Big Rock Intelligence Privacy Policy

Last updated: 29 June 2026

This privacy policy informs you under Articles 13 and 14 of the EU General Data Protection Regulation (GDPR) about the processing of personal data on bigrock-intel.ai and in the course of our business relationships. Big Rock Intelligence ("BRI", "we", "us") is committed to handling your data lawfully, transparently, and only as needed.

1. Controller

Controller within the meaning of GDPR Article 4(7):

Big Rock Intelligence, Owner: James Edward Cameron, Sorbenstr. 2, 60437 Frankfurt am Main, Germany.

Phone: +49 1511 0515 242. Email: contact@bigrock-intel.ai.

Full legal information: see Impressum.

2. Data Protection Contact

For any data protection matter, including the rights below, contact privacy@bigrock-intel.ai.

BRI is a sole proprietorship below the threshold that requires the appointment of a Data Protection Officer (§ 38 BDSG). Where a DPO becomes mandatory in future, this section will be updated.

3. Categories of Personal Data

Contact and identity data: name, email address, phone number, company, job title.

Communication data: messages, meeting requests, attachments you provide.

Engagement and service data: information provided in the course of consulting, advisory, or contractual delivery.

Web usage data: pseudonymized analytics events, page paths, referrer, browser type, approximate region. No raw IP addresses are stored.

Cookie state: your consent choices (necessary, analytics, marketing) and timestamp.

4. Processing Purposes and Legal Bases

Operating the website and providing strictly necessary functions: GDPR Article 6(1)(b) (contract / pre-contract) and Article 6(1)(f) (legitimate interest in a functioning, secure site).

Responding to inquiries and providing services: Article 6(1)(b).

Legal and tax retention obligations: Article 6(1)(c) (e.g. §§ 147 AO, 257 HGB record-keeping).

Security, abuse and fraud prevention, server log analysis: Article 6(1)(f).

Analytics, performance measurement, and marketing tools: Article 6(1)(a) (your explicit consent given via the cookie banner). You may withdraw consent at any time via "Cookie Settings" in the footer.

5. Recipients and Processors

Personal data is shared with service providers acting under Article 28 GDPR data processing agreements:

Vercel Inc. (USA) — website hosting, edge delivery, analytics (only on consent), speed insights (only on consent).

Microsoft Ireland Operations Ltd. (Ireland) / Microsoft Corporation (USA) — email and calendar via Microsoft 365.

HubSpot Ireland Ltd. (Ireland) / HubSpot Inc. (USA) — CRM, contact forms, marketing automation (only on consent for non-essential categories).

Google Ireland Ltd. (Ireland) / Google LLC (USA) — fonts and analytics (analytics only on consent).

Tax advisor, banks, payment service providers — only where contractually or legally required for invoicing and accounting.

Authorities — only where legally required.

6. Transfers to Third Countries

Some processors operate infrastructure in the United States. Transfers to the USA rely on the EU-US Data Privacy Framework adequacy decision of 10 July 2023 (Commission Implementing Decision (EU) 2023/1795) where the recipient is certified, and otherwise on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) supplemented by additional safeguards.

No transfer takes place to countries without one of these legal bases.

7. Cookies and Tracking

On first visit a consent banner is displayed. Until you choose, only strictly necessary cookies are set.

Strictly necessary cookies (always active, § 25(2) TTDSG): locale preference (NEXT_LOCALE, 30 days), session tokens, security tokens, and your consent state.

Analytics cookies (opt-in): Vercel Analytics, Vercel Speed Insights, HubSpot analytics.

Marketing cookies (opt-in): HubSpot forms and banner.

You may change your selection at any time via "Cookie Settings" in the footer. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Your consent record (status, categories, timestamp) is stored locally in your browser for demonstrability under Article 7(1) GDPR.

8. Server Logs

When you visit the website the hosting provider automatically processes IP address, user agent, referring URL, timestamp, and requested resource for the purpose of operating the service and detecting abuse.

Legal basis: Article 6(1)(f) (security and stability of the service). Storage: typically no longer than 14 days unless required to investigate a specific incident.

9. Contact and Booking

If you contact us via email, contact form, or booking link, the data you provide is processed to handle your request (Article 6(1)(b) and (f)).

Booking is handled via Microsoft Bookings. Form submissions are routed through HubSpot under a data processing agreement.

10. Storage Periods

Inquiry and contact data: typically up to 24 months after last interaction, unless a longer business relationship requires retention.

Contract and invoicing data: up to 10 years pursuant to § 147 AO and § 257 HGB.

Consent records: as long as the consent decision is active in your browser, plus an internal audit record for the legal limitation period.

Analytics events: aggregated and pseudonymized; raw events typically retained no longer than 12 months.

Backups: standard backup retention may extend operational retention; data is restored only in disaster scenarios.

11. Your Rights

You have the right to access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), and to object to processing based on legitimate interest (Article 21).

Where processing is based on consent (Article 6(1)(a)), you have the right to withdraw consent at any time without affecting the lawfulness of past processing.

To exercise any of these rights, email privacy@bigrock-intel.ai. We respond without undue delay and in any case within one month.

12. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work, or place of the alleged infringement.

The competent supervisory authority for BRI is the Hessian Commissioner for Data Protection and Freedom of Information (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit), Postfach 3163, 65021 Wiesbaden, Germany.

13. Automated Decision-Making and Profiling

BRI does not use automated decision-making within the meaning of Article 22 GDPR. No decisions producing legal effects or similarly significantly affecting you are made on a fully automated basis.

No profiling for marketing personalization is performed beyond the consent-gated analytics described above.

14. Data Security

BRI applies technical and organizational measures appropriate to the risk, including TLS in transit, encrypted storage where applicable, access controls, and supplier due diligence.

No system is fully impenetrable; you are responsible for keeping access credentials confidential.

15. Obligation to Provide Data

Providing personal data is generally voluntary. Where data is required to enter into or perform a contract, this is indicated at the point of collection. Without that data we may not be able to deliver the requested service.

16. Changes to This Policy

BRI may update this policy to reflect new processing activities or legal changes. The latest version is always posted at this URL with the "Last updated" date above.

For material changes, we will surface a notice on the site.

17. Contact

For any question about this policy or your data: privacy@bigrock-intel.ai.

For all other matters: contact@bigrock-intel.ai.