Consider relaxing the defaults for the privacy controls a little for better UX
Our current approach to the privacy controls is to disable everything by default, which—in general—is a good idea of course and certainly better than the alternative of opt-out-ing everything.
But asking for permission to do every last thing is probably not the right solution either. That might annoy the user and drive them away from the (already fairly involved) task of using da.de. Or (maybe even worse) condition them to just blindly accept everything as we've seen happen with those ridiculous cookie warnings.
Especially considering that many of our privacy controls are not actually privacy-critical (my requests, saving the id_data, remembering the companies selected in the access request wizard, etc. all happen exclusively in the user's browser). A better approach here might be to make those opt-out instead of opt-in and then explain to the user what happened when they first encounter the 'consequences' of those features (for example the first visit to the 'my requests' page after you've used the generator) and clearly guide them on how to disable those, if they so choose.
That would greatly reduce the number of permissions we have to ask for in the 'on-boarding process' (leaving us pretty much only with stupid Algolia -.-) and make that a better experience for the user.
In addition to that, I feel like we can use the DNT header as an additional signal here. If that is enabled, the user is likely more privacy-conscious and willing to deal with additional prompts before getting to use a website. In that case, we could implement additional UI only for those users and make everything strictly opt-in again, even though none of our current features involve actual tracking.
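
A sketch of the default-resolution logic proposed in this issue, added as an example and not taken from the project's code. The control names, the `localOnly` flag and the shape of the stored choices are hypothetical, and it assumes an explicit user choice always overrides any default.

```javascript
// Hypothetical control registry: localOnly marks features whose data
// never leaves the user's browser (per the issue text).
const CONTROLS = {
  save_my_requests: { localOnly: true },
  save_id_data: { localOnly: true },
  save_wizard_entries: { localOnly: true },
  search: { localOnly: false }, // talks to Algolia, a third party
};

// DNT has been exposed under several properties and values:
// navigator.doNotTrack ('1', or 'yes' in old Firefox),
// window.doNotTrack (Safari, IE11) and navigator.msDoNotTrack (IE).
// An unset preference is null, '0', 'no' or 'unspecified'.
function dntEnabled(nav = {}, win = {}) {
  const raw = nav.doNotTrack ?? win.doNotTrack ?? nav.msDoNotTrack;
  return raw === '1' || raw === 'yes';
}

// stored: explicit choices the user has already made, e.g. { search: true }.
// Anything without an explicit boolean falls back to the default:
// on for browser-only features unless DNT is set, off for everything else.
function resolveControls(stored, dnt) {
  const resolved = {};
  for (const [name, { localOnly }] of Object.entries(CONTROLS)) {
    if (typeof stored[name] === 'boolean') {
      resolved[name] = { enabled: stored[name], source: 'user' };
    } else {
      resolved[name] = { enabled: localOnly && !dnt, source: 'default' };
    }
  }
  return resolved;
}

// Controls that are on without the user ever having chosen: these are the
// ones that need the "here is what happened and how to disable it" notice.
function needsExplanation(resolved) {
  return Object.keys(resolved).filter(
    (n) => resolved[n].enabled && resolved[n].source === 'default'
  );
}

// Controls that still require a prompt before they can be used.
function needsPrompt(resolved) {
  return Object.keys(resolved).filter(
    (n) => !resolved[n].enabled && resolved[n].source === 'default'
  );
}
```

In a browser this would be called as `resolveControls(storedChoices, dntEnabled(navigator, window))`.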