Legal

Privacy Policy

Status: July 2026

1. Controller

The controller responsible for processing personal data within the meaning of the General Data Protection Regulation (“GDPR”) is:

Stella Maria Sorg-Nünke Begasstr. 28 12623 Berlin Germany

Email: contact@cmo-studios.com

2. Scope of This Privacy Policy

This privacy policy explains how we process personal data when you visit our website, contact us, subscribe to our newsletter, use our content or enter into a business relationship with us.

Personal data is any information relating to an identified or identifiable natural person.

This privacy policy applies in particular to the website snacked.ai and to the services, communication channels and newsletter services connected with it.

3. Categories of Data Processed

Depending on how you interact with us, we may process the following categories of personal data:

  • Technical and usage data, such as IP addresses, browser type, operating system, device type, accessed pages, date and time of access, referring website and log data
  • Contact data, such as name, email address, telephone number and postal address
  • Content data, such as messages, inquiries, feedback and other information provided by you
  • Newsletter data, such as email address, name, subscription status and interactions with newsletters
  • Contract and business data, such as information relating to inquiries, projects, services, invoices and business relationships
  • Communication and procedural data, such as the date and content of communications and information required to process an inquiry

4. Purposes of Processing

We process personal data for the following purposes:

  • Providing and operating our website
  • Ensuring the security, stability and functionality of our website
  • Measuring website reach and improving our content
  • Responding to inquiries and communicating with users, clients and business partners
  • Sending and managing our newsletter
  • Providing contractual and pre-contractual services
  • Organising workshops, educational services, consulting services and other offers
  • Fulfilling legal obligations
  • Establishing, exercising or defending legal claims

5. Legal Bases

We process personal data on the following legal bases:

Consent

Where you have given us your consent, processing is based on Art. 6 para. 1 sentence 1 lit. a GDPR.

You may withdraw your consent at any time with effect for the future. The withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Contractual Performance and Pre-Contractual Measures

Where processing is necessary to provide a service, perform a contract or respond to a request made before entering into a contract, processing is based on Art. 6 para. 1 sentence 1 lit. b GDPR.

Legal Obligations

Where processing is necessary to comply with a legal obligation, processing is based on Art. 6 para. 1 sentence 1 lit. c GDPR.

Legitimate Interests

Where processing is necessary to protect our legitimate interests or those of a third party, processing is based on Art. 6 para. 1 sentence 1 lit. f GDPR, provided that the interests, fundamental rights and freedoms of the data subject do not override those interests.

Our legitimate interests include, in particular:

  • Providing a secure, stable and user-friendly website
  • Protecting our systems against misuse and security threats
  • Understanding the general use of our website
  • Improving our content and services
  • Efficiently managing inquiries and business relationships
  • Establishing and defending legal claims

6. Security Measures

We take appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

These measures include, where appropriate:

  • Encryption of data during transmission
  • Access controls
  • Secure passwords and account protection
  • Regular software updates
  • Restricted access to personal data
  • Data minimisation
  • Secure hosting and infrastructure
  • Procedures for responding to security incidents and data subject requests

No method of transmission or storage is completely secure. We therefore continuously review our security measures and adapt them where appropriate.

7. Recipients of Personal Data

We may share personal data with service providers and other recipients where this is necessary to provide our website, newsletter, services or communication channels.

Recipients may include:

  • Hosting and infrastructure providers
  • Newsletter and communication providers
  • IT and technical service providers
  • Professional advisers, such as tax advisers, legal advisers or accountants
  • Public authorities, courts or other institutions where required by law
  • Business partners or subcontractors where required to provide an agreed service

Where service providers process personal data on our behalf, they are generally engaged as processors in accordance with Art. 28 GDPR.

We only share personal data where a legal basis permits us to do so.

8. International Data Transfers

Some of the service providers we use are located outside the European Union or the European Economic Area or use subprocessors located in third countries.

Where personal data is transferred to a country for which the European Commission has not issued an adequacy decision, we rely on appropriate safeguards in accordance with Art. 44 et seq. GDPR.

These safeguards may include:

  • Standard Contractual Clauses approved by the European Commission
  • Data processing agreements
  • Adequacy decisions
  • Other legally recognised transfer mechanisms

Despite these safeguards, data processed in third countries may be subject to local laws and access rights of public authorities that do not provide the same level of protection as European data protection law.

9. Hosting and Website Delivery via Vercel

We use Vercel to host and deliver our website.

The service provider is:

Vercel Inc. 440 N Barranca Avenue #4133 Covina, CA 91723 United States

When you access our website, Vercel processes technical connection and usage data required to deliver the website and operate the underlying infrastructure.

This data may include:

  • IP address
  • Requested page or file
  • Date and time of the request
  • Referring website
  • Browser type and browser version
  • Operating system
  • Device and system information
  • Information about the success or failure of the request
  • Log and security data

The processing is necessary to deliver the website to your device, maintain the stability and security of the infrastructure, prevent misuse, defend against attacks and diagnose technical errors.

The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in the secure, reliable and efficient provision of our website.

Where Vercel processes personal data on our behalf, Vercel acts as a processor. The processing is governed by a data processing agreement in accordance with Art. 28 GDPR.

Vercel may also process service-generated data for its own operational, security and service-related purposes in accordance with its own privacy notice.

Data may be processed in the United States and in other countries in which Vercel or its subprocessors operate. Where required, international transfers are protected by the European Commission’s Standard Contractual Clauses and other appropriate safeguards.

Technical connection and log data is retained only for as long as necessary to operate and secure the website, investigate technical errors or security incidents, comply with legal obligations or establish and defend legal claims.

Further information is available in Vercel’s Privacy Notice and Data Processing Addendum.

10. Web Analytics

We currently do not use web analytics services on our website.

If we introduce a web analytics service in the future, we will update this privacy policy accordingly and describe the service used, the data processed, the purposes and the legal basis. Where the applicable configuration requires consent, the relevant processing will only take place after consent has been given.

11. Cookies and Similar Technologies

Our website does not use advertising cookies or cross-website tracking technologies.

Technically necessary technologies may be used where they are required to provide a function expressly requested by the user, maintain security, remember privacy settings or operate the website.

Where information is stored on or accessed from a user’s device and this is not strictly necessary for providing the requested service, we will obtain consent in accordance with applicable data protection and telecommunications law.

Consent may be withdrawn at any time with effect for the future through the privacy settings provided on the website, where applicable.

Users can also configure their browsers to restrict or delete cookies. Disabling technically necessary cookies may affect the functionality of the website.

12. Contact and Inquiry Management

When you contact us by email or another communication channel, we process the information you provide in order to respond to and manage your inquiry.

The data processed may include:

  • Name
  • Email address
  • Telephone number
  • Company or organisation
  • Content of the inquiry
  • Date and time of the communication
  • Other information voluntarily provided by you

Where the inquiry relates to a possible or existing contract, processing is based on Art. 6 para. 1 sentence 1 lit. b GDPR.

For general inquiries, communication management and the organisation of our business activities, processing is based on Art. 6 para. 1 sentence 1 lit. f GDPR.

Our legitimate interest lies in responding to inquiries, maintaining business communication and managing our services efficiently.

We retain inquiry data for as long as necessary to process the respective request. Data may be retained for a longer period where statutory retention obligations apply or where the data is required to establish, exercise or defend legal claims.

13. Newsletter via Substack

We use Substack to manage subscriptions and send our newsletter.

The service provider is:

Substack Inc. 548 Market Street PMB 72296 San Francisco, CA 94104 United States

When you subscribe to our newsletter, we process the personal data required to manage the subscription and send the newsletter.

This may include:

  • Email address
  • Name, where voluntarily provided
  • Subscription status
  • Date and time of registration
  • Date and time of confirmation, where applicable
  • IP address and technical registration data
  • Newsletter delivery information
  • Information about newsletter openings, clicks and interactions
  • Browser and device information
  • Information about unsubscriptions and communication preferences

We use this data to:

  • Register and manage newsletter subscriptions
  • Send newsletters and other electronic communications
  • Document registrations and consent
  • Prevent misuse and unauthorised registrations
  • Manage unsubscriptions
  • Understand how our newsletters are used
  • Improve our newsletter content and communication

The legal basis for sending the newsletter is your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR.

You may withdraw your consent at any time with effect for the future. You can unsubscribe using the unsubscribe link included in each newsletter or by contacting us.

The withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Substack may use technical methods such as tracking pixels and tracked links to measure whether newsletters have been delivered or opened and whether links have been clicked.

Where such measurement relates to an identifiable recipient or otherwise requires consent, processing is based on Art. 6 para. 1 sentence 1 lit. a GDPR. Where we only receive anonymous or aggregated statistics, the processing is based on our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR in improving our newsletter content and understanding its general use.

The logging of newsletter registrations and unsubscriptions may be based on our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR in documenting legally valid consent, preventing misuse and defending against legal claims.

Substack processes newsletter and subscriber data on our behalf as a processor where it provides newsletter delivery, subscriber management and related services to us.

Substack may act as an independent controller for certain processing activities relating to the operation of the Substack platform, Substack accounts, platform security, recommendations, fraud prevention and Substack’s own services. Substack’s own privacy policy applies to these processing activities.

When you use a Substack registration form, follow a link to our Substack publication or interact directly with the Substack platform, technical and usage data may also be processed by Substack.

Substack is based in the United States. Personal data may therefore be processed in the United States and other countries outside the European Union or European Economic Area.

Substack’s Publisher Agreement includes a data processing agreement and the European Commission’s Standard Contractual Clauses for relevant transfers of personal data.

Subscriber data is generally retained for the duration of the newsletter subscription.

After an unsubscription, we or Substack may retain limited information where this is necessary to:

  • Document a previously given consent
  • Honour an objection or unsubscription
  • Prevent future unwanted communication
  • Comply with legal obligations
  • Establish, exercise or defend legal claims

Further information is available in Substack’s Privacy Policy and Publisher Agreement.

14. Business and Contractual Relationships

When you request or purchase consulting, workshops, educational services or other services from us, we process the data required to prepare, enter into and perform the respective contract.

This may include:

  • Name and contact information
  • Company information
  • Project and service information
  • Contractual correspondence
  • Billing and payment information
  • Information required to provide the agreed service

The processing is based on Art. 6 para. 1 sentence 1 lit. b GDPR.

Where we are legally required to retain invoices, accounting records or other business documents, processing is based on Art. 6 para. 1 sentence 1 lit. c GDPR.

We may also process business data on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR where this is necessary for proper business administration, risk management or the establishment and defence of legal claims.

15. External Links

Our website may contain links to websites, publications or profiles operated by third parties, including Substack or social media platforms.

When you click an external link, you leave our website. The operator of the external service is responsible for the processing of personal data on that service.

We have no control over the data processing activities of external providers. Please review the privacy policy of the respective provider before using its services.

16. Storage and Deletion

We retain personal data only for as long as necessary for the purposes for which it was collected.

Personal data is deleted or anonymised when:

  • The purpose of processing no longer applies
  • Consent has been withdrawn and no other legal basis applies
  • A justified objection has been made
  • The data is no longer required for contractual or business purposes

Data may be retained for a longer period where:

  • Statutory retention obligations apply
  • The data is required for tax or commercial law purposes
  • The data is required to establish, exercise or defend legal claims
  • The data is required to investigate security incidents or prevent misuse

During a legally required retention period, processing is restricted to the respective retention purpose.

17. Rights of Data Subjects

Under the GDPR, you may have the following rights:

Right of Access

You have the right to request information about whether and how we process personal data concerning you and to receive a copy of that data.

Right to Rectification

You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data.

Right to Erasure

You have the right to request the deletion of personal data where the legal requirements are met.

Right to Restriction of Processing

You have the right to request that the processing of personal data be restricted where the legal requirements are met.

Right to Data Portability

Where processing is based on consent or a contract and carried out by automated means, you have the right to receive personal data provided by you in a structured, commonly used and machine-readable format.

Right to Withdraw Consent

You have the right to withdraw consent at any time with effect for the future.

Right to Object

Where personal data is processed on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR, you have the right to object to the processing on grounds relating to your particular situation.

Where personal data is processed for direct marketing purposes, you have the right to object at any time without giving reasons.

Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement.

18. Exercising Your Rights

To exercise your rights or ask questions about this privacy policy, please contact:

Stella Maria Sorg-Nünke Begasstr. 28 12623 Berlin Germany

Email: contact@cmo-studios.com

We may request additional information where this is reasonably necessary to verify your identity and protect personal data against unauthorised access.

19. Changes to This Privacy Policy

We may update this privacy policy where changes to our website, services, service providers or legal requirements make this necessary.

The current version is always available on our website. The date shown at the beginning of this privacy policy indicates when it was last updated.