Privacy Policy

Last updated: June 2026

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Wonderlandmovies GmbH
Große Hamburger Straße 28
10115 Berlin
Germany

Phone: +49 30 209 889 37
Email: [email protected]
Website: www.wonderlandmovies.de

Represented by the Managing Directors:
Benjamin Budde
Jan-Till Manzius

2. Data Protection Officer

We have appointed an external Data Protection Officer:

IITR Datenschutz GmbH
Dr. Sebastian Kraska
Marienplatz 2
80331 Munich

Email: [email protected]
Phone: +49 89 18917360

Data subjects may contact our Data Protection Officer at any time with any questions regarding data protection and the exercise of their rights.

3. General Information on Data Processing

We process personal data exclusively in accordance with the statutory data protection provisions, in particular the GDPR, the German Federal Data Protection Act (BDSG) and the Telecommunications Digital Services Data Protection Act (TDDDG).

Personal data means any information relating to an identified or identifiable natural person. This includes in particular name, address, email address, telephone number, IP address, usage data and communication data.

We process personal data only insofar as this is necessary for providing our website, communicating with users, rendering our services, ensuring technical security or complying with legal obligations.

4. Legal Bases for Processing

Where we obtain consent for processing operations, processing is carried out on the basis of Art. 6(1)(a) GDPR.

Where processing is necessary for the performance of a contract or for the implementation of pre-contractual measures, it is carried out on the basis of Art. 6(1)(b) GDPR.

Where we are legally obliged to process data, processing is carried out on the basis of Art. 6(1)(c) GDPR.

Where processing is necessary to safeguard our legitimate interests or those of third parties, it is carried out on the basis of Art. 6(1)(f) GDPR.

5. Hosting and Technical Provision

Our website is hosted by Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany.

When our website is visited, the hosting provider processes technically required data, in particular:

• IP address,
• date and time of access,
• pages and files accessed,
• amount of data transferred,
• browser type and browser version,
• operating system,
• referrer URL,
• host name of the accessing computer.

Processing is carried out for the secure and stable provision of our website. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the technical functionality, security and optimization of our online offering.

A data processing agreement pursuant to Art. 28 GDPR has been concluded with Hetzner.

6. Server Log Files

Our systems automatically store information in so-called server log files. This data is technically necessary in order to deliver the website, ensure system security and trace misuse or attacks.

Server log files are generally deleted no later than after 30 days, unless longer storage is required to investigate security incidents or to comply with legal obligations.

The legal basis is Art. 6(1)(f) GDPR.

7. Cloudflare

We use services provided by Cloudflare Inc., 101 Townsend Street, San Francisco, CA 94107, USA, to secure and optimize our website.

Cloudflare provides, in particular, a content delivery network, security functions, DDoS protection and performance optimizations.

In this context, the following data in particular may be processed:

• IP address,
• system configuration information,
• information about data traffic to and from our website,
• browser and device information,
• time of access,
• security events.

The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, stable and efficient provision of our website.

Where data is transferred to the USA, this is carried out on the basis of appropriate safeguards pursuant to Art. 44 et seq. GDPR, in particular standard contractual clauses or certification under the EU-U.S. Data Privacy Framework, where applicable.

Further information can be found in Cloudflare’s Privacy Policy: https://www.cloudflare.com/privacypolicy/

8. Cookies and Similar Technologies

Our website uses cookies and similar technologies. Cookies are small text files that are stored on your end device. Some cookies are technically necessary; others are used for analytics, statistics or marketing purposes.

Technically necessary cookies are processed on the basis of Section 25(2) TDDDG and Art. 6(1)(f) GDPR.

Non-essential cookies and similar technologies are used only after your express consent. The legal basis is Section 25(1) TDDDG and Art. 6(1)(a) GDPR.

You may withdraw or change your consent at any time with effect for the future via the cookie settings.

9. Consent Management with CookieFirst

We use a consent management platform from CookieFirst on our website.

The provider is:

Digital Data Solutions BV
Plantage Middenlaan 42a
1018 DH Amsterdam
Netherlands

Website: https://cookiefirst.com

CookieFirst is used to obtain, manage and document consent for the use of cookies and similar technologies.

When our website is accessed, a connection is established to CookieFirst servers in order to display the cookie banner and store your consent settings.

In this context, the following data in particular may be processed:

• consent status or withdrawal of consent,
• anonymized or shortened IP address,
• browser information,
• device information,
• date and time of the visit,
• URL of the page on which consent was stored or updated,
• approximate location,
• universally unique identifier (UUID).

Processing is carried out to fulfil statutory documentation obligations in connection with consent. The legal basis is Art. 6(1)(c) GDPR. Where processing is carried out for the user-friendly management of consent, the additional legal basis is Art. 6(1)(f) GDPR.

A data processing agreement pursuant to Art. 28 GDPR has been concluded with CookieFirst.

10. Google Tag Manager

We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a system for managing website tags. Other services can be integrated and controlled via Google Tag Manager, in particular analytics and marketing services.

Google Tag Manager is used exclusively for the technical management of website tags. Where services that require consent are integrated via Google Tag Manager, these are activated only after the corresponding consent has been given.

Further information can be found at: https://policies.google.com/privacy

11. Google Analytics 4

We use Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics 4 enables us to analyze the use of our website. This allows us to understand how visitors interact with our website, which content is used and how we can improve our online offering.

Google Analytics 4 may process the following data in particular:

• page views,
• interactions with the website,
• approximate location data,
• browser and device information,
• referrer URL,
• duration of use,
• technical identifiers,
• shortened or anonymized IP address.

Google Analytics 4 is used only after your express consent via our consent management system. The storage period for data processed by Google Analytics is currently 14 months.

The legal basis is Art. 6(1)(a) GDPR and Section 25(1) TDDDG.

You may withdraw your consent at any time with effect for the future via the cookie settings.

Google may also transfer personal data to the USA. Where data is transferred to third countries, this is carried out on the basis of appropriate safeguards pursuant to Art. 44 et seq. GDPR, in particular standard contractual clauses or certification under the EU-U.S. Data Privacy Framework, where applicable.

Further information can be found in Google’s Privacy Policy: https://policies.google.com/privacy

12. LinkedIn Insight Tag

We use the LinkedIn Insight Tag on our website. The provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

The LinkedIn Insight Tag is used to analyze and measure the success of our LinkedIn advertising campaigns and to create target groups for marketing purposes.

The LinkedIn Insight Tag may process the following data in particular:

• IP address,
• browser information,
• device information,
• referrer URL,
• time of visit,
• pages accessed,
• interactions with our website.

LinkedIn may link this data to your LinkedIn account if you are logged in to LinkedIn. We do not receive personal profiles of individual users from LinkedIn, but only aggregated analyses.

The LinkedIn Insight Tag is used exclusively after your express consent via our consent management system.

The legal basis is Art. 6(1)(a) GDPR and Section 25(1) TDDDG.

You may withdraw your consent at any time with effect for the future via the cookie settings.

Where data is transferred to the USA or other third countries, this is carried out on the basis of appropriate safeguards pursuant to Art. 44 et seq. GDPR, in particular standard contractual clauses or certification under the EU-U.S. Data Privacy Framework, where applicable.

Further information on your setting options can be found at https://www.linkedin.com/psettings/

Further information can be found in LinkedIn’s Privacy Policy: https://www.linkedin.com/legal/privacy-policy

Information about the LinkedIn Insight Tag can be found at: https://www.linkedin.com/help/lms/answer/a427660

13. Contact by Email and Contact Form

If you contact us by email or via our contact form, we process the data you provide in order to handle your inquiry.

The following data in particular may be processed:

• name,
• email address,
• telephone number, if provided,
• company, if provided,
• content of your message,
• time of contact.

Processing is carried out in order to handle your inquiry. The legal basis is Art. 6(1)(b) GDPR if your inquiry is related to the implementation of pre-contractual measures or an existing contractual relationship. In all other cases, processing is carried out on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in the proper handling of incoming inquiries.

The data entered via the contact form is transmitted directly to us by email.

Contact inquiries are deleted as soon as they are no longer required for processing, unless statutory retention obligations prevent deletion. Business correspondence may be subject to statutory retention obligations.

14. Email Communication via Google Workspace

We use Google Workspace provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, for the processing and sending of emails.

In the context of email communication, the following data in particular may be processed:

• name,
• email address,
• communication content,
• communication metadata, e.g. times, recipients and technical protocol data.

Processing is carried out for handling inquiries, implementing pre-contractual measures, fulfilling contracts and business communication.

The legal basis is Art. 6(1)(b) GDPR, insofar as the communication is related to a contractual relationship or pre-contractual measures. In all other cases, processing is carried out on the basis of our legitimate interest in efficient and secure communication pursuant to Art. 6(1)(f) GDPR.

We use Google Workspace Enterprise with the Europe data region. Primary data is stored within the European Union, insofar as this is provided for within the data regions offered by Google.

However, it cannot be excluded that individual technical support, maintenance or administrative services are provided by companies of the Google group outside the European Union. Where personal data is transferred to third countries in this context, this is carried out on the basis of appropriate safeguards pursuant to Art. 44 et seq. GDPR.

Further information can be found at: https://workspace.google.com/intl/de/security/

15. Newsletter and Direct Communication

Where we send newsletters or comparable information, this is done only if you have consented to this or if there is statutory permission.

Dispatch is currently carried out manually and not via an external newsletter service provider.

The following data in particular may be processed for dispatch:

• name,
• email address,
• company,
• communication history.

The legal basis for dispatch based on consent is Art. 6(1)(a) GDPR. Where communication takes place within existing business relationships, processing may be based on Art. 6(1)(f) GDPR. Our legitimate interest lies in maintaining customer and business contacts.

You may object to receiving further communications at any time or withdraw consent given with effect for the future.

16. Local Videos

Video content may be embedded on our website. These videos are provided locally on our own servers or via our own technical infrastructure.

When locally embedded videos are played, no data is transmitted to external video platforms such as YouTube or Vimeo.

Technically required data for delivering the video files may be processed as part of the general server log files.

The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the user-friendly presentation of multimedia content.

17. Local Fonts

We use fonts on our website that are integrated locally on our own servers.

When our website is accessed, no connection is made to servers of external font providers such as Google Fonts.

Technically required data is processed as part of the general provision of our website. The legal basis is Art. 6(1)(f) GDPR.

18. Map Display

On our website, we provide a static map view of our location. The map is loaded as a locally stored image file.

When the map is displayed, no personal data is transmitted to external map services such as Google Maps.

If you click the external map link, you leave our website. Only then is a connection established to the relevant map provider.

19. No Application Forms

We currently do not provide a separate application form on our website.

If you send us application documents by email, we process the data you provide exclusively for the purpose of carrying out the application process.

The legal basis is Art. 6(1)(b) GDPR in conjunction with Section 26 BDSG.

Application documents are generally deleted no later than six months after completion of the application process, unless longer storage is required by law or you have consented to longer storage.

20. Recipients of Personal Data

Personal data may be transmitted to external service providers insofar as this is necessary for providing our website, technical infrastructure, communication or compliance with legal obligations.

This includes in particular:

• hosting service providers,
• IT service providers,
• consent management providers,
• analytics and marketing service providers after consent,
• tax advisors, legal advisors or authorities, where legally required.

Where service providers process personal data on our behalf, we conclude data processing agreements pursuant to Art. 28 GDPR.

21. Third-Country Transfers

When individual services are used, personal data may be transferred to countries outside the European Union or the European Economic Area.

This may in particular concern services from Google, LinkedIn and Cloudflare, insofar as their processing operations require transfer to third countries.

A transfer takes place only insofar as the statutory requirements of Art. 44 et seq. GDPR are met. This may in particular be based on an adequacy decision, certification under the EU-U.S. Data Privacy Framework or standard contractual clauses.

22. Storage Period

We store personal data only for as long as is necessary for the respective processing purposes or for as long as statutory retention periods apply.

Where no specific storage period is stated in this Privacy Policy, personal data is deleted as soon as the purpose of processing no longer applies.

Statutory retention periods, in particular retention obligations under commercial and tax law, remain unaffected.

23. Security of Processing

We take technical and organizational measures to protect personal data against loss, destruction, manipulation, unauthorized access and unauthorized disclosure.

Our security measures are continuously adapted in line with technological development.

24. Your Rights

Within the framework of the statutory requirements, you have the following rights:

• right of access pursuant to Art. 15 GDPR,
• right to rectification pursuant to Art. 16 GDPR,
• right to erasure pursuant to Art. 17 GDPR,
• right to restriction of processing pursuant to Art. 18 GDPR,
• right to data portability pursuant to Art. 20 GDPR,
• right to object pursuant to Art. 21 GDPR,
• right to withdraw consent given pursuant to Art. 7(3) GDPR.

To exercise your rights, you may contact us or our Data Protection Officer at any time.

25. Withdrawal of Consent

Where processing is based on your consent, you may withdraw this consent at any time with effect for the future.

The lawfulness of processing up to the time of withdrawal remains unaffected.

26. Right to Object

You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data that is carried out on the basis of Art. 6(1)(e) or (f) GDPR.

Where personal data is processed for direct marketing purposes, you have the right at any time to object to processing for such advertising purposes.

27. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR.

The competent authority may in particular be the supervisory authority of your place of residence, your place of work or the place of the alleged infringement.

For Berlin, this is:

Berlin Commissioner for Data Protection and Freedom of Information
Alt-Moabit 59-61
10555 Berlin

Website: https://www.datenschutz-berlin.de

28. Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy if our website, our data processing activities or the legal requirements change.

The current version published on this website shall apply.