Privacy Policy.

How we handle personal data — pursuant to GDPR and TTDSG.

1. Controller

Stefan Veit
Veit Digital LLC
500 4th St NW, Suite 102 #1582
Albuquerque, NM 87102
United States of America

E-mail: [email protected]
Phone: +49 163 6198195

The actual processing of personal data is carried out by the owner, Stefan Veit, from his place of residence in the Republic of Uruguay. No processing by the provider's staff on the provider's own servers within the United States of America takes place. For details on third-country transfers, see §7.

A representative within the European Union pursuant to Art. 27 GDPR has not currently been appointed. Please direct any data processing inquiries directly to the contact details above; they will be answered within the statutory deadlines.

2. General Information on Data Processing

This privacy policy informs you about the nature, scope, and purpose of the processing of personal data on veit-digital.tech. We collect personal data as sparingly as possible. A purely informational visit to the website is possible without providing personal data.

3. Legal Bases for Processing

Where we obtain consent for processing operations, Art. 6 para. 1 lit. a GDPR serves as the legal basis. For processing related to the initiation or performance of a contract, Art. 6 para. 1 lit. b GDPR applies. Statutory obligations are fulfilled on the basis of Art. 6 para. 1 lit. c GDPR. For processing based on legitimate interests, Art. 6 para. 1 lit. f GDPR applies; the legitimate interest in each case consists in providing and securing the website.

4. Categories of Data Collected

Depending on how you use the site, we process the following categories of data:

5. Purposes of Processing

6. Recipients and Processors

We use the following service providers as processors pursuant to Art. 28 GDPR:

A data processing agreement pursuant to Art. 28 GDPR (DPA) has been concluded with each processor. No further disclosure of personal data to third parties takes place unless we are required by law to do so.

7. Third-Country Transfers

Operational data processing is carried out by the owner from his place of residence in the Republic of Uruguay (see §1). An adequacy decision by the European Commission exists for Uruguay (Decision 2012/484/EU of 21 August 2012); no additional transfer safeguard pursuant to Art. 46 GDPR is required for this transfer.

Certain services transfer personal data to the USA: Google Analytics 4 (Google LLC), Microsoft Clarity (Microsoft Corp.), Resend, Inc., and Cal.com, Inc. are based there. The transfer is made on the basis of EU Standard Contractual Clauses (Art. 46 para. 2 lit. c GDPR). For Google and Microsoft, the adequacy decision of the European Commission on the EU–US Data Privacy Framework of 10 July 2023 additionally applies. Cloudflare preferentially processes requests from EU users via EU data centers.

8. Retention Periods and Deletion

Personal data is deleted as soon as the purpose of storage no longer applies and no statutory retention obligations stand in the way:

9. Hosting (Cloudflare Pages)

This website is hosted on Cloudflare Pages (Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA). Cloudflare operates data centers in the EU and preferentially processes requests from EU users via EU points of presence. A DPA pursuant to Art. 28 GDPR is in place. Cloudflare also provides services for reliability and protection against cyber attacks (DDoS protection, Web Application Firewall). Legal basis: Art. 6 para. 1 lit. f GDPR.

10. Server Log Files

Cloudflare automatically collects information transmitted by your browser with each page request: browser type and version, operating system, referrer URL, date and time of the request, and IP address. This data is not merged with other personal data and is used exclusively for error analysis and ensuring operation. Retention period: up to 7 days. Legal basis: Art. 6 para. 1 lit. f GDPR.

11. Cookies and Consent Management (Klaro)

This website uses cookies. Technically necessary cookies — including the consent cookie "vd_klaro" (retention period: 180 days) — are set without prior consent, as they are required for the proper operation of the website (§25 para. 2 no. 2 TTDSG). Analytics cookies (Google Analytics 4, Microsoft Clarity) are only set after your explicit consent (§25 para. 1 TTDSG, Art. 6 para. 1 lit. a GDPR).

Consent management is handled via Klaro. Your consent is valid for 180 days and can be withdrawn at any time via "Cookie Settings" in the footer. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

12. Google Analytics 4

This website uses Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. GA4 is only loaded and activated after your consent. Data on page views, session duration, and device categories is collected in anonymized form; the IP address is truncated before storage (IP anonymization active). Cookies: _ga (2 years), _gid (24 hours). Data is transferred to Google LLC, USA; basis: EU Standard Contractual Clauses and EU–US Data Privacy Framework. Legal basis: Art. 6 para. 1 lit. a GDPR. Withdrawal at any time via "Cookie Settings" in the footer.

13. Microsoft Clarity

This website uses Microsoft Clarity, a heatmap and session analysis tool provided by Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Clarity is only loaded after your consent. It captures anonymized click, scroll, and mouse movement data to improve user navigation; no inputs or personal content are recorded. Cookies: _clck, _clsk, CLID. Session recordings are deleted after 90 days. Data is transferred to Microsoft Corp., USA; basis: EU Standard Contractual Clauses. Legal basis: Art. 6 para. 1 lit. a GDPR. Withdrawal at any time via "Cookie Settings" in the footer.

14. Contact Form

When you use the contact form (request a strategy consultation), we process: name, e-mail address, optionally phone number, and your project description. The data is used exclusively to process your inquiry and prepare the strategy consultation. No disclosure to third parties takes place. Retention period: 3 years from initial contact, then deleted unless a contractual relationship has been established. Legal basis: Art. 6 para. 1 lit. b GDPR (pre-contractual measures).

15. Contact Form Spam Protection (Cloudflare Turnstile)

The contact form on this website is protected by Cloudflare Turnstile, a service for detecting automated requests (bot protection) provided by Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA. When filling out the form, Turnstile analyzes technical characteristics such as IP address, browser type, device information, and interaction patterns to distinguish human users from automated bots. Unlike conventional CAPTCHA services, Turnstile does not set persistent cookies and does not create cross-site user profiles. A DPA pursuant to Art. 28 GDPR has been concluded with Cloudflare; data is transferred to the USA on the basis of EU Standard Contractual Clauses (see §9). Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest: protection against spam and abusive automated access).

16. E-mail Delivery (Resend)

Form submissions and outgoing e-mail notifications are sent via Resend, Inc. (548 Market St., Suite 19199, San Francisco, CA 94104, USA). A DPA pursuant to Art. 28 GDPR has been concluded with Resend; data transfer to the USA is based on EU Standard Contractual Clauses. The e-mail address [email protected] is forwarded to a Gmail mailbox via Cloudflare Email Routing; the content passes through Cloudflare servers in the process. Legal basis: Art. 6 para. 1 lit. b or lit. f GDPR.

17. Newsletter (Double Opt-In)

Newsletter sign-up uses the double opt-in procedure: after signing up you receive a confirmation e-mail and are only added to the mailing list after clicking the confirmation link. The following data is stored: e-mail address, timestamp of sign-up, and IP address of the confirmation click as proof of consent. Unsubscribing is possible at any time via the unsubscribe link in each newsletter; sign-up data is deleted after unsubscribing. Legal basis: Art. 6 para. 1 lit. a GDPR.

18. Appointment Scheduling (Cal.com)

For scheduling the strategy consultation we use Cal.com (Cal.com, Inc., 340 S Lemon Ave #2707, Walnut, CA 91789, USA). The booking widget is only loaded after the contact form is submitted (click-to-load); until then no data is transferred to Cal.com. When booking, name, e-mail address, and the selected appointment are transmitted to Cal.com. Data transfer to the USA is based on EU Standard Contractual Clauses and a DPA pursuant to Art. 28 GDPR. Legal basis: Art. 6 para. 1 lit. b GDPR.

19. Strategy Consultations and Discovery Calls

Information voluntarily shared during a strategy consultation or discovery call (e.g., details about the website, company, and project goals) is used exclusively for the preparation and conduct of the call and any potential collaboration. Audio recordings are not made without explicit consent. Call notes are stored internally and deleted after 3 years if no contract has been concluded. Legal basis: Art. 6 para. 1 lit. b GDPR.

20. Social Media and External Links

This website contains links to external platforms (e.g., LinkedIn). When clicking these links you leave veit-digital.tech; the privacy policy of the respective platform applies. Social media buttons are not implemented as embedded tracking plugins — visiting this website alone does not transfer any data to social networks.

21. Security Measures

We implement technical and organizational measures pursuant to Art. 32 GDPR: HTTPS/TLS encryption for all connections, DDoS protection and Web Application Firewall via Cloudflare, regular security updates, access restrictions on internal systems, and no storage of payment data or passwords in our own systems.

22. Data Subject Rights

You have the following rights against us under the GDPR:

To exercise your rights, please contact: [email protected]

23. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data (Art. 77 GDPR). The competent authority is the supervisory authority of your habitual residence, your place of work, or the place of the alleged infringement within the EU. For private-sector entities in Germany, the relevant state data protection authority (Landesdatenschutzbehörde) of the federal state in which you are located is responsible. An overview of all German supervisory authorities can be found at bfdi.bund.de/Anschriften/Laender.

24. Automated Decision-Making

We do not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR that produces legal effects concerning data subjects or similarly significantly affects them.

25. Currency and Amendments to This Policy

This privacy policy is current as of: May 2026. We reserve the right to update it in response to technical or legal changes. The current version is always available on this page.