Steven Broschart

Statement on the processing of personal data.

This statement complies with the General Data Protection Regulation (EU) 2016/679 and informs you about which personal data we process, for what purposes, on what legal basis - and which rights you have as a data subject.

Responsible

Controller within the meaning of the GDPR

Steven Broschart
Postfach 1133
82241 Fürstenfeldbruck
Deutschland

Email: steven.broschart@proton.me

Scope

Scope of application

This statement applies to our online presence, email communication, social media profiles and all applications in which we process personal data.

Legal bases

On what basis we process data

We process personal data only if at least one of the following conditions is met (Art. 6(1) GDPR):

  • Consent (lit. a) - you have given us your consent to processing.
  • Contract (lit. b) - processing is necessary for the performance of a contract with you.
  • Legal obligation (lit. c) - processing is necessary to comply with a legal obligation.
  • Legitimate interests (lit. f) - processing is necessary to safeguard legitimate interests.

National provisions apply in addition, in particular the German Federal Data Protection Act (BDSG).

Retention

How long we store data

Personal data is only stored for as long as is strictly necessary for the respective processing purpose. As soon as the purpose ceases to apply, the data is deleted - unless statutory retention obligations preclude this.

Web hosting

Server log files

When you access our website, our hosting provider collects technically necessary data in log files. The following information is recorded in particular:

  • IP address of the requesting device
  • date and time of access
  • name and URL of the file accessed
  • browser used and its version, operating system
  • referrer URL

This data is generally deleted after two weeks and is not shared with third parties. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the secure and stable operation of the website).

Communication

Email, telephone, forms

When you contact us by email, telephone or via an online form, the transmitted data is stored to handle your enquiry. The data is deleted as soon as the enquiry has been conclusively dealt with and no statutory retention obligations preclude this.

Analytics

Cookie-free, self-hosted analytics

To improve this website I operate a self-hosted, cookie-free analytics layer. No cookies are set, no IP address is stored, no full user-agent string is retained, and no cross-page or cross-device identifier is created. No profiling within the meaning of Art. 22 GDPR takes place.

The following data is collected and stored in a SQLite database on the same server:

  • timestamp, requested path and language of the page
  • referring domain (host name only, not the full URL)
  • coarse device class (desktop / tablet / mobile), derived from the user-agent
  • UTM parameters from the URL where present: utm_source, utm_medium, utm_campaign
  • time on page, maximum scroll depth as a percentage, and — desktop devices only — the cumulative mouse movement distance in pixels (all three sent as anonymous scalars via a tracking pixel when leaving the page; no coordinates, cursor positions, or individual movements are recorded)
  • optionally clicks on specific elements (e.g. video thumbnails), labelled with an event name

To allow path sequences within a single browser tab to be linked together, a random short-lived session identifier (pv_sid) is stored in your browser's sessionStorage. It is scoped to the current tab, deleted automatically when the tab is closed, and never transmitted across tabs, devices, or sessions.

Retention: data is automatically deleted after 365 days at the latest.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in understanding reach and improving the website). Given the data minimisation described above — no cookies, no IP, no cross-device identifier, no profiling — the legitimate interests prevail.

Objection: you can disable analytics at any time by deactivating JavaScript for this domain or by enabling a tracking-blocker extension. The usability of the website is not affected.

AI evaluation

Analysis via external AI interface

For internal analysis of the analytics data described above, I occasionally use the API of Anthropic (Anthropic PBC, San Francisco, USA). Only aggregated, statistical figures are transmitted — such as the number of visits, most frequent paths, or average time on page in the relevant period. No personal data of individuals and no session identifiers are transmitted; re-identification of individuals from this data is not possible. The legal basis is Art. 6(1)(f) GDPR; a data-processing agreement is not required as no personal data is involved.

Comments

Article comments

A moderated comment function is available beneath individual articles. Anonymous comments are not possible; signing in via an external identity provider (Google or LinkedIn) is required. Every comment is manually approved before publication.

Sign-in via Google: Clicking "Sign in with Google" redirects you to Google (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland). Authentication takes place there - no data is transmitted to Google before the click. After successful sign-in, Google transmits to this site your name, e-mail address, a profile picture URL, and a Google-internal account identifier.

Sign-in via LinkedIn: Analogous to Google, clicking "Sign in with LinkedIn" redirects you to LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland). After successful sign-in, name, e-mail address, profile picture URL, and a LinkedIn-internal account identifier are transmitted.

Storage: Name, e-mail address, profile picture URL, provider identifier, and your comment text are stored in an SQLite database on the same server. When published, only name, profile picture and comment text are publicly displayed. The e-mail address remains non-public and is used solely for moderation and for marking the author.

Login cookie: After successful sign-in a technically required, httpOnly cookie containing a random session token is set (lifetime: 30 days) so you do not need to authenticate on every visit. You can end the session at any time via "Log out".

Legal basis: Art. 6(1)(a) GDPR (consent through actively clicking the sign-in button) and Art. 6(1)(f) GDPR (legitimate interest in a moderated, identified discussion to prevent spam and abuse). Sign-in is voluntary - the website's content is fully usable without it.

Third-country transfer: Google and LinkedIn are subsidiaries of US-based parent companies; transfer to the United States is possible. Both providers are certified under the EU-US Data Privacy Framework.

Retention period: comments are retained until revocation or until the underlying article is deleted. You may request deletion of your data at any time via the contact address above.

Security

Technical safeguards

Transmission takes place via TLS (HTTPS) to protect your data against unauthorised access. In addition, we implement appropriate technical and organisational measures to ensure a level of protection commensurate with the risk.

Your rights

Data subject rights under the GDPR

You have the following rights at any time:

  • right of access (Art. 15 GDPR)
  • right to rectification (Art. 16 GDPR)
  • right to erasure (Art. 17 GDPR)
  • right to restriction of processing (Art. 18 GDPR)
  • right to data portability (Art. 20 GDPR)
  • right to object to processing (Art. 21 GDPR)
  • right not to be subject to a decision based solely on automated processing (Art. 22 GDPR)

To exercise your rights, please contact us at the address provided above.

Authority

Competent supervisory authority

Bayerischer Landesbeauftragter für den Datenschutz
Wagmüllerstraße 18, 80538 München
Email: poststelle@datenschutz-bayern.de