Privacy Policy
This Privacy Policy explains what personal data is processed when you visit flyt.consulting, for what purpose, on what legal basis, who receives it, and what rights you have under the EU General Data Protection Regulation (GDPR) and German data protection law.
1. Controller
The controller within the meaning of Art. 4 (7) GDPR is:
Matko Smoljan, trading under the business name "Flyt Consulting"
Kolonnenstr. 8
10827 Berlin, Germany
Email: matko@flyt.consulting
Further details are available in the Legal Notice.
2. Data Protection Officer
A Data Protection Officer has not been appointed. The conditions in § 38 (1) BDSG are not met: this is a single-person business that does not, as a rule, employ at least twenty people in the automated processing of personal data, performs no large-scale processing within the meaning of Art. 35 GDPR, does not process special categories of personal data within the meaning of Art. 9 (1) GDPR, and does not engage in commercial processing of personal data for the purpose of transmission, anonymised transmission, or for market or opinion research.
3. Hosting and server logs
This website is hosted by Variable Object Assignment (c/o Knackeriet, Sankt Paulsgatan 25, 118 48 Stockholm, Sweden; Swedish business identifier / personnummer 860201-7611), operating under the brand statichost.eu. The host is a processor within the meaning of Art. 4 (8) and Art. 28 GDPR. Hosting takes place within the European Economic Area (EEA).
When you load a page, your IP address is processed for the technical purpose of delivering the requested content from the server to your browser (HTTP request and response). According to the host's own privacy statement, no personal data related to website visits is stored in server logs.
Legal basis: Art. 6 (1) (f) GDPR. The legitimate interest is the stable and secure provision of the website. In our balancing of interests, your opposing interests, in particular in the protection of your personal data, do not override this interest, because we process only the technical transmission data required to deliver the content.
4. Contact form
When you submit the contact form, we process the data you enter (name, email address and message) together with the date and time of submission, in order to receive and respond to your enquiry.
Providing this data is voluntary; you are under no statutory or contractual obligation to submit it. Without your name and email address we cannot, however, attribute and reply to your enquiry.
Form submissions are transmitted to and stored by Formcarry (Teijal, Inc. d/b/a Formcarry, 3 Germay Dr, Unit 4 #1278, Wilmington, DE 19804, USA) as a processor under Art. 28 GDPR. Submission data is stored in data centres in Frankfurt am Main (Amazon Web Services EU, region eu-central-1).
Formcarry uses the following sub-processors:
- DigitalOcean, LLC (Frankfurt, EU)
- Amazon Web Services, Inc. (Frankfurt, EU; USA for certain operational functions)
- PostHog Inc. (Frankfurt, EU)
- Automattic Inc. / Akismet (USA), used for spam classification
Because Formcarry is a US company, its staff in the United States may access form submission data. This constitutes a transfer to a third country within the meaning of Chapter V GDPR. The transfer is safeguarded by Standard Contractual Clauses (Module Two, Commission Implementing Decision (EU) 2021/914) concluded between us and Formcarry, supplemented by additional technical and organisational measures described in Formcarry's Data Processing Agreement (https://formcarry.com/legal/data-processing-agreement).
Legal basis: Art. 6 (1) (b) GDPR for enquiries directed at a possible contractual engagement (steps prior to entering into a contract at your request), and Art. 6 (1) (f) GDPR for other enquiries (legitimate interest in receiving and responding to messages addressed to us). For processing under Art. 6 (1) (f) GDPR, in our balancing of interests, your opposing interests do not override this interest, because only the minimum data required to handle your enquiry is processed.
Retention: enquiries are kept for as long as necessary to deal with the matter and for any follow-up correspondence. Where a contractual relationship results from an enquiry, the related correspondence is retained for the statutory periods (in particular six years for business letters under § 257 (4) HGB, and eight or ten years for other documents under § 257 HGB and § 147 AO). Enquiries that do not lead to a contractual relationship are deleted no later than twelve months after the last exchange, unless you object earlier.
Formcarry applies an automated spam filter and uses Akismet (Automattic Inc., USA) to classify submissions. A hidden honeypot field is included in the form to block automated bot submissions. Genuine submissions are not affected by this filter. The processing is based on our legitimate interest under Art. 6 (1) (f) GDPR in preventing abuse of the form. In our balancing of interests, your opposing interests do not override this interest, because genuine submissions are not assessed in substance by the spam filter and you can reach us through the other channels named in this policy if a legitimate enquiry is wrongly classified as spam.
5. Web analytics
This website uses Umami, a web analytics service provided by Umami Software, Inc., 1362 42nd Avenue, San Francisco, CA 94122, USA (a Delaware corporation; contact for privacy enquiries: privacy@umami.is), hereinafter "Umami Cloud". Umami acts as a processor under Art. 28 GDPR. Umami Cloud servers operate in the United States and in the European Union.
Umami collects aggregated, anonymised statistics about visits to this website: page URL viewed, referrer URL, browser, operating system, device type, screen size, language, and country (derived from the IP address; the IP address itself is not stored). Umami does not use cookies and stores no information on your end device. Umami does not collect any directly identifying personal data.
Because Umami Software, Inc. is a US company, processing of your data takes place in part in the United States, including the possibility of access under US law (e.g. the CLOUD Act). This transfer to a third country is safeguarded by Standard Contractual Clauses (Module Two, Commission Implementing Decision (EU) 2021/914) concluded with Umami.
Legal basis: Art. 6 (1) (a) GDPR (consent). The storage of, or access to, information on your end device required for loading the analytics script is additionally based on your consent under § 25 (1) TDDDG. Note that Umami itself does not set cookies and stores no information on your end device; we nevertheless rely on your consent as a matter of caution.
Retention: the aggregated statistics collected via Umami are stored indefinitely for ongoing trend analysis. Because no personal data is stored, no personal-data deletion deadlines apply.
Umami is loaded only after you have given consent via the consent banner. Until then, no analytics script is loaded and no analytics data is collected. You can withdraw your consent at any time via the 'Privacy settings' link in the footer of every page. The lawfulness of processing carried out before the withdrawal remains unaffected (Art. 7 (3) sentence 3 GDPR).
6. Local storage in your browser
This website stores the following small items in your browser's localStorage. None of these items leaves your end device or reaches our servers.
- theme: your light or dark mode preference, so the page does not flash on subsequent visits.
- ms:contact-form-draft: a draft of your contact-form input, so you can recover it if you accidentally close the tab. The draft is deleted automatically after seven days or after a successful submission.
- hero-animation-index: a small counter that records which variant of the home-page animation last played, so that on a return visit you see a different variant rather than the same one. Without this entry you would see the same animation on every visit, which many visitors find off-putting; the storage is therefore part of the rendering of the home page you have requested.
- ms:analytics-consent: your consent decision for the web analytics described in section 5 ('granted' or 'denied'). Stored so we do not re-prompt you on every page. Cleared automatically when you withdraw your consent via 'Privacy settings'.
Storage and retrieval of these items is strictly necessary to provide functionality you have expressly requested (loading the website with your chosen settings; preserving an in-progress form; remembering your analytics consent decision so you are not re-prompted on every visit). They are therefore exempt from a consent requirement under § 25 (2) No. 2 TDDDG.
7. External links
This website contains text links to LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland), GitHub (GitHub, Inc., 88 Colin P. Kelly Jr Street, San Francisco, CA 94107, USA, a subsidiary of Microsoft Corporation) and Mastodon (mastodon.world, operated by FediHosting Foundation Stichting, a Dutch non-profit foundation based in Breda, Netherlands; KvK number 92291619). These links are activated only when you click them, and do not load any third-party scripts or images on this site beforehand. Once you follow such a link, your data is processed under the privacy policy of the third-party operator. The Mastodon profile link carries the attribute rel="me" for profile verification; no data is exchanged with mastodon.world unless you visit the profile.
8. Your rights as a data subject
Under the GDPR you have the following rights regarding personal data we process about you:
- Right of access (Art. 15 GDPR): confirmation of whether and how we process data about you, together with a copy of that data.
- Right to rectification (Art. 16 GDPR): correction of inaccurate data, or completion of incomplete data.
- Right to erasure (Art. 17 GDPR): deletion where one of the grounds in Art. 17 applies.
- Right to restriction of processing (Art. 18 GDPR).
- Right to data portability (Art. 20 GDPR): for data you have provided to us based on consent or on a contract, in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR): at any time, on grounds relating to your particular situation, to processing based on Art. 6 (1) (f) GDPR (e.g. the processing for hosting and the spam filter described in sections 3 and 4).
- Right to withdraw consent (Art. 7 (3) GDPR): where processing is based on consent, you may withdraw it at any time. The lawfulness of processing carried out before the withdrawal remains unaffected.
To exercise these rights, contact matko@flyt.consulting. No fee applies unless your request is manifestly unfounded or excessive within the meaning of Art. 12 (5) GDPR.
9. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR). The supervisory authority responsible for us is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin, Germany
10. International data transfers
As explained in sections 4 and 5, the contact-form processor (Formcarry) and the analytics processor (Umami) are US companies. Personal data may therefore be transferred to the United States, a third country within the meaning of Chapter V GDPR. Each transfer is safeguarded by Standard Contractual Clauses (Module Two, Commission Implementing Decision (EU) 2021/914 of 4 June 2021), supplemented by the technical and organisational measures of the respective processor (including encryption in transit and at rest). On request by email to matko@flyt.consulting we will provide you with a copy of the applicable clauses.
11. No automated decision-making
We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR. Formcarry's automated spam classification is not such a decision; if a legitimate enquiry is rejected, you can reach us by email at any time.
12. Children
This website is not directed at children. We do not knowingly collect personal data from persons under 16. If you become aware that a child has provided personal data to us, contact us at matko@flyt.consulting so we can delete it.
13. Data security
This website is delivered exclusively over HTTPS (TLS). The contact form transmits its data to Formcarry over an encrypted connection; Formcarry encrypts submission data at rest with AES-256. The technical and organisational measures of our processors are listed in their respective Data Processing Agreements.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example when our processing, the services we use, or legal requirements change. The current version is identified by the effective date below. Substantial changes will be highlighted at the top of this page for a reasonable period.
15. Language
The German version of this Privacy Policy shall prevail. The English translation is provided for convenience only.
Effective: 21 May 2026