Skip to main content
Legal · Datenschutzerklärung

Privacy Policy

Last updated: May 2026 · Version 2.0

1. Overview

This Privacy Policy explains how Engineers of AI ("we", "us", "our") collects, uses, stores, and protects personal data when you visit engineersofai.com (the "Site") or use any of our services. It is published in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the German Federal Data Protection Act (Bundesdatenschutzgesetz, "BDSG").

We collect the minimum amount of personal data needed to operate the Site and the newsletter. We never sell your data. We honor every right granted by the GDPR.

2. Data controller

The data controller responsible for personal data processed via the Site is:

Engineers of AI
[BUSINESS ADDRESS — TO BE UPDATED]
Germany
VAT ID (USt-IdNr.): DE-461921840
General contact: [email protected]
Privacy/legal contact: [email protected]

We have not appointed a statutory Data Protection Officer (Datenschutzbeauftragter) as we do not meet the criteria under Art. 37 GDPR or § 38 BDSG. All privacy matters are handled directly by the controller via the contact above.

3. Scope

This policy applies to personal data processed when you: (a) browse the Site; (b) submit our contact form; (c) subscribe to the newsletter; (d) create an account; (e) interact with embedded third-party services we use to operate the Site. It does not apply to third-party sites we link to, which have their own policies.

4. Categories of personal data we process

4.1 Provided by you

  • Contact form: name, email address, subject, message content, submission timestamp.
  • Newsletter subscription: email address (collected and stored by Substack as a separate controller/processor).
  • Account data (optional): identifiers returned by your identity provider via OIDC (Keycloak): unique user ID, email, given/family name where provided, role claims.

4.2 Collected automatically

  • Server logs: IP address, user-agent, requested URL, referrer, timestamp, response code. Retained ≤ 30 days for security and abuse-prevention.
  • Analytics events: page views, session metadata, anonymized IP, country-level location, device class (via Google Analytics 4 with IP anonymization).
  • Cookies and similar technologies: see Section 9.

4.3 From third parties

We do not buy personal data from data brokers. When you sign in via Keycloak, your identity provider transmits to us only the claims listed in 4.1 above.

5. Purposes and legal bases for processing

We rely on the following legal bases under Art. 6(1) GDPR:

PurposeDataLegal basisRetention
Respond to contact form messagesName, email, messageArt. 6(1)(b) - pre-contractual / Art. 6(1)(f) - legitimate interestUp to 24 months from last contact
Deliver newsletterEmailArt. 6(1)(a) - consentUntil unsubscribe
Account authenticationOIDC identifiersArt. 6(1)(b) - contract performanceFor account lifetime; deleted on request
Security, abuse prevention, log retentionServer logs, IPArt. 6(1)(f) - legitimate interest in operating a secure service≤ 30 days
Aggregate analyticsAnonymized analytics eventsArt. 6(1)(a) - consent (where required) / Art. 6(1)(f)26 months (GA4 default)
Comply with legal obligations (tax, accounting)Invoice/payment records (if applicable)Art. 6(1)(c) - legal obligation; § 147 AO10 years (German tax law)

6. Recipients and processors

We use the following processors under Data Processing Agreements (Art. 28 GDPR). For transfers outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and apply supplementary technical measures where appropriate.

ProcessorPurposeLocationTransfer safeguard
Netlify, Inc.Static hosting, CDN, form processingUSA (global edge)SCCs + DPA
Substack, Inc.Newsletter deliveryUSASCCs + privacy notice
Google Ireland Ltd. (Analytics)Aggregated usage analyticsEU/USAEU-US Data Privacy Framework / SCCs
Keycloak (self-hosted or managed)Authentication (OIDC)EUWithin EEA
Cloudflare / jsDelivrStatic asset delivery (fonts, math libraries)Global CDNSCCs where applicable

A full list of subprocessors and access to the relevant Data Processing Agreement is available on request via [email protected].

7. International data transfers

Some processors are located outside the European Economic Area (notably the United States). For such transfers we rely on:

  • The EU-US Data Privacy Framework (where the processor is certified);
  • Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914;
  • Supplementary technical and organizational measures (encryption in transit and at rest, access controls, audit logging) as required by the Schrems II ruling.

8. Automated decision-making and profiling

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing (Art. 22 GDPR). We do not perform profiling for advertising or eligibility purposes.

9. Cookies and similar technologies

We use a small set of cookies. We display a cookie banner where required by the EU ePrivacy Directive and § 25 TTDSG (German Telecommunications-Telemedia Data Protection Act).

  • Strictly necessary cookies: session continuity, security, CSRF protection. No consent required (§ 25(2) TTDSG).
  • Functional cookies: theme preference (light/dark), language. Consent-based where applicable.
  • Analytics cookies: Google Analytics 4 with IP anonymization. Set only after explicit consent.

You can withdraw consent at any time by clearing your cookies or by emailing [email protected]. Withdrawal does not affect the lawfulness of processing performed before withdrawal.

10. Your rights under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15): obtain confirmation and a copy of your data.
  • Right to rectification (Art. 16): correct inaccurate data.
  • Right to erasure (Art. 17): request deletion ("right to be forgotten").
  • Right to restriction (Art. 18): limit how we process your data.
  • Right to data portability (Art. 20): receive your data in a structured, commonly used format.
  • Right to object (Art. 21): object to processing based on legitimate interest or direct marketing.
  • Right to withdraw consent (Art. 7(3)): at any time, without affecting prior lawful processing.
  • Right not to be subject to automated decisions (Art. 22): we do not perform such decisions; see Section 8.
  • Right to lodge a complaint (Art. 77): with a supervisory authority - see Section 11.

To exercise any right, email [email protected]. We respond within one month (extendable by two months for complex requests, Art. 12(3) GDPR). The exercise of these rights is free of charge unless requests are manifestly unfounded or excessive.

11. Lodging a complaint

If you believe our processing of your personal data infringes GDPR, you may lodge a complaint with a supervisory authority. As we are established in Saxony, Germany, our lead supervisory authority is:

Der Sächsische Datenschutzbeauftragte
Devrientstraße 1
01067 Dresden
Germany

You may also lodge a complaint with the supervisory authority in your EU member state of residence or place of the alleged infringement.

12. Data retention

We retain personal data only as long as necessary for the purpose listed in Section 5, or as required by applicable law (e.g., 10 years for accounting records under § 147 AO).

13. Children

The Site is not intended for use by children under 16. In line with Art. 8 GDPR, we do not knowingly collect personal data from children under 16 without verifiable parental consent. If you believe a child has provided us with personal data, contact [email protected] and we will delete it without undue delay.

14. Security

We apply technical and organizational measures appropriate to the risks of processing (Art. 32 GDPR), including encryption in transit (TLS 1.2+), encryption at rest where supported by our processors, access controls, audit logging, regular updates, and security headers (CSP, HSTS). See our Security page for details.

15. Changes to this policy

We may update this policy when our processing changes or when required by law. The "Last updated" date and version above will be revised. Material changes affecting your rights will be notified by direct notice (e.g., email or banner) where appropriate.

16. Contact

For any question about this policy or your personal data, write to:
Engineers of AI · [BUSINESS ADDRESS — TO BE UPDATED] · Germany
[email protected]