Privacy policy
Last updated: 17 July 2026
1. Controller
C&I Business 5.0 GmbH
Aachener Straße 37–39
50674 Cologne
Germany
Email: hello@smile-unlocked.com
2. Hosting, website delivery and server logs
The website is hosted on a server operated by us in an IONOS data centre in Berlin. IONOS provides the data-centre infrastructure. Connections between your browser and the website are TLS encrypted.
When you access the website, the server processes connection data required for delivery and security, in particular IP address, date and time, requested address, transferred data volume, HTTP status, referrer where supplied, browser and operating-system information. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest is the secure and reliable operation of the website.
Server logs are generally deleted after no more than seven days unless a security incident exceptionally requires longer retention for investigation or legal enforcement.
3. Campaign and landing-page statistics
Only where a URL contains campaign parameters such as utm_source, utm_medium or utm_campaign does the website send a counting signal to our own server. We store only the day, landing page, campaign labels and aggregated number of views.
The statistics use no cookies, local browser storage, visitor IDs or fingerprinting. IP address, referrer and user agent are not entered into the statistics table. The necessary server connection is covered by section 2. The purpose is to measure our marketing campaigns; the legal basis is Art. 6(1)(f) GDPR. Aggregated rows are deleted after 24 months.
4. Submissions, nominations and uploads
For a wish, nomination or idea we process first and last name, email address, age, country/location, optional social-media handle, story and submission type. For nominations, we also process the nominee’s name and relationship to the submitting person. Optional images or videos are stored with filename, type and size.
The purposes are receipt, assessment, editorial selection and possible preparation of a fulfilment. The legal bases are Art. 6(1)(b) GDPR for steps requested by the submitting person and Art. 6(1)(f) GDPR, based on our legitimate interest in operating and organising the format. Submission alone does not authorise publication or filming; those require separate arrangements and consents.
Do not include health data, religious beliefs, sexual orientation or other particularly sensitive information about another person unless that person has expressly agreed to its disclosure.
Unconfirmed submissions by 13–15-year-olds are deleted after 14 days. Submissions not selected, including uploads, are deleted no later than six months after receipt. Selected submissions are retained for preparation and fulfilment and thereafter only for as long as consents, agreements, statutory evidence or limitation periods require.
5. Information about nominated persons
Nominee data is obtained from the submitting person rather than from the nominee. Categories and purposes are set out in section 4. The legal basis is Art. 6(1)(f) GDPR, based on our interests in reviewing a nomination and making possible contact.
The nominated person receives the information required by Art. 14 GDPR no later than our first contact. We do not publish the information beforehand. Nominees may object to processing at any time.
6. Minors and parental confirmation
For submissions by 13–15-year-olds, we additionally process a parent or guardian’s email address, a one-time confirmation link and the confirmation time. Before any fulfilment, recording or publication involving a minor, we obtain separate written consents from the legal guardians and, according to maturity, from the minor.
7. Partner enquiries and other contact
For partner enquiries we process company, name, email and message. The legal basis is Art. 6(1)(b) GDPR for pre-contractual communication and otherwise Art. 6(1)(f) GDPR. Enquiries not followed by a contract are deleted no later than twelve months after receipt; statutory retention periods apply where a contract is concluded.
8. Email delivery
Confirmation and contact emails are sent through our SMTP mail server at mx1.blera.io. Recipient and sender addresses, subject, message content and technical delivery data are transmitted to that server and the recipient’s email provider. The legal basis depends on the relevant process described in sections 4, 6, 7 and 9.
9. Newsletter
For the newsletter we process email address, language, sign-up and confirmation times, and technical confirmation/unsubscribe tokens. Delivery starts only after confirmation through a double-opt-in link. The legal basis is your consent under Art. 6(1)(a) GDPR.
You may withdraw consent at any time using the unsubscribe link or by emailing us. Unconfirmed sign-ups are deleted after 14 days; confirmed data is deleted after unsubscribing unless a limited record is required to defend legal claims. The newsletter currently creates no individual open or click profiles.
10. Protection against automated submissions: Cloudflare Turnstile
The submission page uses Cloudflare Turnstile, provided by Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA, to detect automated and abusive form submissions. Cloudflare processes signals including IP address, TLS fingerprint, user agent, sitekey, origin and other browser signals.
The legal basis is Art. 6(1)(f) GDPR; our legitimate interest is protecting forms, systems and stored data. Where Turnstile stores or accesses information on a device for this security function, it is strictly necessary for the secure form service requested by the user under section 25(2)(2) TDDDG.
Cloudflare may process data in the United States and identifies the EU-US Data Privacy Framework and EU Standard Contractual Clauses as safeguards. See the Turnstile Privacy Addendum and Cloudflare Privacy Policy.
11. Security and administration data
To limit excessive form or login attempts, IP addresses are used only as cryptographic hashes in short-lived rate-limit files, deleted after no more than 24 hours. The protected admin area uses a technically necessary session cookie. The legal basis is Art. 6(1)(f) GDPR and, for the cookie, section 25(2)(2) TDDDG.
12. Recipients, international transfers and automated decisions
Access is limited to authorised internal staff and necessary data-centre, email and security providers. Partners receive personal data only where required and legally covered for a selected fulfilment. There is no solely automated decision-making or profiling; stories are selected by people.
13. Your rights
Subject to the GDPR, you have rights of access, rectification, erasure, restriction and data portability. You may object to processing based on legitimate interests for reasons arising from your situation and withdraw consent at any time for the future.
Contact hello@smile-unlocked.com. You may also complain to a supervisory authority, in particular the North Rhine-Westphalia Data Protection and Freedom of Information Commissioner, Kavalleriestraße 2–4, 40213 Düsseldorf, Germany.
14. External links and changes
Links to social networks and other external sites transfer data to those providers only after you click them. No social-media or YouTube content is currently embedded. We update this policy when functions, providers or the legal position change.