Privacy Policy
1. Data Controller & Overview
Data Controller under GDPR:
Ingmar Konnow
Rudolf-Leonard-Str. 4
01097 Dresden Germany
Phone: +49 (0)173 9087237
Email: ingmar@konnow.de
Last Updated: 23 August 2025
2. Types of Data Collected
This website processes personal data only to the extent necessary to provide the website, ensure operational security, and communicate upon your request. We currently process:
- Server and log data (IP address, timestamps, referrer, user agent) to ensure technical operation
- Communication data that you actively provide (e.g., email address, name, content of your message) when you contact us
- Contract and project data in the context of individual engagements outside this website
We do not operate user registration, a comment function, or marketing tracking tools on this website. Detailed information on specific processing activities is provided in the relevant sections of this policy.
Special Categories of Data: This website does not intentionally collect any special categories of personal data (such as health information, racial or ethnic origin, political opinions, religious or philosophical beliefs).
Children's Privacy: Our website is not directed at individuals under 16. We do not collect data from children via this website. In the context of teaching activities (private school, grade 9 and above), any processing of student data is carried out solely under the responsibility of the respective school; no student data is processed via this website.
3. Methods and Place of Processing
Processing Methods
The Data Controller takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data. Data processing is carried out using computers and/or IT-enabled tools, following organizational procedures and modes strictly related to the purposes indicated.
In addition to the Data Controller, in some cases, the Data may be accessible to certain types of persons involved with the operation of this Website (administration, legal, system administrators) or external parties (such as third-party technical service providers, hosting providers).
Place of Processing
The Data is processed at the Data Controller's operating offices and in any other places where the parties involved in the processing are located.
Server Location: Germany (Ghost CMS instance at Hetzner Online GmbH)
Depending on the User's location, data transfers may involve transferring the User's Data to a country other than their own. To learn more about the place of processing of such transferred Data, Users can check the section containing details about the processing of Personal Data.
4. Hosting Provider
Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen Germany
Legal Basis: Art. 6(1)(f) GDPR (Legitimate Interests)
We use Hetzner for:
- Server infrastructure
- Network security
- Data storage
Additionally, we operate self-managed services at Hetzner such as RustDesk (rendezvous/relay server for remote support) and Nextcloud.
Processed data includes:
- IP addresses
- Access timestamps
- Request technical metadata
Data Processing Agreement: An agreement is in place.
Server Location: Germany (Ghost CMS instance)
Technical and Organizational Measures: Hetzner implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including regular security audits and access controls.
5. Data Processing Activities
Server Logs & Security
Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in secure provision of the website)
Processed data:
- IP address
- User agent (browser/version, OS)
- Referrer URL
- Date/time of request
- Requested resource and status code
Purpose: Provision of the website and maintenance of stability and security (abuse detection, troubleshooting)
Storage Duration: 30 days
Note: We do not currently perform reach measurement or marketing tracking.
User Accounts (currently not active)
User registration is not available on this website; accounts are not operated at this time.
Comments (currently not active)
A comment function is not enabled on this website.
IT Administration & Remote Support (RustDesk, self-hosted)
Legal Bases:
- Art. 6(1)(b) GDPR (contract/contract-like trust for support services)
- Art. 6(1)(f) GDPR (legitimate interests of the customer in issue resolution), where we act as an independent controller
- When acting as a processor: Art. 28 GDPR together with a Data Processing Agreement (DPA) with the customer
Description: Remote support and IT administration via RustDesk. The rendezvous/relay servers used for this are operated exclusively on servers of Hetzner Online GmbH in Germany.
Data Processed:
- Connection and session metadata (e.g., timestamps, pseudonymous session IDs, source/destination IP, technical event logs)
- Content visible during the session (screen view, possibly cursor/input), only transiently to fulfill the specific support purpose
- We do not create screenshots, screen recordings, or logs of screen contents
Security: Transport encryption (TLS), hardened servers (e.g., firewall/port rules, Fail2Ban, reverse proxy), access secured with two-factor authentication; devices used are protected by biometrics/PIN. See “Technical Security Measures” for details.
Retention:
- Session contents: not stored
- Connection metadata: generally aligned with server logs, typically 30 days (security/troubleshooting, proof of service delivery)
Role & DPA: We typically act as a processor. A DPA is provided on request and concluded before service delivery.
Collaboration & Data Synchronization (Nextcloud, self-hosted)
Legal Bases: Art. 6(1)(b) GDPR (contract/project execution); Art. 6(1)(f) GDPR (legitimate interest in secure collaboration), where applicable; when processing on behalf: Art. 28 GDPR (DPA)
Purpose: Exchange of project data; synchronization of calendars, files, emails, and contacts as part of collaboration.
Server Location: The Nextcloud instance is operated at Hetzner in Germany.
Data Processed (depending on use): Files and file metadata, communication contents, contact and calendar data, access logs.
Security: Access exclusively via TLS; user accounts with two-factor authentication; server hardening and backup strategy as per “Technical Security Measures”.
Retention: Project and contract data are processed until the purpose is fulfilled and/or in line with statutory retention periods. Backups are retained for a maximum of 90 days.
Role & DPA: Where we process data on behalf of a customer, a DPA pursuant to Art. 28 GDPR is concluded.
Payments & Donations (Stripe)
Legal Bases:
- Art. 6(1)(b) GDPR (contract/payment processing and issuing payment documents)
- Art. 6(1)(c) GDPR (statutory retention and record-keeping obligations, e.g., tax/commercial law)
- Art. 6(1)(f) GDPR (legitimate interests in fraud prevention and securing payment transactions)
Description: Processing donations/payments via Stripe. We do not store full payment details (e.g., full card numbers). Payments are handled by Stripe, which processes technical and billing-related data.
Data Processed:
- Identity and contact data (name, email, and, where needed, address for invoices/donation receipts)
- Transaction data (amount, currency, date/time, payment status, transaction/payment ID)
- Technical payment data (payment token, card brand and last 4 digits, fingerprinting/security attributes)
Recipients: Stripe Payments Europe, Limited (Ireland) and affiliated Stripe entities (incl. Stripe, Inc., USA) as well as involved banks/payment service providers.
Third-country transfers: Transfers to third countries (in particular the USA) may be necessary. In such cases, Stripe implements appropriate safeguards (e.g., EU Standard Contractual Clauses and/or participation in the EU‑US Data Privacy Framework). Details: see Stripe’s privacy notice.
Cookies: When using Stripe, strictly necessary cookies and similar technologies may be set for security and payment purposes.
Retention: Payment and invoicing data are retained for up to 10 years to meet statutory retention obligations (tax/commercial). Stripe’s own retention periods also apply.
Responsibilities: For certain processing (e.g., fraud prevention, regulatory reviews), Stripe acts as an independent controller. More info: https://stripe.com/privacy
6. Technical Security Measures
We implement:
- Periodic security reviews and vulnerability scans, where appropriate
- Two-factor authentication for admin access
- Daily backups with secure off-site storage
- Automatic security updates for all system components
- Intrusion detection and prevention systems
- Ongoing security awareness for individuals with system access
- Server hardening using firewall and strict port rules
- Fail2Ban on publicly reachable services
- TLS/SSL encryption via reverse proxy (nginx-proxy)
- Device and app protection: device biometric lock and two-factor authentication in RustDesk and Nextcloud
Incident Response: We maintain a comprehensive incident response plan to quickly address any potential data breaches. In the event of a personal data breach, we will notify affected users and relevant supervisory authorities within 72 hours, as required by GDPR Article 33.
7. Data Retention
Personal Data is stored for the following periods:
- Server Logs: 30 days (security and troubleshooting purposes)
- Backup Data: Maximum of 90 days (disaster recovery)
- Payment and invoicing data: Up to 10 years (statutory retention obligations under tax/commercial law)
Personal data will be deleted when:
- The purpose for which it was collected no longer exists
- Legal retention periods have expired
- Consent has been withdrawn
- The data subject has exercised their right to erasure
Unless specified otherwise in this document, Personal Data shall be processed and stored for as long as required by the purpose they have been collected for.
Data Minimization: We follow the principle of data minimization, collecting and retaining only the personal data that is necessary for the specified purposes.
8. Purposes of Processing
The Data concerning the User is processed to allow the Owner to provide its services and for the following purposes:
- Providing the website and its functions
- Communicating upon request (email/phone)
- Compliance with legal obligations
- Protection against misuse, unauthorized access, and cyber threats
- Performing contracts in the context of individual engagements (outside this website)
Each purpose is tied to specific legal bases as outlined in the respective sections of this privacy policy.
9. Cookie Policy and Consent Management
We currently set only strictly necessary cookies required for the operation and security of the website. No preference, analytics, or marketing cookies are used.
Ghost CMS (necessary cookies)
These cookies support secure delivery of the website (e.g., session handling, CSRF protection, cache-bypass). Legal bases: ePrivacy/TTDSG Section 25(2) (strictly necessary access) and GDPR Art. 6(1)(f) (legitimate interests in secure operation).
Ghost Members & Portal (currently not active)
If memberships are activated, Ghost sets necessary authentication/session cookies to log members in and allow access to protected content. Legal bases: ePrivacy/TTDSG Section 25(2); GDPR Art. 6(1)(b) (contract performance) and, where applicable, Art. 6(1)(f) (legitimate interest in secure authentication).
Stripe (Payments/Donations)
When you initiate a payment, Stripe may set strictly necessary cookies and similar technologies for fraud prevention and payment processing (e.g., session/security cookies). These are only set in connection with payment processing. Legal bases: ePrivacy/TTDSG Section 25(2); GDPR Art. 6(1)(b) (payment processing) and Art. 6(1)(f) (fraud prevention). See “Payments & Donations (Stripe)” for recipients/third-country transfers.
Admin area
Ghost backend cookies affect administrators only and are not set during normal page views.
Consent Banner: Because only strictly necessary cookies are used at this time, a consent banner is not required. If optional cookies (e.g., analytics/marketing) are introduced in the future, we will implement a consent management platform (CMP) with granular consent and update this policy.
Cookie Settings & Details: See our Cookie Policy.
10. Third Country Transfers
Apart from the processing described under “Payments & Donations (Stripe)”, we currently do not use services that require transfers of personal data to third countries. If services outside the EU/EEA are used in the future, we will ensure an adequate level of data protection (e.g., EU Standard Contractual Clauses) and inform you in this policy.
Google Fonts
Legal Basis: Art. 6(1)(f) GDPR (Legitimate Interests)
We use Google Fonts to display consistent typography across our website. Google may process your IP address when you access our website. We have implemented Google Fonts locally to minimize data transfer to Google's servers.
OpenStreetMap
Data transfer to the United Kingdom is based on the fact that the United Kingdom is considered a secure third country under data protection law.
RustDesk (self-hosted at Hetzner)
Server location Germany; when using our own rendezvous/relay servers, no third-country transfer takes place.
Nextcloud (Hetzner)
Server location Germany; no third-country transfer takes place.
11. Your Rights under GDPR
You have the right to:
- Access your stored personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erasure ("right to be forgotten", Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
How to Exercise Your Rights:
- Send an email to admin@ingmar.konnow.de with your specific request
- Provide sufficient information to identify yourself
- Clearly state which right you wish to exercise
- We will respond to your request within 30 days
Complaints: If you believe that our processing of your personal data infringes data protection laws, you have the right to lodge a complaint with a supervisory authority. You can lodge a complaint in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
Contact for data protection inquiries: admin@ingmar.konnow.de
Withdrawal of Consent
You can withdraw any consent you have given us at any time with future effect. The withdrawal can be made informally, for example by email to:
Sample withdrawal text:
Subject: Withdrawal of Consent
Dear Sir or Madam,
I hereby withdraw my consent to the processing of my personal data according to your privacy policy dated [insert date].
Yours sincerely,
[Your name]
[Your address, if necessary]
The lawfulness of data processing carried out until the withdrawal remains unaffected.
12. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes to our practices or for other operational, legal, or regulatory reasons. For any material changes, we will post a notice on our website.
The date of the latest revision is indicated at the top of this privacy policy. We encourage you to review this privacy policy periodically to stay informed about how we protect your personal information.
13. Contact
For general inquiries, please contact us at: admin@ingmar.konnow.de
14. Legal Basis
Our privacy practices comply with GDPR and other relevant data protection laws. This privacy policy has been prepared with consideration of the guidelines from the European Data Protection Board and applicable data protection authorities.
15. Data Processing (Art. 28 GDPR)
Where we process personal data on behalf of customers (e.g., during remote support/IT administration via RustDesk or when using our Nextcloud instance for project delivery), we act as a processor within the meaning of Art. 28 GDPR.
Data Processing Agreement (DPA):
- We provide a DPA on request.
- The DPA specifies, among other things, the subject matter and duration of processing, the nature and purpose of processing, the types of personal data and categories of data subjects, the obligations and rights of the controller, and our technical and organizational measures (TOM).
- Subprocessors are limited to necessary infrastructure providers (in particular, Hetzner Online GmbH). A list of subprocessors is available on request.
Technical and Organizational Measures (TOM): Summary in the “Technical Security Measures” section. Detailed TOM are provided with the DPA.
Place of Processing: Generally Germany; in particular, RustDesk servers and the Nextcloud instance are operated at Hetzner Online GmbH in Germany.