Privacy Policy
Last updated: July 2026
1. 1. Controller
The controller responsible for data processing within the meaning of data protection laws, in particular the GDPR, is:
Blue Moon Virtual GmbH Managing Director: Moritz Mergener Grunewaldstraße 39b 12165 Berlin Germany Phone: +49 30 233 27927 E-Mail: info@bm-3d.com
2. 2. General information on data processing
We process personal data only insofar as this is necessary to provide this website, respond to inquiries, initiate or fulfill contractual relationships, and to analyze and market our website.
The information obligations and typical contents of a privacy policy primarily follow from Article 13 GDPR.
3. 3. Legal bases
Unless stated otherwise, we base the processing of personal data on one of the following legal bases:
Consent pursuant to Art. 6(1)(a) GDPR, for example for cookies, tracking, and embedded third party content, where consent is required. Contract or pre contractual measures pursuant to Art. 6(1)(b) GDPR, for example for quote requests, customer login, file uploads, or support via chat. Legitimate interests pursuant to Art. 6(1)(f) GDPR, for example for technically necessary provision of the website, IT security, and error analysis.
In addition, in Germany, the placing and reading of information on end user devices, for example cookies, is generally governed by the TTDSG. Tracking and marketing technologies are typically subject to prior consent and are controlled via a consent banner.
4. 4. Hosting, website delivery, and server logs
5. 4.1 Hosting with Hetzner
Our website is hosted by Hetzner Online GmbH. To deliver the website and ensure security, technically necessary data is processed, in particular IP address, date and time of access, pages accessed, referrer URL, browser information, and system messages.
Hetzner typically retains web server logs for 7 days by default, unless configured otherwise.
The legal basis is our legitimate interest in the secure and stable provision of the website (Art. 6(1)(f) GDPR). Where Hetzner processes personal data on our behalf, we conclude a data processing agreement pursuant to Art. 28 GDPR.
6. 4.2 DNS via Cloudflare
We use Cloudflare for DNS and technical delivery functions. Depending on use and configuration, technical metadata may be processed, for example IP address and request metadata. Cloudflare provides a data processing addendum and describes its processing activities for its services.
The legal basis is Art. 6(1)(f) GDPR (security, performance, stability).
7. 5. Contact, quote requests, and CRM
8. 5.1 Quote request form
If you contact us via the form, we process the data you submit, typically name, company, address, email address, and, where applicable, phone number and the content of your request.
The purpose is to handle your request and initiate or perform a contract. The legal basis is Art. 6(1)(b) GDPR, and additionally Art. 6(1)(f) GDPR (efficient processing of inquiries).
9. 5.2 Processing in Monday CRM
We use Monday to organize and process inquiries. In this context, contact data and communication content may be processed in Monday. Monday provides a DPA and describes its data protection measures and sub processors.
The legal basis is Art. 6(1)(b) GDPR (pre contractual measures) or Art. 6(1)(f) GDPR (CRM organization).
10. Email dispatch via Amazon SES
For sending emails from the contact form we use Amazon Simple Email Service (SES) of Amazon Web Services EMEA SARL with processing in the EU region (Stockholm). The data you enter in the form (name, email address, optionally phone number and company name, and your message) is transmitted for the purpose of handling your enquiry. Legal basis is Art. 6(1)(b) GDPR (pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in reliable communication).
11. Embedded content (two-click solution)
External content on this website is embedded via a two-click solution: when a page loads, only a locally hosted preview image is shown. Only when you actively start a piece of content is a connection to the respective third-party provider established, which technically transmits your IP address.
12. Kuula (360° tours)
Virtual 360° tours are provided via kuula.co (Kuula LLC, USA). When you start a tour, connection data (including IP address and browser information) is transmitted to Kuula; Kuula may set its own cookies. Transfer to the USA is based on your consent expressed by actively starting the content (Art. 6(1)(a), Art. 49(1)(a) GDPR).
13. Cloudflare Workers (3D viewer)
Walkable 3D scans (Gaussian splatting) are provided via a viewer we operate on Cloudflare Workers infrastructure (Cloudflare, Inc.). When started, connection data (including IP address) is processed by Cloudflare. Legal basis is your consent expressed by actively starting the content (Art. 6(1)(a) GDPR).
14. Fonts
All fonts on this website are served locally from our own server. No connection to Google Fonts or other external font services is established.
15. Cookies and tracking
This website uses technically necessary storage for your consent settings and sets analytics cookies only after you consent. For web analytics we use Google Analytics 4 by Google Ireland Limited. Google Analytics helps us understand which pages are used and how we can improve content, navigation, and performance. Google Analytics is loaded only if you accept analytics cookies in the consent banner; if you reject them, no Google Analytics cookies are set and existing analytics cookies are deleted. Legal basis is Art. 6(1)(a) GDPR together with the rules on access to end-user devices. You can withdraw or change your consent at any time via Cookie settings in the footer.
16. 10. Recipients, processors, and international transfers
We disclose personal data only if this is necessary to fulfill the purposes, you have consented, or there is a legal obligation.
Service providers may include in particular: Hetzner, Cloudflare, Monday, Google, OpenAI.
Some of these providers may process data outside the EU or EEA, in particular in the United States. Where required, we rely on appropriate safeguards such as EU Standard Contractual Clauses or an adequacy decision, for example under the EU US Data Privacy Framework.
17. 11. Storage periods
We generally store personal data only as long as necessary for the respective purposes. Thereafter, the data is deleted unless statutory retention obligations apply.
Server logs: typically short term; with Hetzner, the default is 7 days unless configured otherwise. Inquiries and CRM data: generally for the duration of processing and beyond to the extent necessary for documentation, follow up communication, or legal obligations. Customer account and file uploads: generally for the duration of the contractual relationship.
18. 12. Your rights
Under the GDPR, you have the following rights, depending on the specific case:
Right of access (Art. 15 GDPR) Right to rectification (Art. 16 GDPR) Right to erasure (Art. 17 GDPR) Right to restriction of processing (Art. 18 GDPR) Right to data portability (Art. 20 GDPR) Right to object to processing based on legitimate interests, in particular to direct marketing (Art. 21 GDPR) Right to withdraw consent at any time with effect for the future (Art. 7(3) GDPR)
You also have the right to lodge a complaint with a data protection supervisory authority.
19. 13. Data security
We implement appropriate technical and organizational security measures to protect your data against loss, misuse, and unauthorized access. This includes encrypted transmission via TLS.
20. 14. Changes to this privacy policy
We will update this privacy policy if the website, the tools we use, or legal requirements change.