← Back to home

Privacy notice · Datenschutzerklärung

How we protect your data.

This privacy notice explains how prvly.de (operated by Daniel Hommen) processes personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable German law.

1. Controller (Verantwortlicher)

Daniel Hommen
Postfach 300610
53186 Bonn
Germany

Email: contact@dhommen.dev

A separate data protection officer has not been appointed because the statutory requirements are not met. Please direct privacy-related enquiries to the contact above.

2. Categories of data we process

  • Server access data: IP address, requested resources, time stamp, user agent, referrer URL, and status codes that are logged automatically when you visit our website.
  • Waitlist data: email address entered into the waitlist form, source of submission, and technical metadata (e.g. time stamp, success or failure status).
  • Session data: for private sharing sessions we generate random session identifiers and store minimal metadata (creation time, connection status) to coordinate encrypted peer-to-peer transfers. File contents are never stored on our servers.
  • Communications: information you provide if you contact us by email.
  • Analytics data: aggregated usage metrics without personal identifiers collected via our self-hosted Plausible Analytics instance (no cookies, no profiling).

3. Purposes and legal bases

We process personal data only when a legal basis under Art. 6 GDPR applies:

  • Website delivery and security (server access data) – legitimate interests, Art. 6(1)(f) GDPR, to provide a secure and technically reliable service.
  • Waitlist onboarding (waitlist data) – consent, Art. 6(1)(a) GDPR. Submission of the form is voluntary and can be withdrawn at any time.
  • Peer-to-peer sessions (session data) – performance of a contract or pre-contractual steps, Art. 6(1)(b) GDPR, to enable the requested transfer between participants.
  • Customer communication (communications data) – legitimate interests, Art. 6(1)(f) GDPR, to respond to enquiries and support users.
  • Usage analytics (aggregated analytics data) – legitimate interests, Art. 6(1)(f) GDPR, to understand product adoption without creating user profiles.

4. Recipients and processors

We use carefully selected service providers that process data on our behalf pursuant to Art. 28 GDPR. These include in particular our infrastructure and analytics providers. We ensure appropriate data processing agreements and technical safeguards are in place.

Hosting and application delivery are currently provided by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA. Vercel processes server logs and content necessary to operate the service. We rely on the European Commission’s Standard Contractual Clauses and additional technical measures to safeguard EU data when it is processed in the United States.

Analytics is performed via our self-hosted instance of Plausible Analytics located at plausible.dho-studio.de, operated within the European Union. Plausible does not set cookies, stores no personal identifiers, and aggregates data after 24 hours.

5. Storage duration

We retain personal data only as long as necessary for the respective purpose:

  • Server access logs are typically retained for up to 30 days for security and troubleshooting, and may be kept longer if required to investigate incidents.
  • Waitlist submissions are stored until the onboarding process is completed or you request deletion.
  • Session metadata is deleted automatically after the session ends and no later than 24 hours after last activity.
  • Communication data is kept for the duration of the correspondence and applicable retention obligations.
  • Aggregated analytics data is retained in anonymised form without personal identifiers.

6. Data subject rights

You have the following rights under the GDPR and German Federal Data Protection Act (BDSG):

  • Access to your stored personal data (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR) or restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR) for data provided by you
  • Objection to processing based on legitimate interests (Art. 21 GDPR)
  • Withdrawal of consent at any time with future effect (Art. 7(3) GDPR)

To exercise your rights, contact us using the details provided above. We may require verification of your identity before fulfilling your request.

7. Right to lodge a complaint

You also have the right to lodge a complaint with a supervisory authority. The supervisory authority responsible for us is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestraße 2-4, 40213 Düsseldorf, Germany (https://www.ldi.nrw.de/).

8. International data transfers

Where service providers outside the European Economic Area (EEA) are involved, we ensure compliance with Art. 44 et seq. GDPR. Transfers rely on adequacy decisions or Standard Contractual Clauses combined with additional safeguards such as encryption and data minimisation.

9. Security measures

We employ state-of-the-art technical and organisational measures to protect data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. This includes enforced HTTPS, end-to-end encryption for peer-to-peer transfers, strict access controls, and continuous monitoring of our infrastructure.

10. Cookies and tracking

We do not use marketing cookies or fingerprinting technologies. Plausible Analytics operates without cookies and respects the "Do Not Track" browser setting. If we introduce additional tracking technologies in the future, we will seek your prior consent where required by law.

11. Updates to this notice

We may update this privacy notice to reflect changes in law, our services, or processing practices. The latest version is always available at this URL. Material changes will be communicated where legally required.

Last updated: 9 October 2025