Privacy Policy
As of: May 2026
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other data-protection regulations for the offering at translations.koch.legal is:
Email:
Phone:
VAT identification number: DE303689805
(Hereinafter: "Provider")
Further information (in particular concerning the supervisory authority under the German rules of professional conduct for lawyers) can be found in the Imprint.
2. Principles of data processing
The Provider processes personal data only to the extent necessary to provide a functional website and the services offered. Personal data is processed only on the basis of legal permission or with the express consent of the data subject.
The website is implemented as a static single-page application; it uses no analytics, tracking or advertising services, no social-media plugins and no third-party fonts (the Montserrat font is served by the Provider's own server).
3. Hosting and server logs
The website is operated on a server located within the Federal Republic of Germany.
Each access to the website automatically records technical access data (server log files). This includes:
- browser type and version
- operating system used
- referrer URL (previously visited page)
- IP address of the requesting device
- date and time of access
- page / file accessed and amount of data transferred
- HTTP status code
Purpose: Ensuring the trouble-free operation of the website and the detection and prevention of attacks.
Legal basis: Art. 6(1)(f) GDPR (the Provider's legitimate interest in secure and functional website operation).
Storage period: Log files are automatically deleted after no more than 14 days, unless longer retention is required for security reasons in individual cases.
All content is transmitted exclusively in encrypted form via HTTPS (TLS) using a Let's Encrypt certificate.
4. Static assets and fonts (first-party delivery)
All files required to render the website — HTML, stylesheets, JavaScript components (in particular the quote-request form component), and the self-hosted Montserrat font family — are delivered exclusively from the website's own server at the domain translations.koch.legal.
With the following exception: the conversion-tracking script of Google Ireland Ltd. (Google Tag, gtag.js, loaded from www.googletagmanager.com) is loaded on every page. It does not, however, set any cookies until the visitor consents, and without consent it transmits no personal data to Google. Embedding follows Google Consent Mode v2 with default-denied configuration. See Section 7 (Google Ads conversion tracking) for details.
Otherwise, no external content-delivery network (CDN), third-party script, tracker, analytics tool, or external web font (e.g. Google Fonts) is integrated.
Purpose: Delivery of the website interface.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient website provision).
Third-country transfer: None in connection with delivery of static assets. For third-country transfer in connection with gtag.js, see Section 7.
5. Quote-request form
Visitors can use the form on the home page to request a non-binding quote. The following data is processed:
| Field | Required | Content |
|---|---|---|
| Email address | yes | for the response |
| Name | no | for personal salutation |
| Firm / company | no | optional context |
| Phone number | no | for callbacks |
| Translation direction | no | DE→EN or EN→DE |
| Document type | no | e.g. contract, certificate |
| Certification required | no | yes/no |
| Desired delivery date | no | standard or expedited processing |
| Free-text message | no | further notes |
| File attachments | no | up to 25 MB per file (max. 5 files, 50 MB total; PDF, DOCX, ODT, JPG, PNG, TIFF only) |
| Request token (signed timestamp) | technically required | protection against automated submissions |
Optional file attachments (e.g. documents to be translated) are used exclusively to prepare the quote and, where applicable, for subsequent processing of the order. Please note that personal or particularly sensitive data may also be contained in optional fields or in uploaded files; please send only the information necessary for your enquiry.
Transmission is encrypted (TLS) to the Provider's server and from there as an email to . Email delivery is via the mail server box.koch.legal (SMTP over SSL/TLS, port 465). The email remains stored in the Provider's mailbox.
Spam protection: Incoming submissions are checked server-side against simple technical signals (honeypot field, signed short-lived request token, origin and rate-limit checks). No third-party services, no CAPTCHA and no tracking are used. The IP addresses processed in this context are stored under Section 3 server-log retention (14 days).
Purpose: Processing your enquiry and, where applicable, subsequent contract initiation and performance.
Legal basis: Art. 6(1)(b) GDPR (performance of pre-contractual measures or performance of a contract). For enquiries without a contractual relationship, additionally Art. 6(1)(f) GDPR (legitimate interest in processing incoming enquiries).
Storage period: The data will be deleted as soon as the enquiry has been finally processed and the purpose of storage no longer applies. Statutory retention obligations, in particular under commercial and tax law (regularly 6 or 10 years), remain unaffected.
6. Cookies and local storage
This website sets cookies only with your consent for the purpose of measuring Google Ads campaign performance. Details on the cookies set, their retention and purpose are in Section 7 (Google Ads conversion tracking). Without your consent, no cookies are set.
In your browser's local storage (localStorage), two entries are stored — even without consent: (a) your last selected language preference (key kt_lang, value de or en), so that your language selection is preserved on your next visit, and (b) your cookie decision itself (key kt_consent, value granted or denied), so that you are not asked the consent question again on every visit. Both entries are not transmitted to the server and contain no personal reference. You can delete them in your browser at any time.
Legal basis: For advertising cookies under Section 7: Art. 6(1)(a) GDPR (consent) in conjunction with § 25(1) TDDDG. For the two localStorage entries: § 25(2)(2) TDDDG (strictly necessary to provide the service expressly requested by the user) or Art. 6(1)(f) GDPR.
7. Google Ads conversion tracking
The website embeds the Google Tag (gtag.js) of Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. Purpose: measuring the performance of Google Ads campaigns we run — we learn how many visitors who clicked one of our ads actually submitted the quote-request form (a conversion). Domains contacted: www.googletagmanager.com (script hosting), www.google.com and googleads.g.doubleclick.net (pixel / beacon).
Cookies set with your consent (in particular):
_gcl_au— Google Ads click identifier, retention 90 days_gcl_aw— click attribution for Search ads, retention 90 days_gcl_dc— click attribution for Display ads, retention 90 days
Data processed: IP address (according to Google, truncated), click identifier (gclid URL parameter from the ad), conversion timestamp, pages visited within the session, technical browser and device attributes.
Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with § 25(1) TDDDG. Without consent, no cookies are set; the gtag script runs in Google Consent Mode v2 default-denied mode in which no personal data is transmitted to Google.
Third-country transfer: Google processes data partly on servers in the United States. Google LLC (USA, parent of Google Ireland Ltd.) is certified under the EU-U.S. Data Privacy Framework; the transfer is based on the corresponding adequacy decision of the European Commission of 10 July 2023 (Art. 45 GDPR).
Storage period of the conversion data at Google: up to 540 days, per Google Ads default settings.
Withdrawal: You can withdraw your consent at any time using the "Cookie settings" link in the footer of this website — cookies will then no longer be set on subsequent page loads; cookies already set can be deleted in your browser or will expire after the retention periods listed above. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
8. Disclosure to third parties
With the exception of the processors mentioned in Section 3 (hosting), Section 5 (email delivery) and Section 7 (Google Ads conversion tracking), the Provider does not pass on your data to third parties unless:
- you have expressly consented,
- there is a legal obligation to disclose (e.g. to law-enforcement authorities or courts), or
- disclosure is necessary for the performance of a contract with you.
Contracts under Art. 28 GDPR exist with processors.
9. Security
The Provider takes appropriate technical and organisational measures to protect your data against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. These include in particular:
- exclusively encrypted transmission via HTTPS (TLS) with Let's Encrypt certificate,
- Subresource Integrity hashes for externally embedded scripts,
- delivery via an up-to-date web server with hardened configuration and security headers set,
- encrypted SMTP connection for the email delivery of contact-form data.
Our security measures are continuously adjusted in line with the state of the art.
10. Rights of data subjects
As a data subject, you have the following rights vis-à-vis the Provider:
- Right of access (Art. 15 GDPR): You can request information about the data stored about you.
- Right to rectification (Art. 16 GDPR): You can request the rectification of inaccurate data.
- Right to erasure (Art. 17 GDPR): You can request the erasure of your data, provided no statutory retention obligations apply.
- Right to restriction of processing (Art. 18 GDPR): In certain cases, you can request the restriction of processing.
- Right to data portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used and machine-readable format.
- Right to object (Art. 21 GDPR): You can object to the processing of your data insofar as this is based on a legitimate interest (Art. 6(1)(f) GDPR).
- Right to withdraw consent (Art. 7(3) GDPR): You can withdraw consent at any time with effect for the future.
To exercise your rights, please contact the address given in Section 1.
11. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint about the processing of your personal data with the competent data-protection supervisory authority (Art. 77 GDPR). The competent authority for the Provider is:
State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia
Kavalleriestr. 2–4
40213 Düsseldorf, Germany
Web: www.ldi.nrw.de
A list of all German data-protection supervisory authorities is available at bfdi.bund.de.
12. Currency and changes to this privacy policy
The Provider reserves the right to amend this privacy policy if changes in the legal situation, services or data-processing operations make this necessary. The current version is always available at translations.koch.legal/en/privacy. It is recommended to consult the privacy policy regularly.