Privacy Policy

1. Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Simon Maximilian Heistermann
Mutter-Teresa-Weg 6, 46325 Borken, Germany
Email: simon@heistermann-solutions.de

2. Data Protection Officer

We are not legally required to appoint a data protection officer pursuant to § 38 of the German Federal Data Protection Act (BDSG). For any data protection inquiries, please contact us directly at simon@heistermann-solutions.de.

3. Data We Collect

We process personal data that you provide to us or that is automatically collected when you use our website.

3.1 Contact Form Data

When you submit a contact form, we collect the following information:

  • Full name and email address
  • Inquiry type (project, collaboration, or general)
  • Your message
  • For collaboration inquiries: collaboration type and organization (optional)
  • Consent confirmation (privacy policy and terms acceptance with timestamp)

3.2 Protected Content Access

Certain areas of this website are protected by access codes. When you enter an access code, it is transmitted to our database for verification. However, no personal data (such as your identity or IP address) is stored in connection with the code verification.

Your access code and the list of unlocked pages are stored exclusively in your browser's local storage. This data never leaves your device after the initial verification.

3.3 Technical Data

When you visit our website, the following data is automatically collected by our hosting provider:

  • IP address
  • Browser type and version
  • Operating system
  • Date, time, and duration of access
  • Referring URL
  • Pages visited

3.4 Analytics Data

This website uses Plausible Analytics, a privacy-friendly analytics tool based in the EU. Plausible does not use cookies, does not collect personal data, and does not track users across websites. All data is aggregated and anonymous. No cookie consent is required.

3.5 Email Communication Data

When you submit a contact form, a notification email is sent via our email service provider. Logged data includes: recipient email address, email template used, delivery status, and timestamps.

4. Purposes and Legal Basis

We process your personal data for the following purposes and on the following legal bases:

Purpose                      | Legal Basis
-----------------------------|------------------------------------------------------------------
Contact form processing      | Art. 6(1)(b) GDPR — pre-contractual measures at your request
Email notifications          | Art. 6(1)(f) GDPR — legitimate interest in effective communication
Website hosting & security   | Art. 6(1)(f) GDPR — legitimate interest in operating a secure website
Analytics (anonymous)        | Art. 6(1)(f) GDPR — legitimate interest in understanding website usage
Protected content access     | Art. 6(1)(b) GDPR — necessary for service provision

5. Third-Party Processors

We use the following third-party service providers to operate our website. Each processor has entered into a Data Processing Agreement (DPA) with us in accordance with Art. 28 GDPR.

Vercel Inc.

San Francisco, California, USA

Purpose: Website hosting and content delivery network (CDN).

Data processed: Technical access data (IP address, request logs).

Supabase Inc.

San Francisco, California, USA

Purpose: Database hosting for contact form submissions and access code verification.

Data processed: Contact form data (name, email, message, timestamps).

Resend

San Francisco, California, USA

Purpose: Transactional email delivery (contact form notifications).

Data processed: Recipient email address, email content, delivery metadata.

Plausible Analytics

EU (Estonia)

Purpose: Privacy-friendly, cookie-free website analytics.

Data processed: Aggregated, anonymous usage data only. No personal data.

6. International Data Transfers

Our third-party processors Vercel, Supabase, and Resend are based in the United States. Data transfers to the US are conducted on the following legal bases:

  • EU-US Data Privacy Framework (DPF): The European Commission has adopted an adequacy decision for the EU-US Data Privacy Framework (Commission Implementing Decision of 10 July 2023). Our processors are certified under the DPF, which ensures an adequate level of data protection.
  • Standard Contractual Clauses (SCCs): As an additional safeguard, we have entered into Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR with our processors.

Plausible Analytics is based in the EU. No international data transfer occurs for analytics data.

7. Cookies and Similar Technologies

This website does not use cookies. No cookie consent banner is required or displayed.

We use your browser's localStorage to store the following data locally on your device:

  • Theme preference (light/dark mode)
  • Access code and unlocked pages for protected content
  • Contact form rate limiting data

This data never leaves your browser and is not transmitted to our servers. You can clear it at any time through your browser settings.

8. Retention Periods

We retain your personal data only as long as necessary for the purposes for which it was collected:

Data Category                  | Retention Period
-------------------------------|----------------------------------------------------------
Contact form submissions       | 12 months from submission, or upon deletion request
Email delivery logs            | 12 months
Server/access logs (Vercel)    | Per hosting provider policy (typically 30 days)
Analytics data (Plausible)     | Aggregated and anonymous — retained indefinitely
localStorage data              | Until you clear your browser data

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) — You may request confirmation of whether we process your personal data and, if so, obtain a copy of that data.
  • Right to rectification (Art. 16 GDPR) — You may request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17 GDPR) — You may request deletion of your data, subject to legal retention obligations.
  • Right to restriction (Art. 18 GDPR) — You may request restriction of processing in certain circumstances.
  • Right to data portability (Art. 20 GDPR) — You may request your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21 GDPR) — You may object to processing based on legitimate interests at any time, for reasons related to your particular situation.
  • Right to withdraw consent (Art. 7(3) GDPR) — Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at simon@heistermann-solutions.de. We will respond within one month of receiving your request.

10. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent supervisory authority for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Postfach 20 04 44
40102 Düsseldorf, Germany
Website: www.ldi.nrw.de

11. Automated Decision-Making

We do not use fully automated decision-making, including profiling, within the meaning of Art. 22 GDPR.

12. Obligation to Provide Data

Contact form: Providing your name, email address, and message is necessary for us to respond to your inquiry. If you do not provide this data, we cannot process your request.

Protected content: Providing a valid access code is necessary to view protected content areas.

13. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. Minor corrections or clarifications may take effect immediately. The “Last updated” date below reflects the most recent revision.

14. Severability

Should any provision of this privacy policy be held invalid or unenforceable, the remaining provisions shall remain in full force and effect. Any invalid provision shall be replaced by a valid provision that comes closest to the intent of the original.

Last updated: February 2026