Scope. These notices apply to websites, Progressive Web Apps (PWAs) and, where provided, native apps (collectively “Services”) operated by the provider named in the imprint. Functions may vary per project. For privacy requests, always provide the exact URL/name of the affected website/app.
The controller under the GDPR is the provider named in the imprint. Contact: mail@heuken-webservice.com
TTDSG (§25 Germany): Strictly necessary technologies (e.g., session, service-worker cache) are permitted without consent.
Purpose: operation, security, debugging. Data: (anonymised) IP, timestamp, URL/file, referrer, HTTP status, user agent. Basis: Art. 6(1)(f) GDPR. Retention: typically 7 days (longer in incidents). Recipients: hosting/infrastructure processors.
Purpose: offline capability, performance. Basis: TTDSG §25(2)(2) with Art. 6(1)(f) GDPR (strictly necessary). Retention: until update/invalidation or manual deletion. Recipients: none (client-side). Protected resources are not cached.
Purpose: communication/handling inquiries. Data: contact details, message content, metadata. Basis: Art. 6(1)(b) or (f) GDPR. Retention: 6–24 months. Recipients: IT/support processors.
Purpose: information/updates. Data: email, optional name; double opt-in. Basis: Art. 6(1)(a) GDPR (withdrawal anytime). Retention: until withdrawal; suppression list to enforce it (Art. 6(1)(f)).
Preferably self-hosted, cookie-less, Do-Not-Track respected, IP anonymised. Basis: Art. 6(1)(f) GDPR. Retention: up to 13 months. Recipients: none (when self-hosted) or processors.
Purpose: access control, sessions, roles. Data: registration/profile, hashed credentials, session tokens, security logs. Basis: Art. 6(1)(b)/(f) GDPR. Retention: account lifetime; logs 90–180 days. Recipients: hosting/IT processors.
Purpose: message delivery. Data: push tokens/subscriptions, delivery metadata. Basis: Art. 6(1)(a) GDPR; revocable in app/browser/OS. Retention: until withdrawal/invalidation. Recipients: push infrastructure processors.
Purpose: functionality (e.g., camera, microphone, files, location, notifications). Basis: Art. 6(1)(a) GDPR (consent) or (f) (strictly necessary). Retention: only as required. Recipients: no third parties.
Purpose: IT security. Data: file/hash/metadata. Basis: Art. 6(1)(f) GDPR. Third-country transfers: external scanners (e.g., VirusTotal) may involve transfers outside the EU/EEA (incl. US); safeguarded by Art. 46 GDPR (SCC) plus technical/organisational measures. Retention: on the system side, e.g., up to 90 days or until deletion; at the scanner, per its policy.
Without required data, the requested service cannot be provided (e.g., session, contact details).
We use carefully selected processors (Art. 28 GDPR) under data-processing agreements; no disclosure to third parties without a legal basis.
For transfers outside the EU/EEA, we implement Art. 46 GDPR safeguards (notably SCC), supplementary measures and TIAs. Copies available on request.
We retain data only as long as needed for the purpose, then delete/anonymise unless statutory retention applies.
TLS/HTTPS, role-based access, system hardening, security logging, organisational safeguards.
Access, rectification, erasure, restriction, portability, objection (Art. 21), withdrawal of consent (Art. 7(3)). Contact: mail@heuken-webservice.com.
You may lodge a complaint with a supervisory authority. EU overview: EDPB members.
Not directed at children unless explicitly stated. App permissions are used only as required and based on consent.
We update these notices when technical/legal changes occur; the version published at the time of visit applies.
Version: – Build 1