Privacy Policy
Last updated: March 10, 2026
1. Controller
2. Data We Process
2.1 Infrastructure & Security Logs
Infrastructure logs can include IP address, date/time, requested URL, HTTP status, browser/OS information, and referrer URL.
Legal basis: Art. 6(1)(f) GDPR (security and technical stability). Retention: limited to what is necessary for security and troubleshooting, then deleted or anonymised.
2.2 Device Storage (No Cookies)
We currently do not set tracking cookies. We use browser storage keys for consent and analytics session handling:
kaeso_consent (localStorage): stores your consent choice
kaeso_visited (localStorage): returning-visitor flag, only when consent is granted
kaeso_session_tracked (sessionStorage): prevents duplicate session-start events, only when consent is granted
Legal basis: storage/access that is strictly necessary to remember your consent choice is based on § 25(2) no. 2 TDDDG. Optional analytics-related storage is only used with consent under § 25(1) TDDDG and Art. 6(1)(a) GDPR.
2.3 Analytics (Consent-Based)
Analytics is disabled by default and only activated after explicit opt-in.
With consent, analytics events can include page and navigation interactions, scroll and dwell behavior, outbound link clicks, referrer and UTM data, device/screen/viewport metadata, performance metrics, JavaScript error metadata, and short text-selection previews.
Newsletter email addresses and full form content are not sent as analytics payloads.
Legal basis: § 25(1) TDDDG (for storage/access on end devices, where applicable) and Art. 6(1)(a) GDPR (consent). Consent can be withdrawn at any time via the Privacy settings control on the site.
2.4 Newsletter
For newsletter subscriptions, we process email address, subscription timestamps, selected topics, IP address, and user-agent for consent documentation and delivery security.
We use double opt-in. Confirmation tokens are purpose-bound and expire.
Retention: unconfirmed subscriptions are deleted after 30 days. Confirmed subscriptions remain active until unsubscription. After unsubscription, consent proof may be retained for up to 3 years.
Legal basis: Art. 6(1)(a) GDPR.
2.5 Contact by Email
If you contact us by email, we process your message and contact data to answer your request. Legal basis: Art. 6(1)(b) and/or Art. 6(1)(f) GDPR.
2.6 External Media & Links
Some pages may load external media (for example image CDNs). External links (including social or donation links) are opened only when clicked. The respective third-party provider is then responsible for data processing on its platform.
3. Recipients
We do not sell personal data. Data may be processed by infrastructure providers, email delivery infrastructure, analytics providers (only with consent), and authorities where legally required.
4. International Transfers
Where providers process data outside the EEA, we rely on recognised safeguards where required (for example adequacy decisions or standard contractual clauses).
5. Your Rights
To exercise your rights: [email protected]
6. Right to Complain
You may lodge a complaint with a supervisory authority. Competent authority for us:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz (LfDI)
Postfach 30 40, 55020 Mainz, Germany
7. Changes
We may update this policy when processing activities, legal requirements, or website features change.