Privacy Policy — Contact Form
Last updated:
This privacy notice explains how we process your personal data when you use the contact form on jozapf.de. We process your data in accordance with the EU General Data Protection Regulation (GDPR) and applicable German data protection law.
1. Controller
Jo Zapf
Berliner Str. 45
13189 Berlin, Germany
2. Purposes & Legal Bases
We process data submitted via the contact form for the following purposes:
- Responding to your inquiry and managing follow-up communication;
- Preventing misuse and ensuring service security (spam detection, captcha validation, rate-limiting, abuse prevention);
- Documenting communication to establish, exercise, or defend legal claims where necessary.
Legal bases under Art. 6 GDPR:
- Art. 6(1)(b) GDPR — performance of a contract or steps prior to entering into a contract (if your inquiry relates to a contract or service request);
- Art. 6(1)(a) GDPR — consent (e.g., privacy policy acceptance checkbox);
- Art. 6(1)(f) GDPR — legitimate interests (efficient handling of inquiries, service integrity, IT security, and protection against automated abuse).
3. Data Categories Collected via the Contact Form
3.1 Form Data
- Identification: first name, last name;
- Contact: email address, phone number (optional);
- Message content: subject (optional), message text;
- Security: arithmetic challenge answer (local captcha, no third-party service);
- Consent: privacy policy acceptance (checkbox).
3.2 Technical Metadata (Extended Logging)
To protect our service from automated abuse, spam, and security threats, we log the following technical metadata when you submit the contact form:
- IP Address — your internet protocol address;
- Timestamp — date and time of submission;
- User-Agent — browser type and version;
- Browser Fingerprint — non-invasive technical identifier derived from HTTP headers (used for duplicate detection);
- Spam Score — automated risk assessment (0-100) based on content analysis and submission patterns;
- Validation Results — which security checks were triggered (e.g., rate limit, suspicious patterns).
Your IP address is stored in full for 14 days to enable abuse prevention measures (blocking repeated spam attacks, identifying coordinated abuse patterns). After 14 days, the last segment of your IP address is automatically anonymized (e.g., 192.168.1.100 becomes 192.168.1.XXX), making it no longer personally identifiable while preserving statistical data.
3.3 Blocklist & Whitelist
If your IP address is associated with abusive behavior (e.g., spam, repeated failed submissions, automated attacks), we may add it to a blocklist to protect our service. Conversely, trusted IP addresses may be whitelisted. Blocklist entries can be temporary (with an expiration date) or permanent, and each entry includes a reason for blocking.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in maintaining service security and preventing abuse).
5. Recipients & Processing
Your message is delivered to us by email. For this we use our email provider and hosting services:
- Hosting/Infrastructure: Hetzner Online GmbH — Germany/EU;
- Email transmission (SMTP): Hetzner — Germany/EU.
These service providers act as (sub-)processors under Art. 28 GDPR on the basis of appropriate data processing agreements. Within our organization, access is limited to persons who need the data to process your inquiry (need-to-know principle).
6. Third-Country Transfers
We do not intentionally transfer contact form data to countries outside the EU/EEA. If an exceptional transfer is necessary (e.g., you request contact via a non-EU channel), we will ensure appropriate safeguards under Art. 44 ff. GDPR.
7. Storage Periods & Anonymization
7.1 Message Content
- Email content and form data: retained for 12 months to handle your request and document communication;
- If legal retention obligations apply (e.g., commercial or tax law), we retain data as required by law and restrict processing accordingly.
7.2 Technical Logs (GDPR-Compliant)
| Data Type | Full Storage | After Anonymization |
|---|---|---|
| IP Address | 14 days | Anonymized (last segment replaced with XXX) — retained for statistics |
| User-Agent, Fingerprint | 14 days | Retained for statistics (non-identifying) |
| Spam Score, Timestamps | Indefinite | Not personally identifiable |
| Blocklist Entries | Until manually removed or expired | — |
7.3 Automatic Anonymization Process
We employ an automated anonymization system that runs periodically to anonymize IP addresses older than 14 days. This process is irreversible and ensures compliance with data minimization principles (Art. 5(1)(c) GDPR). An audit log records all anonymization actions for accountability.
7.4 Whitelist/Blocklist Storage
- Blocklist: Entries remain active until manually removed or until their expiration date (if set). Expired blocks are automatically cleaned up.
- Whitelist: Trusted IP addresses are retained indefinitely unless manually removed.
8. Your Rights (GDPR)
You have the right to request access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), and data portability (Art. 20), and to object to processing based on Art. 6(1)(f) (Art. 21). Where processing is based on consent, you may withdraw consent at any time (see Section 9).
To exercise your rights, please contact us at the address provided in Section 1.
8.1 Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data. Note that:
- IP addresses older than 14 days are already anonymized automatically;
- Blocklist entries may be retained if necessary to protect against ongoing abuse (Art. 17(3)(f) GDPR — legal claims);
- Message content retained for legal obligations cannot be deleted until the retention period expires.
9. Consent & Withdrawal
By checking the privacy policy acceptance checkbox when submitting the contact form, you consent to the processing described in this notice (Art. 6(1)(a) GDPR). You may withdraw this consent at any time by contacting us. The lawfulness of processing prior to withdrawal remains unaffected.
10. Obligation to Provide Data
You are not legally obliged to provide personal data. However, without essential information (first name, last name, email address, and message text), we cannot process your inquiry. Optional fields (phone, subject) are marked accordingly.
The privacy policy checkbox must be checked to submit the form (contractual requirement).
11. Security
We implement appropriate technical and organizational measures to protect your data (Art. 32 GDPR), including:
- Transport Encryption: TLS 1.3 for all data transmission;
- Access Control: Dashboard access protected by HMAC-signed authentication tokens (stateless, cryptographically secure);
- Server Hardening: Regular security updates, firewall rules, restricted file permissions;
- Abuse Prevention: Rate limiting, spam detection, IP-based blocking;
- Local Captcha: No third-party services; simple arithmetic challenge processed server-side;
- Audit Logging: Security-relevant events (failed authentication, blocked submissions, anonymization actions) are logged;
- Automated Anonymization: IP addresses older than 14 days are automatically pseudonymized.
12. Complaints
You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
In Berlin, Germany, the competent authority is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin
www.datenschutz-berlin.de
13. Changes to This Notice
We may update this notice to reflect legal, technical, or operational changes. The "Last updated" date at the top indicates the current version. Material changes will be communicated appropriately (e.g., via website notice).
Summary for Users
What we collect:
- Your contact details and message (to respond to you)
- Your IP address for 14 days (spam protection), then automatically anonymized
- Technical metadata (browser info, timestamps) for security
What we DON'T do:
- We don't use tracking cookies or analytics
- We don't share data with third parties for marketing
- We don't keep full IP addresses longer than 14 days
Your rights: You can request access, correction, or deletion of your data at any time.