Controller
The controller within the meaning of the GDPR is:
Kemandai
Kanalstraße 63
24159 Kiel
Deutschland / Germany
Email: mail@andreasgoertzen.eu
Phone: +49 (0) 152 563 67111
Types of Data Collected
We collect and process the following personal data:
- Account data: name, email address, phone number (optional)
- Authentication data: hashed passwords, one-time codes (OTP)
- Payment data: payment information is processed directly by our payment service providers Stripe and PayPal; we do not store complete payment details
- Usage data: IP address, browser type, access times, pages visited
- Communication data: content of contact form submissions and email correspondence
- Project data: information from the quote wizard and project requests
Purposes and Legal Basis
We process your data based on the following legal grounds (Art. 6(1) GDPR):
- Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent, e.g. for optional cookies
- Contract performance (Art. 6(1)(b) GDPR): To fulfill our contractual obligations, including account creation, quote generation, and payment processing
- Legal obligation (Art. 6(1)(c) GDPR): To comply with legal requirements, particularly tax and commercial retention obligations
- Legitimate interests (Art. 6(1)(f) GDPR): For our legitimate business interests such as fraud prevention, security, and service availability, unless overridden by your rights
Authentication
We use email/password and email-based one-time password (OTP) authentication. Password data is stored in hashed form only. OTP codes are temporary and expire after use. Authentication sessions are managed via secure HTTP-only cookies.
Cookies
This website uses technically necessary cookies for authentication and session management in accordance with § 25 TTDSG. These cookies are essential for the functionality of the service and do not require consent. Additionally, optional cookies may be used, for which we obtain your consent via our cookie consent banner. You can adjust or revoke your cookie settings at any time via the link in our website footer.
Web Analytics
We collect anonymized page views to improve our service. No tracking cookies are set and no personal data is transmitted to third parties. Processing is based on our legitimate interest (Art. 6(1)(f) GDPR) in optimizing our offering.
Server Logs and Hosting
Our hosting provider automatically collects and stores information in server log files that your browser transmits. This includes IP address, browser type and version, operating system, referrer URL, and time of access. This data is processed based on Art. 6(1)(f) GDPR for ensuring the security and stability of our service.
Email Communication
We use Amazon Web Services Simple Email Service (AWS SES) for sending transactional emails (authentication codes, password resets, notifications). AWS processes data in accordance with their Data Processing Addendum. Data may be transferred to AWS data centers within the EU. The legal basis is Art. 6(1)(b) GDPR (contract performance).
Payment Processing
For payment processing, we use the services of Stripe (Stripe Payments Europe, Ltd.) and PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A.). When you use a paid service, your payment data is transmitted directly to the respective payment service provider and processed there. We do not store complete credit card or bank details. The legal basis is Art. 6(1)(b) GDPR (contract performance). For more information, see the privacy policies of the providers:
- Stripe: https://stripe.com/privacy
- PayPal: https://www.paypal.com/webapps/mpp/ua/privacy-full
Third-Party Services and Data Transfers
We use the following third-party services:
- Neon (database hosting): Your account data is stored in Neon's PostgreSQL database infrastructure
- AWS SES (email delivery): Used for transactional emails
- Cloudflare R2 (file storage): For storing uploaded images and files
- Stripe (payment processing): For processing credit card payments
- PayPal (payment processing): For processing PayPal payments
Data transfers to third countries are secured by appropriate safeguards (Standard Contractual Clauses, Art. 46 GDPR).
Retention Periods
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected. Account data is retained for the duration of the contractual relationship. After account deletion, data is removed within 30 days, unless longer retention is required by law (e.g. tax retention obligations of up to 10 years).
Your Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
To exercise these rights, contact us at: mail@andreasgoertzen.eu
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for us is:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98
24103 Kiel
https://www.datenschutzzentrum.de
Automated Decision-Making
We do not use automated decision-making, including profiling, pursuant to Art. 22 GDPR.