during your visit to our website. They fall into two categories: session cookies, which are automatically removed once you close your browser, and persistent cookies, which remain on your device across multiple visits in order to save your preferences and settings. The retention period for persistent cookies can be reviewed in your browser's cookie settings.

Where cookies process personal data, the legal basis varies depending on context — either contractual necessity under Art. 6(1)(b) GDPR, your prior consent under Art. 6(1)(a) GDPR, or our legitimate interest in a technically reliable and user-friendly website under Art. 6(1)(f) GDPR.

Your browser settings give you control over cookie behaviour at any time. You may choose to be notified before cookies are set, block them selectively, or disable them altogether. Please be aware that doing so may limit the functionality of certain features on our website.

7. External Links

For your information, our website may contain links to third-party sites. Where this is not immediately apparent, we will indicate that the link leads to an external source. We have no influence over the content or design of these external pages and therefore refer you to the respective privacy policies of those providers. The data protection guarantees set out in this policy do not apply to those sites.

---

Data Protection Information for Customers and Business Partners

Information on the collection of personal data pursuant to Articles 13, 14 and 21 GDPR

1. Who is Responsible for Data Processing?

The responsible party is:

OFF THE ORDINARY GbR
Mr. Jost Bosse, Mr. Per Hagen
Bismarckstraße 10, 30989 Gehrden
Tel: +49 176 61450494
E-mail: hey@off-the-ordinary.com

2. What Sources and Data Do We Use?

We process personal data collected in the course of pre-contractual and contractual dealings with you. This includes business contact details of the relevant contact persons at our customers and other business partners. Where customers and business partners are natural persons, account details may also be processed in the course of business operations.

3. For What Purposes and on What Legal Basis is Your Data Processed?

At OFF THE ORDINARY, personal data arising from the fulfilment of a contract or pre-contractual measures is processed only to the extent necessary for those purposes — specifically, names and business contact details. The legal basis for this is Art. 6(1)(b) GDPR. Where applicable, data is also processed within the scope of our customer service on the basis of your consent (Art. 6(1)(a) GDPR) or on the basis of our legitimate interest in the protection of your personal data (Art. 6(1)(f) GDPR).

4. Who Receives Your Data?

We do not pass on your data to unauthorised third parties. However, where necessary in the context of contract processing with natural persons, data may be disclosed to:

• Financial service providers (e.g. for bank transfers)
• Public authorities (e.g. tax authorities)
• External contractors in accordance with Art. 28 GDPR

5. Is Your Data Transferred to a Third Country or International Organisations?

In principle, we do not intend to transfer your data to third countries or international organisations beyond the transfers described in Section 5 of the main privacy policy above (Webflow and Cloudflare), which are covered by the EU-US Data Privacy Framework.

6. How Long Do We Store Your Data?

Your personal data will be deleted upon expiry of the applicable statutory retention periods arising from the German Civil Code (BGB), the German Commercial Code (HGB) or the German Fiscal Code (AO). Data not subject to such retention obligations will be deleted once the purpose for which it was collected no longer applies.

7. What Data Protection Rights Do You Have?

You have the right to obtain information from OFF THE ORDINARY about your personal data (Art. 15 GDPR). Furthermore, you have a right to rectification (Art. 16 GDPR), deletion (Art. 17 GDPR), restriction of processing (Art. 18 GDPR) and data portability (Art. 20 GDPR). You also have the right to lodge a complaint with the competent supervisory authority at any time:

State Commissioner for Data Protection of Lower Saxony
Prinzenstr. 5, 30159 Hannover
Tel.: 0511 / 120-4500
E-mail: poststelle@lfd.niedersachsen.de

8. What Rights of Objection Do You Have?

Where you have given your consent to the processing of your data pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR, you have the right to withdraw that consent at any time. You also have the right to object to the processing of your personal data pursuant to Art. 21 GDPR. Where an objection is raised, we will cease processing your personal data unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or unless the processing is necessary for the establishment, exercise or defence of legal claims.

Please direct any such requests to OFF THE ORDINARY at the address stated above.

OFF THE ORDINARY — last updated: 2 June 2023