Privacy Policy | Maxfeld.legal

This privacy policy provides information about how your personal data is processed when you use our website maxfeld.legal and about your rights under the General Data Protection Regulation (GDPR). It also provides information about the use of cookies and similar technologies in accordance with the Telecommunications Digital Services Data Protection Act (TDDDG).

Responsible body

Maxfeld.legal Rechtsanwaltsgesellschaft mbH
Leipziger Platz 21
90491 Nuremberg
Germany

Phone: +49 911 569 61-0
Email contact@maxfeld.legal

Authorized representative:

Sebastian Harschneck, Geschäftsführer & Managing Partner
Johannes Egelhof, Geschäftsführer
Daniel Gößling, Geschäftsführer
Martin Neupert, Geschäftsführer

As the operator of this website, is the responsible body (controller) within the meaning of the GDPR, which alone decides on the purposes and means of processing personal data ("data").

Contact Data protection

Email privacy@maxfeld.legal

Postal address: Leipziger Platz 21, 90491 Nuremberg, Germany, Addition: Data Protection

Definitions

To make our privacy policy easy for you to read and understand, we explain the terms used in advance.

According to Art. 4 No. 1 GDPR, "personal data" is any information relating to an identified or identifiable natural person (data subject). A natural person is identifiable if they can be identified directly or indirectly, in particular by association with an identifier (such as name, address, telephone number, email address, IP address, location data, or special characteristics such as genetic, economic, and social identity of that natural person).

According to Art. 4 No. 2 GDPR, "processing" means any operation or set of operations which is performed on data, whether or not by automated means. This includes, in particular, the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

According to Art. 4 No. 11 GDPR, "consent" of the data subject is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

According to Art. 4 No. 8 GDPR, a "processor" is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

According to Section 2 (2) No. 6 TDDDG, an "end device" is any device directly or indirectly connected to the interface of a public telecommunications network for sending, processing, or receiving messages (e.g., a desktop PC, a mobile phone, or a tablet PC).

With regard to the other data protection terms used, we refer to the definitions in Art. 4 GDPR.

Legal basis

By law, any processing of personal data is initially prohibited (Article 5(1)(a) GDPR in conjunction with Article 6(1) GDPR).

Insofar as we obtain consent, we process data on the basis of Art. 6 (1) (a) GDPR.

Art. 6 (1) (b) GDPR regularly applies to (pre)contractual communication/initiation of a mandate.

We process data on the basis of Art. 6 (1) (c) GDPR in order to fulfill legal obligations.

In all other cases, we base our processing operations on Art. 6 (1) (f) GDPR (legitimate interest).

Further details on the purpose, scope, legal basis, and storage period of the respective processing operations can be found in the following sections on the individual services and functions of this website.

Insofar as we store information on your end device or access information already stored there (e.g., cookies, local storage, tags/pixels), this is also done in accordance with the provisions of Section 25 TDDDG. We base technically necessary processes on Section 25 (2) TDDDG; otherwise, the use of cookies is only permitted with your consent in accordance with Section 25 (1) TDDDG, which you can revoke at any time via the cookie settings.

Purpose limitation of processing

We process personal data in accordance with the principles of data minimization and purpose limitation (Art. 5 (1) (b) and (c) GDPR) exclusively for the purposes stated in this privacy policy.

Processing for other purposes will only take place if you have given your prior consent, if another legal basis permits this, if we are legally obliged to do so, or if further processing is compatible with the original purpose in accordance with Art. 6 (4) GDPR.

If we process data on the basis of legitimate interests (Art. 6 (1) (f) GDPR), you may object to the processing for reasons arising from your particular situation in accordance with Art. 21 GDPR. Further details can be found in section 14 Rights of data subjects.

Storage period

We only process personal data for as long as is necessary for the respective purposes, unless longer storage is required by statutory retention obligations (e.g., commercial or tax law retention obligations).

If the processing is based on your consent, we will store the data until you revoke your consent; beyond that, only to the extent and for as long as the data is necessary for the respective purposes or we are legally obliged to store it for a longer period.

In individual cases, longer storage may be necessary to assert, exercise, or defend legal claims.

Once the purposes no longer apply and provided that there are no conflicting retention obligations or legitimate interests, we delete the personal data.

Recipients / Processors

Your data will only be passed on to third parties who are external service providers (processors) working on our behalf if this is necessary for the purpose of fulfilling the contractual relationship. We conclude contracts with processors in accordance with Art. 28 GDPR. Our processors are obliged to maintain confidentiality and comply with the provisions of the GDPR. The data passed on may only be used by our service providers to fulfill their tasks.

In exceptional cases, data may also be transferred to government institutions and authorities if we are legally obliged to do so or if you consent to such transfer.

Third country transfer

If we use services whose providers/servers are located outside the EU or the European Economic Area (EEA) or can be accessed there, data will only be transferred in compliance with the provisions of Art. 44 ff. GDPR. Processing is then carried out under guarantees that are suitable for ensuring a sufficiently high level of data protection.

Server log files (technically necessary data)

When you visit our website, the web server processes the following data, among other things: IP address, date/time, page/file accessed, referrer URL, browser/OS, status codes, amount of data transferred.

The purpose of processing is to deliver the website and ensure its stability and security, as well as to analyze errors.

The legal basis for processing here is the legitimate interest in the secure and stable operation of the website, in the detection and prevention of attacks and misuse, in error analysis, and in ensuring technical functionality in accordance with Art. 6 (1) lit. f. GDPR.

Web hosting

Our website is operated by a hosting service provider. Our hosting provider for this website is:

Host Europe GmbH
c/o WeWork Wallarkaden
Pilgrimstraße 6
50674 Cologne
Germany

We have a contract with the hosting provider for order processing in accordance with Art. 28 GDPR. The purpose of the processing is the provision and technical operation of this website. The legal basis for the processing is Art. 6 (1) lit. f GDPR, the legitimate interest in the efficient and secure provision of this website and the economic operation of the IT infrastructure.

Cookies and similar technologies (TDDDG)

We use cookies and similar technologies. These are either technically necessary (provided without consent) or optional (e.g., statistics and marketing) and are then only set with your consent.

The legal basis for storing the technically necessary cookies on your end device is Section 25 (2) No. 2 TDDDG. Any resulting data processing is based on Art. 6 (1) lit. f GDPR, our legitimate interest in the error-free provision of our website. Should any other legal bases be relevant, these will be presented below.

The legal basis for storing optional cookies on your end device is your consent in accordance with Section 25 (1) TDDDG. Any resulting data processing is also based on your consent in accordance with Art. 6 (1) lit. a GDPR.

You can revoke or adjust any consent at any time via the cookie settings with effect for the future. We provide an overview of the cookies/technologies used (cookie declaration) via our consent tool.

Consent Management Tool: Cookie Bot

We use the consent management tool "Cookiebot" on our website. Cookiebot is operated by Usercentrics A/S (Cookiebot), Havnegade 39, 1058 Copenhagen, Denmark.

Cookiebot is used to obtain, manage, and document consent for the use of cookies and services requiring consent, as well as to block the execution of optional services until consent is given. Users can adjust their selection at any time via the banner or the cookie settings.

To this end, Cookiebot processes in particular the consent status (granted/refused/individual selection), a timestamp, a pseudonymous consent ID, browser and device information, and the IP address in truncated form.

The legal basis for processing is Art. 6 (1) (c) GDPR, insofar as processing is carried out to fulfill our legal obligation to obtain consent before setting or reading non-essential cookies or similar technologies, Art. 25 (1) TDDDG, and to be able to prove that consent has been given, Art. 7 (1) GDPR in conjunction with the accountability obligation under Art. 5 (2) GDPR.

In addition, we base the processing on Art. 6 (1) lit. f GDPR, our legitimate interest in legally compliant and user-friendly consent management and the technical control and blocking of services requiring consent.

Detailed information on the specific cookies or similar technologies used, in particular their name, provider, purpose, duration, and category, can be found at any time in our cookie management system and in the cookie declaration available there.

etracker (web analysis)

We use the "etracker" analysis service on our website. The provider is etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany. We use etracker to analyze the use of our website in order to measure its reach and optimize our offering in terms of technology and content.

In particular, information about how visitors interact with the website is processed, such as page views, length of stay, entry and exit pages, as well as technical information about the browser and device used and the origin of the visit (referrer).

This serves to optimize our offering and improve its functionality. Depending on the configuration, cookies or entries in local or session storage are used for this purpose.

The legal basis for processing this data is your consent in accordance with Art. 6 (1) (a) GDPR in conjunction with § 25 (1) TDDDG. You can revoke your consent at any time via the cookie settings.

Google Analytics (GA4)

We use "Google Analytics (GA4)" for statistical analysis of the use of our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Among other things, Google Analytics enables us to evaluate page views, user interactions, and technical information about your device/browser in order to improve the website, make content more user-friendly, and identify errors or performance issues more quickly.

Cookies or similar technologies are used for this purpose, and usage and event data are processed. Data may also be transferred to Google services outside the EU/EEA, in particular to the USA.

Any transfers to third countries are carried out exclusively in compliance with the requirements of Art. 44 ff. GDPR through appropriate safeguards and security mechanisms.

The legal basis is your consent in accordance with Art. 6 (1) (a) GDPR in conjunction with § 25 (1) TDDDG. You can revoke your consent at any time via the cookie settings.

Google Tag Manager (GTM)

We use "Google Tag Manager." The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is used to manage and display website scripts ("tags"), in particular to provide analysis and optimization services that are technically integrated and controlled. Tag Manager is generally an administration tool and does not typically set its own analysis cookies; cookies or similar technologies are regularly set by the respective integrated services.

When you visit the website, information (e.g., IP address and device/browser data) may be processed for technical reasons. We use Tag Manager in such a way that tags requiring consent, insofar as this is technically possible, are only loaded or activated after you have given your consent via our consent management system.

The legal basis for the use of Tag Manager in conjunction with services requiring consent is your consent in accordance with Art. 6 (1) lit. a GDPR in conjunction with § 25 (1) TDDDG. You can revoke your consent at any time via the cookie settings.

Microsoft Clarity (session replays/heat maps)

We use "Microsoft Clarity" to track the use of our website and improve its user-friendliness. The provider for the European region is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

Clarity enables, among other things, the evaluation of typical usage patterns (such as scrolling and clicking behavior, mouse movements, drop-off points) and provides heat maps and pseudonymized session recordings depending on the configuration. On this basis, we can optimize content and navigation and identify technical hurdles.

In particular, interaction data (clicks, scrolling, mouse movements), device and browser data, and information about pages accessed are processed. Entries in form fields are masked or not recorded. Cookies or similar technologies may be used. Depending on the processing, access from third countries cannot be ruled out; any transfers to third countries will only be made in compliance with Art. 44 ff. GDPR.

The legal basis is your consent in accordance with Art. 6 (1) (a) GDPR in conjunction with § 25 (1) TDDDG. You can revoke your consent at any time via the cookie settings.

Detailed information about the specific cookies or similar technologies used, in particular their name, provider, purpose, duration, and category, can be found at any time in our cookie management system and in the cookie statement available there.

Google Search Console (search performance)

We use Google Search Console to monitor and improve the technical performance and findability of our website in Google searches (e.g., indexing status, crawling and display errors, search queries, and click data in aggregated form). The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Search Console is an administrative analysis tool; typically, no additional analysis cookies are set on your device unless other Google functions are actively integrated into the website.

The legal basis is Art. 6 (1) lit. f GDPR. Our legitimate interest lies in technical error diagnosis, security and stability, and optimizing the findability and display of our website.

Google Fonts ( local )

We use fonts ("Google Fonts") on our website to display content in a uniform, easily readable, and user-friendly manner. The provider of "Google Fonts" is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; for the European region, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. However, we integrate the fonts locally, which means that the required font files are delivered from our own servers.

When you visit our website, your browser loads the required font files and usually stores them in the browser cache to enable faster display when you visit other pages.

In doing so, we process technical information that is necessary for retrieval, such as IP address, date/time of retrieval, file accessed (font file), amount of data transferred, and browser and device information, typically in the context of server log files. This processing serves exclusively to display the website and to deliver the content in a stable and secure manner; tracking or profiling solely via the local font provision does not take place.

The legal basis for the local provision and delivery of font files is Art. 6 (1) lit. f GDPR. Our legitimate interest lies in the consistent, barrier-free, and high-performance display of our website, as well as in data-efficient implementation, since local integration means that your IP address is not transmitted to Google for the sole purpose of font delivery.

Detailed information on the specific technologies used, in particular the name, provider, purpose, duration, and category, can be found at any time in our cookie management system and in the cookie declaration available there.

Landing pages, forms, and QR code collection for campaigns and seminars

We use landing pages in the context of campaigns, events, or seminars, among other things. You can enter data via forms or QR code registrations (typically name, email address, company, position, interests; optionally telephone number or other details).

We process this data to process registrations, provide content/information, organize participation, follow up on seminars, and, if necessary, contact you afterwards.

If further promotional contact is required (e.g., invitations to follow-up events, sending information), this will only take place within the framework of the legal basis provided for this purpose, in particular your consent.

The legal basis is Art. 6 (1) (b) GDPR (registration/request) and/or your consent pursuant to Art. 6 (1) (a) GDPR, in particular for further contact and marketing measures. If additional tools are used for specific campaigns, these will only be loaded after you have given your consent, if consent is required, and will be made transparent in the cookie settings.

If additional cookies or similar technologies are used in the context of landing pages/forms, you can find detailed information on the specific cookies or similar technologies used (in particular name, provider, purpose, storage period/duration, and category) at any time in our cookie management (Cookiebot) and in the cookie declaration available there.

Contacting us by email or phone

If you contact us by email or telephone, we will process the data you provide, such as your name, contact details, the content of your enquiry and, if applicable, further information resulting from the conversation or your message, in order to process your request, clarify any queries and communicate with you.

Depending on the content, this may also serve to initiate or execute a mandate. We only store communication content for as long as is necessary for processing and then delete it, unless there are legal retention obligations or the need to assert, exercise, or defend legal claims.

The legal basis is Art. 6 (1) (b) GDPR insofar as it concerns pre-contractual measures or contract implementation, otherwise Art. 6 (1) (f) GDPR. Our legitimate interest lies in the efficient processing and response to general inquiries, the documentation of communication, and the prevention of abuse/spam.

CRM Nimble

We use the CRM system "Nimble" to manage contacts/prospects and to document communication. The provider is Nimble, Inc., 3122 Santa Monica Blvd., Suite 302, Santa Monica, CA 90404, USA. In the CRM, we process in particular contact data (name, company, position, email, telephone number), communication content, and notes and assignments, such as the origin of the contact, event reference, and interests, insofar as this is necessary for processing inquiries, organizing our contacts, and following up on campaigns/seminars.

The legal basis is Art. 6 (1) lit. b GDPR, the initiation or execution of contracts and/or Art. 6 (1) lit. f GDPR, our legitimate interest, and, if applicable, Art. 6 (1) lit. a GDPR, your consent.

Our legitimate interest lies in the structured, traceable management of contacts and communication, efficient internal organization, and quality assurance and documentation of inquiries.

Transfers to third countries may occur, but these will only take place in compliance with Art. 44 ff. GDPR.

Newsletter (Brevo)

For the dispatch and administration of the newsletter, we use the Brevo service provided by Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany, as a processor within the meaning of Art. 28 GDPR. Accordingly, a data processing agreement is in place.

For the newsletter, we process in particular your email address and, if provided, your name. To document consent (double opt-in proof), we also process verification data such as the time of registration and confirmation, as well as technical log data, if necessary, in order to be able to prove consent in a legally secure manner.

According to the provider, Brevo processes and stores data on servers within the European Union. Brevo may use sub-processors. If personal data is transferred to third countries in this context, this is only done in compliance with the provisions of Art. 44 ff. GDPR, in particular using appropriate safeguards such as EU standard contractual clauses.

If we use reach measurement/success evaluation in the context of sending newsletters, Brevo may record opening and click rates (e.g., via tracking pixels and link tracking) in order to evaluate the use of the newsletter and optimize content.

The legal basis for sending the newsletter is your consent in accordance with Art. 6 (1) (a) GDPR; insofar as comparable technologies are used for reach measurement that require consent in accordance with § 25 (1) TDDDG, we additionally base this on this.

You can revoke your consent at any time with effect for the future, in particular via the unsubscribe link in each email. After unsubscribing, your data will be deleted or blocked from the newsletter distribution list, unless there are legal retention obligations to the contrary; we may retain evidence of consent within the statutory limitation periods for the purpose of legal defense.

Social networks

We maintain publicly accessible profiles on social networks to provide information about our law firm and to communicate with interested parties.

You will find links to our profiles on our website. These are purely hyperlinks. Only when you click on a link will you be redirected to the respective platform, at which point the respective provider will process personal data on its own responsibility.

If the platform providers provide us with aggregated statistics ("insights") in connection with our profiles, joint responsibility may exist for this in accordance with Art. 26 GDPR. We typically only receive aggregated statistical information and have only limited influence on the data processing of the platform providers.

We process personal data when you interact with us via the platform in order to respond to your request or communicate with you. Depending on the context, the legal basis is Art. 6 (1) (b) GDPR or Art. 6 (1) (f) GDPR, our legitimate interest in providing up-to-date information to interested parties and communicating effectively with them.

We operate a company profile on the LinkedIn social network. The provider for users in Europe is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

When you visit our LinkedIn profile or interact with us there, LinkedIn processes personal data on its own responsibility. LinkedIn may use this data for purposes including providing the network, security, analysis, and personalized content/advertising.

LinkedIn typically provides page operators with statistical evaluations ("Page Insights"). Insofar as this concerns personal data and LinkedIn determines the purposes and means together with page operators, joint responsibility may exist in accordance with Art. 26 GDPR. We usually only receive aggregated statistics and do not have access to the underlying raw data processing by LinkedIn.

We process the data you provide to us via LinkedIn (e.g., message content, comments, reactions, and, if applicable, profile information, insofar as visible) in order to communicate with you and respond to inquiries. The legal basis for this is Art. 6 (1) (b) GDPR for contract negotiations or contract conclusion, or Art. 6 (1) (f) GDPR, our legitimate interest in effective communication and in the external presentation of our law firm.

Further information on data processing by LinkedIn, cookies, and joint responsibility can be found here:

Privacy policy: www.linkedin.com/legal/privacy-policy
Cookie policy: www.linkedin.com/legal/cookie_policy
Page Insights / Joint Controller Information: legal.linkedin.com/pages-joint-controller-addendum

Instagram

We operate a profile on Instagram. The provider for users in Europe is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.

When you visit our Instagram profile or interact with us there, Meta processes personal data on its own responsibility. Meta may use this data for purposes including providing the platform, security, analysis, and personalized content and advertising.

Meta typically provides page operators with statistical evaluations ("Insights"). Insofar as this concerns personal data and Instagram determines the purposes and means together with page operators, joint responsibility may exist in accordance with Art. 26 GDPR. We typically only receive aggregated statistics and do not have access to Meta's underlying raw data processing.

We process data that you provide to us via Instagram (e.g., messages, comments, reactions, and, if applicable, profile information, if visible) in order to communicate with you and respond to inquiries. The legal basis for this is Article 6(1)(b) GDPR for contract negotiations or contract conclusion, or Article 6(1)(f) GDPR, our legitimate interest in effective communication and in the external presentation of our law firm.

Further information on data processing by Instagram/Meta, cookies, and joint responsibility can be found here:

Instagram Data Policy (Meta): help.instagram.com/155833707900388
Meta Privacy Policy: privacycenter.instagram.com/policy/
Cookie information (Meta): www.facebook.com/policies/cookies/
Information on Insights/joint responsibility (Meta): www.facebook.com/legal/terms/page_controller_addendum

Applications by email

If you send us an application by email, we will process the personal data you provide exclusively for the purpose of conducting the application process and assessing your suitability for the position in question.

The primary legal basis for this processing is Art. 6 (1) (b) GDPR for the initiation of a contractual relationship. If your application contains special categories of personal data, such as information on severe disability, we also base the processing on Art. 9 (2) (b) GDPR.

Your data will be treated as strictly confidential within our company and will only be made available to those persons who are directly involved in the selection process.

In the event of rejection, we will delete your data six months after completion of the application process. This storage is based on Art. 6 (1) (f) GDPR to protect our legitimate interest in providing evidence in the event of claims under the General Equal Treatment Act (AGG). Any further storage, for example for inclusion in a talent pool, will only take place if you have given us your express consent in accordance with Art. 6 (1) (a) GDPR.

If your application leads to employment, the data you have provided will be transferred to our human resources department for the purpose of implementing and processing the employment relationship and will be integrated into your personnel file. The legal basis for this further processing is Art. 6 (1) lit. b GDPR, fulfillment of the employment relationship, as well as Art. 6 (1) (c) GDPR for the fulfillment of legal obligations, such as the payment of social security contributions and taxes. In this case, your data will be stored for the duration of your employment and deleted after its termination in accordance with the statutory retention periods.

Rights of data subjects

If we process your data, you have extensive rights as a data subject. You can assert these rights against us at any time. The necessary contact details can be found at the beginning of our privacy policy.

Revocation of consent

If you have given us your consent to process your data, you can revoke your consent at any time with effect for the future in accordance with Art. 7 (3) sentence 1 GDPR. The legality of the data processing carried out until the revocation remains unaffected by the revocation. This also applies to consent in accordance with § 25 (1) TDDDG.

Right to information

You can obtain information about your data processed by us at any time within the scope of Art. 15 GDPR. In particular, you can request information about the purposes of processing, the categories of data processed, categories of possible recipients, and the planned storage period.

Right to rectification

If the data is incorrect, you are entitled to request the correction or completion of your data stored by us within the scope of Art. 16 GDPR.

Right to erasure

You can request the erasure of the data within the scope of Art. 17 GDPR if the storage of the data is no longer necessary and there is no other legal basis for the processing. You can also request erasure if you have objected to the processing and there are no overriding legitimate grounds for further processing of your data, if your data has been processed unlawfully, or if there is a legal obligation to erase it under European or national law.

Right to restriction of processing

Furthermore, under Article 18 of the GDPR, you have the right to restriction of processing if you contest the accuracy of the data for a period enabling the controller to verify the accuracy of the data. The same applies if the processing is unlawful but you oppose the erasure of the data or the purpose of the processing has been fulfilled but the data is still required for the assertion of your legal claims. Finally, if you have objected pursuant to Art. 21 GDPR and it is not yet clear whether the legitimate reasons of the controller outweigh your interests.

Right to data portability

Under Art. 20 GDPR, you have the right to receive the data concerning you in a commonly used, structured, and machine-readable format (data portability). In addition, under certain conditions, you can request that your data be transferred directly from one controller to another, provided that this is technically feasible.

Right to object

You have the right to object to the use of your data for the above-mentioned purposes at any time (Art. 21 GDPR). This is possible if the objection is directed against direct marketing or if there are reasons for this arising from your particular situation. In the case of an objection to direct marketing, you have a general right of objection, which we will implement without you having to specify a particular situation.

Right to lodge a complaint with the data protection supervisory authority

You have the right to lodge a complaint with a supervisory authority. A current list of supervisory authorities (for the non-public sector) with addresses can be found at:

www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

The supervisory authority responsible for data protection for us is:

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach

Phone: +49 981 180093-0
Email poststelle@lda.bayern.de
Website: lda.bayern.de

Changes to this privacy policy

We reserve the right to amend this privacy policy if the legal situation, website functions, or services used change.