Privacy Policy
Last updated: May 2026 · Version 2.0
1. Overview
This Privacy Policy explains how Engineers of AI ("we", "us", "our") collects, uses, stores, and protects personal data when you visit engineersofai.com (the "Site") or use any of our services. It is published in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the German Federal Data Protection Act (Bundesdatenschutzgesetz, "BDSG").
We collect the minimum amount of personal data needed to operate the Site and the newsletter. We never sell your data. We honor every right granted by the GDPR.
2. Data controller
The data controller responsible for personal data processed via the Site is:
We have not appointed a statutory Data Protection Officer (Datenschutzbeauftragter) as we do not meet the criteria under Art. 37 GDPR or § 38 BDSG. All privacy matters are handled directly by the controller via the contact above.
3. Scope
This policy applies to personal data processed when you: (a) browse the Site; (b) submit our contact form; (c) subscribe to the newsletter; (d) create an account; (e) interact with embedded third-party services we use to operate the Site. It does not apply to third-party sites we link to, which have their own policies.
4. Categories of personal data we process
4.1 Provided by you
- Contact form: name, email address, subject, message content, submission timestamp.
- Newsletter subscription: email address (collected and stored by Substack as a separate controller/processor).
- Account data (optional): identifiers returned by your identity provider via OIDC (Keycloak): unique user ID, email, given/family name where provided, role claims.
4.2 Collected automatically
- Server logs: IP address, user-agent, requested URL, referrer, timestamp, response code. Retained ≤ 30 days for security and abuse-prevention.
- Analytics events: page views, session metadata, anonymized IP, country-level location, device class (via Google Analytics 4 with IP anonymization).
- Cookies and similar technologies: see Section 9.
4.3 From third parties
We do not buy personal data from data brokers. When you sign in via Keycloak, your identity provider transmits to us only the claims listed in 4.1 above.
5. Purposes and legal bases for processing
We rely on the following legal bases under Art. 6(1) GDPR:
| Purpose | Data | Legal basis | Retention |
|---|---|---|---|
| Respond to contact form messages | Name, email, message | Art. 6(1)(b) - pre-contractual / Art. 6(1)(f) - legitimate interest | Up to 24 months from last contact |
| Deliver newsletter | Art. 6(1)(a) - consent | Until unsubscribe | |
| Account authentication | OIDC identifiers | Art. 6(1)(b) - contract performance | For account lifetime; deleted on request |
| Security, abuse prevention, log retention | Server logs, IP | Art. 6(1)(f) - legitimate interest in operating a secure service | ≤ 30 days |
| Aggregate analytics | Anonymized analytics events | Art. 6(1)(a) - consent (where required) / Art. 6(1)(f) | 26 months (GA4 default) |
| Comply with legal obligations (tax, accounting) | Invoice/payment records (if applicable) | Art. 6(1)(c) - legal obligation; § 147 AO | 10 years (German tax law) |
6. Recipients and processors
We use the following processors under Data Processing Agreements (Art. 28 GDPR). For transfers outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and apply supplementary technical measures where appropriate.
| Processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Netlify, Inc. | Static hosting, CDN, form processing | USA (global edge) | SCCs + DPA |
| Substack, Inc. | Newsletter delivery | USA | SCCs + privacy notice |
| Google Ireland Ltd. (Analytics) | Aggregated usage analytics | EU/USA | EU-US Data Privacy Framework / SCCs |
| Keycloak (self-hosted or managed) | Authentication (OIDC) | EU | Within EEA |
| Cloudflare / jsDelivr | Static asset delivery (fonts, math libraries) | Global CDN | SCCs where applicable |
A full list of subprocessors and access to the relevant Data Processing Agreement is available on request via [email protected].
7. International data transfers
Some processors are located outside the European Economic Area (notably the United States). For such transfers we rely on:
- The EU-US Data Privacy Framework (where the processor is certified);
- Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914;
- Supplementary technical and organizational measures (encryption in transit and at rest, access controls, audit logging) as required by the Schrems II ruling.
8. Automated decision-making and profiling
We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing (Art. 22 GDPR). We do not perform profiling for advertising or eligibility purposes.
9. Cookies and similar technologies
We use a small set of cookies. We display a cookie banner where required by the EU ePrivacy Directive and § 25 TTDSG (German Telecommunications-Telemedia Data Protection Act).
- Strictly necessary cookies: session continuity, security, CSRF protection. No consent required (§ 25(2) TTDSG).
- Functional cookies: theme preference (light/dark), language. Consent-based where applicable.
- Analytics cookies: Google Analytics 4 with IP anonymization. Set only after explicit consent.
You can withdraw consent at any time by clearing your cookies or by emailing [email protected]. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
10. Your rights under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15): obtain confirmation and a copy of your data.
- Right to rectification (Art. 16): correct inaccurate data.
- Right to erasure (Art. 17): request deletion ("right to be forgotten").
- Right to restriction (Art. 18): limit how we process your data.
- Right to data portability (Art. 20): receive your data in a structured, commonly used format.
- Right to object (Art. 21): object to processing based on legitimate interest or direct marketing.
- Right to withdraw consent (Art. 7(3)): at any time, without affecting prior lawful processing.
- Right not to be subject to automated decisions (Art. 22): we do not perform such decisions; see Section 8.
- Right to lodge a complaint (Art. 77): with a supervisory authority - see Section 11.
To exercise any right, email [email protected]. We respond within one month (extendable by two months for complex requests, Art. 12(3) GDPR). The exercise of these rights is free of charge unless requests are manifestly unfounded or excessive.
11. Lodging a complaint
If you believe our processing of your personal data infringes GDPR, you may lodge a complaint with a supervisory authority. As we are established in Saxony, Germany, our lead supervisory authority is:
You may also lodge a complaint with the supervisory authority in your EU member state of residence or place of the alleged infringement.
12. Data retention
We retain personal data only as long as necessary for the purpose listed in Section 5, or as required by applicable law (e.g., 10 years for accounting records under § 147 AO).
13. Children
The Site is not intended for use by children under 16. In line with Art. 8 GDPR, we do not knowingly collect personal data from children under 16 without verifiable parental consent. If you believe a child has provided us with personal data, contact [email protected] and we will delete it without undue delay.
14. Security
We apply technical and organizational measures appropriate to the risks of processing (Art. 32 GDPR), including encryption in transit (TLS 1.2+), encryption at rest where supported by our processors, access controls, audit logging, regular updates, and security headers (CSP, HSTS). See our Security page for details.
15. Changes to this policy
We may update this policy when our processing changes or when required by law. The "Last updated" date and version above will be revised. Material changes affecting your rights will be notified by direct notice (e.g., email or banner) where appropriate.
16. Contact
For any question about this policy or your personal data, write to:
Engineers of AI · [BUSINESS ADDRESS — TO BE UPDATED] · Germany
[email protected]
