Seitenbefund

Privacy Policy

This privacy policy informs you, pursuant to Articles 13 and 14 GDPR, about how we process personal data when you use this website and the Seitenbefund audit.

1. Controller

The controller within the meaning of the GDPR is the provider named in the imprint. You will find the contact details on the imprint page.

Open imprint

2. Data Protection Officer

A Data Protection Officer is not legally required to be appointed. For data-protection enquiries please contact the address shown in the imprint.

3. Categories of data we process

We process personal data at clearly delimited collection points within the funnel. The authoritative reference is the audit architecture specification.

Audit request form

When you submit the request form we process the requested domain, the business email address, your explicit consent to the passive audit, the Cloudflare Turnstile token, your IP address for rate-limiting, and your language preference.

Authority verification

To confirm your authority over the requested domain we process either a hashed email verification token or a DNS-TXT record. Both serve only the domain-authority check.

Crawl artefacts

During the passive audit we store excerpts of HTML responses, HTTP headers, screenshots of public pages, performance metrics and increment timestamps. No logins are performed and no vulnerabilities are actively exploited.

Report and payment data

When you purchase the full report we process your Stripe session ID, the payment email address and the payment status. We do not see card data; Stripe processes payment details exclusively.

Optional consulting enquiry

If you request implementation or consulting work from within the report we process the contact and request data you provide for the purpose of getting in touch.

4. Legal bases

  • We process the request data on the basis of Article 6 (1) (b) GDPR (pre-contractual measures) and additionally on your explicit consent under Article 6 (1) (a) GDPR for the passive audit.
  • The crawl of your domain is performed to deliver the requested service under Article 6 (1) (b) GDPR and on your consent to the passive audit.
  • Payment data is processed to perform the contract for the full report under Article 6 (1) (b) GDPR and to comply with statutory retention obligations under Article 6 (1) (c) GDPR.
  • Transactional email delivery (verification, status and report emails) is performed under Article 6 (1) (b) GDPR.
  • Bot mitigation, rate limiting and abuse defence are based on our legitimate interest in secure operations under Article 6 (1) (f) GDPR.
  • Usage statistics are only collected with your consent under Article 6 (1) (a) GDPR and § 25 (1) TTDSG. You can withdraw consent at any time via the cookie settings.

5. Recipients and processors

We engage carefully selected processors to deliver the audit. Each provider is bound by a data-processing agreement under Article 28 GDPR. International transfers are protected by Standard Contractual Clauses and supplementary technical and organisational measures.

Cloudflare, Inc. — bot protection (Turnstile)

We use Cloudflare Turnstile to mitigate automated requests. Browser signals, IP address and a token are transmitted. Headquarters: USA, with global processing regions.

DPA pending — to be signed before the relevant processing goes live

Stripe Payments Europe Ltd. — payment processing

Stripe processes payment data for the full-report purchase. We do not see card data. Headquarters: Ireland, with sub-processors also outside the EU.

DPA pending — to be signed before the relevant processing goes live

Resend, Inc. — transactional email delivery

Resend delivers verification, status and report emails. Email addresses, content and delivery metadata are transmitted. Headquarters: USA.

DPA pending — to be signed before the relevant processing goes live

Vercel, Inc. — frontend hosting

The public web surface is delivered through Vercel. Connection and telemetry data is transmitted to operate the application. Headquarters: USA, EU edge region preferred.

DPA pending — to be signed before the relevant processing goes live

6. International data transfers

Cloudflare, Stripe (via sub-processors), Resend and Vercel may transfer personal data to the USA. Transfers rely on Standard Contractual Clauses under Article 46 (2) (c) GDPR plus supplementary technical and organisational measures. Where the recipient is certified under the EU–U.S. Data Privacy Framework, the European Commission’s adequacy decision under Article 45 GDPR additionally applies.

7. Retention

Retention follows the requirements of each processing activity and the schedules set in the architecture specification.

  • Request and lead metadata are retained per our internal lead-retention policy. On erasure requests we pseudonymise where data-protection law allows and bookkeeping law requires.
  • Email verification tokens are stored as hashes only, with short validity and aggressive deletion after expiry.
  • Crawl evidence (HTML excerpts, headers, screenshots) is deleted by default 30 days after report completion, unless a legitimate interest (e.g. ongoing contract or dispute) requires longer retention.
  • Report artefacts (PDF, screenshots) in object storage are deleted when their TTL expires. Metadata is marked with a deletion timestamp in the database.
  • Payment records are retained per German commercial and tax law (typically 10 years); cryptographic shredding is not performed because of those statutory obligations.

8. Cookies and similar technologies

We use technically necessary cookies to operate the application (session, language preference, consent storage) and for bot protection (Cloudflare Turnstile). Statistics and marketing technologies are only used with your consent. You can withdraw consent at any time via the cookie settings.

9. Your rights

Under the GDPR you have the following rights:

Access (Art. 15 GDPR)
You may ask which data we process about you.
Rectification (Art. 16 GDPR)
You may request correction of inaccurate data.
Erasure (Art. 17 GDPR)
You may request deletion to the extent no statutory retention obligation applies.
Restriction (Art. 18 GDPR)
You may request restriction of processing.
Data portability (Art. 20 GDPR)
You may receive your data in a structured format.
Objection (Art. 21 GDPR)
You may object to processing based on legitimate interests.
Withdrawal of consent
You may withdraw any consent at any time with effect for the future.

10. Right to lodge a complaint

You have the right to lodge a complaint with a data-protection supervisory authority, in particular in your country of residence or at the place of the alleged infringement. The provider’s competent supervisory authority:

[Competent state data-protection authority including address and URL]

11. Submit a request

Use the form below to exercise your rights. We review every request and respond within the statutory deadline.

Open request form →

Effective date of this privacy policy: [Effective: YYYY-MM-DD]

© 2026 Seitenbefund. All rights reserved.

We only fetch publicly reachable pages. No logins, no port scans, no active security testing.