GRANSHAN

PRIVACY POLICY

This Privacy Policy explains how GRANSHAN Foundation e.V. collects and processes personal data when you visit and use our website at granshan.com (the "Website"). We take the protection of your personal data seriously and process it only in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the German Digital Services Data Protection Act (TDDDG).

Although GRANSHAN operates internationally, we are established in Germany and apply the European standard of data protection to all of our processing activities.

Last updated: 27 May 2026.

Our Website contains links to external websites. We are not responsible for the content of those third-party sites, nor do we have any influence over whether their operators comply with data protection law. Please review the privacy policies of any external sites you visit.

1. Controller

The controller responsible for the processing of personal data on this Website within the meaning of Art. 4(7) GDPR is:

GRANSHAN Foundation e.V.
Wittelsbacherstraße 11
80469 Munich, Germany
Registered at the District Court of Munich, VR 207172
VAT ID: DE312909284
Represented by the Executive Board (President: Boris Kochan)

Phone: +49 89 17860-0
Email: granshan@granshan.com

2. Data Protection Officer

We are not legally required to appoint a Data Protection Officer under Art. 37 GDPR or §38 BDSG, and we have not appointed one. For all questions regarding the processing of your personal data, and to exercise your rights, please contact us using the details above.

We process personal data only where a legal basis under Art. 6(1) GDPR applies. Depending on the processing activity, the relevant legal basis is:

  • your consent (Art. 6(1)(a) GDPR) — e.g. for the newsletter, analytics and third-party embeds;

  • the performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR) — e.g. competition entries and enquiries;

  • compliance with a legal obligation (Art. 6(1)(c) GDPR) — e.g. statutory retention periods;

  • our legitimate interests (Art. 6(1)(f) GDPR) — e.g. the secure and stable operation of the Website, provided your interests or fundamental rights do not override ours.

4. Data Collected When You Visit the Website

When you use the Website for purely informational purposes — that is, when you do not register or otherwise transmit information to us — your browser automatically sends certain data to our server. We store this data temporarily in server log files for technical reasons, in particular to deliver the Website to you and to ensure its stability and security. The legal basis is our legitimate interest under Art. 6(1)(f) GDPR. This data includes:

  • the page accessed and the HTTP status code

  • the date and time of the request

  • the amount of data transferred

  • the referring URL (where you came from)

  • your browser type and version

  • your operating system

  • your IP address (truncated / anonymised)

  • the language and version of the browser software

These log files are stored only for a limited period and are then deleted. We do not combine this data with other sources or use it to identify you.

5. Hosting and Storage

Our Website is hosted on managed server infrastructure located within the European Union (Germany). Server management is provided by Ploi (Ploi.io, Netherlands). Files that you upload through our forms (for example profile pictures or images) are stored using Amazon Web Services (Amazon S3) in the Frankfurt, Germany (eu-central-1) region. These providers process data strictly on our behalf as processors under a data processing agreement pursuant to Art. 28 GDPR.

6. Cookies and Local Storage

We use cookies and comparable technologies. A cookie is a small text file stored by your browser; local storage works in a similar way. We distinguish between two situations:

  • Strictly necessary technologies — these are required to operate the Website and are used without consent on the basis of Art. 6(1)(f) GDPR and §25(2) TDDDG. They include the session cookie ("granshan_session"), the CSRF security token, and your dark-/light-mode preference (stored locally in your browser). Session cookies are deleted when you close your browser.

  • Non-essential technologies — in particular analytics, advertising and third-party embeds. These are only used after you have given your consent via our consent banner, in accordance with §25(1) TDDDG and Art. 6(1)(a) GDPR.

You can configure your browser to refuse some or all cookies, or to delete cookies that have already been set. Please note that disabling cookies may limit the functionality of the Website.

When you first visit the Website, a consent banner lets you accept or reject the different categories of non-essential technologies (functional, analytics, advertising and video embeds) and make a granular selection. No non-essential cookies or trackers are set before you have given consent. Your choice is stored locally in your browser and is re-requested periodically. You can change or withdraw your consent at any time with effect for the future via the "Cookie settings" link in the footer.

8. Web Analytics (Google Analytics / Google Tag Manager)

Our Website uses Google Analytics 4, a web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), integrated via Google Tag Manager. We use this to understand how the Website is used and to improve it.

These services are loaded only after you have given your consent via our consent banner. The legal basis is your consent under Art. 6(1)(a) GDPR and §25(1) TDDDG. We use Google Consent Mode, so that no analytics or advertising cookies are set before consent is given. IP anonymisation is enabled, which means your IP address is truncated within the EU/EEA before any transfer and is not combined with other Google data.

You can withdraw your consent at any time with effect for the future via the "Cookie settings" link. Our consent manager additionally offers categories for advertising/marketing technologies (e.g. ad storage and ad personalisation); these are only activated if you actively consent to them, and no such cookies are set otherwise.

Where data is transferred to Google LLC in the USA, this transfer is based on the EU-US Data Privacy Framework, under which Google LLC is certified, and is additionally safeguarded by the EU Standard Contractual Clauses pursuant to Art. 46 GDPR. Further information is available in Google's privacy policy.

9. Embedded Third-Party Content (Videos)

We embed videos on some pages, for example from YouTube (operated by Google Ireland Limited). Embedded content is blocked by default and is only loaded once you have consented to third-party video embeds. Once loaded, the provider may receive the information that you have accessed the relevant page, may obtain your IP address and may set cookies — including, if you are logged in to the provider, an association with your account. We have no influence over this processing; please refer to the provider's privacy policy for details. The legal basis for loading embeds is your consent under Art. 6(1)(a) GDPR and §25(1) TDDDG.

10. Contacting Us

If you contact us by email or via our contact form, we process the data you provide — typically your name, email address, subject and the content of your message — in order to handle your enquiry. The legal basis is Art. 6(1)(b) GDPR where your enquiry relates to a contract or pre-contractual measures, and otherwise our legitimate interest in responding to enquiries under Art. 6(1)(f) GDPR. Form submissions are stored on our servers and forwarded by email to the relevant members of our team. We delete this data once it is no longer required, unless statutory retention obligations apply.

11. Newsletter

You can subscribe to our newsletter to receive information about GRANSHAN and our activities. The only mandatory field is your email address; providing your first and last name is optional and allows us to address you personally.

We use the double opt-in procedure: after you sign up, we send a confirmation email to the address you provided, and we only add you to our list once you confirm. If you do not confirm within a reasonable period, your sign-up data is blocked and subsequently deleted. To document your consent, we store the time of sign-up and confirmation. The legal basis is your consent under Art. 6(1)(a) GDPR.

Newsletter sign-ups are processed via Mailchimp, a service of The Rocket Science Group LLC / Intuit Inc. (USA). Newsletter campaigns are created and delivered using Mailcoach (Spatie BV, Belgium), and the HTML of our emails is rendered via the MJML API (operated by Mailjet SAS, France). Our newsletters contain a tracking pixel and tracked links that allow us to see, on a pseudonymous basis, whether and when an email was opened and which links were clicked, so that we can improve our content.

You can withdraw your consent and unsubscribe at any time, with effect for the future, via the unsubscribe link in every newsletter or by contacting us. Where data is processed by Mailchimp in the USA, this is based on the EU-US Data Privacy Framework and the EU Standard Contractual Clauses.

12. Competition Entries, Submissions and Other Forms

Through various forms — including competition entries and self-commitment statements, the waitlist, and the Supporting Foundries Club form — we collect the data you enter. Depending on the form, this typically includes your name and email address and may include additional information such as a profile picture, a CV, links to your online presence, or details about your foundry and submitted typefaces.

We use this data to administer your participation in our competitions and events and to provide the respective service. The legal basis is the performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR), your consent for any optional information you choose to provide and for the publication of designer information where applicable (Art. 6(1)(a) GDPR), and our legitimate interest in organising and documenting the competition (Art. 6(1)(f) GDPR). Form submissions are stored on our servers within the EU and forwarded by email to the relevant members of our team; uploaded files are stored on Amazon S3 in Frankfurt, Germany. To prevent automated spam, our forms use a honeypot field and a captcha mechanism.

Our search function is powered by Meilisearch, which runs on our own server infrastructure within the EU. Search queries are processed entirely server-side and are not shared with any third party. No search API key is exposed to your browser.

14. Error and Performance Monitoring

We use Sentry (Functional Software, Inc., USA) to detect and diagnose technical errors and to monitor the performance of our Website, on the basis of our legitimate interest in a secure and reliable service (Art. 6(1)(f) GDPR). Sentry is configured not to transmit personal data (PII) by default. Where data is transferred to the USA, this is based on the EU-US Data Privacy Framework and the EU Standard Contractual Clauses.

15. Recipients and Processors

We use carefully selected external service providers (processors) who act only on our instructions and with whom we have concluded data processing agreements under Art. 28 GDPR. The main recipients of personal data are:

  • Hosting & server management — managed infrastructure within the EU (Germany), with server management by Ploi (Netherlands).

  • File storage — Amazon Web Services (Amazon S3), Frankfurt, Germany (EU).

  • Newsletter sign-up — Mailchimp / Intuit Inc. (USA).

  • Newsletter delivery — Mailcoach / Spatie BV (Belgium).

  • Email rendering — MJML API / Mailjet SAS (France).

  • Web analytics — Google Ireland Limited and Google LLC (Ireland / USA), consent-based.

  • Video embeds — YouTube / Google (Ireland / USA), consent-based.

  • Error & performance monitoring — Sentry / Functional Software, Inc. (USA).

  • Search — Meilisearch, self-hosted on our EU infrastructure.

We do not sell your personal data. We only disclose data to public authorities where we are legally obliged to do so.

16. International Data Transfers

We process your personal data primarily within the EU/EEA, and access by our staff and partners is limited to the EU. Some of the processors named above (Google, Mailchimp, Sentry) are based in or may transfer data to the USA. Such transfers take place only on the basis of an adequacy decision — the EU-US Data Privacy Framework, under which these providers are certified — and/or the EU Standard Contractual Clauses pursuant to Art. 46 GDPR, together with appropriate additional safeguards. We do not transfer your personal data to any recipients outside the EU/EEA other than the processors listed in this Privacy Policy.

17. Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, or for as long as we are legally required to retain it:

  • Server log files: deleted after a short period.

  • Enquiries and form submissions: deleted once your request has been handled, unless statutory retention obligations apply.

  • Newsletter data: stored until you unsubscribe; proof-of-consent records are kept for as long as necessary to demonstrate compliance.

  • Competition and submission data: stored for the duration of the relevant competition and a reasonable archival period thereafter.

  • Analytics data: retained for a limited period in accordance with our Google Analytics retention settings (up to 14 months).

  • Data subject to statutory retention (e.g. under §257 German Commercial Code (HGB) or §147 German Fiscal Code (AO)) is retained for the applicable period of 6 or 10 years and then deleted.

18. Data Security

We use appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, manipulation or misuse. These include TLS/HTTPS encryption of data in transit, access controls, and HTTP-only and SameSite cookie settings. Our security measures are reviewed regularly and adapted to technological developments.

19. Children

Our services are directed at adults. Persons under the age of 16 should not transmit personal data to us without the consent of a parent or legal guardian.

20. Your Rights

Under the GDPR you have the following rights in relation to your personal data:

  • Right of access (Art. 15 GDPR) — to obtain confirmation of whether we process your data and a copy of that data.

  • Right to rectification (Art. 16 GDPR) — to have inaccurate or incomplete data corrected.

  • Right to erasure (Art. 17 GDPR) — to have your data deleted where the legal conditions are met.

  • Right to restriction (Art. 18 GDPR) — to restrict processing in certain circumstances.

  • Right to data portability (Art. 20 GDPR) — to receive your data in a structured, commonly used, machine-readable format.

  • Right to object (Art. 21 GDPR) — see the dedicated note below.

  • Right to withdraw consent (Art. 7(3) GDPR) — to withdraw any consent at any time with effect for the future, without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at granshan@granshan.com. Exercising your rights is free of charge.

21. Right to Object

Where we process your personal data on the basis of our legitimate interests (Art. 6(1)(f) GDPR), you have the right to object at any time, on grounds relating to your particular situation, to that processing. Where we process your data for direct marketing purposes, you have the right to object at any time; following such an objection, your data will no longer be processed for those purposes.

22. Automated Decision-Making

We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR.

23. Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes the GDPR. The supervisory authority responsible for us is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
Phone: +49 981 180093-0
Email: poststelle@lda.bayern.de
Web: https://www.lda.bayern.de

You may also contact the supervisory authority in your country of residence, place of work, or place of the alleged infringement.

24. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our services or to legal requirements. The current version is always available on this page.