Privacy Policy

Status: January 12, 2026

Note: This is a translation of the German "Datenschutzerklärung". In case of discrepancies or legal disputes, the original German version shall prevail.

1. Introduction

This website is operated by: Erste Hello Storage GmbH.

It is very important to us to handle our website visitors' data trustfully and to protect it in the best possible way. For this reason, we make every effort to comply with the requirements of the GDPR (General Data Protection Regulation).

below, we explain how we process your data on our website. We use clear and transparent language so that you truly understand what happens with your data.

2. General Information

Processing of Personal Data and Terminology

Data protection applies to the processing of personal data. "Personal" refers to all data with which you can be personally identified. This includes, for example, the IP address of the device (PC, laptop, smartphone, etc.) you are currently using. Such data is "processed" whenever something happens to it. For instance, if the IP address is transmitted from the browser to our provider and automatically stored there, this constitutes processing (acc. to Art. 4 No. 2 GDPR) of personal data (acc. to Art. 4 No. 1 GDPR). These and other legal definitions can be found in Art. 4 GDPR.

Applicable Regulations / Laws – GDPR, BDSG, and TDDDG

The scope of data protection is regulated by law. In this case, these are the GDPR (General Data Protection Regulation) as a European regulation and the BDSG (Federal Data Protection Act) as national law. Furthermore, the TDDDG (Telecommunications Digital Services Data Protection Act) supplements the regulations of the GDPR regarding the use of cookies.

The Controller (Responsible Party)

The party responsible for data processing on this website is the "Controller" within the meaning of the GDPR. This is the natural or legal person who alone or jointly with others decides on the purposes and means of processing personal data.

You can reach the Controller at: Erste Hello Storage GmbH Eifflerstraße 43 22769 Hamburg Germany Email: datenschutz@pandalocker.com

How Data is Processed on This Website

As mentioned, some data (e.g., IP address) is collected automatically. This data is primarily required for the technical provision of the homepage. Insofar as we use personal data beyond this or collect other data, we will inform you about it or ask for your consent. You provide other personal data to us consciously (e.g., via forms). Detailed information on this can be found below.

Your Rights

The GDPR grants you comprehensive rights. These include, for example, free information about the origin, recipient, and purpose of your stored personal data. Furthermore, you can request the correction, blocking, or deletion of this data or complain to the responsible data protection supervisory authority. You can revoke any consent given at any time. Details on how these rights look and how to exercise them can be found in the last section of this Privacy Policy.

Data Protection – Our Perspective

Data protection is more than just an annoying obligation for us! Personal data has great value, and careful handling of this data should be a matter of course in our digitized world. Furthermore, as a website visitor, you should be able to decide for yourself what, when, and by whom your data is processed. Therefore, we commit to complying with all legal regulations, collect only the data necessary for us, and treat it confidentially.

Transfer and Deletion

Data transfer and deletion are also important and sensitive topics.

• Transfer: Data is only transferred based on a legal basis and only when unavoidable. This may be the case, in particular, when a so-called processor is involved and a Data Processing Agreement (DPA) according to Art. 28 GDPR has been concluded.
• Deletion: We delete your data when the purpose and legal basis for processing no longer apply and no other legal obligations prevent deletion. Art. 17 GDPR provides a good overview of this.

3. Hosting

This website is hosted externally. The personal data collected on this website is stored on the hoster's servers. This includes automatically collected and stored log files (see below), as well as all other data provided by website visitors.

External hosting takes place for the purpose of a secure, fast, and reliable provision of our website and serves the fulfillment of contracts with our potential and existing customers. Legal Basis: Art. 6(1)(a), (b), and (f) GDPR, as well as § 25(1) TDDDG (regarding consent for cookies/access to information).

Our hoster processes only data necessary to fulfill its performance obligations and acts as our processor, meaning it is subject to our instructions. We have concluded a corresponding Data Processing Agreement (DPA) with our hoster.

We use the following hoster: Vercel Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA Privacy Policy: https://vercel.com/legal/privacy-policy

4. Legal Bases

The processing of personal data always requires a legal basis. The GDPR provides for the following possibilities in Art. 6(1) Sentence 1:

• a) Consent: The data subject has given consent to the processing of their personal data for one or more specific purposes.
• b) Contract: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• c) Legal Obligation: Processing is necessary for compliance with a legal obligation to which the controller is subject.
• d) Vital Interests: Processing is necessary to protect the vital interests of the data subject or of another natural person.
• e) Public Interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• f) Legitimate Interest: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

5. What Happens on Our Website

When you visit our website, we process your personal data. To protect this data against unauthorized access, we use SSL or TLS encryption. You can recognize this by the "https://" or the lock symbol in your browser address bar.

5.1 Data Collection When Accessing the Website (Server Logs)

When accessing the website, information is automatically stored in so-called server log files:

• Browser type and version
• Operating system used
• Referrer URL
• Hostname of the accessing computer
• Time of the server request
• IP address

This data is temporarily required to display our website to you without problems (System security, stability, troubleshooting). Legal Basis: Art. 6(1)(f) GDPR (Legitimate interest in functionality and security). Storage: Data is pseudonymized if possible and deleted after the purpose is reached. Server log files are stored for a maximum of 14 days, unless a security-relevant event occurs (storage until clarification).

5.2 Cookies

General: This website uses cookies (small data records stored in your browser). They facilitate navigation. Rejecting Cookies: You can adjust your browser settings to prevent cookies. However, blocking cookies may restrict website functionality. Consent: You can manage your settings via our Cookie Consent Tool.

• Technically Necessary Cookies: Essential for the website to function error-free. Legal Basis: Art. 6(1)(b), (c), and/or (f) GDPR.
• Non-Essential Cookies: Used for analysis or marketing. Legal Basis: Consent acc. to Art. 6(1)(a) GDPR.

5.3 Data Processing via User Input

AI Usage Personal data may be processed using Artificial Intelligence (e.g., for automated evaluation of contact forms or internal optimization).

Direct Data Collection (Locker Rental) We offer locker rentals on our website. We collect:

• Name
• Email address
• Phone number Legal Basis: Art. 6(1)(b) GDPR (Contract performance). Deletion: Once the purpose ceases to apply and retention periods expire.

Contact via Email / Phone If you contact us, we process your email address/phone number and request data. Legal Basis: Art. 6(1)(b) or (f) GDPR.

5.4 Chat and Communication Tools

• Chat (Crisp): https://crisp.chat
• Chatbot: https://crisp.chat
• External Phone Service (Placetel): https://www.placetel.de/
• Mailing Service (SMTP2GO): Used to send transactional and marketing emails. Provider: Sand Dune Mail Ltd., New Zealand. Legal Basis: Consent (Art. 6(1)(a) GDPR) or Contract (Art. 6(1)(b) GDPR). Privacy: https://www.smtp2go.com/privacy/.

6. Analysis and Tracking Tools

Google Analytics

Provider: Google Ireland Limited. Analyzes visitor behavior.

• Data: IP (anonymized), browser info, clicks, duration.
• Legal Basis: Consent (Art. 6(1)(a) GDPR).
• Transfer: Data may be transferred to the USA (Data Privacy Framework / SCCs apply).
• Retention: Standard data is deleted/anonymized after 14 months.

Google Consent Mode

Adjusts Google services based on your consent status. We use "Advanced Consent Mode" for detailed data collection if you consent. Legal Basis: Legitimate Interest (Art. 6(1)(f) GDPR).

Google Maps

Displays maps. Transmits IP address to Google (USA). Legal Basis: Consent (Art. 6(1)(a) GDPR).

YouTube

Embeds videos. Connects to Google servers and may set cookies. Legal Basis: Consent (Art. 6(1)(a) GDPR).

Google Tag Manager

Manages website tags. Does not set cookies itself but transmits IP addresses to Google (USA). Legal Basis: Legitimate Interest (Art. 6(1)(f) GDPR).

Google Ads

Uses conversion tracking cookies to display targeted ads. Legal Basis: Consent (Art. 6(1)(a) GDPR).

Meta Pixel

Provider: Meta Platforms Ireland Limited. Tracks behavior after clicking Facebook/Instagram ads. Joint Control: We are jointly responsible with Meta for collection and transfer (Art. 26 GDPR). Legal Basis: Consent (Art. 6(1)(a) GDPR).

Make (formerly Integromat)

Automation service by Celonis, Inc. (USA). Used to optimize workflows and connect APIs. Legal Basis: Legitimate Interest (Art. 6(1)(f) GDPR). Transfer: SCCs apply for US transfer.

Vercel Analytics & Speed Insights

Provider: Vercel Inc. (USA).

• Analytics: Real-time traffic insights. Anonymized, no cookies.
• Speed Insights: Performance analysis. No cookies, no personal profiles.
• Legal Basis: Legitimate Interest (Art. 6(1)(f) GDPR).

Matterport

3D virtualization of properties. Data stored on Matterport servers (potentially US). May use cookies for analysis. Legal Basis: Consent (Art. 6(1)(a) GDPR).

7. Social Media

Plugins

We use plugins from the following providers. Connection to servers is established, and IP is transmitted upon activation.

• Facebook (Meta Platforms Ireland Ltd.)
• Instagram (Meta Platforms Ireland Ltd.)
• LinkedIn (LinkedIn Ireland Unlimited Co.)
• TikTok (TikTok Technology Ltd.)
• WhatsApp Channels

Legal Basis: Consent (Art. 6(1)(a) GDPR).

Social Media Profiles (Fanpages)

We operate profiles on LinkedIn, Facebook, Instagram, and Threads. When you visit these pages, data is processed by the platforms (e.g., "Page Insights" regarding reach, demographics). Joint Responsibility: For "Page Insights," we are jointly responsible with the platforms (Art. 26 GDPR). Legal Basis: Legitimate Interest (Art. 6(1)(f) GDPR) for our marketing; Consent (Art. 6(1)(a)) for platform tracking.

8. Other Services & Content

Google Business Profile

We use the Google Business Profile. If you contact us or review us there, Google processes your data. We have no influence over Google's internal processing.

Google Fonts

Loads fonts from Google servers. IP address is transmitted. Legal Basis: Consent (Art. 6(1)(a) GDPR).

Zapier

Automation tool (USA) to synchronize services. Legal Basis: Consent (Art. 6(1)(a) GDPR).

WooCommerce

E-commerce plugin for WordPress by Automattic Inc. (USA). Used for shop functionality.

Trustpilot

• Reviews: We may send review invitations (only with consent).
• Widget: Displays reviews on our site. Loads data from Trustpilot servers. Legal Basis: Consent (Art. 6(1)(a) GDPR).

Sanity.io (CMS)

Content Management System. Collects IP addresses to prevent fraud (DDOS). Legal Basis: Legitimate Interest (Art. 6(1)(f) GDPR).

Conferencing Tools

We use the following tools for audio/video conferences (contract fulfillment/legitimate interest):

• Zoom (Zoom Communications Inc.)
• Microsoft Teams (Microsoft Ireland)
• Google Meet (Google Ireland)
• Webex (Cisco)
• WhatsApp (WhatsApp LLC)

Payment Services: Stripe

We use Stripe for payment processing. Stripe processes payment data. Legal Basis: Contract fulfillment (Art. 6(1)(b) GDPR) and legitimate interest for functional cookies.

Order Processing: drop-point

Service used: www.drop-point.com

Cloud Backups

To protect against data loss, we use Vercel for cloud backups.

9. Your Rights in Detail

• Right of Access (Art. 15 GDPR): You can request information about whether and how we process your data.
• Right to Rectification (Art. 16 GDPR): You can request the correction of incorrect data.
• Right to Erasure (Art. 17 GDPR): "Right to be forgotten" – you can request deletion under certain conditions (e.g., purpose no longer applies).
• Right to Restriction of Processing (Art. 18 GDPR): You can limit how we process your data under certain conditions.
• Right to Data Portability (Art. 20 GDPR): You can receive your data in a structured format.
• Right to Object (Art. 21 GDPR): You can object to the processing of your data, especially for direct marketing or if processing is based on legitimate interest.
• Automated Decision-Making (Art. 22 GDPR): You have the right not to be subject to decisions based solely on automated processing.
• Right to Complain (Art. 77 GDPR): You can complain to a data protection supervisory authority.

Changes to this Policy

Current Status: January 12, 2026. We reserve the right to adapt this Privacy Policy to legal or factual changes. The new version will be published here.