1. Responsible Entity
RUF Automobile GmbH
Mindelheimer Str. 21
87772 Pfaffenhausen
Tel: +49 8265-911 911
Email: info(at)ruf-automobile.de
Web: www.ruf-automobile.de
Managing Directors: Alois Ruf, Estonia Ruf
Should you have any questions or suggestions regarding data protection, please feel free to contact us. You can reach our external data protection officer as follows:
Klaus Gattinger
(External Data Protection Officer)
klaus.gattinger(at)DSGVO-fuer-coaches.de
Furthermore, you are welcome to contact our internal data protection coordinator. You can reach them as follows:
Moritz Gruber
Mindelheimer Str. 21
87772 Pfaffenhausen
Email: datenschutz(at)ruf-automobile.de
2. General information on data processing
2.1 Scope
This privacy policy informs users about the nature, scope, and purposes of the processing of personal data within our website and related services. Personal data is any information relating to an identified or identifiable natural person.
2.2 Legal basis
We process personal data exclusively on the basis of legal permission provisions, in particular:
Article 6 paragraph 1 letter a GDPR (consent)
Article 6 paragraph 1 letter b GDPR (performance of a contract, pre-contractual measures)
Article 6 paragraph 1 letter c GDPR (fulfillment of legal obligations)
Article 6 paragraph 1 letter f GDPR (protection of legitimate interests, insofar as these override the interests of the data subject)
2.3 Deletion and storage period
Personal data will be deleted or anonymized as soon as the purpose for which it was stored no longer applies. This applies in particular when processing is no longer necessary or when statutory retention obligations expire. Statutory retention periods (e.g., under the German Commercial Code (HGB), the German Fiscal Code (AO), or the German Value Added Tax Act (UStG)) remain unaffected.
2.4 Data security
We implement technical and organizational security measures to protect personal data against accidental or intentional manipulation, loss, destruction, or unauthorized access. These include:
• SSL/TLS encryption of all data transmissions
• Access controls and regular security updates
• Pseudonymization and encryption of sensitive data
3. Provision of the website and server log files
3.1 Automatic recording of log data
Each time our website is accessed, technical data from the accessing system is automatically stored. These server log files contain:
| category | Example data |
| IP address (truncated) | 192.168.1.xxx |
| Date and time | 27.01.2026 13:50 CET |
| Pages/URLs visited | /product/abc |
| Referrer URL | google.de/search |
| User-Agent (Browser/OS) | Chrome 120 / Windows 11 |
| Device information | Screen resolution, language |
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in technical security and functionality).
Storage period: 7 days, then automated deletion.
Purpose: Ensuring stable operation, detecting attacks (DDoS, brute force), optimization
4. Cookies and similar technologies
4.1 Types of cookies
We distinguish between:
• Technically necessary cookies (always active): shopping cart, login sessions, security functions
• Performance/analytics cookies (opt-in): Usage statistics
• Marketing cookies (opt-in): Personalized advertising
4.2 Cookie banner and consent management
Opt-in principle: Non-essential cookies are only set after the user has given their explicit, active consent (§ 25 para. 1 TTDSG in conjunction with Art. 6 para. 1 lit. a GDPR).
Consent is granular (categories can be selected individually) and can be revoked at any time.
Technology: [Consent management platform, e.g., Complianz or Real Cookie Banner]
Processing: Storing the consent decision in a technically necessary cookie (e.g. cmplz_user_preferences).
Legal basis: Art. 6 para. 1 lit. c/f GDPR (legal obligation, proof of consent pursuant to Art. 7 para. 1 GDPR).
Overview of active cookies:
| name | Provider | Purpose | Length of time |
| cookieconsent_status | Consentmo | Consent management | 12 months |
| _ga | Analytics | 14 months |
5. Google Analytics (GA4) – Detailed description
5.1 Provider and contact details
Google Ireland Limited
Gordon House, Barrow Street
Dublin 4, Ireland
Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
5.2 Functionality
Google Analytics (version 4) collects pseudonymized usage data to analyze website behavior:
• Page views and events (clicks, scrolls)
• Time spent on site, bounce rate
• Device type, operating system, screen size
• Sources (direct, organic, paid)
IP anonymization: Enabled (_anonymizeIP). The last octet of the IP address is truncated within the EU before being transmitted.
5.3 Technologies Used
| Identifier | type | Purpose | Length of time |
| _ga | First Party Cookie | Session ID | 24 months |
| _gid | First Party Cookie | Session data | 24 hours |
| _gat | First Party Cookie | Rate Limiting | 1 minute |
| ga_* | Local Storage | Client ID | Persistent |
5.4 Legal basis and consent
Opt-in: Google Analytics is only activated after explicit consent in the cookie banner.
Legal basis: Art. 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TTDSG.
Revocation: Possible at any time via cookie settings or browser settings.
5.5 International Data Transfer
Pseudonymized data will be transmitted to Google servers in the USA. Basis:
1. EU Standard Contractual Clauses (Art. 46 para. 2 lit. c GDPR)
2. Additional guarantees provided by Google (Data Processing Terms)
3. Consent to transfer to third countries (Art. 49 para. 1 lit. a GDPR)
5.6 Data Processing Agreement
A data processing agreement (DPA) exists with Google in accordance with Art. 28 GDPR, including audit rights.
5.7 Objection and opt-out options
• Cookie banner settings
• Google Analytics opt-out browser add-on
• Browser cookie blocking
• Do-Not-Track signal (supported)
6. YouTube videos (iframe embedding)
We embed videos from the "YouTube" platform, provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), on our website. The videos serve to present our content in a clear and entertaining way.
Important note: The embedding uses a two-click process (opt-in principle). When the page is first loaded, no YouTube player is loaded, and therefore no personal data is transferred to Google. Only when you actively click the play button will the video be loaded from YouTube. This requires your explicit consent (Art. 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TTDSG).
Data processed (after clicking Play)
When you activate the video, your browser sends the following information to YouTube/Google:
• IP address (full, not anonymized)
• Device and browser information (user agent, screen resolution)
• Referrer URL (the page from which the video is accessed)
• Video viewed and interaction data (play, pause, playback duration)
• Cookies (_youtube.com, yt.intern, etc.) for session tracking and personalization
• Possibly YouTube account data, if logged in
Legal basis
• Art. 6 para. 1 lit. a GDPR: Your voluntary consent by clicking on “Load video”.
• Section 25 Paragraph 1 TTDSG: Specifically for the setting of cookies.
You can withdraw your consent at any time by reloading the video (clearing your browser cache) or
You can deactivate the "External Media" category via our cookie banner.
International data transmission
Personal data will be transferred to Google servers in the USA (a third country).
Legal basis:
1. EU Standard Contractual Clauses (Art. 46 para. 2 lit. c GDPR)
2. Your explicit consent to the transfer of data to third countries (Art. 49 para. 1 lit. a GDPR)
Google has implemented additional protective measures (Google Ads Data Processing Terms).
YouTube Privacy Policy
Further information on data processing can be found in Google's privacy policy and the YouTube terms of service.
Data saving mode
We use privacy-enhanced mode, which means that IP addresses are only stored in pseudonymized form. However, Google may still be able to create a user profile under certain circumstances.
Storage duration of cookies
| Cookie name | Purpose | Length of time |
| YSC | Session tracking | Until the end of the session |
| PREF | Preferences | 8 months |
| VISITOR_INFO1_LIVE | Bandwidth | 6 months |
Options for objection
• Do not activate video (ignore the play button)
• Cookie settings in our banner
• Browser extensions such as uBlock Origin, Privacy Badger
• Google Account advertising settings
7. Use of Cloudflare (Content Delivery Network & Security Service)
We use services from the provider Cloudflare to improve the security and performance of our website (e.g., protection against DDoS attacks, delivery of
Content via worldwide servers).
Cloudflare can process the following data in particular:
• IP address
• accessed content
• technical browser and device information
• Log data on security events.
Cloudflare may also process data on servers outside the EU. So far, so good.
If a transfer to third countries takes place, it will be based on appropriate
Guarantees pursuant to Art. 44 et seq. GDPR (e.g. EU standard contractual clauses).
The legal basis is our legitimate interest in a safe and efficient
Provision of our website in accordance with Art. 6 para. 1 lit. f GDPR.
We have a data processing agreement with Cloudflare in accordance with Article 28 GDPR.
8. Online shop and payment processing (Shopify)
Our online shop is operated via the service provider Shopify. The provider is (depending on the contract/location): Shopify International Ltd. or another company in the Shopify group.
The following data is processed in particular when using the shop:
• Master data (name, address, contact details)
• Order details (ordered products, prices, delivery and billing address)
• Payment data (e.g., payment method, transaction ID; usually processed by external payment service providers)
• Communication data (e.g., email traffic relating to orders).
The processing serves the following purpose:
• the initiation and execution of purchase contracts (Art. 6 para. 1 lit. b GDPR)
• to comply with legal retention obligations (Art. 6 para. 1 lit. c GDPR)
• possibly our legitimate interest in asserting or defending legal claims (Art. 6 para. 1 lit. f GDPR).
Shopify also processes some data on servers outside the EU. Where third countries are involved, the transfer is based on appropriate safeguards pursuant to Articles 44 et seq. GDPR (e.g., EU Standard Contractual Clauses). A data processing agreement pursuant to Article 28 GDPR has been concluded with Shopify.
Depending on the chosen payment method, additional data processing may be carried out independently by payment service providers (e.g., credit card companies, PayPal, Klarna, etc.). The privacy policies of the respective providers apply in this case.
9. Contact forms and customer account
When you contact us via a contact form or create a customer account, we process the data you enter (e.g. name, email address, message, access data) to process your request or to provide the customer account.
Depending on the context, the legal basis is either Article 6(1)(b) GDPR (contractual/pre-contractual measures) or Article 6(1)(f) GDPR (legitimate interest in processing inquiries). If your consent is requested (e.g., when subscribing to a newsletter), Article 6(1)(a) GDPR applies.
10. Use of Google reCAPTCHA
On certain forms, we use the service "Google reCAPTCHA" to check whether entries are made by a natural person and to prevent misuse (e.g. spam, automated attacks).
The provider is Google LLC or an affiliated company. Google reCAPTCHA analyzes the behavior of website visitors based on various characteristics. The following data, among others, may be processed:
• IP address
• Mouse and keyboard input
• Length of stay
• Browser and device information
• possibly other cookies set by Google.
reCAPTCHA will only be integrated after you have consented to its use via our consent banner or directly on the form (Art. 6 para. 1 lit. a GDPR). Without your consent, reCAPTCHA will not load, and the corresponding form may not be usable or may only be usable to a limited extent. Data may be transferred to the USA or other third countries. The legal basis for this is your consent in conjunction with Art. 49 para. 1 lit. a GDPR. Further information on data processing can be found in Google's privacy policy.
11. Use of hCaptcha
As an alternative or supplement to Google reCAPTCHA, we use the "hCaptcha" service on certain forms to prevent spam and automated access. The provider is Intuition Machines, Inc., or an affiliated company. When using hCaptcha, similar data is processed as with reCAPTCHA, e.g.:
• IP address
• Mouse and keyboard input
• Information about browser and device
• possibly cookies and other technical identifiers.
hCaptcha will only be activated after your explicit consent (opt-in via our consent tool or directly on the form). The legal basis is Art. 6 para. 1 lit. a GDPR. Without consent, the form may not be usable or may only be usable to a limited extent.
Where data is transferred to third countries (e.g., the USA), this can be based on Article 49(1)(a) GDPR. Details regarding data processing can be found in the provider's privacy policy.
12. Contact forms and email contact
12.1 Processed Data
When using the contact form or email contact, we collect:
• Name (optional)
• Email address (required field)
• Phone number (optional)
• Subject and message
• IP address and timestamp (technical)
12.2 Legal basis
Article 6 paragraph 1 letter b GDPR (pre-contractual inquiries, contract initiation)
Article 6 paragraph 1 letter f GDPR (general inquiries, legitimate interest)
12.3 Storage duration
The request will be processed in full, plus 6 months for follow-up questions (statute of limitations protection), then deleted.
13. Rights of the data subject
You have the following rights with regard to your personal data:
| Right | Article GDPR | Description |
| Information | Article 15 | Access to stored data |
| Correction | Article 16 | Correction of erroneous data |
| deletion | Article 17 | "Right to be forgotten" |
| restriction | Article 18 | Temporary blocking of processing |
| Data portability | Article 20 | Received in machine-readable format |
| Contradiction | Article 21 | Against direct marketing, legitimate interest |
| Cancellation | Article 7, paragraph 3 | Anytime against consent |
Contact: Please contact us at the addresses listed above. Information is usually free of charge.
Right to lodge a complaint: You may lodge a complaint with the responsible state data protection commissioner, e.g.
Bavarian State Commissioner for Data Protection
Promenade 18, 91522 Ansbach
Email: poststelle@lda.bayern.de
14. Changes to the Privacy Policy
We reserve the right to update this privacy policy in the event of legal changes or to adapt our services. You can find the most current version on this page.