Privacy Policy
Status: 24 May 2026
English working translation of MBR Machinery's GDPR privacy notice. The legally binding version is the German Datenschutzerklärung (available via the DE language switch in the header); German law applies to the controller below.
We appreciate your interest in our online presence at mbrcnc.com and mbrcnc.de (together, the "Website"). Protecting your personal data is a core concern. The following sets out, pursuant to Art. 13 and Art. 14 of the General Data Protection Regulation (GDPR) and the German Telecommunications-Digital-Services Data Protection Act (TDDDG, formerly TTDSG), the nature, scope and purposes of our processing of personal data, together with your rights as a data subject.
Note: The Spanish sister site mbrcnc.es carries its own Política de Privacidad in Spanish, where MBR CNC Iberica SL (Barcelona) is identified as the controller. This privacy notice covers only the offerings available at mbrcnc.com and mbrcnc.de.
1. Controller (Art. 4 No. 7 GDPR)
The controller within the meaning of Art. 4 No. 7 GDPR for the offerings available at mbrcnc.com and mbrcnc.de is:
MBR Vertriebs- & Verwertungs UG (haftungsbeschränkt)
Mergenthalerallee 15–21
65760 Eschborn
Germany
Phone: +49 (0) 6196 9727560
Email: [email protected]
Managing Director: Marcel Brockmann
Commercial register: Amtsgericht Frankfurt am Main, HRB 118884
VAT ID: DE331712934
A data protection officer is not legally required (cf. § 38 BDSG). For any data-protection matter, please reach us at [email protected] in German, English or Spanish.
MBR Vertriebs- & Verwertungs UG is part of the MBR Machinery brand group. The content available at the Spanish ccTLD mbrcnc.es is operated independently by MBR CNC Iberica SL (Barcelona); its processing activities are described in a separate Política de Privacidad.
2. General notes on processing
2.1 Scope
We process our users' personal data only to the extent necessary for the provision of a functioning website and our content and services. Processing is regularly based on consent or on another lawful basis.
2.2 Legal bases
Where we obtain a data subject's consent for processing, Art. 6(1)(a) GDPR is the legal basis. For processing necessary for the performance of a contract or pre-contractual steps, Art. 6(1)(b) GDPR applies. Where processing is necessary to comply with a legal obligation, Art. 6(1)(c) GDPR applies. Where processing is necessary for the purposes of legitimate interests pursued by us or a third party — and these interests are not overridden by the interests, fundamental rights or freedoms of the data subject — Art. 6(1)(f) GDPR applies.
2.3 Erasure and retention
Personal data of the data subject is deleted or blocked as soon as the purpose of its storage no longer applies. Storage beyond that may occur where required by European or national law in regulations, statutes or other provisions binding the controller — in particular for commercial and tax retention obligations (§ 257 HGB: typically 6 years; § 147 AO: typically 10 years).
Data is also blocked or deleted when a retention period prescribed by the named provisions expires, unless further storage is necessary for the conclusion or performance of a contract.
2.4 Recipients outside the EU / EEA (third-country transfers)
Where we transfer data to recipients outside the European Economic Area (EEA), this is done exclusively on one of the following bases:
- Adequacy decision of the European Commission, in particular on the basis of the EU-U.S. Data Privacy Framework (DPF, adequacy decision of 10 July 2023) for DPF-certified U.S. recipients;
- EU Standard Contractual Clauses (SCCs) per Implementing Decision (EU) 2021/914, current version;
- supplementary technical and organisational measures where required;
- explicit consent of the data subject (Art. 49(1)(a) GDPR) where we rely on this.
We note that the DPF is the subject of pending legal challenges and that comparable mechanisms (Safe Harbor, Privacy Shield) have been invalidated by the CJEU in the past. An overview of the third-country recipients involved and the corresponding legal basis is set out in section 13.
3. Website provision and server log files
3.1 Hosting via Cloudflare Pages
The Website is served statically via Cloudflare Pages, a service of Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA. Cloudflare operates a globally distributed Content Delivery Network (CDN); requests from Europe are answered primarily via European nodes, although a transfer to the United States cannot be technically excluded in all cases.
A data processing agreement (DPA) under Art. 28 GDPR is in place with Cloudflare. Cloudflare, Inc. is certified under the EU-U.S. Data Privacy Framework; in addition, the EU Standard Contractual Clauses apply. Cloudflare also maintains contractually agreed technical and organisational measures.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in performant, secure and stable provision of our Website).
3.2 Server log files
Each page request technically requires the following access data to be recorded in server log files:
- truncated IP address,
- date and time of the request,
- requested URL,
- HTTP status code,
- volume of data transferred,
- User-Agent string (browser/operating-system identifier),
- referrer URL.
This data is used exclusively for operational security, defence against attacks and purely statistical purposes. No combination with other data sources takes place. No profiling occurs.
Logs are deleted or anonymised within 30 days at the latest. In the case of a documented security incident, retention may extend beyond that period until the incident has been fully resolved.
Legal basis: Art. 6(1)(f) GDPR. The legitimate interest is the security, availability and integrity of our online offering.
4. Contacting us
4.1 Contact form
When you use the contact form on our Website, we process the data you provide in order to respond to your enquiry. Categories processed:
- name,
- email address,
- phone number,
- company,
- message text,
- machine/equipment details (e.g. manufacturer, model, year, condition, images),
- postal address,
- date and time of submission,
- truncated IP address for spam prevention.
The form is processed via a self-hosted instance of the open-source workflow automation platform n8n. It runs on servers under our sole control; no transfer of the form contents to third parties takes place — except to the recipients listed in section 5 (CRM systems), to which the contents are forwarded for further handling.
Legal basis:
- Art. 6(1)(b) GDPR insofar as your enquiry is directed at the conclusion or initiation of a contract;
- Art. 6(1)(f) GDPR otherwise (legitimate interest in efficient handling of general enquiries).
Retention: we retain your enquiry for as long as is necessary for handling it and for as long as a legitimate interest in further retention persists (in particular for the resumption of the business relationship within our multi-year machinery-trading business). Where the enquiry leads to a business relationship, commercial and tax retention periods apply (as a rule 6 and 10 years per § 257 HGB and § 147 AO) from the end of the relevant financial year. We carry out periodic reviews and delete enquiries where there has been no communication or discernible initiation for an extended period. You can have your data erased or restricted at any time pursuant to section 14.
4.2 Contact by email, phone or WhatsApp
If you contact us by email, phone or WhatsApp, we process the data transmitted (in particular name, phone number, email address and the content of your message) exclusively for the handling of your request.
If you contact us via WhatsApp, Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland, and Meta Platforms, Inc. (USA) process your data under their own privacy policy. We have no influence on that processing; contact via WhatsApp is exclusively on your own initiative. For more data-protection-friendly channels we recommend email or phone.
Legal basis: Art. 6(1)(b) GDPR for contract-related correspondence, otherwise Art. 6(1)(f) GDPR (legitimate interest in efficient communication with prospects and business partners).
5. Further processing in CRM and productivity systems
We process enquiries and business contacts internally in the following systems:
5.1 Google Workspace
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (processor; Art. 28 GDPR DPA in place). Used for email (Gmail), calendar and document storage (Drive). Transfer to Google LLC (USA) takes place on the basis of the EU-U.S. Data Privacy Framework, supported additionally by the EU Standard Contractual Clauses.
5.2 Pipedrive
Pipedrive OÜ, Mustamäe tee 3a, 10615 Tallinn, Estonia (processor; Art. 28 GDPR DPA in place). Pipedrive is a CRM platform used to manage sales contacts, enquiries and ongoing matters. Processing primarily within the EU; in individual configurations Pipedrive may rely on subprocessors in third countries, in which case the EU Standard Contractual Clauses apply.
5.3 Airtable
Formagrid, Inc. (trading as Airtable), 799 Market Street, San Francisco, CA 94103, USA (processor; Art. 28 GDPR DPA in place). Airtable is certified under the EU-U.S. Data Privacy Framework; in addition, the EU Standard Contractual Clauses apply. Used for structured recording and tracking of machine and customer information.
Legal basis for processing in the systems above: Art. 6(1)(b) GDPR (contract initiation/performance) or Art. 6(1)(f) GDPR (legitimate interest in efficient and auditable sales and customer communication).
6. Cookies and consent management
6.1 What cookies are
Cookies are small text files that the browser stores on your device. They enable a device to be recognised on a later visit. Some cookies are technically necessary for the Website to work; others serve comfort, analytics or marketing purposes and are only set with your consent.
6.2 Klaro consent manager (technically necessary)
To obtain, manage and document your consents pursuant to § 25 TDDDG and Art. 7 GDPR, we use the open-source consent manager Klaro (originally developed by KIProtect GmbH, Berlin). Klaro is served directly from our own infrastructure via Cloudflare Pages; no transmission to KIProtect GmbH or any other third party takes place.
Klaro stores a technically necessary first-party cookie klaro-consent with a lifetime of 180 days, in which your consent decision is documented.
Legal basis: § 25(2) No. 2 TDDDG (storage strictly necessary to provide a telemedia service expressly requested by the user — here: the management of consent decisions), in conjunction with Art. 6(1)(c) GDPR (compliance with a legal obligation to document consent under Art. 7(1) GDPR).
You can withdraw or adjust your consent at any time via the "Cookie settings" link in the footer.
7. Web analytics: Google Tag Manager and Google Analytics 4
7.1 Google Tag Manager (consent-gated)
We use the Google Tag Manager (container ID GTM-5XMCC447), a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (for EU users) or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
The Tag Manager is loaded only after your active consent through the Klaro banner. Before your consent, no transmission to Google occurs. The Tag Manager itself does not store cookies of its own and does not collect personal data beyond what is needed to load configured tags.
7.2 Consent Mode v2 (default denied)
We use Google Consent Mode v2 in "default denied" mode. Until you consent, we signal to Google that all analytics and advertising storage purposes are refused (analytics_storage = denied, ad_storage = denied, ad_user_data = denied, ad_personalization = denied). Only after consent does the signal change to granted.
7.3 Google Analytics 4
With your consent, Google Analytics 4 (Google Ireland Limited / Google LLC) is activated for statistical analysis of Website usage. GA4 sets in particular the cookies:
- _ga (lifetime: 2 years),
- _ga_<container> (lifetime: 2 years),
- _gid (lifetime: 24 hours),
- _gat (lifetime: 1 minute).
The IP address is received in an EU data centre, used there exclusively to derive country-/region-level location, and truncated before any further processing. The full IP address is not stored. Maximum event data retention in our GA4 property is configured at 14 months. No linking with Google accounts takes place in our property; Google Signals are disabled.
Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG (consent).
Third-country transfer: EU-U.S. Data Privacy Framework (Google LLC is certified), supplemented by the EU Standard Contractual Clauses.
Data processing agreement: in place with Google under Art. 28 GDPR.
Withdrawal: at any time via the "Cookie settings" button in the footer. The lawfulness of processing up to withdrawal is not affected.
8. Embedded third-party content (two-click)
External content is loaded only after explicit interaction or consent (two-click / consent-gated approach). Before you click the relevant button, no connection at all is made to the providers listed below.
8.1 Google Calendar (appointment booking)
If you book an appointment via the embedded Google Calendar booking interface, Google Ireland Limited / Google LLC processes your data (in particular email address, name, chosen slot, optional message). Legal basis: Art. 6(1)(b) GDPR (contract initiation). Third-country transfer: DPF + SCCs.
8.2 YouTube videos
Embedded videos are loaded via YouTube (Google Ireland Limited / Google LLC) only after you click the placeholder. On load, YouTube receives your IP address and may set cookies. Legal basis: Art. 6(1)(a) GDPR or § 25(1) TDDDG (consent through the click). Third-country transfer: DPF + SCCs.
8.3 Google Maps
Map content is loaded via Google Maps (Google Ireland Limited / Google LLC) only after you click the map placeholder. On load, Google receives your IP address and other browser data. Legal basis: Art. 6(1)(a) GDPR or § 25(1) TDDDG. Third-country transfer: DPF + SCCs.
9. Web fonts (self-hosted)
We use web fonts for consistent visual presentation. They are served exclusively from our own servers / the Cloudflare Pages origin. No connection is made to Google servers or any other external font CDN; in particular, no data is transmitted to Google Fonts (fonts.googleapis.com / fonts.gstatic.com).
10. Newsletter
10.1 Double opt-in sign-up
If you sign up on our Website for our newsletter, we process your email address and any voluntary additional information (e.g. name, company) for the purpose of sending the newsletter. Sign-up uses the double opt-in procedure: after you enter your email, we send a confirmation email containing an activation link. Only after confirmation is your address added to the distribution list.
We record the time of sign-up, time of confirmation and the IP address used for sign-up, to evidence the consent under Art. 7(1) GDPR.
10.2 Distribution provider Brevo
Newsletter dispatch is handled via Brevo (Sendinblue SAS), 106 Boulevard Haussmann, 75008 Paris, France. Brevo processes data exclusively within the EU. A data processing agreement under Art. 28 GDPR is in place with Brevo. Brevo collects statistics (e.g. open and click rates) as part of dispatch, for deliverability and effectiveness analysis.
10.3 Unsubscribe
You can unsubscribe at any time via the unsubscribe link in every email or by informal notice to [email protected]. On unsubscribe, your email address and related profile data are removed from the list without delay; for evidencing purposes we may retain consent and unsubscribe records in a suppression list.
Legal basis: Art. 6(1)(a) GDPR in conjunction with § 7(2) No. 3 UWG (consent). Processing of consent records additionally relies on Art. 6(1)(c) GDPR in conjunction with Art. 7(1) GDPR.
11. Job applications
Please send applications for advertised positions or unsolicited applications by email to [email protected]. We process the personal data contained (in particular CV, certificates, cover letter, contact details) exclusively for the application procedure.
Legal basis: § 26(1) BDSG in conjunction with Art. 88 GDPR (employee data protection / pre-contractual measures), Art. 6(1)(b) GDPR, and where applicable Art. 6(1)(a) GDPR for voluntary additional information.
Retention: on rejection, application documents are deleted no later than 6 months after the procedure ends; this preserves our ability to defend against potential AGG claims (§ 15(4) AGG, § 61b ArbGG). Longer retention only with your explicit consent (e.g. for a candidate pool) or in the event of hiring within the employment relationship.
12. Provision of data / consequences of non-provision
Provision of your personal data is neither legally nor contractually required. You are not obliged to provide data. However, if data necessary to respond to your enquiry or to perform a contract is not provided, we may not be able to handle your enquiry or conclude a contract.
13. Recipients and processors at a glance
| Recipient | Location | Purpose | Legal basis | Third country / safeguards |
|---|---|---|---|---|
| Cloudflare, Inc. | USA | Hosting, CDN, DDoS protection | Art. 6(1)(f) | DPF + SCCs + DPA |
| Self-hosted n8n | EU (own infrastructure) | Contact-form processing | Art. 6(1)(b) / (f) | — (self-operated) |
| Google Ireland Ltd. / Google LLC | Ireland / USA | Google Workspace (Gmail, Drive, Calendar), Tag Manager, Analytics 4, Google Calendar, YouTube, Google Maps | Art. 6(1)(a) / (b) / (f) | DPF + SCCs + DPA |
| Pipedrive OÜ | Estonia (EU) | CRM | Art. 6(1)(b) / (f) | EU; SCCs for any subprocessors + DPA |
| Formagrid, Inc. (Airtable) | USA | Structured data store (CRM extension) | Art. 6(1)(b) / (f) | DPF + SCCs + DPA |
| Sendinblue SAS (Brevo) | France (EU) | Newsletter dispatch | Art. 6(1)(a) | EU + DPA |
| Klaro (self-operated, open source) | EU (own infrastructure) | Consent management | § 25(2) No. 2 TDDDG in conjunction with Art. 6(1)(c) | — (self-operated) |
| Meta Platforms Ireland Ltd. / Inc. | Ireland / USA | WhatsApp — only on user initiative | Art. 6(1)(b) / (f) | DPF + SCCs (Meta's own responsibility) |
14. Your rights as a data subject
You have the following rights regarding your personal data at any time:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR) — in particular for processing relying on Art. 6(1)(f) GDPR
- Right to withdraw consent (Art. 7(3) GDPR) with effect for the future
To exercise your rights, an informal note to [email protected] or by post to the address in section 1 suffices.
Notice of your right to object (Art. 21 GDPR)
You have the right, on grounds relating to your particular situation, to object at any time to processing of your personal data based on Art. 6(1)(f) GDPR. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.
15. Right to lodge a complaint with a supervisory authority
Without prejudice to any other remedies, you have the right under Art. 77 GDPR to lodge a complaint with a data-protection supervisory authority. The authority with territorial competence for us is:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 3163
65021 Wiesbaden, Germany
Phone: +49 611 1408-0
Web: datenschutz.hessen.de
You may also turn to the supervisory authority of your habitual residence or place of work.
16. No automated decision-making
Decisions based solely on automated processing — including profiling — that produce legal effects concerning you or similarly significantly affect you (Art. 22 GDPR) do not take place.
17. Data security
We use appropriate technical and organisational measures to protect your data against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. In particular, all data transmission between your browser and our Website is encrypted via TLS 1.2/1.3 (HTTPS); the secured connection is indicated by the padlock symbol in your browser's address bar. Our security measures are continuously reviewed and adapted in line with technological developments.
18. Updates and changes to this privacy policy
This privacy policy is dated 24 May 2026. Owing to the further development of our Website and our offerings, or due to changed legal or regulatory requirements, it may be necessary to amend this policy. The current version is always available at /en/privacy/.
Controller within the meaning of this privacy policy: MBR Vertriebs- & Verwertungs UG (haftungsbeschränkt), Eschborn, Germany.