Privacy Policy
This policy informs you about which personal data we process on paluro.de, for what purposes, on what legal basis, and how you can exercise your rights. The German version of this policy is the legally binding one.
1. Controller
Paul Lukas Roder
Montessoristraße 21
40670 Meerbusch, Germany
Email: [email protected]
For further details please see the legal notice.
2. General principles
We only process personal data where necessary to provide a functional website and our content and services. Where consent is required for a processing activity, we obtain it in advance via the cookie banner.
3. Server log files
Each visit to the website automatically processes technical data: IP address, date and time, requested URL, referrer, browser and device information, and HTTP status. This data is processed to deliver the page, ensure technical security, and prevent abuse.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in secure and
stable operation).
Storage period: short-term, generally no longer than 30 days, unless
a security-relevant incident requires longer retention.
4. Hosting
The website is hosted on Microsoft Azure Static Web Apps in the Frankfurt am Main region, Germany. Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.
When the page is loaded, connection data is processed (see server log files). A data processing agreement under Art. 28 GDPR is in place. As Microsoft is part of a US group of companies, transfer to the United States cannot be excluded. Microsoft is certified under the EU-US Data Privacy Framework (DPF); EU Standard Contractual Clauses apply additionally.
Legal basis: Art. 6 (1) (f) GDPR.
5. Cloudflare CDN, protection features, and contact API
For faster and more secure delivery we use Cloudflare, Inc. (101 Townsend St., San Francisco, CA 94107, USA) as a CDN and reverse proxy. Cloudflare processes connection data such as IP address, date and time, requested URL, technical browser and device information, and security events to deliver content, mitigate attacks, provide TLS, enable caching, and detect abusive access.
Cloudflare also provides protection features that may be active on the
website, in particular email obfuscation against automated scraping of
email addresses. For the contact form we use a Cloudflare Worker function
under api.paluro.de to provide technical form configuration
when the form is used. Form contents are not transmitted via this Worker
function.
A data processing agreement is in place with Cloudflare. Cloudflare is
certified under the EU-US Data Privacy Framework; EU Standard Contractual
Clauses apply additionally.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in fast,
secure, and abuse-resistant delivery of the website).
6. Cookies and similar technologies
We only use cookies and similar technologies where strictly necessary or with your consent:
(a) Strictly necessary storage: To remember your cookie selection
we set a first-party entry cc_cookie (storage period approx. six
months). Without it, the cookie banner would reappear on every visit.
Legal basis: § 25 (2) (2) TDDDG (strictly necessary) in conjunction
with Art. 6 (1) (f) GDPR.
(b) Analytics cookies (with consent): see the Google Analytics section.
You can change your cookie selection at any time via the "Cookie settings" link in the footer.
7. Google Analytics 4
With your consent we use Google Analytics 4, a web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Usage events such as page views, referrers, approximate location data, device and browser information, interactions, and technical event data are processed. According to Google, GA4 uses IP addresses only to derive location information and does not log or store them permanently. The data is used in pseudonymised form to measure reach and improve our content. We do not set our own user ID and configure the tag so that Google Signals and ad personalisation are disabled for this website.
Cookies used: _ga, _ga_* (storage up to 2 years).
Legal basis: Art. 6 (1) (a) GDPR (consent) and § 25 (1) TDDDG.
Third-country transfer: Transfer to the United States is possible.
Google is certified under the EU-US Data Privacy Framework.
Withdrawal: You can withdraw your consent at any time via the
"Cookie settings" link in the footer. Upon withdrawal, the cookies set by
Analytics are automatically removed. You can also install the
browser add-on to disable Google Analytics.
8. Contact
(a) By email: If you contact us at [email protected], we process the data you transmit (sender address, content, attachments) to respond to your inquiry. Our mailbox is operated via Spacemail by Spaceship, Inc., 4600 E Washington St Ste 305, Phoenix, AZ 85034-1908, USA. A data processing agreement with Spaceship is in place as part of the accepted terms of service. A transfer to the United States cannot be excluded; where required, it is based on contractual safeguards provided by the provider. Communication is TLS-encrypted in transit; end-to-end encryption is only available if you use PGP or S/MIME yourself.
(b) Via the project form: When you interact with the contact form,
we load the form script from Web3Forms and the hCaptcha spam protection
embedded in it. This means that technical data such as IP address, user
agent, page URL, timestamp, interaction data, and device information may be
transmitted to Web3Forms and hCaptcha before the form is submitted. Before
submission, your browser also requests api.paluro.de/config to
retrieve the form configuration; no form contents are transmitted through
that request.
When the form is submitted, your name, email address, message, selected interest areas, language, hCaptcha verification result, and technical submission data are transmitted to Web3Forms (Web3Creative, Palakkad, Kerala, India). According to the provider, its servers are located in the US-East region. Web3Forms states that incoming submissions are stored for up to 30 days and then deleted automatically; the data is used to forward the inquiry to us by email. Sub-processors such as Akismet (Automattic Inc., USA) and CleanTalk may be used for spam protection.
Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures) or
(f) (legitimate interest in efficient handling of inquiries and protection
against spam/abuse). Where hCaptcha or Web3Forms stores or accesses
information on your device, this is done to protect the contact form on the
basis of § 25 (2) (2) TDDDG.
Third-country transfer: India does not have an adequacy decision
from the European Commission. If you submit the form, you expressly consent
to the transfer described in this policy to Web3Forms in India and to
involved service providers in third countries (Art. 49 (1) (a) GDPR), where
suitable safeguards such as Standard Contractual Clauses do not apply. Third
countries may provide a lower level of data protection; in particular,
public authorities may access data and data subject rights may be harder to
enforce. Alternatively, you can contact us by email.
Storage period at our end: until your inquiry has been resolved.
If statutory retention obligations apply (e.g. commercial or tax law),
data is retained accordingly.
Requirement to provide data: Providing data is voluntary. Without the
fields marked as required in the form, we cannot process your inquiry via
the form.
9. Fonts
We use the typefaces Inter and Space Grotesk. They are served exclusively from our own server. No connection to Google Fonts or other external font providers takes place.
10. External links
This site contains links to external services (e.g. HackerOne). When you click such links your browser transmits data to the respective provider. We have no influence on this processing; please refer to the respective operator's privacy policy.
11. Third-country transfers
In the cases described above (in particular Microsoft, Cloudflare, Google Analytics, Spacemail, Web3Forms, and hCaptcha), your data may be transferred to countries outside the European Economic Area:
United States: covered by the EU-US Data Privacy Framework where
the respective provider is certified (e.g. Microsoft, Cloudflare, and
Google), supplemented by EU Standard Contractual Clauses or other
contractual safeguards where required.
India (Web3Forms): no adequacy decision; when submitting the form,
transfer is based on your explicit consent under Art. 49 (1) (a) GDPR where
suitable safeguards do not apply.
12. Your rights
You have the right at any time to:
Access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), objection to processing based on legitimate interests (Art. 21), and withdrawal of any given consent with effect for the future (Art. 7 (3) GDPR).
Please direct requests informally to [email protected].
Automated decision-making, including profiling within the meaning of Art. 22 GDPR, does not take place.
13. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestraße 2-4
40213 Düsseldorf, Germany
ldi.nrw.de
14. Storage periods
Personal data is deleted as soon as the purpose of processing no longer applies, unless statutory retention obligations (e.g. § 147 AO, § 257 HGB under German law) require otherwise. Where more specific periods are named, those take precedence.
15. Changes to this policy
We adapt this policy when the legal landscape or our offering changes. Please revisit this page occasionally to stay informed.