Privacy Policy Version 3

Version 3.0 – July 4, 2022

Read Version 2.0 – December 18, 2019
Read Version 1.0 – October 8, 2018


Least Authority TFA GmbH (“Least Authority”, “we”, “us”) is committed to protecting your privacy while you use Least Authority’s website, products and/or services. We want you to understand what information we collect about you, how we collect it,  how that information is used and what choices you have with respect to the information. Below is our Privacy Policy which applies to all the interactions you have with Least Authority.  However, this Privacy Policy does not apply to any third-party applications or software that integrate with our services through our website, or any other third-party products, services or businesses.

I. Data Controller

The Data Controller of and its associated services is Least Authority TFA GmbH, Thaerstraße 28a, 10249 Berlin, Germany .

II. Collecting, Processing and Storing of Personal Data and Purpose of the Usage of Personal Data

We operate this website in order to provide you with information about our products and services, and keep you up to date about Least Authority.

1. Our Website

You may use our website for purely informational purposes without disclosing your identity. In order to display the website to you, only access data is transmitted to our provider. 

The Least Authority website is currently hosted on WP Engine servers which are based in the European Union. When using our website, WP Engine collects the following data: 

  • IP address (Unfortunately, WP Engine collects logs which include full IP addresses with no option to anonymize this data.)
  • Browser type/browser version,
  • Operating system used,
  • Language and version of the browser software,
  • Host name and accessing terminal,
  • Website from which the request comes,
  • Content of the request (specific page)
  • Date and time of the server request,
  • Access statuts/HTTP status code
  • Referrer URL (the previously visited page)
  • Amount of data transmitted,
  • Time zone difference from Greenwich Mean Time (GMT).

Read more about WP Engine’s privacy policy here: .

Least Authority uses an open-source web analytics program  with a strong privacy focus, called Matomo. It informs us about how visitors use our website. Least Authority collects anonymous statistical data about the use of its website to optimize its online presence and for marketing and sales purposes. Only the first 2 ‘bytes’ of your IP address are being stored which makes it harder (i) to link your current visit to this website to future visits, and (ii) to determine your exact location.

The information Matomo ( collects is:

  • 2 byte masked user IP address 
  • Date and time of the request
  • Title of the page being viewed (Page Title)
  • URL of the page being viewed (Page URL)
  • URL of the page that was viewed prior to the current page (Referrer URL)
  • Screen resolution being used
  • Time in local user’s timezone
  • Files that were clicked and downloaded (Download)
  • Links to an outside domain that were clicked (Outlink)
  • Pages generation time (the time it takes for webpages to be generated by the webserver and then downloaded by the user: Page speed)
  • Main Language of the browser being used (Accept-Language header)
  • User Agent of the browser being used (User-Agent header)

The Matomo software runs exclusively on the server of our website. A storage of the personal data of the users only takes place there. The data will not be passed on to other third parties. Please read Matomo’s full privacy policy here:

You can opt-out of visitor data collection by Matomo by enabling the Do-Not-Track option in your browser. Visit to learn how.

The legal basis for the processing of the data listed above is provided in Art. 6 para. 1 (f) GDPR. Our legitimate interest is to ensure the functionality, the integrity and security of the website. 

The access data will be deleted as soon as they are no longer required for the purpose of their processing. 

You can object to the processing at any time on grounds relating to your particular situation. You can send us your objections via the contact data mentioned at the end of this Privacy Policy.

2. Cookies 

The  technically necessary cookies we use are only applicable for administrators.

3. Social Media 

On our website we do not use social network plug-ins. However, we have a social media presence that can be accessed by clicking on the respective social media logo (e.g., Github, Linkedin, Twitter, Youtube) on our website.  No personal data is sent to the social networks before you click on the logos or links which take you to the social network’s website.

In addition, you can also “share” certain contents of our website on social networks. If you click on the “share” logo on our website, the logos of the various social networks will appear. If you click on one of these logos, you will be redirected to the website of the corresponding social network. There – if you have an account and are logged in or if you log in – you can share the desired content from our website.

We have no influence on the collected data and data procedure of any social network. Further information on the purpose and scope of data collection and processing of the respective network can be found in the data protection declaration of the respective network. There you will also find further information on your rights and settings to protect your privacy, when using social networks. Please note that personal data is processed by social networks not only if you are logged in, but personal data, such as your IP address can also be processed if you do not have a social media account.  We process your data with the utmost care, but assume no liability for the behavior of the operators of the social networks or third parties.

4. Mailing List

If you have expressly consented to subscribe to our mailing list, we use your email address to regularly send you updates about our work. To sign up for the mailing list, providing us with an email address is sufficient. To manage our mailing list, we use MailerLite. To inform yourself about MailerLite compliance with data protection rules please read and to inform you about MailerLite`s security please read MailerLite`s Privacy Policy can be found here, explaining what information MailerLites is collecting. 

Through the MailerLite Dashboard, the information we have access to about each subscriber, is their email address and the IP address with which they signed up and with which they opted in, and the date & time of sign-up and opt-in. In addition, for newsletters that we send out through MailerLite, we have access to the information if and when subscribers opened the newsletter email, and if and when subscribers clicked on links in the email.

The email address you provide for the mailing list is not shared or transferred to any other parties besides MailerLite. 

The legal basis for this processing is your consent, Art. 6 para. 1 (a) GDPR and, in order to prevent the misuse of your personal data, our legitimate interest in the prevention of fraud, Art. 6 para. 1 (f) GDPR. If you no longer wish to receive our emails you can unsubscribe from our mailing lists at any time using the link at the bottom of any email sent using MailerLite, or contact us at We remove people that have unsubscribed from the mailing list of MailerLite on a monthly basis. Afterwards, it will take MailerLite another month to delete your data from the plattform. We process the data until you exercise your right of revocation by canceling the mailing list subscription.

You can object to the processing at any time on grounds relating to your situation. You can send us your objections or revocation via the contact data mentioned at the end of this Privacy Policy.

5. Contacting Us, Scheduling a Call 

You can contact us via our email address or by scheduling a call with us. If you contact us via email, your personal data transmitted with the email will be saved, but only used for the procession of our conversation.

If you schedule a call via our homepage, we use Calendly to book appointments with you.  When you use Calendly to schedule a call with Least Authority, you voluntarily give Calendly certain information. This can include your name, email address and phone number; email addresses of other people; subject of the meeting; and any other information you provide them. Please inform yourself about Calendly’s privacy policy here  

We delete the collected data that we collect when you contact us, after the processing is no longer necessary, which is usually after the expiry of the legally binding storage obligations, or if you object to further processing.  For example, the data required under commercial and tax law, we store for the legally specified periods, usually ten years (see Section 257 HGB, Section 147 AO)

The legal basis for processing these data is your consent, as outlined in Art. 6 para. 1 (a) GDPR. You may withdraw your consent given to these data processing at any time. 

The legal basis for the processing of data transmitted in the course of sending an email or scheduling a call is provided in Article 6 para. 1 (f) GDPR, or in Article 6 para. 1 (b) GDPR, if the contact is for the performance of a contract. 

You can object to the processing at any time on grounds relating to your situation. You can send us your objections or revocation via the contact data mentioned at the end of this Privacy Policy.

6. Consultancy Services for Clients 

If you request our consultation services, we collect your name, contact information and other information given to us by you in the process of communicating about the desired services. Providing your personal data is required in order to send proposals and contracts for signing.

The personal data we collect in the process of concluding a contract or fulfilling a contract will be deleted as soon as they are not required to achieve the purpose for which they were collected and after expiry of the applicable legally binding storage obligations.  For example, the data required under commercial and tax law, we store for the legally specified periods, usually ten years (see Section 257 HGB, Section 147 AO).

The legal base for the processing necessary for the performance of a contract is provided in Article 6 para. 1 (b) GDPR), for the processing necessary to comply with legal obligations in Article 6 para. 1 (c)  GDPR, and for the processing necessary for the purposes of the legitimate interests in Article 6 para. 1 (f) GDPR. 

You can revoke any consent you may have given at any time.You can object to the processing at any time on grounds relating to your situation. You can send us your objections or revocation via the contact data mentioned at the end of this Privacy Policy.

7. Job Applications

If you email us a job application, we will process the data you provided to us (such as your name, contact information, birth date, professional background, certificates, references etc.) for the process of your job application.

The legal basis for processing your personal data in connection with the establishment of an employment relationship is primarily § 26 BDSG (German Data Protection Law – Bundesdatenschutzgesetz) which permits the processing of data required in connection with the decision to establish an employment relationship. In case that the data processing is necessary to protect our legitimate interest, in particular if the data are required for legal actions after the application procedure has been completed, the legal basis for processing your job application data is Art. 6 para. 1 (f) GDPR. Job application data saved at our storage will be deleted 6 months after the end of the job application process unless we have conflicting legal obligations. If you agree, we keep your job application data at our storage for longer. Then, your data will be deleted after your revocation.

Insofar as the processing is based on Art. 6 para. 1 (f)  GDPR, you have the right to object to the processing of your job application data on grounds relating to your particular situation. You can send us your objections via the contact data mentioned at the end of this Privacy Policy.

III. Transfer to Third Parties 

We will never sell, rent, or lease your personal data to a third party, but we may share collected information for the purposes described in this Privacy Policy with third parties that help us to provide, improve, promote or support our services, that help with our business operations and assist in the delivery of our services, for example, payment processors, hosting services, analytics, content delivery services, CRM, etc., in a manner that is consistent with this Privacy Policy. We may also share information with third parties if required to do so by law or if you violate our contractual relationship. Our service providers have a legal obligation to ensure compliance with all data protection rules. and they are often also bound by further contractual provisions on data protection

We only transfer personal data to third parties if we have a legal permission to do so, in particular if you have given consent to such a transfer, if the transfer is necessary for the provision of our services, if the transfer is required by law in this context, or if we have a necessary legitime interest (see Art. 6 para. 1 (a), (b), (c), (f) GDPR).

Here are some examples of digital service providers we use to perform our work. Please note that we might change our third party digital service providers at our discretion any time without notice.

  • We use DocuSign for the signing of our contracts. DocuSign has received approval for its application for Binding Corporate Rules (BCRs) from the EU Data Protection Authorities (DPA).You can find more info about how DocuSign protects privacy here
  • We use Slack to internally communicate as a team to improve our services and be responsive to our clients’ needs.  You can learn more about Slack`s data security under and Slack`s GDPR compliance under Slack`s privacy policy can be found under
  • Internally, we use Google Workspace for our email service, calendar and internal document management. To learn more about Google’s data protections commitments under
  • For billing purposes, data collected by us might be transferred Suite CRM, which we use for invoices. Suite CRM`s privacy policy can be found here To learn more about Suite CRM and compliance with GDPR please read here  

Insofar as the processing is based on Art. 6 para. 1 (f)  GDPR, you have the right to object to the processing. You can revoke any consent you may have given at any time. You can send us your objections or revocation of your consent via the contact data mentioned at the end of this Privacy Policy.


IV. Transfer to Recipients Outside the EU

We may also transfer your data to recipients outside the EU. We only do this in accordance with the legal requirements for transfers to third countries. So we only process or have the data processed in third countries when it is ensured that the third country or the recipient of the data in the third country guarantees an adequate level of data protection according to Art. 44 to 49 GDPR and no compelling interest prevents the data transfer. This may take the form of an “adequacy decision” of the European Commission which ensures that an adequate level of data protections has been ascertained overall for a certain third country. Alternatively, we can also transfer data on the basis of “EU standard contractual clauses. Information on EU standard contractuall clauses can be found under, and information on adequacy decisions under .  

Insofar as the processing is based on Art. 6 para. 1 (f)  GDPR, you have the right to object to the processing. You can revoke any consent you may have given at any time. You can send us your objections or revocation of your consent via the contact data mentioned at the end of this Privacy Policy.


V. Children’s Privacy

Least Authority does not provide services directly to children or proactively collect their information. If we discover that a child has provided us with personal Information, we will promptly delete such information from our systems.


VI.  Data Subjects’ Rights

You can request from Least Authority at any time 

  • Information as whether or not personal data concerning you are being processed, and, where that is the case, access to these personal data (Art. 15 GDPR);
  • Rectification of inaccurate  personal data concerning you, subject to relevant legal requirements (Art. 16 GDPR);
  • Erasure of personal data concerning you unless there are conflicting interests (Art. 17 GDPR);
  • Restriction of the processing of your personal data where one of the following applies:
    • you contest the accuracy of your personal data, 
    • the processing is unlawful and you oppose the erasure of the personal data and requests the restriction of their use instead; 
    • we no longer need your personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims, or
    • you have objected to processing pursuant to Article 21 para. 1 GDPR pending the verification whether our legitimate grounds override those of you (Art. 18 GDPR).
  • To receive the personal data that you provided to us, in a structured, common and machine-readable format or requesting transmission to another controller (Art. 20 GDPR).  In this case, please contact us at and specify the information or processing activities to which your request relates. We will carefully consider your request and discuss with you how it can best fulfill it

You can revoke your consent once given to us at any time. As a result we stop the data processing based on this consent in the future (Art. 7  para. 3 GDPR). 

If we process your data pursuant to a legitimate interest or a legitimate interest of a third party (Art. 6 para. 1 (f) GDPR), you can exercise your right to objections in accordance with Art. 21 GDPR. Please direct any such request to

You have the right to lodge a complaint with the competent data protection supervisory authority (Art. 77 GDPR). The supervisory authority responsible for Berlin, Germany is: Berliner Beauftragte für Datenschutz und Informationsfreiheit, with its address Friedrichstr. 219, 10969 Berlin, Germany, and its phone: 030/138 89-0. Please find its homepage here:

If you have any questions or complaints about data protection at Least Authority, we encourage you to contact us at

VII. Links to other Websites

Least Authority’s website may contain links to third party websites (companies or organizations other than Least Authority). Least Authority is not responsible for the privacy policy or the content of the website of any third party. We would strongly recommend carefully reading the privacy statements of third parties’ websites.

VIII. Ensuring Compliance 

We are committed to protecting the information that we receive from you. We take appropriate security measures to protect your information against unauthorized access to or unauthorized alteration, disclosure or destruction of data.

Least Authority has to comply with all applicable laws and regulations, including, but not limited to those of the European Union, Germany and the state of Berlin. For this reason we may have to collect, process and retain your details for an extended period of time as a legal obligation (see Art. 6 (1) (c), GDPR). 

We delete your personal data as soon as they are no longer required for the purposes pursued by the processing and as long as there are no conflicting legal storage obligations.

IX. Our Products are Built for Privacy and Security

At Least Authority we develop usable products that advance digital security and preserve privacy as a fundamental human right.y. Since the inception of the company, we have been continuously working to build products and provide services that protect your data and your right to privacy.

Consistent with Article 25 of GDPR (“Data protection by design and by default”), we believe in security by design and security by default. Our software designs are inspired by end-to-end security and the “principle of least authority” (PoLA) , a security best practice requiring system components to only have the privilege necessary to complete their intended function and not more.

X. Changes to this Privacy Policy

We may modify this privacy policy at any time to comply with legal requirements as well as developments within our organization. When we do, we will revise the date at the bottom of this page. Each visit or interaction with our services will be subject to the new privacy policy. We will record past versions of this policy through an archive on this page. We encourage you to review our privacy policy whenever you use our services to stay informed about our policies. By using our services, you acknowledge and agree that it is your responsibility to review our privacy policy to be aware of modifications.

XI. Contact Information

Least Authority is dedicated to continuous improvement of all parts of the service If you have any questions or feedback on this Privacy Policy, please let us know by sending an email to [or ]


Version 3.0 – July 4, 2022