Version 4.0 – January, 2023
I. Data Controller
The Data Controller of LeastAuthority.com and its associated services is Least Authority TFA GmbH, Thaerstraße 28a, 10249 Berlin, Germany.
II. Collecting, Processing and Storing of Personal Data and Purpose of the Usage of Personal Data
We operate this website in order to provide you with information about our products and services, and keep you up to date about Least Authority.
- Our Website
You may use our website for purely informational purposes without disclosing your identity. In order to display the website to you, only access data is transmitted to our provider.
The Least Authority website is currently hosted on WP Engine servers which are based in the European Union. When using our website, WP Engine collects the following data:
- IP address (Unfortunately, WP Engine collects logs which include full IP addresses with no option to anonymize this data.),
- Browser type/browser version,
- Operating system used,
- Language and version of the browser software,
- Host name and accessing terminal,
- Website from which the request comes,
- Content of the request (specific page),
- Date and time of the server request,
- Access status/HTTP status code,
- Referrer URL (the previously visited page),
- Amount of data transmitted,
- Time zone difference from Greenwich Mean Time (GMT).
Least Authority uses Matomo, an open-source web analytics program with a strong privacy focus. It informs us about how visitors use our website. Least Authority collects anonymous statistical data about the use of its website to optimize its online presence and for marketing and sales purposes. Only the first 2 ‘bytes’ of your IP address are stored, which makes it harder (i) to link your current visit to this website to future visits, and (ii) to determine your exact location.
The information Matomo (https://matomo.org/) collects is:
- 2-byte masked user IP address,
- Date and time of the request,
- Title of the page being viewed (Page title),
- URL of the page being viewed (Page URL),
- URL of the page that was viewed prior to the current page (Referrer URL),
- Screen resolution being used,
- Time in local user’s timezone,
- Files that were clicked and downloaded (Download),
- Links to an outside domain that were clicked (Outlink),
- Page generation time (the time it takes for webpages to be generated by the webserver and then downloaded by the user: Page speed),
- Main language of the browser being used (Accept-Language header),
- User Agent of the browser being used (User-Agent header).
You can opt-out of visitor data collection by Matomo by enabling the Do-Not-Track option in your browser. Visit to learn how.
The legal basis for the processing of the data listed above is our legitimate interest to ensure the functionality, the integrity and security of the website (Article 6 para. 1 (f) GDPR).
The access data will be deleted as soon as they are no longer required for the purpose of their processing.
The technically necessary cookies we use are only applicable for administrators.
3. Social Media
On our website we do not use social network plug-ins. However, we have a social media presence that can be accessed by clicking on the respective social media logo (e.g., GitHub, LinkedIn, Twitter, YouTube) on our website. No personal data is sent to the social networks before you click on the logos or links which take you to the social network’s website.
In addition, you can also “share” certain contents of our website on social networks. If you click on the “share” logo on our website, the logos of the various social networks will appear. If you click on one of these logos, you will be redirected to the website of the corresponding social network. There – if you have an account and are logged in, or if you log in – you can share the desired content from our website.
We have no influence on the data collected by any social network or on its data processing. Further information on the purpose and scope of data collection and processing of the respective network can be found in the data protection declaration of the respective network. There you will also find further information on your rights and settings to protect your privacy when using social networks. Please note that personal data is processed by social networks not only if you are logged in; personal data, such as your IP address, can also be processed if you do not have a social media account. We process your data with the utmost care, but assume no liability for the behavior of the operators of the social networks or third parties.
4. Mailing List
Through the MailerLite Dashboard, the information we have access to about each subscriber is their email address, the IP address with which they signed up and with which they opted in, and the date and time of sign-up and opt-in. In addition, for newsletters that we send out through MailerLite, we have access to the information if and when subscribers opened the newsletter email, and if and when subscribers clicked on links in the email.
The email address you provide for the mailing list is not shared or transferred to any other parties besides MailerLite.
The legal basis for this processing is your consent (Article 6 para. 1 (a) GDPR) and, in order to prevent the misuse of your personal data, our legitimate interest in the prevention of fraud (Article 6 para. 1 (f) GDPR). If you no longer wish to receive our emails, you can unsubscribe from our mailing lists at any time using the link at the bottom of any email sent using MailerLite, or contact us at email@example.com. We remove people that have unsubscribed from the mailing list of MailerLite on a monthly basis. Afterwards, it will take MailerLite another month to delete your data from the platform. We process the data until you exercise your right of revocation by canceling the mailing list subscription.
5. Contacting Us, Scheduling a Call
You can contact us via our email address, by filling out a form on our website, or by scheduling a call with us. If you contact us via email or a form, your personal data transmitted with the email or form will be saved, but only used for processing the information or conversation.
We delete the data that we collect when you contact us once the processing is no longer necessary, which is usually when we have properly addressed the issue or, if applicable, after the expiry of the legally binding storage obligations, or if you object to further processing. For example, we store the data required under commercial and tax law for the legally specified periods, usually ten years (see Section 257 HGB, Section 147 AO).
The legal basis for processing these data is your consent, as outlined in Article 6 para. 1 (a) GDPR. You may withdraw your consent to this data processing at any time.
The legal basis for the processing of data transmitted in the course of sending an email or scheduling a call is our legitimate interest in the operation of our business (Article 6 para. 1 (f) GDPR), or, if intended by the contact, the performance of a contract (Article 6 para. 1 (b) GDPR).
6. Consultancy Services for Clients
If you request our consultation services, we collect your name, contact information and other information given to us by you in the process of communicating about the desired services. Providing your personal data is required in order to send proposals and contracts for signing.
The personal data we collect in the process of concluding a contract or fulfilling a contract will be deleted as soon as they are not required to achieve the purpose for which they were collected and after expiry of the applicable legally binding storage obligations. For example, we store the data required under commercial and tax law for the legally specified periods, usually ten years (see Section 257 HGB, Section 147 AO).
The legal basis for processing that is necessary for the performance of a contract is provided in Article 6 para. 1 (b) GDPR, for processing necessary to comply with legal obligations in Article 6 para. 1 (c) GDPR, and for processing necessary for the purposes of the legitimate interests in Article 6 para. 1 (f) GDPR.
7. Job Applications
If you email us a job application (for employment, a freelancer position or an internship), we will process the data you provided to us (such as your name, contact information, birth date, professional background, certificates, references etc.) in order to process your job application.
The legal basis for processing your personal data in connection with the establishment of an employment relationship is primarily § 26 BDSG (German Data Protection Law – Bundesdatenschutzgesetz), which permits the processing of data required in connection with the decision to establish an employment relationship. The legal basis for processing your job application data in order to establish a working relationship between us is also provided in Article 6 para. 1 (b) GDPR. Where the data processing is necessary to protect our legitimate interest, in particular if the data are required for legal actions after the application procedure has been completed, the legal basis for processing your job application data is Article 6 para. 1 (f) GDPR. Job application data in our storage will be deleted 6 months after the end of the job application process unless we have conflicting legal obligations. If you agree, we keep your job application data in our storage for longer. In that case, your data will be deleted after your revocation.
III. Transfer to Third Parties
We only transfer personal data to third parties if we have a legal permission to do so, in particular if you have given consent to such a transfer, if the transfer is necessary for the provision of our services, if the transfer is required by law in this context, or if we have a necessary legitimate interest (see Article 6 para. 1 (a), (b), (c), (f) GDPR).
Here are some examples of digital service providers we use to perform our work. Please note that we might change our third party digital service providers at our discretion at any time without notice.
- We use DocuSign for the signing of our contracts. DocuSign has received approval for its application for Binding Corporate Rules (BCRs) from the EU Data Protection Authorities (DPA). You can find more information about how DocuSign protects privacy here: https://www.docusign.com/trust/privacy.
- Internally, we use Google Workspace for our email service, calendar and internal document management. To learn more about Google’s data protection commitments, see https://workspace.google.com/security/.
IV. Transfer to Recipients Outside the EU
We may also transfer your data to recipients outside the EU. We only do this in accordance with the legal requirements for transfers to third countries. We therefore only process the data, or have the data processed, in third countries when it is ensured that the third country or the recipient of the data in the third country guarantees an adequate level of data protection according to Articles 44 to 49 GDPR and no compelling interest prevents the data transfer. This may take the form of an “adequacy decision” of the European Commission, which ensures that an adequate level of data protection has been ascertained overall for a certain third country. Alternatively, we can also transfer data on the basis of “EU standard contractual clauses”. Information on EU standard contractual clauses can be found under https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, and information on adequacy decisions under
V. Children’s Privacy
Least Authority does not provide services directly to children or proactively collect their information. If we discover that a child has provided us with personal information, we will promptly delete such information from our systems.
VI. Data Subjects’ Rights
You can request from Least Authority at any time:
- Information as to whether or not personal data concerning you are being processed, and, where that is the case, access to these personal data (Article 15 GDPR);
- Rectification of inaccurate personal data concerning you, subject to relevant legal requirements (Article 16 GDPR);
- Erasure of personal data concerning you unless there are conflicting interests (Article 17 GDPR);
- Restriction of the processing of your personal data where one of the following applies (Article 18 GDPR):
  - You contest the accuracy of your personal data,
  - The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead,
  - We no longer need your personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims, or
  - You have objected to processing pursuant to Article 21 para. 1 GDPR, pending the verification whether our legitimate grounds override yours;
- To receive the personal data that you provided to us in a structured, common and machine-readable format, or to have it transmitted to another controller (Article 20 GDPR). In this case, please contact us at firstname.lastname@example.org and specify the information or processing activities to which your request relates. We will carefully consider your request and discuss with you how we can best fulfil it.
You can revoke your consent once given to us at any time. As a result, we will stop the data processing based on this consent in the future (Article 7 para. 3 GDPR).
If we process your data pursuant to a legitimate interest or a legitimate interest of a third party (Article 6 para. 1 (f) GDPR), you can exercise your right to object in accordance with Article 21 GDPR. Please direct any such request to email@example.com.
You have the right to lodge a complaint with the competent data protection supervisory authority (Art. 77 GDPR). The supervisory authority responsible for Berlin, Germany is: Berliner Beauftragte für Datenschutz und Informationsfreiheit, with its address Friedrichstr. 219, 10969 Berlin, Germany, and its phone: 030/138 89-0. Please find its homepage here: http://www.datenschutz-berlin.de
If you have any questions or complaints about data protection at Least Authority, we encourage you to contact us at firstname.lastname@example.org.
VII. Links to other Websites
VIII. Ensuring Compliance
We are committed to protecting the information that we receive from you. We take appropriate security measures to protect your information against unauthorised access to or unauthorised alteration, disclosure or destruction of data.
Least Authority has to comply with all applicable laws and regulations, including, but not limited to those of the European Union, Germany and the state of Berlin. For this reason we may have to collect, process and retain your details for an extended period of time as a legal obligation (see Article 6 (1) (c), GDPR).
We delete your personal data as soon as they are no longer required for the purposes pursued by the processing and as long as there are no conflicting legal storage obligations.
IX. Our Products are Built for Privacy and Security
At Least Authority we develop usable products that advance digital security and preserve privacy as a fundamental human right. Since the inception of the company, we have been continuously working to build products and provide services that protect your data and your right to privacy.
Consistent with Article 25 of GDPR (“Data protection by design and by default”), we believe in security by design and security by default. Our software designs are inspired by end-to-end security and the “principle of least authority” (PoLA), a security best practice requiring system components to only have the privilege necessary to complete their intended function and not more.
XI. Contact Information