Privacy Policy

Effective May 2026 · Applies to aunomo.com


§ 1 Controller

The controller within the meaning of the General Data Protection Regulation (GDPR / DSGVO) and other national data-protection laws and regulations is:

Patrick Schad · Aunomo
Adalbertstraße 56
80799 München
Germany
Email: hi@aunomo.com
Phone: +49 151 57881941

§ 2 Principles of Data Processing

Protecting your personal data is a serious concern for us. We collect, process, and use your data exclusively in accordance with the GDPR, the German Federal Data Protection Act (BDSG), and other applicable data-protection regulations.

This website uses Google Analytics 4 (GA4) for statistical reach analysis. Processing only takes place after your explicit consent via the cookie banner (see § 8). Without consent, no data is transferred to Google. We do not use marketing pixels or social-media widgets. Personal data is additionally collected when you use the contact form or contact us by email.

§ 3 Contact and Inquiry Form

This website provides a contact form through which you can submit a non-binding inquiry. When using this form the following personal data is collected:

  • Name (required)
  • Email address (required)
  • Company name (required)
  • Area – Engineering, Consulting, or General (required)
  • Description of your inquiry / use case (required)
  • Your browser user-agent (for spam protection, truncated to 200 characters)

Purpose of processing

The data is used solely to handle your inquiry and to make contact regarding a potential consulting or engineering engagement.

Legal basis

Processing is based on Art. 6(1)(b) GDPR (processing necessary to take steps prior to entering into a contract) and Art. 6(1)(f) GDPR (legitimate interest in responding to business inquiries).

Storage and deletion

Your inquiry data is stored in a secured database (see § 5). Once the matter is concluded — i.e. no engagement materializes, or after the full completion of an engagement — the data is deleted at the latest after six years, unless statutory retention obligations (in particular § 147 AO, § 257 HGB) require longer retention. Earlier deletion is granted on request, provided no statutory retention obligation applies.

Spam protection (honeypot)

The contact form contains a required field that is invisible to human users (a "honeypot"). This field is filled in by automated bots but not by real users. If the field is filled, the inquiry is silently discarded without storing any data. This is a purely technical measure that does not collect or process personal data.

§ 4 Bot Protection: Cloudflare Turnstile

To protect the contact form against automated abuse we use Cloudflare Turnstile — a privacy-friendly CAPTCHA system from Cloudflare, Inc. (101 Townsend St., San Francisco, CA 94107, USA).

Cloudflare Turnstile analyzes user behavior in the browser without showing a visible puzzle or image challenge. Technical signals (browser information, timestamps, interaction patterns) are transmitted to Cloudflare. No tracking cookies are set and no persistent user profiles are created.

Data transfer to the USA is based on the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). Cloudflare is certified under the EU-U.S. Data Privacy Framework. Legal basis for the processing is Art. 6(1)(f) GDPR (legitimate interest in form security).

Cloudflare Privacy Policy: cloudflare.com/privacypolicy

§ 5 Data Storage: Supabase

Data submitted through the contact form is stored in a PostgreSQL database operated via Supabase (Supabase, Inc., 970 Toa Payoh North, Singapore; European infrastructure). Data is stored exclusively on European servers (region: eu-central-1 / Frankfurt, Germany).

Database access is protected by Row-Level Security (RLS): write access for the form is allowed without authentication (anonymous insert), read access is only allowed with authentication. Your data is not publicly visible.

Legal basis: Art. 6(1)(b) GDPR (steps prior to contract) in conjunction with Art. 28 GDPR (data processing on behalf of the controller). A Data Processing Agreement (DPA) is in place with Supabase.

Supabase Privacy Policy: supabase.com/privacy

§ 6 Server Logs and Hosting

This website is hosted by Vercel, Inc. (340 Pine Street, Suite 700, San Francisco, CA 94104, USA). When the website is accessed, technical access data is automatically recorded in server log files:

  • IP address (anonymized)
  • Date and time of access
  • Name of the requested resource
  • Browser type and version (user agent)
  • HTTP status code

This data is processed to ensure smooth operation and detect attacks (Art. 6(1)(f) GDPR). Logs are automatically deleted after a maximum of 30 days. A Data Processing Agreement (DPA) is in place with Vercel.

§ 7 Cookies

This website distinguishes between strictly necessary cookies and opt-in cookies for statistical analysis.

Strictly necessary cookies (no consent)

  • NEXT_LOCALE: Stores your language preference (German / English). Retention: up to 12 months. Legal basis: Art. 6(1)(f) GDPR in conjunction with § 25(2)(2) TTDSG (strictly necessary).
  • aunomo_consent: Stores your choice in the cookie banner (accept or decline). Retention: 12 months. Legal basis: Art. 6(1)(c) GDPR (legal obligation to document consent).

Statistics cookies (consent only)

  • _ga: Google Analytics 4 — distinguishes individual visitors via an anonymous identifier. Retention: 2 months (shortened from the default via our GA configuration). Legal basis: Art. 6(1)(a) GDPR + § 25(1) TTDSG (consent).
  • _ga_<ID>: Google Analytics 4 session ID. Retention: 2 months. Legal basis: Art. 6(1)(a) GDPR + § 25(1) TTDSG.

You can withdraw your consent at any time via the "Cookie settings" link in the footer, with future effect.

§ 8 Web Analytics: Google Analytics 4

This website uses Google Analytics 4 (GA4), a web-analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) and Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).

Purpose of processing

Pseudonymized statistical reach analysis: we want to understand which content is relevant to our visitors so we can continuously improve the site. No cross-device profiling, no linking with advertising accounts, and no transfer to Google Ads occurs.

Data collected

  • Anonymized IP address
  • Browser type and version, device information, screen resolution
  • Visited URLs, time on page, click paths, referrer
  • Approximate location (country / region) inferred from IP
  • Anonymous device / session ID (cookies _ga and _ga_<ID>)

Legal basis

Art. 6(1)(a) GDPR (consent) in conjunction with § 25(1) TTDSG. You can withdraw consent at any time via the "Cookie settings" link in the footer, with future effect. The lawfulness of processing carried out before withdrawal is not affected.

Retention

The GA4 property is configured to the shortest possible retention option of 2 months. Event-level data is automatically deleted after that period. The lifetime of the _ga and _ga_<ID> cookies is also shortened server-side to 2 months (Google's default would be 24 months).

Data transfer to the USA

A transfer of data to the USA cannot be ruled out. Google is certified under the EU-U.S. Data Privacy Framework (EU Commission decision of 10 July 2023). Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR are in place with Google Ireland, as is a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR.

Browser opt-out

You can additionally prevent Google Analytics from collecting data by installing the browser add-on at tools.google.com/dlpage/gaoptout.

Google's privacy policy: policies.google.com/privacy

§ 9 Your Rights as a Data Subject

You have the following data-protection rights:

Access (Art. 15 GDPR)

You may request information about the data stored about you, its origin, recipients, and the purpose of processing.

Rectification (Art. 16 GDPR)

You have the right to have incorrect or incomplete data corrected.

Erasure (Art. 17 GDPR)

You may request deletion of your data, provided no legal retention obligation exists.

Restriction of processing (Art. 18 GDPR)

Under certain conditions you may request that processing of your data be restricted.

Data portability (Art. 20 GDPR)

You have the right to receive data concerning you in a structured, common format.

Objection (Art. 21 GDPR)

You may object at any time to processing based on Art. 6(1)(f) GDPR.

Withdrawal of consent (Art. 7(3) GDPR)

Where processing is based on your consent, you may withdraw it at any time with future effect.

To exercise your rights, please contact: hi@aunomo.com

§ 10 Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data-protection supervisory authority about the processing of your personal data. The competent authority for Bavaria is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Web: www.lda.bayern.de

§ 11 Updates and Changes

We reserve the right to update this Privacy Policy when data-processing practices or legal requirements change. The current version is available at aunomo.com/datenschutz. Please check the current version regularly.