Privacy Notice (GDPR)

This website is a private, non-commercial learning project operated by an individual for educational purposes only. It is not intended for commercial use, public distribution, or professional services. No personal data is processed beyond what is technically necessary to operate the website.

1. Controller

The controller responsible for data processing on this website is:

Werner Stäblein
Private individual
Address available upon request
Email: werner.staeblein@gmail.com

2. Purpose of the Website

This site functions as an isolated development and testing environment for full‑stack software engineering, including Django, Python, and modern web technologies. It has no commercial purpose and performs no user‑specific data processing beyond the minimal technical data required for system operation.

3. Categories of Data Processed

Only the following data is processed:

  • Technical server logs (automatically generated by the hosting provider)
  • Session cookie (sessionid) when a user logs in
  • CSRF protection cookie (csrftoken)
  • Voluntary data entered by the user (e.g., login credentials for test accounts)

No analytics, tracking, profiling, or marketing data is collected.

4. Server Logs

The hosting provider automatically collects and stores the following information in server log files:

  • IP address (short-term, for security and technical operation)
  • Date and time of access
  • Requested URL
  • HTTP status code
  • Browser type and version
  • Operating system
  • Referrer URL (if provided by the browser)

These logs are required for the secure operation of the website and are deleted automatically according to the hosting provider's retention schedule.

5. Cookies

This website uses only strictly necessary cookies:

csrftoken

Protects forms against Cross-Site Request Forgery (CSRF) attacks. Contains no personal data.

sessionid

Created only when a user logs in. Maintains the session. Contains no personal data.

No analytics cookies, tracking cookies, advertising cookies, or third-party cookies are used. No cookie banner is required under GDPR and ePrivacy rules.

6. Legal Basis for Processing

Data is processed exclusively on the following legal bases:

  • Art. 6(1)(b) GDPR - performance of a contract (e.g., login functionality)
  • Art. 6(1)(c) GDPR - compliance with legal obligations (e.g., security)
  • Art. 6(1)(f) GDPR - legitimate interests in the secure and technically correct operation of the website
  • Art. 6(1)(a) GDPR - consent, only if the user voluntarily provides data

7. Cloudinary (Media Storage)

This website uses Cloudinary as an external service provider for storing and delivering media files (such as images uploaded within the application). Cloudinary acts as a data processor within the meaning of Art. 28 GDPR.

Only media files that are technically required for the functionality of the website are stored on Cloudinary's servers. No additional personal data is transmitted to Cloudinary beyond what is inherent in the media file itself. Media files are stored and processed exclusively for the purpose of providing the website's functionality.

Cloudinary provides GDPR-compliant data processing and offers hosting within the European Union. Data is stored and processed according to Cloudinary's security standards and retention policies. Further information can be found in Cloudinary's privacy documentation.

No tracking, analytics, advertising, or profiling services from Cloudinary are used.

8. No Third-Party Services

This website does not use:

  • Google Analytics
  • Google Fonts
  • Social media plugins
  • Advertising networks
  • External CDNs
  • Cloud-based tracking tools
  • Third-party scripts
  • External fonts or icon libraries loaded from third-party servers

All resources are served locally.

9. No Data Transfer to Third Countries

No data is transferred outside the European Union.

10. Storage Duration

  • Session data: deleted when the session ends
  • CSRF token: expires automatically
  • Server logs: deleted according to hosting provider's retention schedule
  • Voluntary user input: stored only as long as necessary for the intended function

11. User Accounts

User accounts exist only for testing and learning purposes. No personal data is required to create an account. Users may request deletion of their account at any time.

12. Data Subject Rights

Users have the following rights under GDPR:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7(3) GDPR)

Requests can be sent to the email address listed above.

13. Security Measures

The website uses HTTPS encryption, CSRF protection, session security mechanisms, server-side access controls, and regular updates of software components.

14. No Automated Decision-Making

No automated decision-making or profiling takes place.

15. Changes to This Privacy Notice

This privacy notice may be updated to reflect changes in functionality or legal requirements.