Privacy Policy

Controller

The controller responsible for personal data processed on this site is identified in the Legal Notice (Impressum). Contact the controller via the email address listed there.

What We Collect

Pactolio is a publicly-readable site that does not require account creation, payment, or any form of identification to browse. The categories of personal data we process are limited to:

• Server log data — IP address, user agent, referrer, timestamp, and requested URL. Stored by our edge / hosting provider (Cloudflare) for routine operations, abuse mitigation, and security analytics. Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
• Usage analytics (Google Analytics 4) — loaded through Cloudflare Zaraz only after you give consent. When enabled, Google Analytics sets cookies (such as _ga and _ga_*) and processes a pseudonymous client identifier, your IP address (shortened by Google), device and browser information, and the pages you view, to produce aggregate usage statistics. This data is transmitted to Google LLC in the United States. Legal basis: Art. 6(1)(a) GDPR (consent), withdrawable at any time. Analytics is not loaded on your first visit and is never loaded if you decline.
• Inbound email — any personal data you include when you contact us via the addresses on the Contact page (your email address, name if provided, and message contents). Please do not send sensitive financial or personal information via email. Legal basis: Art. 6(1)(b) GDPR (pre-contractual / contractual) or Art. 6(1)(f) (legitimate interest), depending on the inquiry.

What We Do Not Collect

• No cookies are set on your first visit or at any time before you consent.
• No advertising or third-party retargeting pixels are loaded.
• No user accounts; no payment data.
• No personal data is sold or shared with marketers.

Cookies, Local Storage & Consent

The only non-essential cookies we use are analytics cookies set by Google Analytics 4. They are loaded exclusively through Cloudflare Zaraz and only after you actively consent via our cookie banner — no analytics cookie is written until you click “Accept”.

• _ga — distinguishes individual visitors. Duration: up to 2 years. Set by Google Analytics, only with your consent.
• _ga_* — preserves session state for Google Analytics 4. Duration: up to 2 years. Set only with your consent.
• zaraz-consent — stores your consent choice so you are not asked again. Strictly necessary to honour your decision; set regardless of the choice you make.
• hedge-theme (Local Storage) — stores your light/dark mode UI preference. This is strictly necessary to provide the feature you requested and does not track you.

Visitors in the EU / EEA, the United Kingdom, and Switzerland are asked to opt in before any analytics cookie loads. You can change or withdraw your choice at any time — open cookie settings — or use the “Cookie settings” link in the site footer. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal (Art. 7(3) GDPR).

International Data Transfers

When you consent to analytics, data is transmitted to Google LLC in the United States. Google LLC is certified under the EU–U.S. Data Privacy Framework, and transfers are additionally covered by the EU Standard Contractual Clauses (Art. 46 GDPR). Despite these safeguards, data transferred to the United States may under certain circumstances be subject to access by U.S. authorities; by consenting to analytics you also consent to this transfer (Art. 49(1)(a) GDPR).

Processors

• Cloudflare, Inc. — CDN, edge tag management (Zaraz consent and analytics loading), email routing for the addresses on the Contact page, and security. Data processing addendum: Cloudflare DPA. EU Standard Contractual Clauses apply.
• Hetzner Online GmbH — server hosting in Nuremberg, Germany. Data processing agreement in place.
• Google LLC — Google Analytics 4, loaded only after you consent. See the Google Privacy Policy. EU–U.S. Data Privacy Framework and Standard Contractual Clauses apply.

Retention

• Server and edge logs: retained only as long as necessary for security and operations and routinely deleted (within 30 days).
• Google Analytics user- and event-level data: retained for 14 months, then automatically deleted by Google. Aggregate reports may be kept longer in non-identifying form.
• Email correspondence: retained for the duration necessary to handle the inquiry plus any statutory retention period (typically 3-6 years for commercial correspondence under §257 HGB / §147 AO).

Your Rights

Under the GDPR you have the right to: (a) request access to your personal data (Art. 15), (b) request rectification (Art. 16), (c) request erasure (Art. 17, subject to statutory retention periods), (d) request restriction of processing (Art. 18), and (e) data portability (Art. 20).

Right to Object (Art. 21 GDPR): You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on legitimate interests (Art. 6(1)(f) GDPR).

Where we rely on your consent (Art. 6(1)(a)), you may also withdraw it at any time using the “Cookie settings” link in the footer (Art. 7(3)). To exercise any of these rights, contact the controller via the address on the Legal Notice (Impressum).

You also have the right to lodge a complaint with a supervisory authority. In Germany, the competent authority is the data protection authority of the federal state in which the controller is established (Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg — LfDI Baden-Württemberg).

External Links

Pactolio pages link to external sources for entity verification, primarily SEC EDGAR and Wikidata. Once you click an external link, the privacy policy of the destination site applies; we do not control how third parties handle your data.

Changes to This Policy

When material changes are made to this policy, the updated version is published at this URL with a new effective date below. Substantive changes are also reflected on the Changelog.

Last updated: 2026-06-07