Skip to main content

Privacy Policy

Last updated: June 2026

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Patrick Mautsch

Am Klausenberg 68

51109 Cologne

Germany

Email: contact@patrickmautsch.com

Further mandatory information can be found in the Imprint.

A data protection officer is not required by law and has therefore not been appointed.

2. General information

This privacy policy informs you about what personal data is processed when you visit this website (patrickmautsch.com), for what purposes, and on what legal basis. Personal data means any information relating to an identified or identifiable natural person (e.g. name, email address, IP address).

Processing is always carried out in accordance with the GDPR, the German Federal Data Protection Act (BDSG), and the Telecommunications Digital Services Data Protection Act (TDDDG).

The website is operated in the legitimate interest of presenting private and professional projects and enabling contact. There is no registration or creation of user accounts.

3. Your rights as a data subject

You have the following rights vis-à-vis the controller with regard to your personal data:

  • Right of access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection to processing based on legitimate interests (Art. 21 GDPR; see separate note in section 12)
  • Withdrawal of consent with effect for the future (Art. 7(3) GDPR); the lawfulness of processing prior to withdrawal remains unaffected

To exercise these rights, an informal message to the contact address stated above is sufficient.

Right to lodge a complaint: Independently of this, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR), in particular in the member state of your habitual residence, place of work, or place of the alleged infringement.

4. Provision of the website and hosting

4.1 Hosting provider

This website is hosted by an external service provider:

Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA

Vercel processes the data arising from the website on my behalf and provides the server infrastructure. The website is delivered and requests are processed via the server region Frankfurt am Main (Germany, EU). The legal basis is a data processing agreement pursuant to Art. 28 GDPR.

4.2 Server log files

When the website is accessed, the hosting provider automatically collects technically necessary information and stores it in server log files. This typically includes:

  • IP address of the requesting device
  • Date and time of access
  • Page/file accessed and amount of data transferred
  • Referrer URL (previously visited page)
  • Browser type, browser version, and operating system

This data is not merged with other data sources and is not evaluated to identify individual persons.

Purpose:
technically error-free delivery, security and stability of the website, and defence against attacks.
Legal basis:
Art. 6(1)(f) GDPR (legitimate interest in a secure and functional website).
Retention:
Retention follows the hosting provider's specifications and default settings; I do not store data beyond that.

4.3 Data transfers to the USA

Data is processed on servers in the EU (Frankfurt am Main). Although Vercel Inc. is based in the USA, it is certified under the EU-US Data Privacy Framework. See section 9 for details.

5. Fonts

The fonts used on this website are delivered locally via the hosting server (self-hosting). There is no integration of external font services (e.g. Google Fonts); when pages are loaded, no connection to third-party servers is established to load fonts and no IP address is transmitted to third parties for this purpose.

6. Contact

6.1 Contact form

A contact form is available on the website. When you use it, the following data is processed:

  • Required information: name, email address, subject, message
  • technically collected data: IP address and timestamp of the request (solely to limit request frequency and protect against spam/abuse)

A hidden field that is not visible to you is used solely for automated spam protection (honeypot procedure); it does not record any data you enter.

Purpose: to process and respond to your enquiry and to protect the form against misuse.

Legal bases:

  • Art. 6(1)(b) GDPR where your enquiry relates to entering into or performing a contract (e.g. project or business enquiries)
  • Art. 6(1)(f) GDPR (legitimate interest in responding to general enquiries and preventing spam and abuse) for all other enquiries

Recipients / processors: Messages submitted via the form are sent technically via the email service provider Resend (Resend, Inc., USA), which processes message content and associated metadata (sender, recipient, subject) on my behalf. The legal basis is a data processing agreement pursuant to Art. 28 GDPR. For data transfers to the USA, see section 9.

Voluntary provision: Providing the data is voluntary. There is no contractual or legal obligation to do so. However, without the required fields, I cannot process and respond to your enquiry.

Retention: Your enquiry and associated data are deleted as soon as they are no longer required for the purpose – as a rule after your matter has been fully handled, but at the latest after 6 months. Statutory retention obligations remain unaffected. The IP address collected for spam limitation is held only briefly in working memory (maximum one hour) and is not stored permanently.

6.2 Contact by email

Email addresses are provided as clickable links in several places on the website (e.g. imprint, project notes). Clicking opens your local email program; no processing takes place via the website. If you write to me by email, I process the data you provide solely to handle your enquiry.

Legal basis:
Art. 6(1)(b) or (f) GDPR (see 6.1).
Retention:
as described in 6.1.

7. Cookies and local storage technologies

This website does not use tracking, analytics, or marketing cookies. There is no reach measurement or web tracking.

Only one technically functional storage technology in the browser is used (session storage):

NameTypePurposeRetention
hasVisitedSession StorageControls the one-time display of an opening/loading animation per sessionuntil the end of the browser session

This entry contains only a technical value (no personal reference) and is automatically deleted when the browser tab is closed. As it serves solely the correct display of the page requested by the user, its use is based on Section 25(2) No. 2 TDDDG; any data protection processing relies on Art. 6(1)(f) GDPR (legitimate interest in functional presentation). A consent banner is not required for this.

Language selection (German/English) is handled via the respective URL path (/de or /en); no cookie or other browser storage technology is used for this.

8. External links

This website contains links to external third-party websites (including professional profiles, project sites, podcast and source references). I have no influence over their content or data processing. When you click such a link, you leave this website; the respective provider is responsible for processing your data there. No external content (e.g. social media widgets, embedded videos, or iFrames) is integrated on this website, so merely visiting this site does not transmit data to linked providers.

9. Data transfers to third countries

This website is hosted via the Frankfurt am Main (EU) server region; data arising in the context of hosting is therefore processed within the EU. Although Vercel Inc. is headquartered in the USA, it is certified under the EU-US Data Privacy Framework (DPF), including the UK Extension.

When sending email via the contact form (Resend, Inc., USA), personal data may be transferred to or processed in the USA. Resend is certified under the EU-US Data Privacy Framework (DPF) and the UK Extension to the EU-US DPF; the company is also SOC 2 and GDPR compliant. The transfer therefore takes place on the basis of the EU Commission adequacy decision for DPF-certified recipients (Art. 45 GDPR).

Where a provider – such as Vercel and Resend – is certified under the EU-US Data Privacy Framework, the EU Commission adequacy decision pursuant to Art. 45 GDPR applies to the relevant transfer. In addition, Standard Contractual Clauses of the EU Commission (Art. 46(2)(c) GDPR) are in place with the providers as an additional safeguard within the meaning of Arts. 44 ff. GDPR.

A copy of the agreed safeguards can be requested via the contact address stated in section 1.

10. Retention (overview)

Unless a more specific period is stated in the sections above: personal data is deleted when the purpose of processing no longer applies. If you assert a legitimate request for erasure or withdraw consent, the data concerned will be deleted unless other legally permissible grounds for storage exist (e.g. tax or commercial retention periods). In the latter case, deletion takes place after those grounds cease to apply.

DataRetention
Server log filesaccording to hosting provider specifications/defaults
Contact enquiries (form/email)until fully processed, at the latest after 6 months
IP address for spam limitationtransient, maximum 1 hour
Session Storage hasVisiteduntil end of session

11. Data security

The website is delivered encrypted via TLS (recognisable by "https://" and the lock symbol in the browser address bar). This protects data transmitted between your device and the server against unauthorised access.

However, I point out that data transmission over the internet (e.g. when communicating by email) may have security vulnerabilities. Complete protection of data against access by third parties is not possible.

12. Right to object to processing based on legitimate interests (Art. 21 GDPR)

Where personal data is processed on the basis of Art. 6(1)(f) GDPR (legitimate interest), you have the right to object to such processing at any time for reasons arising from your particular situation.

In the event of an objection, the data concerned will no longer be processed unless I can demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, or processing serves the establishment, exercise, or defence of legal claims.

13. Objection to advertising emails

The use of contact data published under imprint obligations for sending unsolicited advertising and information materials is hereby objected to. In the event of unsolicited advertising, such as spam emails, I expressly reserve the right to take legal action.

14. Currency and changes to this privacy policy

This privacy policy reflects the status stated above. Due to further development of the website or changed legal or regulatory requirements, it may be necessary to update this policy. The current version is available on this page.