Privacy Policy

Last updated: 28 May, 2026

1. Introduction

Protecting personal data is important to us. This Privacy Policy explains how Drapalski Consulting LLC collects, uses, stores, transfers, and protects personal data when you visit this website or otherwise interact with us.

This policy is provided in accordance with:
Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR)
Applicable German and European data protection requirements
By using this website, you acknowledge that you have read and understood this Privacy Policy.

2. International Applicability and Governing Privacy Frameworks

This website is operated on a cross-border basis by Drapalski Consulting LLC, with operational management and website administration conducted from Germany. German and EU data protection law applies where relevant to website operations and personal data processing. Depending on the relationship and service scope, additional U.S. legal context may also apply.

Applicable privacy obligations may vary depending on the location of the individual, the nature of the services provided, and the relevant legal jurisdiction.

Information provided through this website is intended for general informational purposes only and does not constitute legal, tax, regulatory, or other professional advice. Individuals should seek qualified professional advice appropriate to their specific circumstances.

3. Data Controller (Responsible Party)

Drapalski Consulting LLC
Data Controller and Primary Privacy Contact
Ross A. Drapalski
Gütersloh, Germany

US Mailing Address:
2232 Dell Range Blvd, Suite 303 #1067
Cheyenne, WY 82009
United States

Email: compliance@drapal.ski
Phone: +49 151 684 683 71
Phone: +1 307 317 3034

Website: www.drapal.ski

If you have questions regarding data protection, you may contact us using the details above.

4. Categories of Personal Data Collected

4.1 Data You Provide Directly

We collect personal data when you voluntarily provide it to us, including:
First and last name
Email address
Phone number (optional)
Company name and role (optional)
Message content
Files or documents you submit
Email address used to:
Download resources (guides, templates, etc.)
Subscribe to newsletters or marketing communications

4.2 Data Collected Automatically

When you visit our website, we may automatically collect:
IP address
Browser type and device information
Pages visited and duration
Interaction data (clicks, scrolling)
Referring URLs
This data is used for security, analytics, and website optimization.

4.3 Comments

If you leave comments on the website, we collect:
Information entered into the comment form
IP address (for spam prevention and security)

5. Purposes and Legal Bases of Processing

We process personal data only where permitted under Article 6 GDPR.

5.1 Consent (Art. 6(1)(a) GDPR)

We rely on your consent when processing data for:
Newsletter subscriptions
Marketing communications
Downloadable resources with follow-up emails
Cookies and analytics where legally required
You may withdraw consent at any time by:
Clicking the “unsubscribe” link, or
Contacting us directly

5.2 Legitimate Interests (Art. 6(1)(f) GDPR)

We process data based on legitimate interests to:
Respond to inquiries
Improve website functionality and content
Ensure website security
Prevent misuse or fraud
We balance our interests against your rights and freedoms.

5.3 Contractual Necessity (Art. 6(1)(b) GDPR)

We process personal data where necessary to:
Provide consulting services
Prepare and perform contracts
Manage client relationships

5.4 Legal Obligations (Art. 6(1)(c) GDPR)

Certain data is processed to comply with:
Tax and accounting laws
Regulatory retention obligations

6. How We Use Personal Data

We use personal data to:
Respond to inquiries
Deliver consulting services
Provide requested resources
Improve website performance
Communicate with clients and prospects
Send newsletters and marketing communications (with consent)
Maintain internal records
Fulfill legal obligations
We do not sell or rent personal data or personal information. We also do not sell or share personal information as those terms are defined under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

7. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to:
Improve functionality and performance
Analyze traffic and usage
Store user preferences
Protect against misuse
You can manage cookies through your browser settings.
Where legally required, non-essential cookies are used only with your consent.

Cookies and similar technologies used on this website may include:

Essential cookies required for website functionality and security
Analytics cookies used to understand website traffic and usage patterns
Functional cookies used to store preferences and improve user experience
Marketing or third-party cookies associated with embedded content or external platforms, where applicable

Where legally required, non-essential cookies are used only after obtaining your consent through a consent management mechanism or cookie banner.

8. Embedded and Third-Party Content

This website may contain embedded or integrated third-party content and services (e.g., videos, forms, scheduling tools, articles, or social media integrations).
Embedded content behaves as if you visited the third-party website directly and may collect data in accordance with that provider’s privacy policy.
We do not control third-party data practices.

9. Data Sharing and Processors

We may share personal data with trusted service providers and professional partners involved in operating our business and delivering services, including:

Web hosting and security providers
Email and communication services
Analytics providers, CRM, scheduling, and workflow management providers
Legal and accounting professionals
All processors are contractually obligated to:
Process data only on our instructions
Implement appropriate security measures

Where required under applicable law, Drapalski Consulting LLC enters into appropriate data processing agreements or contractual safeguards with service providers processing personal data on its behalf.

10. International Data Transfers

Personal data may be processed in the EU/EEA, the United States, or other jurisdictions involved in the operation of the website, communication systems, or service delivery.

Where required under applicable law, international transfers rely on recognized transfer mechanisms, including adequacy decisions, Standard Contractual Clauses (SCCs), or other lawful safeguards.

11. Data Retention Periods

We retain personal data only as long as necessary:

Data Type	Retention Period
Comments	Retained only as long as reasonably necessary for operational, legal, or security purposes
Contact inquiries	Up to 24 months
Newsletter data	Until withdrawal of consent
Client records	6–10 years (legal obligation)
Analytics data	Anonymized or deleted within 26 months

12. International Privacy Rights

Depending on your jurisdiction and applicable privacy laws, you may have specific rights regarding the collection, processing, and use of your personal information.
Drapalski Consulting LLC seeks to apply consistent privacy standards globally while complying with applicable regional legal requirements.

12.1. European Economic Area (EEA), United Kingdom, and Switzerland

Individuals located in the European Economic Area (EEA), United Kingdom, or Switzerland may have rights under applicable data protection laws, including the GDPR and related national legislation.

Right of access (Art. 15 GDPR): obtain confirmation whether we process your data and access to that data.
Right to rectification (Art. 16 GDPR): request correction of inaccurate or incomplete data.
Right to erasure (Art. 17 GDPR): request deletion of your data, where legally applicable.
Right to restriction (Art. 18 GDPR): request limitation of processing under certain circumstances.
Right to data portability (Art. 20 GDPR): receive your data in a structured, commonly used format and transmit it to another controller, where applicable.
Right to object (Art. 21 GDPR): object to processing based on legitimate interests; you may object to direct marketing at any time.
Right to withdraw consent (Art. 7(3) GDPR): withdraw consent at any time with effect for the future; withdrawal does not affect the lawfulness of processing prior to withdrawal.
Rights related to automated decision-making (Art. 22 GDPR): where applicable, not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. As of the effective date of this Privacy Policy, Drapalski Consulting LLC does not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals.

To exercise your rights, please contact us at: compliance@drapal.ski
We may request additional information to verify your identity before fulfilling a request. We will respond within the statutory timeframe (generally within one month, unless an extension is permitted under the GDPR).
You also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement (Art. 77 GDPR). In Germany, you may contact the competent data protection authority for your federal state.

12.2. United States Privacy Rights

Residents of certain U.S. states may have additional privacy rights under applicable state privacy laws. Drapalski Consulting LLC will make reasonable efforts to honor applicable rights requests where legally required.

12.2.1 California Residents (CCPA/CPRA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), including:

The right to know what categories of personal information we collect and how it is used
The right to request deletion of personal information, subject to applicable legal exceptions
The right to request correction of inaccurate personal information
The right to limit the use of sensitive personal information, where applicable
The right to opt out of the sale or sharing of personal information
The right not to receive discriminatory treatment for exercising privacy rights

Drapalski Consulting LLC does not sell or share personal information for cross-context behavioral advertising purposes.

We process personal information only for legitimate business, contractual, legal, and operational purposes consistent with this Privacy Policy.

California residents may exercise applicable privacy rights by contacting:

compliance@drapal.ski

We may take reasonable steps to verify your identity before responding to a request.

12.3 Other Jurisdictions

Individuals located outside the jurisdictions specifically referenced above may also have rights under applicable local privacy or data protection laws.
Drapalski Consulting LLC will make reasonable efforts to respond to verified privacy-related requests in accordance with applicable legal obligations and operational requirements.

12.3.1 Cross-Border Individuals and Multiple Jurisdiction Rights

Certain individuals may be subject to the privacy, data protection, financial reporting, or regulatory frameworks of multiple jurisdictions simultaneously, including dual citizens, dual residents, expatriates, or internationally mobile individuals.

Where applicable, Drapalski Consulting LLC seeks to handle personal data in a manner reasonably consistent with overlapping legal and regulatory obligations. The applicability and scope of specific privacy rights may depend on factors including residency, citizenship, location, service relationship, and governing law.

Nothing in this Privacy Policy is intended to limit rights that may apply under mandatory local privacy or data protection laws.

13. Children’s Data

Our website is not intended for individuals under the age of 16.
We do not knowingly collect personal data from children.

14. Data Security

We implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, or misuse.
While we implement appropriate safeguards, no method of internet transmission or electronic storage is completely secure.

15. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy to reflect legal or operational changes.
The latest version will always be available on this page.

16. Language

The primary language of this Privacy Policy is English.
If this Privacy Policy is provided in additional languages for convenience, the English version shall prevail in the event of any discrepancies, inconsistencies, or differing interpretations.

17. Social Media Presence

Drapalski Consulting may maintain publicly accessible profiles on social media platforms (e.g., LinkedIn or similar professional networks).
When you interact with our social media profiles (e.g., by following, commenting, sharing, or sending messages), personal data may be processed by the respective platform and by us.
The processing of personal data on social media platforms is governed primarily by the privacy policies and terms of service of the respective platform operators. We do not have full control over data processing carried out by those platforms.
We process personal data obtained through social media interactions solely for the purpose of:

Managing and maintaining our professional presence
Communicating with users and responding to inquiries
Providing information about our services, activities, or content
The legal basis for this processing is our legitimate interest pursuant to Art. 6(1)(f) GDPR, unless another legal basis applies.
Users are advised that any personal data shared publicly on social media platforms may be visible to other users. We recommend reviewing the privacy settings and data protection information of the respective platform.
We reserve the right to remove content from our social media pages that:
Violates applicable laws or regulations
Infringes third-party rights
Is offensive, misleading, or inappropriate
Violates principles of good faith or professional conduct

If you contact us via social media and share personal data, we are not responsible for the security measures implemented by the respective platform provider.