Legal

Privacy Policy

Last updated: May 14, 2026

This Privacy Policy explains how ONDSU collects, uses, and shares personal data when you use ondsu.com, quiz.ondsu.com, or any related service. ONDSU is a brand of Central Space ISM GmbH, a German limited liability company.

Diese Datenschutzerklärung ist auch auf Deutsch verfügbar: /datenschutz. This policy is also available in German.

1. Who we are

The controller for the personal data covered by this policy is:

Central Space ISM GmbH
Zur Alten Börse 41
12681 Berlin
Germany

Email: mail@centralspaceism.com
Commercial register: Amtsgericht Charlottenburg, HRB 250472 B
VAT ID: DE359600969

Full company details are on our Impressum. We are not legally required to appoint a Data Protection Officer under Art. 37 GDPR or §38 BDSG. For privacy questions, contact us at the email above.

2. Scope

This policy covers ondsu.com (the brand site, hosted on Webflow), quiz.ondsu.com (the Acoustic Score assessment, hosted on Vercel), and any communication that follows from those interactions (emails, scheduled consultations).

3. What personal data we collect

We collect different categories of data depending on how you interact with us.

When you visit the site

IP address (collected by our hosting providers in server logs). Browser and device metadata (user agent, screen size, referrer). Page views and interaction events (only if you accept analytics cookies). A cross-domain visitor identifier (ondsu_vid, only set after analytics consent).

When you take the Acoustic Score quiz

First name, email address (required to receive the report). City and country. Company name (optional). Your answers to the quiz (space type, room dimensions, materials, symptoms, role, treatment status). Your computed score, score band, and report reference. The visitor identifier passed from ondsu.com (only if analytics consent was granted). A timestamp of your submission.

When you book a consultation

Name, email, and any optional intake answers. The time you scheduled. Provided directly to Calendly; we receive a copy via Calendly’s interface.

When you sign up for emails

Email address. Any tags or preferences attached to your contact record. A record of whether and when you consented to marketing.

What we do not collect

We do not collect special categories of personal data (health, race, religion, etc.). We do not collect children’s data. We do not run third-party advertising trackers beyond Google Analytics.

4. Why we use your data and on what legal basis

Each processing activity has a documented lawful basis under Art. 6 GDPR.

Delivering the Acoustic Score report to your email

Art. 6 (1) (b) GDPR, performance of a service you requested.

Computing your score and generating the report PDF

Art. 6 (1) (b) GDPR.

Sending follow-up emails about your room and our services

Art. 6 (1) (f) GDPR, legitimate interest in commercial follow-up. UWG § 7 (3) soft opt-in conditions are met. You can opt out at any time.

Running analytics to understand how the site performs

Art. 6 (1) (a) GDPR, your consent (via the cookie banner).

Booking and managing consultations

Art. 6 (1) (b) GDPR.

Securing our systems and detecting abuse

Art. 6 (1) (f) GDPR, legitimate interest.

Meeting tax, accounting, and other legal obligations

Art. 6 (1) (c) GDPR.

5. Cookies and similar technologies

We use cookies and similar storage on ondsu.com and quiz.ondsu.com. Non-essential cookies (analytics and marketing) only run after you grant consent through the cookie banner. You can change your choice at any time using the “Cookie settings” link in the footer.

The full list of cookies, their providers, and their durations is in our Cookie Notice.

6. Who we share your data with

We share data with the service providers (processors) we need to operate. Each processor acts under a written data processing agreement that meets Art. 28 GDPR. We do not sell personal data.

Webflow Inc.

Hosting ondsu.com. United States.

Vercel Inc.

Hosting the quiz at quiz.ondsu.com. United States.

Supabase Inc.

Database and backend functions for the quiz. Frankfurt, Germany (EU). The company is US-based but our database is hosted in the EU.

Google LLC (Google Analytics 4)

Site and quiz analytics. United States.

Omnisend Ltd.

Email automation and customer record management. United Kingdom and EU (Lithuania).

Calendly LLC

Booking system for consultations. United States.

Resend Inc.

Delivery of transactional emails (your Acoustic Score report). United States.

PDFShift SAS

Converting your report from HTML to PDF. France (EU).

ipapi.co

Approximate geolocation from IP address (for analytics country breakdowns). United Kingdom.

We may also share data when required by law, when needed to protect our rights, or as part of a corporate transaction (sale, merger, acquisition). We will let users know if a transaction would change how their data is handled.

7. International data transfers

Most personal data we hold stays in the European Union. Our database (Supabase, Frankfurt) and our PDF generation (PDFShift, France) both process within the EEA.

Where data does cross EU borders, we rely on the following safeguards:

Transfers to the United States

For Webflow, Vercel, Google (GA4), Calendly, and Resend, we rely on the EU-US Data Privacy Framework. Each of these processors is an active participant under the framework. For Supabase Inc., which is a US company but stores our data in Frankfurt, US staff access for support is covered by the European Commission’s Standard Contractual Clauses (2021 version), incorporated into the Supabase Data Processing Addendum dated 17 March 2026.

Transfers to the United Kingdom

For Omnisend and ipapi.co, we rely on the European Commission’s adequacy decision for the UK.

You can request a copy of the safeguards in place for any transfer by emailing mail@centralspaceism.com.

8. How long we keep your data

We keep personal data only as long as it serves the purpose we collected it for, plus any required legal retention.

Quiz submissions (name, email, score, answers)

36 months from your last interaction with us.

Visitor identifier cookie (ondsu_vid)

365 days from the day it is set.

Google Analytics event data

14 months (the GA4 retention default we use).

Server access logs

30 days.

Page view records in our database

24 months.

Email contact records in Omnisend

Until you ask to be removed, or after 24 months of inactivity.

Consultation booking records

For the lifetime of the consultation relationship, then deleted on request.

Accounting records (e.g., invoices)

10 years, as required by § 147 AO (German Fiscal Code).

You can ask us to delete your data sooner. See section 9.

9. Your rights

Under GDPR you have the following rights regarding your personal data:

Access (Art. 15). A copy of the data we hold about you.

Rectification (Art. 16). Correction of inaccurate data.

Erasure (Art. 17). Deletion, unless we are required to keep the data.

Restriction (Art. 18). Limiting how we process your data.

Data portability (Art. 20). A copy of your data in a structured, commonly used format.

Objection (Art. 21). To processing based on legitimate interest, including marketing.

Withdraw consent (Art. 7 (3)). At any time, without affecting the lawfulness of processing before withdrawal.

Not be subject to automated decisions (Art. 22). We do not make decisions about you solely by automated means with legal effect.

How to exercise your rights

Email mail@centralspaceism.com. We respond within 30 days of receiving a verified request. We may extend this by up to 60 additional days for complex requests and will tell you if we do. We may ask you to confirm your identity using reasonable measures (e.g., reply from the email address you originally used). We do not charge a fee unless a request is manifestly unfounded or excessive.

10. Complaints

You can lodge a complaint with your local data protection supervisory authority. For ONDSU’s Berlin location, that is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61, 10555 Berlin
Telephone: +49 30 13889-0
Email: mailbox@datenschutz-berlin.de
Web: datenschutz-berlin.de

If you live in another EU country, you may also complain to your local authority.

11. Security

We use technical and organisational measures appropriate to the data we handle. This includes encryption in transit (TLS) for the website and quiz, access controls on our database, and processor agreements that require comparable measures. No system is perfect; we keep our practices under review.

If we become aware of a personal data breach that poses a risk to you, we notify the supervisory authority within 72 hours under Art. 33 GDPR and inform affected users without undue delay under Art. 34 where required.

12. Children

ONDSU is a business-to-business service. We do not intend to collect data from children under 16. If you believe a child has provided us with personal data, contact us at mail@centralspaceism.com and we will remove it.

13. Changes to this policy

We may update this Privacy Policy when our practices change or when the law requires us to. We post the revised version on this page and update the “Last updated” date at the top. For material changes, we will notify users by email where reasonable.

14. Contact

Questions about this policy or about your data:

Central Space ISM GmbH
Zur Alten Börse 41
12681 Berlin
Germany

mail@centralspaceism.com