Privacy Policy

1. Controller

Paul Herrmann, reachable at [email protected]. This website is run as a private, non-commercial project; I deliberately don't list a postal address here.

2. Hosting and delivery via Cloudflare

This site runs on my own server in my home lab (self-hosted). I don't use an external hosting provider. The site is only reachable through a Cloudflare Tunnel; all visitor traffic passes through Cloudflare's network, where TLS encryption is also terminated.

Cloudflare (Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA) acts as a reverse proxy and security provider, and processes the data technically necessary for that: IP address, time of access, the page requested, and browser information. Cloudflare acts as a processor on my behalf here; a data processing agreement under Art. 28 GDPR is in place. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in operating the site securely and reliably, and in protecting it from abuse and attacks).

From that same access data, Cloudflare also produces aggregated statistics (e.g. number of requests, countries accessed from, browser/device types, threats blocked), which I view in the Cloudflare dashboard to understand and improve how the site is running. The legal basis for this is also Art. 6(1)(f) GDPR (legitimate interest in analyzing and improving site operation). Cloudflare only retains the underlying personal access logs for a limited time; the resulting statistics no longer identify individuals.

This can involve transferring data to the US. That transfer relies on the European Commission's adequacy decision for the EU-US Data Privacy Framework (Art. 45 GDPR); Cloudflare, Inc. is certified under that framework. Should that adequacy decision ever lapse, Cloudflare falls back on the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) instead. More detail is in Cloudflare's own privacy policy: cloudflare.com/privacypolicy.

3. Server logs on my own server

The server I run myself (a small, self-written file server that only serves the static pages) keeps no access logs containing personal data; in particular, your IP address and the pages you request are not stored there. The processing of access data through Cloudflare's delivery layer is described in section 2.

4. Cloudflare security features (cookie)

I use Cloudflare's security features, which can intercept suspicious traffic with a security check (challenge). If your browser passes such a check, Cloudflare may set a technically necessary cookie (in particular "cf_clearance") that briefly records that the check succeeded. It serves only site security and stable operation; it is not used to evaluate your behavior for advertising or analytics purposes. Storing or reading this cookie is permitted without consent as strictly necessary under German law (§ 25(2) No. 2 TDDDG, the German law implementing the ePrivacy Directive's cookie rules); the legal basis for the associated processing is Art. 6(1)(f) GDPR (legitimate interest in security and reliable operation).

5. Fonts, analytics tools, and tracking

Fonts are rendered using whatever system fonts your OS or browser already has, so loading the page never triggers a connection to a third-party font server (e.g. Google Fonts). I don't run any analytics or tracking tool of my own (e.g. Google Analytics) with an added script on this site. The aggregated traffic statistics visible in the Cloudflare dashboard (see section 2) are built entirely from data already needed for delivery, and require no extra script or cookie on your device. This site has no comment sections, no contact forms, and no embedded third-party content (e.g. videos or social-media embeds).

6. SSL/TLS encryption

For security, this site uses SSL/TLS encryption. You can recognize an encrypted connection by the "https://" in your browser's address bar.

7. Your rights

You have the right to access, rectification, erasure, restriction, data portability, and objection regarding personal data concerning you. To exercise any of these, just reach out to the contact address in section 1.

Right to complain: You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for me is the State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf, Germany, phone: +49 211 38424-0, www.ldi.nrw.de.

8. Right to object under Art. 21 GDPR

Where I process personal data based on my legitimate interest (Art. 6(1)(f) GDPR), you have the right to object at any time for reasons arising from your particular situation. In practice, the processing described in sections 2 and 4 (delivery via Cloudflare, aggregated traffic statistics, the security cookie) only ever involves data that's kept briefly or in aggregated form, so there's nothing further for me to delete on request. You can raise an objection informally using the contact details in section 1.

Last updated: July 2026