Privacy

Introduction and Overview

This privacy notice has been written to inform you, in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 (GDPR) and the German Telecommunications-Digital-Services-Data-Protection-Act (TDDDG), about which personal data is processed on this website and what rights you have.

Scope

This privacy notice applies to all personal data processed on this website (alexander-mader.de) and to data processed by service providers (processors) engaged by the controller.

Legal Bases

We process your data only where at least one of the following legal bases applies:

Consent (Art. 6(1)(a) GDPR): You have given us consent to process data for a specific purpose (e.g. Google Analytics).

Contract / pre-contractual measures (Art. 6(1)(b) GDPR): Processing is necessary for the performance of a contract or to take steps at your request prior to entering into a contract (e.g. handling your contact enquiry).

Legitimate interests (Art. 6(1)(f) GDPR): Processing is necessary for our legitimate interests, provided these do not override your interests (e.g. secure website operation, abuse prevention).

For access to terminal equipment, § 25 TDDDG additionally applies.

Controller Contact Details

The controller within the meaning of the GDPR is: Alexander Mader Buchenring 1, 76297 Stutensee, Germany Email: For questions about data protection or to exercise your rights, please contact the above email address.

Retention Periods

Personal data is stored only for as long as necessary for the respective processing purpose. Specific retention periods:

Technical request logs (request_events): Up to 90 days

Page view data (pageviews): Up to 30 days

Behavioral engagement signals (visit_signals): Up to 90 days

Visit classification data (visit_classifications): Up to 180 days

Aggregated daily statistics (daily_visit_metrics): Long-term; no direct personal reference

Contact form messages: Until final handling of your enquiry, at most 3 months

Google Analytics data (when consent granted): 14 months (configured in GA4)

Cloudflare Turnstile connection data: Per Cloudflare privacy policy

localStorage consent record (cookie-consent-v2): Until deleted by you or your browser

Consent audit records (consent_audit_events): Up to 365 days

If you request deletion of your data or withdraw a consent, data will be deleted as quickly as possible unless a statutory retention obligation applies.

Rights under the General Data Protection Regulation

In accordance with Art. 13, 14 GDPR, we inform you of the following rights:

Right of access (Art. 15 GDPR): You have the right to find out whether we process data about you. If so, you are entitled to a copy of this data and information on: the purpose of processing, categories of data, recipients, retention periods, the origin of data, and whether profiling takes place.

Right to rectification (Art. 16 GDPR): You have the right to have inaccurate data corrected.

Right to erasure (Art. 17 GDPR): You have the right to request erasure of your data ("right to be forgotten"), unless statutory retention obligations prevent this.

Right to restriction of processing (Art. 18 GDPR): You have the right to request restriction of processing, meaning data may be stored but not further processed.

Right to data portability (Art. 20 GDPR): You have the right to receive your data in a commonly used machine-readable format or to have it transferred to another controller. This right applies to automatically processed data based on consent (Art. 6(1)(a)) or a contract (Art. 6(1)(b)).

Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with the competent data protection supervisory authority at any time if you believe that processing of your data violates the GDPR. The competent authority is listed below.

Right to Object (Art. 21 GDPR)

Where processing of your data is based on Art. 6(1)(f) GDPR (legitimate interests), you have the right to object at any time on grounds relating to your particular situation. We will then cease processing your data unless we can demonstrate compelling legitimate grounds that override your interests, or the processing serves the establishment, exercise, or defence of legal claims. To exercise the right to object, please contact:

Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on your consent, you may withdraw it at any time with future effect. You can adjust or withdraw your consent at any time via the cookie settings in the footer of this website.

Automated decisions (Art. 22 GDPR): This website does not carry out solely automated decision-making with legal effect.

In short: you have rights — feel free to contact us by email if you wish to exercise them.

Data Transfers to Third Countries

We transfer personal data to third countries (in particular the USA) only where a legal basis exists. On this website, this applies to:

Cloudflare Turnstile (bot protection): Transfer to Cloudflare, Inc., USA. Legal basis: EU Standard Contractual Clauses (SCCs) and EU-US Data Privacy Framework (DPF), to which Cloudflare is certified.

Google Analytics / Tag Manager (only with consent): Transfer to Google Ireland Limited, Ireland (servers also located in the USA). Legal basis: consent and EU-US Data Privacy Framework, to which Google is certified. Adequacy decision of the European Commission dated 10 July 2023.

Further information on the EU-US DPF: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

Security of Data Processing

We implement technical and organisational measures to protect your personal data (Art. 25 GDPR, "privacy by design"). All data transfers between your browser and this web server are encrypted via HTTPS (TLS). IP addresses are stored only as cryptographic hashes (HMAC) and are never persisted in plain text.

Custom Website Analytics

This website processes technical request events server-side to ensure reliable operation, detect abuse and attacks, and measure aggregated page usage. Fields stored include: route path, HTTP status code, response time, referrer, and selected request header summaries.

IP addresses and one-time page nonces are stored only as cryptographic HMAC hashes. The system does not use persistent analytics cookies, cross-site identifiers, or fingerprinting methods.

Additionally, each page view records behavioral engagement signals submitted by your browser: click count, scroll events, keystroke count, pointer interactions, scroll depth reached, active-visible duration, and time to first interaction. These signals are processed for human visit qualification and bot detection. They are retained for up to 90 days and are not shared with third parties.

Legal basis: Art. 6(1)(f) GDPR. The legitimate interest is the secure and reliable operation of this website and protection against abusive access. You may object to this processing at any time on grounds relating to your particular situation (Art. 21(1) GDPR). Please contact the controller by email.

Contact Form

When you use the contact form, we process the data you provide (name, email address, message content) to handle and respond to your enquiry. Data is not passed on to third parties.

Legal basis: Art. 6(1)(b) GDPR (handling your enquiry as a pre-contractual measure).

Retention: Data will be deleted once your enquiry has been finally handled, at the latest after 3 months.

Cloudflare Turnstile — Bot Protection

This website uses Cloudflare Turnstile to protect the contact form against automated abuse. Turnstile is loaded exclusively on the contact page.

When the widget loads, your browser transmits connection metadata to servers operated by Cloudflare, Inc. (101 Townsend St., San Francisco, CA 94107, USA): client IP address, TLS fingerprint, User-Agent header, the sitekey, and the origin of the embedding page. Cloudflare states it is unable to identify individuals from these signals.

Turnstile does not set cookies and does not access local storage in the configuration used on this website (no Pre-Clearance).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in website security). Regarding access to your device, § 25(2)(2) TDDDG applies (strictly necessary for the requested service; no cookie placed).

Cloudflare acts as a data processor (data processing agreement: Cloudflare Customer Data Processing Addendum, version 6.4, April 2026). Transfers to the USA are covered by EU Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework, to which Cloudflare is certified. Further information: https://www.cloudflare.com/turnstile-privacy-policy/ and https://www.cloudflare.com/cloudflare-customer-dpa/

Google Analytics 4

We use Google Analytics 4 ("GA4"), a service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). GA4 is used exclusively following your explicit consent under Art. 6(1)(a) GDPR. Without active consent, GA4 is not loaded and no analytics data is collected. Data collected is used to analyse usage behaviour and to optimise content. We do not use the data to personally identify individual users.

_ga: User distinction (user ID)2 years

_ga_[container-ID]: Session state persistence2 years

Google states it does not store complete IP addresses for EU users; IP addresses are anonymised immediately within the EU.

Google Consent Mode v2: Google Consent Mode is configured with denied defaults. Without your consent, no cookies are set and no personal data is transferred. With Basic Consent Mode, the GA4 script is not loaded until consent is granted. No data is sent to Google before you accept cookies.

Legal basis: Art. 6(1)(a) GDPR (consent); § 25(1) TDDDG for the setting of cookies.

Data transfer: Google may process data on servers in the USA. The transfer is based on your consent and the EU-US Data Privacy Framework, for which the European Commission has confirmed an adequate level of data protection.

You may object to the collection and processing of your data by Google Analytics or withdraw your consent at any time. An opt-out option is available at: https://tools.google.com/dlpage/gaoptout. You can also adjust your consent at any time via the cookie settings in the footer of this website.

Further information: https://support.google.com/analytics/answer/6004245

Local Storage (localStorage)

This website stores your consent decision in your browser's local storage (localStorage) under the key `cookie-consent-v2`. This entry contains your consent status (analytics: granted/denied; advertising: granted/denied) and a timestamp. The entry is not transmitted to any third party.

This storage is strictly necessary to provide the consent management service you have explicitly requested. Separate consent is therefore not required (§ 25(2)(2) TDDDG). Legal basis for processing: Art. 6(1)(f) GDPR.

Right to Lodge a Complaint with the Supervisory Authority

If you believe that the processing of your personal data violates the GDPR, you have the right under Art. 77 GDPR to lodge a complaint with a data protection supervisory authority. The supervisory authority competent for us is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW)

Heilbronner Straße 35, 70191 Stuttgart, Germany

+49 711 615541-0

poststelle@lfdi.bwl.de

https://www.baden-wuerttemberg.datenschutz.de/

Withdraw Consent

You may withdraw or change your consent at any time with future effect by reopening the cookie settings via the "Cookie settings" button in the footer of this website. The lawfulness of processing based on consent before its withdrawal is not affected.