Privacy Policy (Website incl. Blog)

Status: January 07, 2026

This privacy policy informs you about which personal data we process when you visit our website (including the blog) and use its functions (e.g., contact form), and which rights you are entitled to under the GDPR.

1. Controller

Dopamin Weddings Owner: Isabell Spieth St.-Veit-Str. 11a, 81673 Munich, Germany

Phone: +49 173 9532253 Email: info@dopamin-weddings.de

2. Overview of Processing Activities

We process personal data in particular for the following purposes:

Provision of the website (content retrieval, stability, security)
Contact / handling inquiries (contact form)
Reach measurement (Google Analytics - only with consent)
Security and abuse protection (Firebase App Check, rate-limiting)
Display of fonts (Google Fonts - hosted locally)
Social media linking (Instagram/LinkedIn; links only)
Communication (Microsoft 365: Exchange/Teams; WhatsApp upon user initiative)

3. Legal Bases

Unless stated otherwise, we process data based on the following legal grounds:

Consent (Art. 6(1)(a) GDPR), e.g., for analytics cookies.
Contract / pre-contractual measures (Art. 6(1)(b) GDPR), e.g., for inquiries via the contact form.
Legitimate interests (Art. 6(1)(f) GDPR), e.g., IT security, prevention of abuse, and ensuring technical operation.
Legal obligation (Art. 6(1)(c) GDPR), e.g., within the scope of statutory retention periods.

4. Hosting, Website Delivery, and Server Log Files (Firebase Hosting)

Our website is operated via Firebase Hosting. During every visit, technically necessary data is processed to deliver the website and ensure security/stability.

Types of data processed (typical):

IP address, date/time of access
Requested page/file, referrer URL
Browser type/version, operating system
Other technical log data where applicable

Purposes: Provision of the website, error analysis, security.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in safe, stable operation).

Note on data processing / third-country transfer: Firebase is a Google service. Depending on the specific service, transfers to third countries (e.g., USA) cannot be ruled out; please see the notes under sections 6/7 (Google).

We use a consent banner to store your Analytics choices and to ensure Google tags only run fully after the corresponding selection is made.

A cookie named "consent" is stored, containing the consent status (e.g., Analytics: yes/no) and a version number. The storage period is 180 days.

Essential: technically required (cannot be deselected)
Analytics: only upon consent

Legal basis:

Essential: Art. 6(1)(f) GDPR
Analytics: Art. 6(1)(a) GDPR

Withdrawal: You can withdraw your consent at any time with effect for the future, e.g., via the cookie settings in the footer or the banner.

Further details can be found in our Cookie Policy.

6. Google Tag Manager (Analytics deployment via GTM)

We use the Google Tag Manager (GTM) to manage tags centrally (including Google Analytics). GTM itself does not create its own user profiles; it serves the technical integration and control of tags.

We use Consent Mode so that, by default, no analytics storage occurs until consent is granted ("default denied" and subsequent "update" change).

Legal basis:

Operation/control of essential tag infrastructure: Art. 6(1)(f) GDPR
Triggering of analytics tags: Art. 6(1)(a) GDPR

Provider / Third-country transfer: Google services in the EU are usually provided via Google Ireland Limited. A transfer of personal data to Google companies in third countries (especially the USA) cannot be ruled out. The transfer takes place on the basis of the EU-US Data Privacy Framework and the Standard Contractual Clauses of the EU Commission.

We use Google Analytics 4 to measure and analyze the use of our online services (e.g., page views, duration of visit, interactions). The integration is carried out via Google Tag Manager.

Types of data processed (typical):

Usage data (events/interactions)
Device and browser information
IP-based location derivation (usually truncated or processed according to the mechanisms described by Google)

Legal basis: Consent (Art. 6(1)(a) GDPR).

Third-country transfer: When using Google services, a transfer to third countries (e.g., USA) cannot be ruled out. The transfer takes place on the basis of the EU-US Data Privacy Framework and the Standard Contractual Clauses of the EU Commission.

8. Google Fonts (locally hosted)

We use fonts ("Google Fonts") that are delivered from our own server or via our hosting, so that no connection to Google servers is required to retrieve the fonts.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a uniform, high-performance presentation).

9. Contact Form / Getting in Touch (incl. Firebase Cloud Functions & Firestore)

When you contact us via the contact form, we process the information provided by you to handle your inquiry.

9.1 What data is processed?

Name, email address, subject, topic (category)
Content of your message or details for a consultation call (preference, availability)
Wedding details if applicable (date / period / status "still open")
Technical metadata for abuse prevention and traceability (IP address, user agent, path; "raw" status as JSON if applicable)

9.2 Technical Processing (Firebase) & Retention/Deletion

The inquiry is processed via Firebase Hosting → Cloud Functions.

We use:

Firebase Cloud Functions (server logic, validation, dispatch)
Firebase Firestore (storage of the inquiry, abuse protection)
Firebase App Check (protection against automated access)

Firestore Storage (TTL): Contact inquiries are stored with a TTL (Time To Live) of 1 year. This TTL applies only to purely informational inquiries without a contract being concluded.

Statutory Retention Periods: If an inquiry results in a contract or documents are relevant for accounting, we store the data notwithstanding the TTL in accordance with legal requirements, in particular 6 years (German Commercial Code - HGB) or 10 years (German Tax Code - AO).

Legal bases:

Art. 6(1)(b) GDPR (pre-contractual / contract)
Art. 6(1)(f) GDPR (IT security)
Art. 6(1)(c) GDPR (legal obligation)

9.3 Sending Notification Emails (Mailjet)

Mailjet SAS, 4 rue Jules Lefebvre, 75009 Paris, France.

Name, email address, subject, and message content are processed.

Legal basis: Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR.

10. Firebase App Check (reCAPTCHA v3)

To protect our endpoints and prevent abuse, we use Firebase App Check in conjunction with reCAPTCHA v3.

Purpose & Scope: To determine whether an interaction on our website is performed by a human or an automated program (bot), hardware and software information (e.g., device data, browser properties) as well as IP addresses are transmitted to Google and evaluated there.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the security of our IT systems and protection against spam).

11. Communication via Microsoft 365 (Exchange & Teams)

We use Microsoft 365, particularly Exchange and Teams, for email, telephone, and video communication.

Provider: Microsoft Ireland Operations Limited, Dublin, Ireland (Parent company: Microsoft Corp., USA)

Processed data: Communication content, name, email address, metadata, and, if applicable, image and sound tracks.

Legal basis: Art. 6(1)(b) GDPR as well as Art. 6(1)(f) GDPR.

Third-country transfer: EU-US Data Privacy Framework and Standard Contractual Clauses.

12. Communication via WhatsApp

If you contact us on your own initiative via WhatsApp, we process your mobile number and message content.

Provider: WhatsApp Ireland Limited, Dublin, Ireland (Parent company: Meta Platforms Inc., USA)

Notes:

WhatsApp has access to metadata; end-to-end encryption only protects the content.
Confidentiality: We point out that communication via WhatsApp is less suitable for highly sensitive, confidential information. For such matters, please use communication by email or mail.

Legal basis: Art. 6(1)(b) GDPR or Art. 6(1)(a) GDPR.

Third-country transfer: EU-US Data Privacy Framework and Standard Contractual Clauses.

13. Blog

When reading the blog, the general processing rules (hosting, log files) apply.

14.1 Links (Instagram & LinkedIn)

Our website contains simple links to our social media profiles. The privacy policies of the respective providers only apply once you click on the link.

14.2 Joint Controllership

If you visit our profiles on Instagram or LinkedIn, there is a joint responsibility (Joint Controllership according to Art. 26 GDPR) between us and the respective platform operator for the data processing that occurs there. Information on your data subject rights can be found directly in the privacy policies of the respective providers.

15. Recipients / Data Processing on Behalf

Recipients may include:

Google / Firebase
Mailjet
Microsoft
WhatsApp / Meta

Where necessary, Data Processing Agreements (DPAs) according to Art. 28 GDPR have been concluded with the relevant service providers.

16. Your Rights

Right of access (Art. 15 GDPR)
Right to rectification (Art. 16 GDPR)
Right to erasure (Art. 17 GDPR)
Right to restriction of processing (Art. 18 GDPR)
Right to data portability (Art. 20 GDPR)
Right to object (Art. 21 GDPR)
Right to withdraw consent (Art. 7(3) GDPR)