Privacy Policy — mentorde.com

[DRAFT: This Privacy Policy was prepared on the basis of the technology stack actually used by mentorde.com. Before publication, items in brackets (commercial register, VAT ID, managing director name) must be filled in with actual data and the entire document must be reviewed by a qualified data protection lawyer or DPO. The legally authoritative version for German supervisory authorities is the German Datenschutzerklärung. Status: April 2026.]

1. Name and Contact Details of the Controller

The controller responsible for the processing of personal data within the meaning of the General Data Protection Regulation (GDPR) is:

Horizon STS GmbH (hereinafter "mentorde.com" or "we")
Herwigstraße 24
35683 Dillenburg
Germany

Phone: +49 157 84218282
Email: info@mentorde.com
Website: www.mentorde.com

Managing Director: Halil Aktas
Commercial Register: Local Court (Amtsgericht) Wetzlar, HRB 9127
VAT ID: DE 999 999 999 (sample — to be replaced with the actual number)

2. Data Protection Officer

Under current circumstances, the appointment of a Data Protection Officer is not mandatory for our company pursuant to Section 38(1) of the German Federal Data Protection Act (BDSG), as fewer than 20 persons are continuously engaged in the automated processing of personal data, and we do not carry out processing activities that require a Data Protection Impact Assessment under Art. 35 GDPR.

For data protection inquiries, please contact: info@mentorde.com

3. General Information on Data Processing

3.1 Scope of Processing of Personal Data

We process the personal data of our users only to the extent necessary to provide a functional website and to deliver our content and services. As a rule, personal data of our users is processed only with the user's consent. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.

3.2 Legal Basis for Processing Personal Data

Where we obtain consent from the data subject for the processing of personal data, Art. 6(1)(a) GDPR serves as the legal basis.

In the case of processing personal data necessary for the performance of a contract to which the data subject is a party, Art. 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations necessary for pre-contractual measures.

Where processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6(1)(c) GDPR serves as the legal basis.

If processing is necessary to safeguard a legitimate interest of our company or of a third party, and the interests, fundamental rights, and freedoms of the data subject do not override that interest, Art. 6(1)(f) GDPR serves as the legal basis.

For the processing of special categories of personal data (e.g., health data), Art. 9 GDPR applies as the legal basis, in particular based on explicit consent under Art. 9(2)(a) GDPR.

3.3 Data Erasure and Storage Duration

The personal data of the data subject will be erased or restricted as soon as the purpose of storage no longer applies. Storage may continue if this is provided for by the European or national legislator in EU regulations, laws, or other provisions to which the controller is subject.

In particular, the following retention periods apply:

4. Provision of the Website and Creation of Log Files

4.1 Description and Scope of Data Processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected:

This data is stored in the log files of our hosting provider. This data is not stored together with other personal data of the user.

4.2 Legal Basis and Purpose of Processing

The legal basis for the temporary storage of the data and log files is Art. 6(1)(f) GDPR. The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. Storage in log files is carried out to ensure the functionality of the website, to evaluate system security and stability, and for administrative purposes. These purposes also constitute our legitimate interest.

4.3 Duration of Storage

The data is erased as soon as it is no longer required for the purpose for which it was collected. In the case of data collected to provide the website, this is when the respective session ends. In the case of data stored in log files, this is after seven days at the latest.

5. Hosting

Our website is hosted by an external service provider with servers located in Germany. Personal data collected on this website is stored on the servers of this hoster.

Our hoster is:

ALL-INKL.COM — Neue Medien Münnich
Inh. René Münnich
Hauptstraße 68
02742 Friedersdorf
Germany
Website: www.all-inkl.com

Processing is carried out on the basis of Art. 6(1)(f) GDPR (legitimate interest in the secure, fast, and efficient provision of our online offering). We have entered into a data processing agreement with our hoster pursuant to Art. 28 GDPR. The servers are located in Germany; no data transfer to third countries takes place in the context of hosting.

6. Cookies and Similar Technologies

6.1 General Information

Our website uses cookies. Cookies are small text files that are stored in the internet browser or by the internet browser on the user's computer system.

6.2 Types of Cookies

Strictly necessary cookies: These cookies are required to use the basic functions of our website (e.g., login session, CSRF protection, language preference). The legal basis is Section 25(2)(2) TDDDG in conjunction with Art. 6(1)(f) GDPR.

Functional cookies: These cookies enable extended functionality and personalization (e.g., design selection, dark mode preference). The legal basis is your consent under Section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR.

Analytics cookies: These cookies are used to improve our product and are set exclusively after your consent. The legal basis is your consent under Section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR. We currently do not use any third-party marketing or advertising cookies.

6.3 Consent and Withdrawal (Cookie Banner)

When you first visit our website, you will be informed about the use of cookies via a cookie banner and asked for your consent. You can withdraw or adjust your consent at any time with effect for the future by accessing the cookie settings via the corresponding link in the footer of our website.

7. Contact and Contact Form

7.1 Description of Data Processing

Our website provides a contact form that can be used for electronic communication. If a user takes advantage of this option, the data entered in the input mask is transmitted to us and stored. This data includes:

Alternatively, you may contact us via the email address provided or via WhatsApp.

7.2 Legal Basis

The legal basis for processing the data is Art. 6(1)(a) GDPR if the user has given consent. The legal basis for processing data transmitted in the course of contact for the initiation or performance of a contract is Art. 6(1)(b) GDPR.

7.3 WhatsApp Communication

When communicating via WhatsApp, personal data may be transmitted to Meta Platforms Ireland Ltd. and to servers in the United States. We point out that WhatsApp processes communication metadata (phone number, timestamps). The transfer to the United States is based on the EU-U.S. Data Privacy Framework (Adequacy Decision of the European Commission of 10 July 2023). For sensitive matters, we recommend contacting us by email.

8. Mentoring and Consulting Services

In the context of our mentoring and consulting services, we process the following categories of personal data of our clients:

The legal basis for processing this data is Art. 6(1)(b) GDPR (performance of contract). The processing of special categories of personal data is carried out exclusively on the basis of your explicit consent under Art. 9(2)(a) GDPR.

Recipients of this data may include: German universities and educational institutions, Uni-Assist e. V., German diplomatic missions abroad (consulates), immigration offices (Ausländerbehörden), health insurance companies, providers of blocked accounts (e.g., Expatrio, Coracle, Fintiba), student housing providers, and our cooperation partners in Türkiye (see Section 13.1).

9. Newsletter

We currently do not operate an automated newsletter. Should we set up a newsletter in the future, we will update this Privacy Policy accordingly and use a double opt-in procedure. The legal basis would be your consent under Art. 6(1)(a) GDPR.

10. Web Analytics — PostHog

We use PostHog to analyze user behavior on our website with the aim of improving our offering. The provider is PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA. We use PostHog with the EU Cloud region (server location: Frankfurt am Main, Germany), so that processing of your data takes place within the European Union.

Data collected:

Legal Basis: The use of this analytics tool is based exclusively on your express consent under Art. 6(1)(a) GDPR and Section 25(1) TDDDG. Consent can be revoked at any time via the cookie banner.

Third-Country Transfer: Even though processing takes place in the EU, support and maintenance requests may involve access by the US parent company. EU Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR have been concluded with PostHog Inc.

Storage Duration: Maximum 14 months. Data is then automatically deleted.

We currently do not use Google Analytics, Google Ads, or Meta Pixel (Facebook Pixel).

11. Payment Processing — Stripe

For online payment processing (consulting fees, service packages), we use the payment service provider Stripe. The provider for users in the EU is Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.

When making a payment, the necessary data (name, billing address, payment method, card data or bank details) is transmitted directly to Stripe and processed by Stripe under its own data protection responsibility. We only receive a transaction ID and payment status, but no full card data.

Legal Basis: Art. 6(1)(b) GDPR (performance of contract). Stripe's privacy policy is available at: https://stripe.com/privacy.

Third-Country Transfer: Stripe may transfer data to its US affiliate Stripe, Inc. for fraud prevention and compliance purposes. The transfer is based on the EU-U.S. Data Privacy Framework and EU Standard Contractual Clauses under Art. 46(2) GDPR.

12. Email Sending — Resend

For the sending of transactional emails (e.g., confirmations, password resets, session reminders, invoices), we use the service Resend. The provider is Resend, Inc., 2261 Market Street, San Francisco, CA 94114, USA.

Data transmitted: email address, recipient name, subject, and content of the message.

Legal Basis: Art. 6(1)(b) GDPR (notifications related to performance of contract) or Art. 6(1)(f) GDPR (legitimate interest in reliable email delivery).

Third-Country Transfer (USA): The transfer to the USA is based on the EU-U.S. Data Privacy Framework and EU Standard Contractual Clauses under Art. 46(2) GDPR. A Data Processing Agreement (DPA) under Art. 28 GDPR has been concluded with Resend. The provider's privacy policy is available at: https://resend.com/legal/privacy-policy.

13. AI-Powered Services (AI Labs)

In the context of our internal AI assistant ("MentorDE AI Labs") as well as public AI features (e.g., the FAQ assistant at /sss), we process text inputs and queries using large language models. The providers are:

Data transmitted: content of the request (prompt), any documents or texts provided, and a pseudonymized session ID.

Legal Basis:

Third-Country Transfer (USA): Requests are processed via the respective API interfaces. The transfer to the USA is based on the EU-U.S. Data Privacy Framework and EU Standard Contractual Clauses under Art. 46(2) GDPR. Data Processing Agreements (DPAs) under Art. 28 GDPR have been concluded with all providers.

Important: The providers have contractually assured us that submitted content will not be used to train their models (zero-retention/opt-out arrangements). We nevertheless recommend not entering particularly sensitive personal data of third parties in AI requests.

14. Appointment and Calendar Integration — Google Calendar

For the management of consultation appointments, appointments may optionally be synchronized with Google Calendar. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Data transmitted: appointment title, date/time, participant email addresses, optional notes.

Legal Basis: Art. 6(1)(b) GDPR (performance of contract — appointment organization).

This feature is optional; consultation is also possible without calendar synchronization.

15. Embedded Content and Tools

15.1 Fonts (Self-Hosted)

Our website uses the open-source fonts "Plus Jakarta Sans" and "DM Serif Display" for consistent typography. These fonts are served exclusively from our own servers (self-hosting). No connection is established with Google servers; your IP address is not transmitted to Google.

This approach complies with the requirements of the Munich Regional Court (judgment of 20.01.2022, case no. 3 O 17493/20).

15.2 YouTube (Extended Privacy Mode)

On individual sub-pages of our website (in particular for city portraits of German university cities), we embed videos from the YouTube platform. The provider is Google Ireland Limited. We use YouTube in extended privacy mode (youtube-nocookie). According to YouTube, this mode means that YouTube does not store any information about visitors to this website before they actively watch the video.

Legal Basis: Art. 6(1)(a) GDPR (consent via cookie banner) or Art. 6(1)(f) GDPR when using extended privacy mode.

16. Social Media Presence

Where active, we maintain profiles or pages on the following social networks: [Insert active platforms, e.g., Instagram, LinkedIn, YouTube — delete inactive platforms.]

When you visit one of these social networks or interact with our content, personal data is transmitted to the respective provider and processed there. The respective provider and we are joint controllers within the meaning of Art. 26 GDPR.

The legal basis for the processing of your personal data is our legitimate interest in effective external presentation and communication with potential clients under Art. 6(1)(f) GDPR. If you have given the respective providers consent to data processing, the legal basis is Art. 6(1)(a) GDPR.

No social media plugins are embedded on our website that automatically establish connections to third-party servers. Links to social networks are provided exclusively as static hyperlinks.

17. International Data Transfers

A transfer of data to countries outside the European Union (EU) or the European Economic Area (EEA) – so-called third countries – takes place in the context of the services described above (in particular USA for Resend, AI providers, Stripe corporate transfers; Türkiye for mentoring cooperation).

Processing only takes place in compliance with the requirements of Art. 44 et seq. GDPR on the basis of:

17.1 Data Transfers to Türkiye

In the context of our consulting services, we work with cooperation partners (consulting offices, law firms) in Türkiye. Where personal data is transferred to Türkiye for this purpose, this is carried out on the basis of:

Türkiye does not have an adequacy decision from the European Commission. We point out that Turkish data protection law (KVKK) is generally aligned with European standards but may differ in the level of protection.

18. Rights of the Data Subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

18.1 Right of Access (Art. 15 GDPR)

You may request confirmation from the controller as to whether personal data concerning you is processed by us, and information about the processing purposes, categories of data, recipients, and planned storage period.

18.2 Right to Rectification (Art. 16 GDPR)

You have a right to rectification and/or completion if the processed personal data concerning you is inaccurate or incomplete.

18.3 Right to Restriction of Processing (Art. 18 GDPR)

Under certain conditions, you may request the restriction of the processing of personal data concerning you.

18.4 Right to Erasure (Art. 17 GDPR)

You may request that the controller erase the personal data concerning you without undue delay if one of the reasons listed in Art. 17(1) GDPR applies and continued processing is not necessary (e.g., to fulfill commercial and tax retention obligations).

18.5 Right to Notification (Art. 19 GDPR)

If you have asserted the right to rectification, erasure, or restriction of processing, the controller is obliged to notify all recipients to whom the personal data has been disclosed.

18.6 Right to Data Portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used, and machine-readable format.

18.7 Right to Object (Art. 21 GDPR)

You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR.

18.8 Right to Withdraw Consent (Art. 7(3) GDPR)

You have the right to withdraw your consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

18.9 Automated Decision-Making in Individual Cases (Art. 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning you or similarly significantly affects you. No such automated decision-making takes place on our website.

18.10 Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of personal data concerning you infringes the GDPR.

The supervisory authority responsible for us — based on the company seat in Hesse — is:

The Hessian Commissioner for Data Protection and Freedom of Information (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit)
Postfach 3163
65021 Wiesbaden, Germany
Phone: +49 611 1408-0
Email: poststelle@datenschutz.hessen.de
Website: www.datenschutz.hessen.de

19. Data Security (Art. 32 GDPR)

During your visit to our website, we use the widely used SSL/TLS procedure in conjunction with the highest level of encryption supported by your browser. You can recognize an encrypted connection by the fact that the address bar of the browser changes from "http://" to "https://" and by the lock symbol in your browser bar.

In addition, we implement the following technical and organizational measures (TOMs):

The detailed technical and organizational measures (TOM document under Art. 32 GDPR) are kept internally and can be reviewed by supervisory authorities upon justified request.

20. Status and Amendment of this Privacy Policy

This Privacy Policy is currently valid and was last updated: April 2026.

As our website and services evolve, or due to changes in legal or regulatory requirements, it may become necessary to amend this Privacy Policy. The current Privacy Policy can be accessed and printed at any time on the website at www.mentorde.com/privacy.

21. Governing Language

This Privacy Policy is provided in English for the convenience of international visitors. The legally authoritative version for German supervisory authorities is the German version (Datenschutzerklärung), available at www.mentorde.com/datenschutz. In the event of any discrepancy between the English and German versions, the German version shall prevail.