Privacy Policy
Status: April 2026. Reflects GDPR, TDDDG (German Telecommunications-Digital-Services-Data-Protection-Act, formerly TTDSG) and DDG (German Digital Services Act, formerly TMG).
1. Controller
Controller per GDPR Art. 4 No. 7:
Nawinn Gutzeit; for the address, see the Imprint.
Email: datenschutz@stackschmiede.de
2. Hosting
This site runs on a VPS in Germany with a GDPR-compliant hosting provider. A Data Processing Agreement per GDPR Art. 28 is in place; the full name of the processor is provided on request.
3. Endpoint access (§ 25 TDDDG)
This site sets no cookies that aren't strictly necessary for delivering the requested service. No § 25 TDDDG consent is required. Exception: an optional localStorage entry persisting your theme choice (light/dark) — strictly necessary per § 25 (2) No. 2 TDDDG.
4. Analytics (Plausible)
Plausible Analytics (Plausible Insights OÜ, Estonia, EU). No cookies, no plain-text IPs, no fingerprinting. Aggregated page views only. Legal basis: GDPR Art. 6(1)(f). No consent required.
5. Contact form and email
Submitted data goes to kontakt@stackschmiede.de and is stored on my own mailserver (Postfix/Dovecot) on the same VPS in Germany. No external mail provider, no third party sees the contents. Legal basis: Art. 6(1)(b) or (f). Deletion after request resolution or after 3 years.
6. Spam protection (Cloudflare Turnstile)
Cloudflare Turnstile (Cloudflare Inc., DPF-certified). No cookies, no fingerprinting. Anonymous token to Cloudflare. Legal basis: Art. 6(1)(f). US transfer only as technically required (DPF-certified).
7. Self-hosted fonts
Inter, JetBrains Mono, Instrument Serif served from this server — no Google Fonts CDN, no third-party connection on page load.
8. Server location and third-country transfers
All processing in EU/EEA (VPS DE incl. own mailserver, Plausible EE). No third-country transfers — except Cloudflare Turnstile (DPF-certified).
9. Your rights
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction (Art. 18)
- Portability (Art. 20)
- Objection (Art. 21)
- Complaint to supervisory authority (Art. 77)
10. Chat assistant (AI widget)
This website embeds a voluntary-use chat assistant that is activated only after your explicit opt-in consent within the widget.
Provider: Messages are sent to Mistral AI SAS (15 rue des Halles, 75001 Paris, France, EU) for processing. Mistral AI is a European provider with servers in the EU. A Data Processing Agreement is in place.
What is transferred:
- Your chat messages and the conversation history of the current session
- No real names or contact data — unless you actively enter them
- A hashed IP value is used server-side for rate-limiting (not sent to Mistral, not persisted after the session)
Browser storage: The conversation history is stored in your browser's localStorage until you clear it in the widget or clear browser storage. No server-side storage of the chat transcript.
Third-country transfers: Mistral AI is an EU provider; no transfer outside the EU.
Legal basis: GDPR Art. 6(1)(a) (consent).
Deletion: Mistral AI stores conversation data per their privacy policy. Request access or deletion at: mistral.ai/terms/privacy.
Withdrawal: Revoke consent at any time by clicking "Clear history" in the widget. Messages already transmitted are not affected.
Right of access: For processing on my server infrastructure, contact datenschutz@stackschmiede.de.
11. Automated decisions / profiling
No automated decision-making per Art. 22 GDPR, no profiling. AI models are used on this site only for content preparation, not visitor analysis.
Legal note: Reflects requirements known as of April 2026 (GDPR, TDDDG, DDG, DSA references). Final review recommended before go-live.