Legal information
Privacy Policy
Controller
Stefan Kohlweg
Stenografengasse 4, 1230 Wien, Austria
Email: [email protected]
What data we collect and why
Counseling case submissions
When you submit a counseling case (via contact form or after payment), we collect your name, email address, situation type, timezone, and the description of your situation. This data is used to provide asynchronous email counseling. Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(a) GDPR (explicit consent).
Confidentiality of case content
Any personal information you share — including descriptions of your situation, context, and desired outcomes — is treated with strict confidentiality. It is not shared with third parties beyond what is technically necessary to deliver the service (see below).
Payment data
Payment is processed by Stripe (credit card, Apple Pay, Google Pay) or via x402 protocol (USDC on Base blockchain). We store only the payment session reference (Stripe session ID or x402 transaction hash) — not credit card numbers or financial account details.
Server and access logs
Technical data (IP address, browser type, access timestamp, pages visited) is processed automatically by Cloudflare for security and error analysis. Cloudflare may derive approximate geolocation (country-level) from your IP address for security purposes. These logs are retained by Cloudflare for up to 30 days. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security and availability of the service).
AI-assisted processing
We use Anthropic Claude AI models, accessed via Google Cloud Vertex AI (Anthropic PBC, San Francisco, USA; Google Cloud region europe-west3, Frankfurt, Germany), to assist in drafting counseling responses. Your case content — situation description, context, and desired outcome — is transmitted to Google Cloud's EU infrastructure for this purpose. Your email address is never transmitted to the AI service. Google Cloud Vertex AI does not use customer data for model training. Anthropic's terms for Vertex AI also prohibit training on customer data.
This is AI-assisted processing, not automated decision-making under Art. 22 GDPR. Every counseling response is reviewed, edited where necessary, and approved by a qualified human counselor (MSc in Psychosocial Counseling) before delivery to you. No automated profiling or scoring takes place.
Third-party services
Cloudflare (hosting, database, serverless compute)
This website is hosted via Cloudflare Pages. Case data is stored in Cloudflare D1 (SQLite database). Cloudflare acts as a data processor under Art. 28 GDPR. A Data Processing Addendum (DPA/Auftragsverarbeitungsvertrag) is in place. Cloudflare is certified under the EU-US Data Privacy Framework. All connections are encrypted via TLS 1.2+ with HSTS enforced. SSL operates in strict mode with origin certificate validation.
Privacy policy: cloudflare.com/privacypolicy
DPA: cloudflare.com/gdpr
Cloudflare Turnstile is used on submission forms to prevent automated abuse. Turnstile processes minimal technical data (IP address, browser characteristics) without setting tracking cookies or persistent identifiers. This processing is covered by the Cloudflare DPA and certifications referenced above.
Stripe (payment processing)
Stripe processes payments as an independent data controller under its own GDPR obligations. Stripe receives your email and payment amount but does not receive counseling content. A separate DPA is in place with Stripe.
Privacy policy: stripe.com/privacy
Google Cloud / Vertex AI (AI-assisted counseling drafts)
Anthropic Claude AI models are accessed via Google Cloud Vertex AI (region europe-west3, Frankfurt, Germany) to generate draft counseling responses. Google Cloud acts as a data processor under Art. 28 GDPR. Anthropic is a sub-processor under Google's Data Processing Agreement. Only case content (situation description, context, desired outcome) is transmitted — email addresses and payment data are never sent to the AI service. Data is processed in the EU (Frankfurt). Google Cloud does not use customer data for model training.
Google Cloud is certified under the EU-US Data Privacy Framework. The Google Cloud DPA incorporates EU Standard Contractual Clauses (Art. 46 GDPR).
DPA: cloud.google.com/terms/data-processing-addendum
Sub-processors: cloud.google.com/terms/subprocessors
Porkbun (email delivery)
Counseling responses are delivered via SMTP through Porkbun's email service over encrypted TLS connections (port 465, TLS 1.2+). Porkbun processes email addresses and email content for the purpose of delivery only. No formal Data Processing Agreement (Auftragsverarbeitungsvertrag) is currently in place with Porkbun. Migration to an EU-based email delivery provider with a published DPA is under evaluation.
Privacy policy: porkbun.com/legal/privacy_policy
Fonts
All fonts used on this website are self-hosted. No connections to external font services (such as Google Fonts) are made. No visitor data is transmitted to third parties for the purpose of loading fonts.
Data retention
Case data (including your situation description and our counseling response) is retained for 7 years from submission. This retention period is required by Austrian tax and accounting law (Bundesabgabenordnung, BAO §132), which mandates that business records be kept for seven years. Legal basis for retention beyond the contract period: Art. 6(1)(c) GDPR (compliance with a legal obligation).
After the 7-year period, closed cases are automatically and permanently deleted. You may request deletion of your case data at any time. Where no legal retention obligation applies, we will delete your data promptly. Where a legal retention obligation exists, we will restrict processing of your data to what is legally required and delete it as soon as the retention period expires.
Server logs processed by Cloudflare are typically retained for no longer than 30 days.
No tracking or analytics
This website does not use Google Analytics, Meta Pixel, or any other behavioural tracking or advertising technology. No cookies are set by this website. No browser fingerprinting or behavioural profiling takes place.
Technical security measures (Art. 32 GDPR)
We implement the following measures to protect your data:
- All connections are forced to HTTPS — HTTP requests are automatically redirected
- HTTP Strict Transport Security (HSTS) is enabled with a 1-year max-age, including subdomains and preload
- TLS 1.2 is the minimum supported version; TLS 1.3 is enabled
- SSL operates in strict mode with full origin certificate validation
- X-Content-Type-Options: nosniff is set to prevent MIME-type sniffing
- Access to staging environments is restricted via Cloudflare Access (identity-based authentication)
- Administrative access requires two-factor authentication
- Email delivery uses encrypted TLS connections (SMTP over TLS 1.2+)
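The header-related items in the list above (HSTS with a one-year max-age, includeSubDomains and preload; X-Content-Type-Options: nosniff; HTTP redirected to HTTPS) can be verified from a site's actual responses rather than taken on trust. The following is an added example, not code from this site or from Cloudflare; it audits a constructed set of response headers against exactly those stated settings. The sample headers and the hostname example.invalid are made up for the example.

```python
"""Offline audit of response headers against a stated security baseline.

Added example (not this site's or Cloudflare's code). It checks the
header items listed under "Technical security measures": HSTS with a
one-year max-age, includeSubDomains and preload; X-Content-Type-Options:
nosniff; and plain-HTTP requests redirected to https://.
"""

ONE_YEAR_SECONDS = 31_536_000  # the 1-year max-age the policy states


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into its directives.

    Directive names are case-insensitive (RFC 6797), so keys are lowercased;
    valueless directives such as preload map to an empty string.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_headers(headers: dict) -> list:
    """Return a list of findings for an HTTPS response; empty means all checks passed.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        d = parse_hsts(hsts)
        max_age = d.get("max-age")
        if max_age is None or not max_age.isdigit():
            findings.append("HSTS max-age missing or not numeric")
        elif int(max_age) < ONE_YEAR_SECONDS:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in d:
            findings.append("HSTS lacks preload")

    # The nosniff token is compared case-insensitively, as browsers do.
    xcto = lower.get("x-content-type-options", "")
    if xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    return findings


def audit_http_redirect(status: int, headers: dict) -> list:
    """Check that a plain-HTTP response is a redirect to an https:// URL."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    if status not in (301, 302, 307, 308):
        findings.append(f"plain HTTP answered with {status}, not a redirect")
    location = lower.get("location", "")
    if not location.lower().startswith("https://"):
        findings.append("redirect target is not https://")
    return findings


# Constructed sample responses; not captured from any real site.
GOOD_HTTPS_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
}
WEAK_HTTPS_HEADERS = {
    "strict-transport-security": "max-age=86400",  # one day, no subdomains, no preload
    "X-Content-Type-Options": "NOSNIFF",
}
GOOD_HTTP_RESPONSE = (301, {"Location": "https://example.invalid/"})
BAD_HTTP_RESPONSE = (200, {"Content-Type": "text/html"})

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HTTPS_HEADERS), ("weak", WEAK_HTTPS_HEADERS)):
        print(name, audit_headers(hdrs) or ["ok"])
    for name, (status, hdrs) in (("good", GOOD_HTTP_RESPONSE), ("bad", BAD_HTTP_RESPONSE)):
        print(name, audit_http_redirect(status, hdrs) or ["ok"])
```

In practice the two dictionaries would be filled from a real response (for example the headers returned by an HTTP client for the https:// and http:// forms of the site's URL); the functions deliberately take plain mappings so the same checks run offline against captured headers.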
Your rights under GDPR
You have the right to:
- Access the personal data we hold about you (Art. 15)
- Have inaccurate data corrected (Art. 16)
- Have your data deleted (Art. 17)
- Have processing of your data restricted (Art. 18)
- Receive your data in a portable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time where processing is consent-based (Art. 7)
To exercise any of these rights, contact: [email protected]
Right to lodge a complaint
You have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde):
Wickenburggasse 8, 1080 Wien
[email protected] · dsb.gv.at
Changes to this policy
This privacy policy may be updated as the service evolves. The current version is always available at this URL. Last updated: April 2026.