This is a courtesy translation. Only the German version is legally binding.
Privacy Policy
§ 1 Controller
The controller within the meaning of the Datenschutz-Grundverordnung (DSGVO) is:
Thomas Dimashki
Thomas Dimashki Digital Services
c/o Autorenglück #74480
Albert-Einstein-Straße 47
02977 Hoyerswerda
Germany
Email: contact@selixweb.io
Phone: +49 1512 957 0277
Website: https://selixweb.io
§ 2 Hosting and Infrastructure
2.1 Supabase (Hosting, Authentication, Database)
We use the services of Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992 / USA, for hosting our website, user authentication, and data storage.
- Purpose: Website hosting, user authentication, data storage
- Legal basis: Art. 6 Abs. 1 lit. b DSGVO (performance of contract)
- Data categories: Account data (email address, name), authentication data (login timestamps, tokens), application data (usage-related data in the context of contract performance)
- Third-country transfer: USA — on the basis of Standard Contractual Clauses (SCCs) pursuant to Art. 46 Abs. 2 lit. c DSGVO and the EU-US Data Privacy Framework pursuant to Art. 45 Abs. 1 DSGVO
- Retention period: For the duration of the contractual relationship; upon termination of the contract, deletion in accordance with our retention policy (see § 11)
2.2 Cloudflare (CDN, DNS, Turnstile)
We use the services of Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA, for content delivery, DNS resolution, DDoS protection, and bot protection (Cloudflare Turnstile).
- Purpose: Content delivery, DDoS protection, bot protection
- Legal basis: Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in the security and performance of our website)
- Data categories: IP addresses, HTTP headers, request data (transient processing)
- Third-country transfer: USA — on the basis of Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework
- Retention period: Transient processing; log data is stored for a maximum of 24 hours
2.3 Contact and Expression of Interest
When you contact us via our contact form, by email, or via the expression of interest form (Letter of Intent), the data you submit is processed and stored for the purpose of handling your enquiry.
- Purpose: Processing of contact enquiries and expressions of interest, pre-contractual measures
- Legal basis: Art. 6 Abs. 1 lit. b DSGVO (implementation of pre-contractual measures at the request of the data subject), or Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in responding to contact enquiries) for general enquiries
- Data categories: Name, email address, telephone number (if provided), message content; for expressions of interest additionally: company data, desired plan, billing period
- Retention period: 6 months after completion of the handling of the enquiry (see § 11); where the enquiry leads to a contractual relationship, for the duration of the contract plus statutory retention periods
2.4 Registration and Account Creation
Upon registration for a customer account, we collect the data necessary for account creation. Authentication is handled via Supabase (see 2.1).
- Purpose: Account creation, authentication, provision of the customer dashboard
- Legal basis: Art. 6 Abs. 1 lit. b DSGVO (performance of contract)
- Data categories: Email address, name, password (hashed), login timestamps, IP address upon login
- Retention period: For the duration of the contractual relationship; account data is permanently deleted 30 days after account deletion (see § 11)
§ 3 Payment Processing
3.1 Stripe
For the processing of payments in connection with our subscription services, we use the payment service provider Stripe Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA.
- Purpose: Processing payments for subscription services
- Legal basis: Art. 6 Abs. 1 lit. b DSGVO (performance of contract)
- Data categories: Payment data (credit card number or bank account details — these are processed exclusively by Stripe), billing address, transaction history
- Third-country transfer: USA — on the basis of Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework; Stripe is also PCI DSS certified
- Retention period: Transaction data is stored pursuant to § 147 AO for the duration of the applicable tax retention periods (8–10 years, see § 11)
§ 4 Web Analytics
4.1 Umami (Self-hosted, EU)
We use Umami as a privacy-friendly analytics tool. Umami is operated by us on servers within the European Union.
- Purpose: Collection of anonymised website usage statistics without personal identification
- Legal basis: Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in analysing website usage)
- Data categories: Anonymised page views, referrers, device types. No cookies are set, no personal data is collected, and no cross-site tracking is carried out.
- Third-country transfer: None (self-hosted in the EU)
- Retention period: 24 months
- Note: Umami is loaded without prior consent, as no consent-requiring data is processed.
4.2 Google Analytics 4 (GA4)
We use Google Analytics 4, a web analytics service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
- Purpose: Website usage analysis, conversion tracking
- Legal basis: Art. 6 Abs. 1 lit. a DSGVO (consent via consent management platform)
- Data categories: Page views, session data, IP address (automatically anonymised server-side)
- Third-country transfer: USA — on the basis of Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework
- Retention period: 26 months
- Note: Google Analytics is loaded only upon consent via our consent management platform (CCM19). Without consent, no data collection by GA4 takes place.
§ 5 Consent Management
5.1 CCM19
We use the consent management platform CCM19 of Papoo Software & Media GmbH, Auguststr. 4, 53229 Bonn, Germany, to manage cookie consents pursuant to § 25 TDDDG.
- Purpose: Management and documentation of cookie consents pursuant to § 25 TDDDG
- Legal basis: Art. 6 Abs. 1 lit. c DSGVO (fulfilment of a legal obligation)
- Data categories: Consent decisions, consent ID, timestamps
- Third-country transfer: None (hosting in Germany)
- Retention period: For the duration of the validity of the respective consent
§ 6 Cookies and Storage Technologies
6.1 Necessary Cookies (Essential)
The following cookies are technically necessary for the operation of the website and are set without consent:
| Cookie | Purpose | Retention period |
|---|---|---|
| Session cookies | Maintaining the user session | End of session |
| CSRF token | Protection against cross-site request forgery | End of session |
| CCM19 consent cookie | Storing your consent decisions | 12 months |
6.2 Statistics Cookies (Consent Required)
The following cookies are only set after consent has been given via CCM19:
| Cookie | Provider | Purpose | Retention period |
|---|---|---|---|
| _ga | Google LLC | Distinguishing users in GA4 | 2 years |
| _ga_* | Google LLC | Storing session state in GA4 | 2 years |
6.3 Umami
Umami sets no cookies and stores no data on the user's device.
§ 7 Transactional Emails
7.1 Migadu
For sending transactional emails (confirmations, notifications), we use the email service Migadu, Route des Arsenaux 41, 1700 Fribourg, Switzerland.
- Purpose: Sending transactional emails (order confirmations, account notifications)
- Legal basis: Art. 6 Abs. 1 lit. b DSGVO (performance of contract)
- Data categories: Email addresses, email content
- Third-country transfer: Switzerland — adequacy decision of the European Commission pursuant to Art. 45 Abs. 1 DSGVO; hosting in the EU
- Retention period: In accordance with our email retention policy
§ 8 Error Tracking and Monitoring
8.1 Grafana Cloud / Loki / Tempo
We use the services of Grafana Labs, 3 World Trade Center, 175 Greenwich Street, New York, NY 10007, USA, for server log aggregation and performance monitoring.
- Purpose: Server log aggregation, performance monitoring
- Legal basis: Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in operational security and performance monitoring)
- Data categories: Server logs (may contain IP addresses), performance traces
- Third-country transfer: EU region (Grafana Cloud EU); processing takes place within the European Union
- Retention period: 7 days for logs, 30 days for traces
§ 9 Rights of Data Subjects
You have the following rights with regard to your personal data:
- Right of access (Art. 15 DSGVO)
- Right to rectification (Art. 16 DSGVO)
- Right to erasure (Art. 17 DSGVO)
- Right to restriction of processing (Art. 18 DSGVO)
- Right to data portability (Art. 20 DSGVO)
- Right to object (Art. 21 DSGVO)
- Right to withdraw consent granted, with effect for the future (Art. 7 Abs. 3 DSGVO)
To exercise your rights, please contact: contact@selixweb.io
§ 10 Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the DSGVO (Art. 77 DSGVO).
The supervisory authority responsible for us is:
Der Sächsische Datenschutz- und Transparenzbeauftragte (SDTB)
Devrientstraße 5
01067 Dresden
https://www.saechsdsb.de
§ 11 Retention Periods and Deletion
We store personal data only for as long as necessary for the respective processing purposes or as required by statutory retention obligations. The following specific periods apply:
| Data category | Retention period | Legal basis |
|---|---|---|
| Contact enquiries | 6 months after completion of handling | Art. 6 Abs. 1 lit. f DSGVO |
| Account data after deletion | 30 days | Art. 6 Abs. 1 lit. f DSGVO |
| Invoices and accounting records | 8 years | § 147 Abs. 3 Nr. 4 AO |
| Annual financial statements | 10 years | § 147 Abs. 3 Nr. 1 AO |
| Business correspondence | 6 years | § 147 Abs. 3 Nr. 2–3 AO |
| Server logs | 7 days | Art. 6 Abs. 1 lit. f DSGVO |
| GA4 analytics data | 26 months | Art. 6 Abs. 1 lit. a DSGVO |
| Umami analytics data | 24 months | Art. 6 Abs. 1 lit. f DSGVO |
After expiry of the respective retention period, data is routinely deleted, unless it continues to be required for the performance of the contract or for compliance with statutory retention obligations.
§ 12 Automated Decision-Making
No automated decision-making including profiling pursuant to Art. 22 DSGVO takes place.
