Privacy Policy
Last updated: April 2026
This privacy policy informs you about the nature, scope and purpose of the processing of personal data on this website in accordance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
1. Controller
The controller responsible for data processing on this website is:
Georgos Gakis
Rolandstr. 63
50677 Köln
Germany
E-mail: mail[at]georgos-gakis[dot]com
Website: https://georgos-gakis.com
Supervisory authority: As the controller is based in North Rhine-Westphalia, the competent supervisory authority is the State Commissioner for Data Protection and Freedom of Information NRW (LDI NRW), Postfach 20 04 44, 40102 Düsseldorf, Germany, www.ldi.nrw.de.
2. Overview of processing activities
This website processes personal data in the following contexts:
| Activity | Legal basis (Art. 6 GDPR) | Data involved |
|---|---|---|
| Hosting / server log files | Art. 6(1)(f) – legitimate interest (security, operation) | IP address, browser, OS, referrer, timestamp |
| Contact form | Art. 6(1)(a) – consent / Art. 6(1)(b) – pre-contractual measures | Name, e-mail, message content |
| Newsletter subscription | Art. 6(1)(a) – consent | E-mail address |
| YouTube embeds | Art. 6(1)(a) – consent (lazy-load, no autoplay) | IP address (only on interaction) |
| ConvertKit commerce (TipJar) | Art. 6(1)(a) – consent (loaded only on scroll) | IP address, browser data |
This website does not use tracking cookies, Google Analytics, Facebook pixel, advertising networks, profiling, or automated decision-making.
3. Hosting — Vercel
This website is hosted by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA.
When you visit the website, Vercel automatically collects and stores server log files containing your IP address, browser type and version, operating system, referrer URL, and the date and time of your request. These log files are processed for security, abuse detection and operational purposes.
Legal basis: Art. 6(1)(f) GDPR – legitimate interest in secure and stable website operation.
Retention: Vercel retains log data for a limited period as documented in their data processing terms.
International transfer: Vercel is certified under the EU-US Data Privacy Framework (DPF) and provides appropriate safeguards for transfers of personal data to the USA pursuant to Art. 45 GDPR (adequacy decision) or, alternatively, standard contractual clauses (Art. 46(2)(c) GDPR). Further information: https://vercel.com/legal/privacy-policy
A Data Processing Agreement (DPA) in accordance with Art. 28 GDPR is in place with Vercel.
4. Contact form
The contact form on this website transmits your data to Twilio SendGrid (a service of Twilio Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105, USA), which delivers the e-mail to the controller.
Data processed: first name, last name, e-mail address, optionally company, phone, country, project type, and your message.
Your data is used exclusively to respond to your enquiry and is not transferred to any other third parties. It is deleted as soon as it is no longer needed and no statutory retention obligations require continued storage.
Legal basis: Art. 6(1)(a) GDPR (your explicit consent via the privacy policy checkbox) and Art. 6(1)(b) GDPR where the enquiry relates to pre-contractual measures.
International transfer: Twilio/SendGrid is certified under the EU-US Data Privacy Framework (DPF). A DPA is in place with Twilio SendGrid. Further information: https://www.twilio.com/en-us/legal/privacy
You may withdraw your consent at any time with effect for the future by contacting the controller at the address above.
5. Newsletter
If you subscribe to the newsletter, your e-mail address is transmitted to ConvertKit, LLC (a service of Kit), 750 N San Vicente Blvd, Suite 800 West, Los Angeles, CA 90069, USA.
ConvertKit processes your e-mail address solely for the purpose of delivering the newsletter. Subscription is confirmed via a double opt-in procedure: after submitting your e-mail address you will receive a confirmation e-mail, and you must click the link in it to activate the subscription. This serves as proof of your consent.
Legal basis: Art. 6(1)(a) GDPR – your explicit consent.
Withdrawal: You may unsubscribe from the newsletter at any time by clicking the unsubscribe link in any newsletter e-mail or by contacting the controller. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
International transfer: A DPA with standard contractual clauses (Art. 46(2)(c) GDPR) is in place with ConvertKit. Further information: https://convertkit.com/privacy
6. YouTube embeds
Some pages embed YouTube videos via the privacy-enhanced embed method. Videos are loaded lazily: no connection to YouTube servers is established until you scroll the video into the visible area of the browser. When the video becomes visible, a connection to YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) is established and your IP address, browser data and referrer are transmitted to Google.
Legal basis: Art. 6(1)(a) GDPR – consent given implicitly by scrolling the video into view.
Google may process personal data in the USA. Google LLC is certified under the EU-US Data Privacy Framework. Further information: https://policies.google.com/privacy
7. ConvertKit commerce (TipJar)
On some pages a "Buy me a coffee" button is displayed using ConvertKit Commerce (operated by Kit / ConvertKit, LLC). The underlying JavaScript from https://productive-blogging.ck.page/commerce.js and the associated Stripe payment iframe are loaded only after you begin scrolling the page. Payment processing is handled by Stripe, Inc. (354 Oyster Point Blvd, South San Francisco, CA 94080, USA).
Legal basis: Art. 6(1)(a) GDPR – consent given by scrolling the page. If you initiate a payment, Art. 6(1)(b) GDPR applies additionally.
Both ConvertKit and Stripe operate under the EU-US Data Privacy Framework and/or standard contractual clauses.
8. GitHub API (build-time only)
To display repository information on the About/Portfolio pages, the GitHub REST API (GitHub, Inc., 88 Colin P Kelly Jr St, San Francisco, CA 94107, USA) is queried at build time only using a server-side API token. No request to GitHub is made when you visit the site; no personal data of visitors is transmitted to GitHub.
9. Social media links
This website contains links to GitHub, Instagram and LinkedIn. These are plain hyperlinks only. No social plugins, tracking pixels or cookies from these platforms are loaded on this website. Clicking a link will take you to the respective external platform, where that platform's own privacy policy applies.
10. Cookies and local storage
This website does not set any cookies and does not use browser local storage for tracking or analytics purposes. The website operates without a cookie banner because no consent-requiring cookies are used.
Server infrastructure (Vercel) may set technical session cookies strictly necessary for content delivery. These do not require consent under Art. 5(3) of the ePrivacy Directive (§ 25(2) TTDSG).
11. Retention periods
| Category | Retention period |
|---|---|
| Server log files (Vercel) | Up to 30 days (Vercel policy) |
| Contact form enquiries (e-mail) | Until the matter is concluded; thereafter deleted unless a statutory retention obligation applies (e.g. commercial correspondence: 6 years under § 257 HGB; tax-relevant documents: 10 years under § 147 AO) |
| Newsletter subscriber data | Until unsubscription or withdrawal of consent |
12. Your rights under the GDPR
As a data subject you have the following rights:
- Right of access (Art. 15 GDPR): You may request confirmation of whether and which personal data relating to you are processed, and receive a copy.
- Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate or completion of incomplete personal data.
- Right to erasure (Art. 17 GDPR): You may request the deletion of your personal data where no overriding legitimate purpose or statutory retention obligation exists.
- Right to restriction of processing (Art. 18 GDPR): You may request that processing be restricted in defined circumstances.
- Right to data portability (Art. 20 GDPR): Where processing is based on consent or contract and carried out by automated means, you may receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR): Where processing is based on Art. 6(1)(e) or (f) GDPR, you may object to processing on grounds relating to your particular situation. You have an unconditional right to object to processing for direct marketing purposes.
- Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw that consent at any time with effect for the future.
- Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement. The competent authority for this website is the LDI NRW (see Section 1).
To exercise any of these rights, please contact the controller by e-mail at the address in Section 1. Requests will be processed within one month of receipt (Art. 12(3) GDPR); this period may be extended by a further two months in cases of complexity.
13. Data security
This website is delivered exclusively over HTTPS using TLS encryption. The server infrastructure implements HTTP security headers including Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Strict-Transport-Security (HSTS). These technical and organisational measures protect data in transit and mitigate common web application attacks.
14. No automated decision-making or profiling
This website does not use automated decision-making or profiling within the meaning of Art. 22 GDPR.
15. Changes to this privacy policy
This privacy policy may be updated to reflect changes in the services used or applicable law. The date of the last update is stated at the top of this document. The current version is always available at https://georgos-gakis.com/privacy-policy.