Privacy Policy

Last updated / May 29, 2026

The following privacy notice informs you about the type, scope, and purpose of the collection and use of personal data when using this website, as well as your rights.

I. Data Controller

Paul Julian Heise
OSVČ / IT-Freelancer
Uralská 689/7, 160 00 Praha 6
Czech Republic
IČO: 23931752
DIČ (VAT ID): CZ687938738

Contact
Email: contact@pauljulianheise.com

Further details can be found in our legal notice.

II. Personal Data, Purpose of Processing, and Legal Basis

Personal data refers to any information relating to an identified or identifiable natural person (hereinafter: "data subject"). A natural person is considered identifiable if they can be identified directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

We only process personal data on our website when this is necessary for the following purposes:

  • Based on your request and consent (Art. 6(1)(a) GDPR)
  • To enable use of the website (Art. 6(1)(b) GDPR)
  • To improve user experience, promote our services, and maintain website security (Art. 6(1)(f) GDPR)
  • To provide services offered on the website and for pre-contractual measures (Art. 6(1)(a) and/or (b) GDPR)
  • To conclude and fulfill a contract (Art. 6(1)(b) GDPR)
  • To comply with legal obligations, such as tax regulations and recordkeeping duties (Art. 6(1)(c) GDPR)

Further details regarding data processing can be found under the respective headings below.

1. Access Data / Server Log Files

When visiting our website, our hosting provider’s servers automatically store information your browser transmits, known as server log files. This includes:

  • Referrer (previously visited page)
  • Requested URL or file
  • Browser type and version
  • Operating system used
  • Device type used
  • Time of access
  • IP address

Temporary processing of this data is necessary to deliver the website to your device. In particular, the IP address must be processed for this purpose. This data is not merged with other sources and is used exclusively to ensure the technical operation and security of the server and hosting infrastructure, and to prevent abuse.

Legal basis: Art. 6(1)(f) GDPR

2. Contact via Email, Forms, or Other Means

If you contact us via email, web form, or other means, the personal data you provide (e.g., name, email address, message) as well as technical data (e.g., IP address, timestamp) will be processed to handle your inquiry and any follow-up questions.

Legal basis:

  • Art. 6(1)(b) GDPR (for responding to inquiries)
  • If consent is given: Art. 6(1)(a) GDPR and Art. 9(2)(a) GDPR
  • In individual cases: Art. 6 in conjunction with Art. 9 GDPR for special categories of personal data

3. Customer Portal / Client Login

We provide a password-protected client portal for our customers. To access it, you log in with your email address and a password. Within the portal we process the personal and business data required to manage our collaboration, in particular:

  • Account and contact details (e.g. company name, contact person, email address, phone number, billing address, VAT ID)
  • Contracts and related documents
  • Invoices and invoice line items
  • Deliverables and project status
  • Technical login data, including a login timestamp stored in a cookie that is used solely to enforce automatic session expiry

This data is used exclusively to operate the portal, to manage contracts and billing, and to communicate with you about our services. We do not use it for advertising or profiling.

Legal basis:

  • Art. 6(1)(b) GDPR (performance and management of the contract with you)
  • Art. 6(1)(c) GDPR (statutory retention obligations for contracts and invoices)
  • Art. 6(1)(f) GDPR (security of the portal, e.g. session handling and access protection)

The portal, its database, and the authentication service are operated on our behalf by our processor Supabase (see Section III).

4. Third-Party Services and Content

We integrate or link to third-party content and services as follows:

Social Media

We use social media platforms in our legitimate interest to promote our services and presence. The respective providers' privacy policies apply:

  • X (formerly Twitter)
    X Internet Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland

  • Instagram
    Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

  • LinkedIn
    LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland
    Parent: LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA

  • GitHub
    GitHub, Inc., 88 Colin P. Kelly Jr. Street, San Francisco, CA 94107, USA (a subsidiary of Microsoft Corporation)

Clicking on a social media icon on our site will redirect you to that provider’s site in a new tab or window. Note that data may be processed outside the EU. This may pose risks, e.g., difficulty enforcing your rights. For effective enforcement, please contact the respective platform provider. You may also contact us regarding our profiles.

hCaptcha

To protect our contact form against spam and automated abuse, we use the hCaptcha service. When you interact with the form, hCaptcha analyses technical information to distinguish human users from automated requests. This may include your IP address, information about your browser and device, and interaction data (e.g. mouse movements and time spent on the form). hCaptcha may set cookies for this purpose. The captcha is only loaded once you begin interacting with the form, not on initial page load.

Data may be transferred to the USA. Appropriate safeguards apply (see Section III).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in preventing spam and ensuring the security of our systems)

Vercel Analytics

We use Vercel Web Analytics, a privacy-friendly analytics service provided by our hosting provider Vercel Inc. (see Section III), to understand how our website is used and to improve it. Vercel Web Analytics works without cookies and does not store persistent identifiers on your device. It does not track you across websites and does not create user profiles.

For each page view, aggregated and anonymised information is processed, such as the page visited, the referring page, approximate location at country level, as well as device type, browser, and operating system. To count unique visits without cookies, a non-reversible hash value is derived from incoming request data. This hash does not allow us to identify you and is not used for any purpose beyond counting visits.

  • Provider: Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA
  • Privacy Policy

Data may be transferred to the USA. Appropriate safeguards apply (see Section III).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the needs-based design and statistical evaluation of our website)

Fonts

We use the "Inter" typeface to ensure consistent typography across devices. The font files are hosted locally on our own infrastructure and delivered together with the website. No connection to Google servers or any other third-party font provider is established, and no personal data is transmitted to a font provider when the font loads.

Exali AG Liability Seal

  1. Description and scope of data processing
     This page uses the Exali AG Liability Seal. The graphic element of the seal is loaded from the servers of Exali AG. For this purpose, due to the technical design of the Internet, your IP address is processed in order to transmit the graphic to your browser. If you click on this seal, you leave our website and are forwarded to the servers of Exali AG. Learn more from Exali’s privacy policy: https://www.exali.com/data-protection-declaration/#Processing%20of%20personal%20data%20when%20using/integrating%20the%20exali.de%20Liability%20Seal

  2. Legal basis for data processing
     The legal basis for data processing is Art. 6(1)(f) GDPR (legitimate interest).

  3. Purpose of data processing
     The data processing serves the purpose of providing evidence of our professional indemnity insurance and the related mandatory professional information in a visually appealing manner.

  4. Legitimate interest
     Our legitimate interest in data processing arises from the purpose of offering an appealing online offer and fulfilling our information obligations in an appealing manner.

III. Recipients of Personal Data and Transfers to Third Countries

Personal data may be disclosed to the following categories of recipients:

  • Our data processors to the extent necessary, in particular our website and hosting provider:

Vercel Inc.
440 N Barranca Ave #4133
Covina, CA 91723
United States

  • Any relevant sub-processors of Vercel

For our customer portal (login, account data, contracts, invoices) we additionally use the following processor:

Supabase, Inc.
548 Market St, PMB 98450
San Francisco, CA 94104-5401
United States

Supabase provides the database and authentication infrastructure for our client portal. Our database is hosted in a data center within the European Union. As Supabase is a US-based provider, access from or a transfer to the USA cannot be fully excluded; in that case the appropriate safeguards described below apply.

  • Any relevant sub-processors of Supabase

To send and store the emails generated by our contact form, we use the following email provider:

Spaceship, Inc. (Spacemail)
4600 East Washington Street, Suite 300
Phoenix, AZ 85034
United States
Privacy Policy

As a US-based provider, data may be transferred to the USA; the appropriate safeguards described below apply.

  • Third-party service providers used on our website (see above under Section II.4)

Beyond these cases, we will not share your personal data with third parties without your explicit consent, unless we are legally obligated to do so or the data transfer is necessary to fulfill a contractual relationship with you.

We may process personal data in a third country (i.e., outside the European Union (EU) or European Economic Area (EEA)) if:

  • it is required for the performance of our (pre-)contractual obligations,
  • based on your consent,
  • due to a legal obligation, or
  • based on our legitimate interests.

This also applies to processing by third parties acting on our behalf, as well as disclosures or transfers of personal data to third parties.

Third-party service providers processing personal data on our behalf in third countries are only used if:

  • an adequacy decision by the European Commission exists for the country (Article 45 GDPR), or
  • appropriate safeguards (Article 46 GDPR), such as
    • Standard Contractual Clauses (SCCs) (Article 46(2)(c) GDPR), or
    • Binding Corporate Rules (BCRs) (Article 47 GDPR) are in place.

You can find general information here:

For further information, you may contact us at any time.

IV. Duration of Data Storage

We delete personal data once the purpose for processing has been fulfilled and the legal basis for processing no longer applies, provided there is no statutory retention obligation.

  • Server log files and IP addresses are automatically deleted no later than three days after collection.
  • Session cookies are automatically deleted at the end of your session.
  • Other cookies with a set expiration date are stored on your device until that date. You can view, restrict, or delete cookies at any time through your browser settings.

Personal data submitted through email, contact forms, or other means will be processed until your inquiry has been completely handled. After that, the data will be deleted unless a legal retention obligation applies.

You may delete your customer account at any time. Please note, however, that in the context of a contractual relationship with you, certain commercial and tax-related retention obligations apply:

  • Accounting documents: generally 5 years, and financial statements 10 years, under the Czech Act on Accounting (Act No. 563/1991 Coll.)
  • Tax and VAT documents: 10 years under the Czech VAT Act (Act No. 235/2004 Coll.)

This may also apply to the content of contact requests and email communications.

In general, and in relation to all tools and services used as previously described, we review data annually to determine whether it can be deleted. This is the case when the purpose of processing and the legal basis no longer apply and no statutory retention obligation exists.

V. Provision of Personal Data and Rights of Data Subjects

You are not legally required to provide personal data. However, the provision of such data may be necessary to conclude a contract or use specific website features. Without the provision of required data, certain services or functionalities may not be available.

There is no automated decision-making on our website; profiling does not take place.

Your rights as a data subject

In accordance with Articles 15 to 23 and Article 77 of the General Data Protection Regulation (GDPR), as supplemented by the Czech Personal Data Processing Act (Act No. 110/2019 Coll.), you have the following rights, provided the legal conditions are met:

  • Right of access – Article 15 GDPR
  • Right to rectification – Article 16 GDPR
  • Right to erasure ("right to be forgotten") – Article 17 GDPR
  • Right to restriction of processing – Article 18 GDPR
  • Right to data portability – Article 20 GDPR

If you have given consent to the processing of personal data, you have the:

  • Right to withdraw consent – Article 7(3) GDPR
    Withdrawal applies to future processing and does not affect the legality of processing based on consent before the withdrawal.

You also have the:

  • Right to object – Article 21 GDPR
    (More details in Section VI below.)

Please send any requests, inquiries, or communications to us. See Section I for contact details.

Right to lodge a complaint

If you believe that the processing of your personal data violates data protection laws, you always have the:

  • Right to lodge a complaint – Article 77 GDPR

This right can be exercised with the competent data protection authority, particularly in the member state of your residence, workplace, or the place of the alleged infringement.

The competent supervisory authority for us is the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ):

Úřad pro ochranu osobních údajů
Pplk. Sochora 27, 170 00 Praha 7, Czech Republic
www.uoou.gov.cz

You may also lodge a complaint with the supervisory authority in your country of residence or workplace.

VI. Information about the Right to Object under Article 21 GDPR

1. Right to object on grounds relating to your particular situation

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data which is based on Article 6(1)(f) GDPR (data processing based on a balancing of interests).

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.

2. Right to object to direct marketing

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing.

If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.

The objection can be made without any formal requirements and should preferably be directed to us using the contact details provided above under Section I.