Legal
Privacy policy
Last updated: July 2026
On this page
Controller
The controller under the General Data Protection Regulation (GDPR) is:
Andreas Tumbrink
Bismarckstraße 44
59379 Selm
Germany
Email: hello@andreastumbrink.com
At a glance
This website uses no tracking cookies, advertising, user profiles, client-side audience measurement, or client-side performance analytics. It does not write data to Local Storage or Session Storage. Personal data is processed only where required to operate the website securely or when you choose to contact me.
Hosting through Vercel
This website is hosted by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA. When you open the site, Vercel processes technically necessary access data, including the IP address, date and time, requested URL, referrer, request headers, browser information, and operating-system information. This data is used to deliver, stabilise, and secure the website. This site does not enable Vercel Analytics or Speed Insights.
The legal basis is Article 6(1)(f) GDPR: the legitimate interest in operating the website securely and reliably. Vercel is a US provider, so processing outside the EU may occur. The applicable contractual role, data-processing agreement, international-transfer safeguards, and retention of technical hosting logs depend on the selected Vercel plan and deployment configuration and are reviewed by the controller before production use.
Contact form
If you use the contact form, I process the name, email address, and message you provide solely to handle and answer your enquiry. These fields are required for the form to work. The legal basis is Article 6(1)(b) GDPR where the enquiry concerns a contract or pre-contractual steps; otherwise it is Article 6(1)(f) GDPR, the legitimate interest in answering enquiries addressed to me.
Messages are delivered through Resend, a service of Plus Five Five, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA. Resend receives the form data solely to deliver the message. As this is a US provider, the controller reviews and documents the required contractual basis, data-processing agreement, and international-transfer safeguards before production use. Resend generally documents 30-day retention for email data, subject to different account or contract settings.
The contact form is disabled server-side until the recipient mailbox provider and its retention period are configured and published here.
To prevent automated abuse, the sender's IP address is used only for rate limiting and is converted into a salted, non-readable verification value before storage. This value is never linked to the message. The legal basis is Article 6(1)(f) GDPR: the legitimate interest in preventing abuse and protecting the sending resource. Expired verification values are cleared from volatile memory during form access, and only attempts from the previous hour count. If optional global rate limiting is enabled, Upstash, Inc. (USA) processes the verification value in Redis; the counter has a technical lifetime of one hour. Backup, replication, and final deletion depend on the selected Upstash configuration and contract.
The message and related data in the receiving mailbox are deleted when the correspondence is complete, unless statutory retention duties require longer storage.
Contact by email
If you contact me directly by email, I process your information only to handle the enquiry. The legal basis is Article 6(1)(b) or Article 6(1)(f) GDPR as described above. The data is deleted once it is no longer required for the correspondence, unless statutory retention duties apply.
The contact form is disabled server-side until the recipient mailbox provider and its retention period are configured and published here.
Fonts
All fonts are served locally from this website. Opening a page does not connect your browser to Google Fonts or another font provider.
External links and GitHub data
This website may link to external services such as GitHub and X. When you follow an external link, the privacy policy of that provider applies.
Public GitHub repository and profile data shown on /code is fetched and cached server-side through GitHub's public API. No GitHub access token or contribution graph is used. Your browser does not connect to GitHub merely by visiting /code, and no visitor data is sent to GitHub for this feature.
Encryption
This website uses HTTPS throughout. Data you submit to the website, including contact-form data, is encrypted in transit against interception by third parties.
Recipients, retention, and automated decisions
Depending on how the site is used, recipients of personal data may include Vercel for hosting, Resend for email delivery, the disclosed receiving-mailbox provider, and Upstash when optional global rate limiting is enabled. Data is not sold or disclosed for advertising. The providers' contractual roles and international-transfer safeguards depend on the agreements actually in force and are reviewed for currency before production use.
Data is kept only for as long as its purpose requires: contact enquiries until the correspondence is complete, mailbox and Resend data for the periods described above, rate-limit values for the stated technical period, and hosting logs according to the active Vercel plan and configuration. Statutory retention duties remain unaffected.
No automated decision-making or profiling within the meaning of Article 22 GDPR takes place.
Your rights
You have the rights of access (Article 15 GDPR), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), and objection (Article 21). Where processing is based on consent, you may withdraw that consent at any time with future effect (Article 7(3)).
Where processing is based on Article 6(1)(e) or (f) GDPR, you may object at any time for reasons arising from your particular situation. An objection can be sent informally to the email address above.
You may also lodge a complaint with a data-protection supervisory authority under Article 77 GDPR. The competent authority is the State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf, Germany, www.ldi.nrw.de.
Policy version
This privacy policy was last updated in July 2026. It will be revised when the technology, website, or applicable law changes; the version published here is the current one.