Privacy Policy

Last updated: April 2026

1. Privacy at a Glance

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you.

2. Responsible Party

The person responsible for data processing on this website is Harald Schwankl. Details can be found in the legal notice.

3. Data Collection on This Website

Data processing on this website is carried out by the website operator. When you visit this website, technical information is automatically collected (server log files). This data is only required to provide the website.

4. Your Rights

You have the right to free information about your stored personal data, its origin and recipients, and the purpose of data processing, as well as the right to correction or deletion of this data at any time.

5. Hosting

This website is hosted on an IONOS VPS in Germany. The provider is IONOS SE. Details on data protection can be found in the IONOS privacy policy.

6. Legal Basis (Art. 6 GDPR)

The processing of personal data on this website is based on the following legal grounds:

- Consent (Art. 6(1)(a) GDPR): For cookie consent, newsletter subscription, and use of AI demos.
- Contract Performance (Art. 6(1)(b) GDPR): For processing contact inquiries and project execution.
- Legitimate Interest (Art. 6(1)(f) GDPR): For website analysis, ensuring IT security, and spam protection.

7. Data Retention Periods

We store your personal data only as long as necessary for the respective purpose:

- Contact inquiries: 6 months after completion of the inquiry
- Chat logs (AI demos): 24 hours, then automatically deleted
- Demo uploads (RAG): 24 hours, then automatically deleted
- Server logs: 30 days
- Cookies: Session cookies until browser is closed, consent cookie 1 year
- Outgoing emails (IONOS mailboxes info@ and noreply@schwankl.info): archived via the audit-safe IONOS email archive in line with German commercial and tax retention rules (§ 147 AO, § 257 HGB — 6 to 10 years depending on classification as business letter or accounting record). Copies outside the retention period are deleted.

8. Third-Party Providers and Data Processors

We use the following third-party providers and data processors. Data Processing Agreements (DPA) have been concluded with all listed providers in accordance with Art. 28 GDPR.

- IONOS SE — Web hosting (VPS) — Location: Germany (Karlsruhe). Processes: server logs, anonymized IP addresses.
- Supabase Inc. (EU operations: Supabase EU B.V., Netherlands) — Database, Authentication — Infrastructure location: Frankfurt, EU. Processes: all data entered via contact form, appointment booking, or admin functions.
- Scaleway SAS — AI Inference API (Mistral, bge embeddings) — Location: Paris, France, EU. Processes: chatbot inputs (after PII anonymization), RAG document content. No training on user data.
- IONOS SE (email delivery) — Transactional email delivery (booking confirmations, declines, admin notifications, contact autoresponder) directly via the IONOS mailboxes `noreply@schwankl.info` (newsletters, automated confirmations) and `info@schwankl.info` (customer support) over SMTP (smtp.ionos.de). Location: Germany (Karlsruhe, same IONOS infrastructure as hosting). Processes: recipient name, email address, subject and content of outgoing emails. Legal basis: Art. 6(1)(b) GDPR (contract performance / pre-contractual measures) for booking-related mails; Art. 6(1)(f) GDPR (legitimate interest in reliable communication) for system notifications. No external email service provider — delivery stays entirely within IONOS infrastructure. Note on internal archiving (BCC): customer-facing emails (booking confirmations, declines, contact autoresponder) include a blind carbon copy to `info@schwankl.info`. Purpose: audit-safe documentation of business communication and preservation of evidence (Art. 6(1)(c) + (f) GDPR, in combination with § 257 HGB / § 147 AO). The BCC copy is invisible to the recipient and does not leave our IONOS infrastructure.
- Google Ireland Limited — Google Calendar API + Google Meet link generation for appointment bookings (see section 14). Only triggered when a booking is confirmed.
- Telegram (Telegram FZ-LLC, UAE) — internal admin notifications (e.g. new booking) are sent to a private chat ID of the operator. No customer email content is transmitted, only name, date/time and subject. Legal basis: Art. 6(1)(f) GDPR (legitimate interest).

9. AI Processing and Demos

This website offers interactive AI demos. The following principles apply:

- Chatbot: Your inputs are sent to Scaleway Inference (Mistral model) to generate a response.
- RAG Demo: Uploaded documents are stored temporarily (max. 24 hours) and sent to the AI service for processing.
- Anonymization: Personal data (e.g., email addresses, phone numbers, IBAN) is automatically anonymized before AI processing and restored after receiving the response.
- NO training of AI models with your user data takes place.

10. Server Logs

Each time you access this website, the following data is automatically collected:

- IP address (anonymized)
- Browser type and version
- Operating system
- Referrer URL
- Time of access

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). Retention period: 30 days. No tracking takes place. No cookies are used for analytics.

11. Data Subject Rights

You have the following rights regarding your personal data:

- Right of Access (Art. 15 GDPR): Right to information about your stored data
- Right to Rectification (Art. 16 GDPR): Right to correction of inaccurate data
- Right to Erasure (Art. 17 GDPR): Right to deletion ("right to be forgotten")
- Right to Restriction (Art. 18 GDPR): Right to restriction of processing
- Right to Data Portability (Art. 20 GDPR): Right to receive your data in a machine-readable format
- Right to Object (Art. 21 GDPR): Right to object to processing
- Right to Complain: You have the right to lodge a complaint with the competent supervisory authority (Bavarian State Office for Data Protection Supervision, BayLDA)

To exercise your rights, contact: info@schwankl.info

12. Technical and Organizational Measures (TOM)

To protect your personal data, we implement the following technical and organizational measures:

- TLS 1.3 encryption for all connections
- IP pseudonymization in server logs
- Row Level Security (RLS) in the database
- Automatic PII anonymization for AI requests
- Access control: Only the administrator has access to personal data
- Automatic deletion of demo data after 24 hours

13. Integration of YouTube Videos (Two-Click Solution)

On our website, we occasionally embed videos from the YouTube platform (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). The integration is carried out via a data-protection-conscious 'two-click solution'. Initially, only a local preview image is loaded; no data is transmitted to YouTube. Only when you actively click on 'Load video' do you consent to a connection being established with YouTube's servers and the video being loaded in 'enhanced data protection mode' (youtube-nocookie.com). In this process, your IP address is transmitted to YouTube, and cookies or similar technologies from YouTube may be set. The legal basis for this is your explicit consent in accordance with Art. 6 (1) (a) GDPR. Further information can be found in Google's privacy policy: https://policies.google.com/privacy.

14. Online Appointment Booking and Google Meet

On /kontakt you can optionally choose a Friday afternoon slot (14:30–17:00) for a 30-minute appointment.

Data processed: name, email, subject, message, preferred slot.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) and your consent (Art. 6(1)(a) GDPR).

Email delivery: booking confirmations, declines and cancellation receipts are sent directly via our IONOS mailbox (smtp.ionos.de, located in Germany) — no external email service provider is involved. See also section 8.

Calendar integration: After we confirm, you will receive an email invitation with a Google Meet link, generated via the Google Calendar API. Using Google Meet results in connection data (IP, browser, device) being transmitted to Google LLC (USA). Adequate protection via EU-US Data Privacy Framework (Google LLC certified). Details: https://policies.google.com/privacy

Retention: confirmed appointments kept 180 days after the appointment date; declined/cancelled requests deleted 30 days after status change. Automatic deletion thereafter.

Right to cancel: every confirmation email contains an individual cancellation link that lets you cancel without authentication. The calendar entry is then removed automatically.

If you prefer not to use Google Meet, tell us in the message field — we provide alternative communication channels (phone, email).

15. Online Dispute Resolution and Consumer Arbitration

Online Dispute Resolution (ODR): The European Commission provides a platform for online dispute resolution, available at https://ec.europa.eu/consumers/odr/

Notice under § 36 VSBG (German Consumer Dispute Resolution Act): We are neither willing nor obliged to participate in dispute resolution proceedings before a consumer arbitration board.

16. Newsletter (Double Opt-In)

You can subscribe to a newsletter on this site to receive updates about new blog articles, AI topics and practical examples.

Processed data: email address, optionally name. At signup we additionally store the timestamp and a truncated IP address to prevent abuse.

Legal basis: Your explicit consent under Art. 6(1)(a) GDPR in conjunction with § 7(2)(3) German Unfair Competition Act (UWG).

Double opt-in: After signup we send a confirmation email with an activation link. Only when you click that link does your subscription become active and you start receiving the newsletter. This ensures that only you yourself signed up your address.

Delivery: The newsletter is sent from the IONOS mailbox noreply@schwankl.info (located in Germany — see section 8). No third-party newsletter platforms such as Mailchimp, Brevo or Mailjet are used.

Unsubscribing: Every newsletter contains a one-click unsubscribe link at the bottom. Clicking it removes your address from the list immediately. Alternatively, send an informal email to info@schwankl.info.

Retention: Active subscribers — as long as the subscription is active. After unsubscribing: full deletion. Successfully verified signups are documented with timestamp and consent IP for evidentiary purposes (Art. 7(1) GDPR) for up to 3 years after unsubscribing; afterwards: deletion.

No tracking: Newsletters contain no tracking pixels. Open/click statistics are not collected.