Note: The German version (/datenschutz) is the legally binding version. This English translation is provided for convenience only.
Privacy Policy
1. Controller
Eduardo Arturo Sieber Artiles
Heubnerweg 9
14059 Berlin, Germany
Email: hi@sieberedu.com
For questions about data protection on this website, please contact us directly by email at the address above.
2. Data Protection Officer
We have not appointed a Data Protection Officer as the legal prerequisites of § 38 BDSG are not met. As a sole trader without employees who regularly process personal data, and without processing of special categories under Art. 9 GDPR (these are actively rejected — see section 15), no appointment is required.
3. Your rights as a data subject
You have the following rights regarding your personal data:
- Access (Art. 15 GDPR): You can request information about what data we process about you, for what purpose and on what legal basis.
- Rectification (Art. 16 GDPR): You can request the correction of inaccurate data or the completion of incomplete data.
- Erasure (Art. 17 GDPR): You can request the deletion of your data, provided no statutory retention obligations apply.
- Restriction of processing (Art. 18 GDPR): Under certain conditions, you can request that processing of your data be restricted.
- Data portability (Art. 20 GDPR): Data you have provided to us on the basis of consent or a contract can be requested in a structured, machine-readable format.
- Objection (Art. 21 GDPR): You can object at any time to processing of your data that is based on legitimate interest (Art. 6(1)(f)). We will then stop processing your data unless we can demonstrate compelling legitimate grounds.
- Withdrawal of consent (Art. 7 para. 3 GDPR): You can revoke consent you have given at any time with effect for the future. The withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
To exercise your rights, please contact us by email at hi@sieberedu.com.
4. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with the competent data protection supervisory authority:
Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI)
Friedrichstr. 219
10969 Berlin, Germany
Website: https://www.datenschutz-berlin.de
5. App hosting (Vercel)
This website is operated on the Vercel, Inc. platform (440 N Barranca Ave #4133, Covina, CA 91723, USA).
| Attribute | Details |
|---|---|
| Role | Data processor (Art. 28 GDPR) |
| Data location | Server Actions and Edge functions are pinned to the Frankfurt region (fra1) per apps/website/vercel.json. Vercel's US control plane (build logs, account metadata) processes operational data in the US. |
| Transfer mechanism | EU-US Data Privacy Framework (DPF) — Vercel is DPF-certified since 2024 (listing: https://www.dataprivacyframework.gov/list). Standard Contractual Clauses (SCCs) from the Vercel DPA apply as a fallback. |
| DPA status | Vercel Data Processing Addendum (https://vercel.com/legal/dpa) — accepted by Eduardo prior to production go-live. |
| Data processed | All data transmitted via the website (access and function logs, contact form data at the moment of Server Action invocation, edge cache content). Encrypted persistence occurs in the Neon database (section 6). |
| Security measures | TLS 1.2+ in transit; DDoS protection; region pinning to fra1; Auth.js sessions with MFA for admin access. |
DNS resolution and outbound transactional email dispatch use Hostinger International Ltd. — see section 9.
6. Database
The database for this website is operated by Neon, Inc. (US company).
| Attribute | Details |
|---|---|
| Role | Data processor (Art. 28 GDPR) |
| Data location | EU Frankfurt (AWS eu-central-1) — confirm database region in Neon project dashboard before production write |
| Transfer mechanism | Operational data stays in EU Frankfurt. Neon's US-based control plane requires Standard Contractual Clauses (SCCs) — Neon publishes a DPA with SCC addendum |
| DPA status | Neon standard DPA (available via Neon project dashboard) |
| Data processed | Encrypted lead data, consent logs, email logs, audit log |
| Security measures | Column-level encryption via pgcrypto; TLS in transit; Row-Level Security (RLS); daily backups |
7. Anti-bot protection (Cloudflare Turnstile)
When submitting the contact form, we use Cloudflare Turnstile by Cloudflare, Inc. (US company). This protects the form from automated abuse submissions.
| Attribute | Details |
|---|---|
| Role | Data processor (Art. 28 GDPR) |
| Data processed | IP address, user agent, behavioural signals during the security check. No form content |
| Legal basis | Art. 6(1)(f) GDPR — legitimate interest in securing the contact infrastructure (LIA-006 available on request) |
| Transfer mechanism | EU-US Data Privacy Framework (DPF) — Cloudflare is DPF-certified |
| DPA status | Cloudflare Data Processing Addendum (https://www.cloudflare.com/cloudflare-customer-dpa/) |
Turnstile does not use third-party cookies and avoids extensive browser fingerprinting.
8. Analytics and web statistics
We only activate analytics tools when you have given us explicit consent (cookie banner). Without consent, no analytics scripts are loaded — this is controlled server-side.
Google Analytics 4
With granted consent, we use Google Analytics 4 by Google Ireland Ltd. (for EEA users) or Google LLC (US).
- IP anonymisation is enabled (`anonymize_ip: true`).
- No personally identifiable data is captured in custom GA4 events.
- Transfer mechanism: EU-US Data Privacy Framework (DPF).
- Legal basis: Art. 6(1)(a) GDPR (your consent).
- You can withdraw consent at any time via "Manage cookies" (footer).
Microsoft Clarity
With granted consent, we use Microsoft Clarity by Microsoft Corporation (US).
- PII masking is enabled — form content and personal data are not recorded.
- Transfer mechanism: EU-US Data Privacy Framework (DPF).
- Legal basis: Art. 6(1)(a) GDPR (your consent).
- You can withdraw consent at any time via "Manage cookies" (footer).
9. DNS and email dispatch (Hostinger)
DNS resolution for sieberedu.com and the dispatch of transactional confirmation emails use Hostinger International Ltd. (61 Lordou Vironos Street, 6023 Larnaca, Cyprus).
| Attribute | Details |
|---|---|
| Role | Data processor (Art. 28 GDPR) |
| Purpose | DNS resolution for the sieberedu.com zone; SMTP dispatch of confirmation emails to inquiry senders |
| Data location | EU (Cyprus / EU data centres) |
| Transfer mechanism | Within EU/EEA — no Chapter V mechanism required |
| DPA status | Hostinger standard DPA (available via hPanel account management) |
| Data processed | DNS queries (resolver IPs); recipient address, subject and message body of confirmation emails |
10. Source code hosting (GitHub)
The source code for this website is hosted on servers of GitHub, Inc. (US, Microsoft subsidiary, DPF-certified). GitHub does not process personal data of website visitors during normal website operation. The source code contains no personal data.
11. Cookies
A detailed list of all cookies used — with purpose, duration and legal basis — can be found in our Cookie Policy.
12. Contact form
When you contact us via the contact form on this website, we process the following data:
Data collected: Name, email address, optional phone number, company, industry, country, message text.
Purpose: Processing and responding to your inquiry; potentially scoping a consulting engagement.
Legal basis: Art. 6(1)(a) GDPR (your explicit consent via the mandatory checkbox in the form) in conjunction with Art. 6(1)(f) GDPR (legitimate interest in handling inbound business inquiries — LIA-001 available on request).
Retention period: 24 months from last interaction. After expiry, personal fields (email, phone, message text) are anonymised.
Recipients: Eduardo Sieber as controller only. No disclosure to third parties for advertising purposes.
Email addresses and phone numbers are stored encrypted in the database (column-level encryption via pgcrypto).
13. Confirmation emails and email log
After receipt of your inquiry, we send an automatic confirmation email. For accountability purposes (Art. 12(3) GDPR) and bookkeeping obligations (§ 147 AO), we maintain an encrypted email log.
Retention period: 24 months for inquiry confirmations (anonymised after expiry); 10 years for invoicing-related emails (§ 147 AO retention obligation).
Legal basis: Art. 6(1)(f) (audit trail) and Art. 6(1)(c) (statutory retention obligation for invoicing records).
14. Security-relevant data (rate limiting)
To prevent abuse of the contact form, we process a pseudonymised HMAC-SHA256 hash of your IP address and user agent when you submit the form.
Purpose: Protection against automated submission floods (rate limiting).
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in protecting the contact infrastructure (LIA-006 available on request).
Retention period: 10 minutes. After this, the data is automatically deleted.
Note: The stored hash values are pseudonymised (Art. 4(5) GDPR) — without the server-side HMAC key, it is not possible to trace back to the original IP address.
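As an added illustration of the mechanism described in this section (this is example code, not the code the website actually runs), the following TypeScript shows how a keyed HMAC-SHA256 digest of IP address and user agent can serve as a rate-limit identifier that expires after ten minutes. The HMAC key, the submission threshold of five per window and the in-memory store are assumptions for the example; the page states only the hash algorithm, the inputs and the 10-minute retention.

```typescript
import { createHmac } from "node:crypto";

// Taken from section 14: HMAC-SHA256 digests, deleted after 10 minutes.
export const WINDOW_MS = 10 * 60 * 1000;
// Assumed threshold; the policy does not state how many submissions a window allows.
export const DEFAULT_MAX_SUBMISSIONS = 5;

// Pseudonymise IP + user agent with a server-side HMAC key. Without that key the
// digest cannot be traced back to the original IP (Art. 4(5) GDPR pseudonymisation).
// A NUL separator keeps "ip=a, ua=bc" and "ip=ab, ua=c" from colliding.
export function pseudonymiseClient(ip: string, userAgent: string, hmacKey: string): string {
  return createHmac("sha256", hmacKey).update(`${ip}\u0000${userAgent}`).digest("hex");
}

interface Bucket {
  count: number;
  windowStart: number; // epoch ms of the first submission in this window
}

export class ContactRateLimiter {
  private readonly buckets = new Map<string, Bucket>();
  private readonly hmacKey: string;
  private readonly maxSubmissions: number;
  private readonly windowMs: number;

  constructor(hmacKey: string, maxSubmissions = DEFAULT_MAX_SUBMISSIONS, windowMs = WINDOW_MS) {
    this.hmacKey = hmacKey;
    this.maxSubmissions = maxSubmissions;
    this.windowMs = windowMs;
  }

  // Decide whether one more submission from this client is allowed.
  // `now` is injectable so the expiry logic can be tested without waiting.
  check(ip: string, userAgent: string, now = Date.now()): { allowed: boolean; remaining: number } {
    this.purgeExpired(now);
    const id = pseudonymiseClient(ip, userAgent, this.hmacKey);
    const bucket = this.buckets.get(id);
    if (!bucket) {
      this.buckets.set(id, { count: 1, windowStart: now });
      return { allowed: true, remaining: this.maxSubmissions - 1 };
    }
    if (bucket.count >= this.maxSubmissions) {
      return { allowed: false, remaining: 0 };
    }
    bucket.count += 1;
    return { allowed: true, remaining: this.maxSubmissions - bucket.count };
  }

  // Drop every record whose window has elapsed: the automatic deletion after 10 minutes.
  // Returns the number of records removed.
  purgeExpired(now = Date.now()): number {
    let removed = 0;
    this.buckets.forEach((bucket, id) => {
      if (now - bucket.windowStart >= this.windowMs) {
        this.buckets.delete(id);
        removed += 1;
      }
    });
    return removed;
  }

  // Number of pseudonymised records currently held (useful for monitoring; no raw IPs).
  size(): number {
    return this.buckets.size;
  }
}

// Constructed demo run; the key would come from a server-side environment variable.
const demo = new ContactRateLimiter("constructed-demo-key", 3);
const t0 = Date.now();
demo.check("203.0.113.7", "Mozilla/5.0", t0);
demo.check("203.0.113.7", "Mozilla/5.0", t0 + 1_000);
demo.check("203.0.113.7", "Mozilla/5.0", t0 + 2_000);
console.log(demo.check("203.0.113.7", "Mozilla/5.0", t0 + 3_000)); // blocked: 4th within window
console.log(demo.purgeExpired(t0 + WINDOW_MS)); // 1 record deleted once the window has elapsed
```

Only the digest is ever stored, so a dump of the store (or a log line carrying it) reveals nothing about the visitor unless the attacker also holds the HMAC key; rotating that key invalidates all outstanding records at once, which is acceptable because they only live ten minutes anyway.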
15. Notice for users in healthcare
We offer consulting services on IT tools and processes for medical practices, therapy facilities, and similar healthcare providers. Our consulting relates exclusively to your own operational workflows — not to individual treatment cases or patient data.
We explicitly ask you not to share patient data or personal data of third parties in our contact form or in future chat interactions. We do not need this information to help you select suitable tools and design GDPR-compliant processes.
If such data is submitted inadvertently, we will redact the content upon receipt and record the redaction in our audit log. No further processing of this data will take place.
16. International data transfers
The following processors based in the US process data in connection with the use of this website:
| Processor | Purpose | Transfer mechanism |
|---|---|---|
| Vercel, Inc. | App hosting (Server Actions, Edge functions) | EU-US Data Privacy Framework (DPF) + SCCs per Vercel DPA |
| Cloudflare, Inc. | Turnstile anti-bot | EU-US Data Privacy Framework (DPF) |
| Google LLC | Analytics 4 (consent only) | EU-US Data Privacy Framework (DPF) |
| Microsoft Corporation | Clarity (consent only) | EU-US Data Privacy Framework (DPF) |
| GitHub, Inc. | Source code hosting (no runtime personal data) | EU-US Data Privacy Framework (DPF) |
| Neon, Inc. | Database operation | Standard Contractual Clauses (SCCs) + data location EU Frankfurt |
The EU-US Data Privacy Framework was recognised by the European Commission via adequacy decision of 10 July 2023. All named US recipients are DPF-certified as of our last review. Should the DPF be invalidated by future decisions of the Court of Justice of the European Union (comparable to Schrems II, CJEU Case C-311/18 of 16 July 2020), we will rely on Standard Contractual Clauses (SCCs) per Implementing Decision 2021/914 in conjunction with additional technical and organisational measures (TLS encryption in transit, column-level encryption of sensitive data, data location pinning) from that point onward. DPF certifications are reviewed at least annually.
17. Retention periods at a glance
| Data category | Retention period | Basis |
|---|---|---|
| Lead data (contact inquiries) | 24 months from last interaction | Business follow-up (LIA-001) |
| Client data (invoicing records) | 10 years | § 147 AO statutory retention |
| Audit log | 3 years | Art. 5(2) GDPR accountability |
| Consent log | 3 years after withdrawal | Art. 7(1) GDPR evidence |
| Email log (inquiries) | 24 months | Art. 12(3) GDPR tracking |
| Email log (invoices) | 10 years | § 147 AO |
| Internal notifications | 90 days | Operational necessity |
| Agent tasks | 90 days | Operational necessity |
| Rate-limit data (pseudonymised) | 10 minutes | Purpose limitation (LIA-006) |
18. Automated decision-making
We do not make solely automated decisions with legal effect pursuant to Art. 22 GDPR. Tool recommendations created on the basis of your inquiry are reviewed and approved by Eduardo Sieber personally before they are sent to you. No fully automated decision-making without human review takes place.
19. Data security
We take technical and organisational measures to protect your data from unauthorised access, loss, or misuse:
- Transport encryption: TLS 1.2 or higher for all connections.
- Encryption at rest: Storage-level encryption by Vercel (build and function artifacts) and Neon (database storage); additional column-level encryption of sensitive fields (email, phone, message text) via pgcrypto.
- Access restriction: Row-Level Security (RLS) in the database ensures each component can only access the data it needs.
- Key management: Encryption keys are managed as separate environment variables; a rotation plan is documented.
- Authentication: Multi-factor authentication (MFA) for admin access.
- Audit log: All admin access to personal data is logged.
20. Changes to this privacy policy
This privacy policy was last updated on 11 May 2026. We reserve the right to update this privacy policy to reflect changes in legal requirements or our services. The current version is always available on this page. For material changes, we will inform you where possible.
The German version is the legally binding version.
