Last updated: February 2026
This Privacy Policy applies to the website shifu-marketing.com and the subdomain go.shifu-marketing.com.
Note: The processing of personal data in the context of our consulting services — e.g. meeting transcripts, project documentation, process analyses — is governed by separate data processing agreements forming part of our client engagement documentation. This Privacy Policy exclusively covers data processing in connection with the operation of this website.
The controller within the meaning of the GDPR is:
Name: Ralf Hug
Business designation: Hug Ventures
Brand: Shifu Marketing
Business type: Sole proprietorship (not registered in the Commercial Register / Handelsregister)
Imbrand 38
78730 Lauterbach (Schwarzwald), Germany
Email: info@shifu-marketing.com
Protecting your personal data is a core priority for us. We process personal data only to the extent necessary to provide our website and services, or where you have given us your explicit consent. All processing complies with the GDPR and applicable national data protection laws.
All non-essential scripts, cookies, and services are activated only after your explicit consent via our cookie consent tool (Complianz). You can withdraw your consent at any time via the cookie banner at the bottom of the screen.
Where processing is based on Art. 6(1)(f) GDPR (legitimate interests), our legitimate interest consists in ensuring the secure, efficient, and economically viable operation of our website and business activities — including IT security, communication with business partners, marketing of our services, and process optimization. We carefully assess and balance our interests against the fundamental rights and freedoms of data subjects in each case.
Abbreviations used in this Privacy Policy (DPF, SCCs, DPA) are defined in Section 19.
This website is hosted by DomainFactory GmbH, Oskar-Messter-Str. 33, 85737 Ismaning, Germany. Servers are located in Germany. Each time our website is accessed, the following data is automatically recorded in server log files: IP address, date and time of access, URL requested, referrer URL, browser type, and operating system. Log files are deleted after 30 days and evaluated only in cases of suspected misuse. A Data Processing Agreement (DPA / AVV) is in place with DomainFactory.
Legal basis: Art. 6(1)(f) GDPR.
Our legitimate interest lies in maintaining the technical stability and security of our website, including the detection, prevention, and investigation of misuse and security incidents.
We use Microsoft 365 (Microsoft Ireland Operations Ltd., Dublin 18, Ireland) and/or Google Workspace (Google Ireland Ltd., Dublin 4, Ireland) for sending and receiving emails. Both providers process email content and metadata on EU servers. Any transfer to the US is governed by SCCs; DPAs are in place with both providers.
Legal basis: Art. 6(1)(b) and (f) GDPR.
We use Complianz (Complianz B.V., Kalmarweg 14-5, 9723 JG Groningen, Netherlands) to manage cookie consents. Complianz stores your consent decision as a technically necessary cookie locally in your browser. No personal data is transmitted to external servers.
All non-essential scripts are blocked until you provide consent. You can withdraw or change your consent at any time via the cookie banner or by clearing your browser storage for this domain.
Detailed information about the cookies used on this website, their purpose, storage duration, and categories can be found in our Cookie Policy.
Legal basis for technically necessary cookies: Art. 6(1)(f) GDPR.
For all other cookies: Art. 6(1)(a) GDPR.
We use Google Tag Manager (Google Ireland Ltd.) solely as a technical tag management system. It does not set cookies or collect personal data. It controls the loading of other tags that may collect data — these are only activated after your consent.
Legal basis: Art. 6(1)(a) GDPR.
With your explicit consent pursuant to Art. 6(1)(a) GDPR, we use Google Analytics 4 (Google Ireland Ltd.) to analyze website usage. IP anonymization is enabled by default in Google Analytics 4.
We have configured the following data retention settings in Google Analytics 4:
Data sharing with Google for advertising or benchmarking purposes is disabled. Google Signals is not activated. Data may be transferred to the US; Google is certified under the EU-U.S. Data Privacy Framework (DPF). You can withdraw your consent at any time via the cookie banner.
We use Google Fonts served locally from our own server. No connection to Google servers is established and no personal data is transferred to Google.
For internal business operations, we use Google Workspace (Google Ireland Ltd.) — including Gmail, Docs, Sheets, Slides, Drive, and Google Cloud — and Microsoft 365 (Microsoft Ireland Operations Ltd.) — including Outlook, Teams, Word, and Excel. Personal data (e.g., contact information from inquiries) may be temporarily stored in Google Sheets before being transferred to our CRM. Processing takes place on EU servers; any transfers to the US are covered by SCCs and DPF. DPAs are in place with both providers.
Legal basis: Art. 6(1)(f) GDPR.
Our legitimate interest lies in maintaining an efficient, secure, and scalable IT infrastructure for business communication, document management, and operational continuity.
With your consent, we embed YouTube videos (Google Ireland Ltd.) using privacy-enhanced mode. No cookies are set until you actively play a video. Upon playback, a connection to YouTube servers is established; any transfer to the US is based on SCCs.
Legal basis: Art. 6(1)(a) GDPR.
With your consent, we embed videos from Vimeo Inc. (555 West 18th Street, New York, NY 10011, USA). When a video is played, a connection to Vimeo servers is established; transfers to the US are based on SCCs.
Legal basis: Art. 6(1)(a) GDPR.
This website may feature AI-generated videos created using HeyGen (HeyGen Technology Inc., USA), including content with AI avatar and voice synthesis elements. HeyGen is used as an internal production tool; finished videos are delivered via our own servers or through a third-party platform (e.g. YouTube or Vimeo) — in which case the privacy notices of those platforms apply (see Section 10). No personal data of website visitors is processed directly by HeyGen.
Note: The technical integration of HeyGen video content is currently in the planning phase. This section will be updated with specific details once the embedding method has been determined.
Legal basis: Art. 6(1)(f) GDPR.
We use HubSpot (HubSpot Ireland Ltd., 1 Sir John Rogerson’s Quay, Dublin 2, Ireland) as our central CRM and marketing automation platform. HubSpot processes personal data on EU servers; transfers to the US are covered by DPF and SCCs. A DPA is in place with HubSpot.
With your consent, HubSpot sets tracking cookies to analyze visitor behavior on our website and optimize our marketing communications.
Legal basis: Art. 6(1)(a) GDPR.
We operate HubSpot-powered landing pages on the subdomain go.shifu-marketing.com for campaigns and lead generation. The same data protection principles apply as for the main domain.
When you submit a form, the data you enter — typically first name, last name, email address, company, area of interest, and optional comments — is transmitted to and stored in HubSpot. This data is used exclusively to handle your inquiry and, where you have consented, for marketing communications.
Legal basis: Art. 6(1)(b) and (a) GDPR.
For scheduling consultations, we use the HubSpot-integrated online calendar at go.shifu-marketing.com. We process your name, email address, desired time slot, and any message you provide. Data is stored in HubSpot and synchronized with Microsoft Outlook. Meetings are conducted via Microsoft Teams or Zoom (Zoom Video Communications Inc., San Jose, CA, USA); Zoom transfers to the US are based on SCCs.
Legal basis: Art. 6(1)(b) GDPR.
Outbound emails (transactional, campaigns, newsletters) are sent via HubSpot. Your email address is used solely for communications relating to our business relationship or based on your explicit consent. You can unsubscribe from marketing emails at any time via the unsubscribe link in each email.
Legal basis: Art. 6(1)(a) GDPR (newsletter) and (b) GDPR (transactional emails).
For online surveys, we use Tally (Tally So BV, Brusselsesteenweg 352, 9090 Melle, Belgium). When you participate in a survey, the data you provide — typically your email address and survey responses — is transmitted to Tally. Tally is an EU-based company; no third-country transfer takes place. A DPA is in place with Tally. Data collected via Tally is transferred via our n8n automation workflow to Google Sheets for further processing (see Sections 9 and 14).
Legal basis: Art. 6(1)(a) GDPR.
For internal process automation, we use n8n Cloud (n8n GmbH, Saarbrücker Str. 38a, 10405 Berlin, Germany). n8n acts as an orchestration layer between our tools — it transfers and transforms data but does not store it persistently. n8n GmbH is headquartered in Germany and its cloud infrastructure is EU-based. A DPA is in place with n8n.
Legal basis: Art. 6(1)(f) GDPR.
Our legitimate interest lies in the secure and efficient optimization of internal business processes while ensuring data minimization and controlled system integration.
Our website includes a link to the personal LinkedIn profile of Ralf Hug (LinkedIn Ireland Unlimited Company, Wilton Plaza, Gardner House 4-6, Dublin 2, Ireland). When you click this link, you are redirected to LinkedIn. We have no influence over that processing. For details: linkedin.com/legal/privacy-policy
We operate a LinkedIn company page. When you visit our page or interact with us via LinkedIn, personal data is processed by LinkedIn. LinkedIn and we are joint controllers pursuant to Art. 26 GDPR with regard to the processing of Page Insights data. The essence of the joint controllership arrangement is accessible at: https://legal.linkedin.com/pages-joint-controller-addendum — LinkedIn assumes primary responsibility for fulfilling data subject rights relating to Page Insights data.
Note: No LinkedIn Insight Tag is currently active on our website. Should this change, this Privacy Policy will be updated.
Legal basis: Art. 6(1)(f) GDPR.
Our legitimate interest lies in maintaining a professional online presence, communicating with business partners and prospects, and providing information about our services.
Our website may contain links to external websites operated by third parties — including blog posts, articles, tool references, and partner resources. When you click such a link, you will leave our website. We have no control over the data protection practices of those sites and accept no responsibility for them. We recommend reviewing the privacy policy of any external website before submitting personal data there.
We use AI-powered tools in our work. We distinguish between tools used to create website content and those used exclusively for internal purposes. The processing of personal data in the context of consulting engagements is governed by separate data processing agreements (see introductory note).
The following AI systems are used to create text, images, and video content published on this website. These tools do not process personal data of website visitors:
The following tools are used exclusively for internal purposes and are not part of published website content:
Legal basis: Art. 6(1)(f) GDPR.
Our legitimate interest lies in the efficient creation, optimization, and quality assurance of website content and business materials.
We have implemented the following measures pursuant to Art. 32 GDPR:
The following data processors act on our behalf. Data Processing Agreements (DPA / AVV) pursuant to Art. 28 GDPR are in place with all providers listed below:
| Auftragsverarbeiter / Processor | Zweck / Purpose | Sitz / Location | Grundlage |
| DomainFactory GmbH | Web hosting | Germany (EU) | Art. 6(1)(f) |
| Microsoft Ireland Operations Ltd. | M365, Outlook, Teams, email | Ireland (EU) / USA (SCCs) | Art. 6(1)(b)(f) |
| Microsoft 365 Copilot (Azure OpenAI) | AI text processing, document analysis, meeting summaries (internal) | Ireland (EU) / USA (SCCs) | Art. 6(1)(f) |
| Google Ireland Ltd. | Workspace, Analytics, GTM, YouTube, Cloud | Ireland (EU) / USA (DPF) | Art. 6(1)(a)(f) |
| HubSpot Ireland Ltd. | CRM, forms, calendar, email | Ireland (EU) / USA (DPF) | Art. 6(1)(a)(b) |
| Complianz B.V. | Cookie consent management | Netherlands (EU) | Art. 6(1)(f) |
| n8n GmbH | Workflow automation | Germany (EU) | Art. 6(1)(f) |
| Tally So BV | Online surveys / forms | Belgium (EU) | Art. 6(1)(a) |
| Zoom Video Communications Inc. | Video meetings | USA (SCCs) | Art. 6(1)(b) |
| Vimeo Inc. | Video embedding | USA (SCCs) | Art. 6(1)(a) |
| LinkedIn Ireland Unlimited | Social media | Ireland (EU) | Art. 6(1)(f) |
| HeyGen Technology Inc. | AI video production for website content | USA (SCCs) | Art. 6(1)(f) |
| Anthropic Inc. | AI creation: text, code, visual content (Claude API) | USA (SCCs) | Art. 6(1)(f) |
| OpenAI Ireland Ltd. / OpenAI Inc. | AI creation: text, code, visual content (API + ChatGPT Business) | Ireland (EU) / USA (SCCs + DPF) | Art. 6(1)(f) |
| Perplexity AI Inc. | AI-assisted research and content synthesis (API) | USA (SCCs) | Art. 6(1)(f) |
Abbreviations: DPA/AVV = Data Processing Agreement (Auftragsverarbeitungsvertrag, Art. 28 GDPR) | DPF = EU-U.S. Data Privacy Framework | SCCs = Standard Contractual Clauses (Standardvertragsklauseln, Art. 46(2)(c) GDPR)
Under the GDPR, you have the following rights regarding your personal data:
Right of access (Art. 15 GDPR): You may request, free of charge, information about whether and which personal data we process about you, for what purposes, where it originates, to whom it is disclosed, and how long it is retained.
Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data or the completion of incomplete data concerning you.
Right to erasure (Art. 17 GDPR): You may request the deletion of your personal data where it is no longer necessary, consent has been withdrawn, an objection has been lodged, or processing was unlawful.
Right to restriction of processing (Art. 18 GDPR): Instead of deletion, you may request restriction of processing, for example where you dispute the accuracy of data or have lodged an objection.
Right to data portability (Art. 20 GDPR): For data you have provided yourself and which is processed on the basis of a contract or consent, you may request that it be provided in a structured, commonly used, machine-readable format.
Right to object (Art. 21 GDPR): Where processing is based on legitimate interests, you may object at any time on grounds relating to your particular situation. Where personal data is processed for direct marketing purposes, you have an unconditional right to object.
Right to withdraw consent (Art. 7(3) GDPR): You may withdraw any consent at any time with effect for the future, without affecting the lawfulness of prior processing.
To exercise your rights, please contact us by email at info@shifu-marketing.com or at the address given in Section 1. We may request additional information to verify your identity before processing your request.
You also have the right to lodge a complaint with the competent supervisory authority:
The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI BW)
Lautenschlagerstraße 20, 70173 Stuttgart | https://www.baden-wuerttemberg.datenschutz.de
Text, images, and videos on this website may have been created in whole or in part using AI systems. We use AI as a tool — concept, curation, and quality control remain with us. For details on the AI tools we use, please refer to Section 17.
Unless otherwise stated in this Privacy Policy, personal data is retained only for as long as necessary for the respective processing purpose and in accordance with statutory retention obligations. After expiration of the applicable retention period, data is deleted or anonymized.
| Datenkategorie / Data Category | Speicherdauer / Retention | Grundlage / Basis |
| Server log files | 30 days | IT security; Art. 6(1)(f) GDPR |
| Contact form inquiries | 3 years after final communication | Limitation period (§ 195 BGB) |
| CRM contact data | Duration of business relationship + 3 years | Defense of legal claims |
| Newsletter subscribers | Until withdrawal of consent | Consent-based processing |
| Newsletter suppression records (opt-out) | 3 years after opt-out | Proof of consent management |
| Appointment booking data | Duration of business relationship + 3 years | Contract purpose; § 195 BGB |
| Survey data (Tally) | Maximum 24 months | Analytical lifecycle |
| Accounting and invoicing data | 10 years | § 147 AO / § 257 HGB |
| Google Analytics (user-level data) | 14 months (configured) | Statistical analysis; Art. 6(1)(a) GDPR |
| Cookie consent records | 3 years | Accountability obligation Art. 5(2) GDPR |
This Privacy Policy is current as of February 2026. We may update it as our services evolve or in response to changes in legal requirements. The current version will always be available on this page. We will notify you of material changes separately.