Privacy policy

Controller

Anika Schmidt

Antonstr. 1

95445 Bayreuth

Germany

Phone: +49 176 66675948

Email: anika.schmidt.pm@icloud.com

1) Scope of this Privacy Policy

This Privacy Policy explains how personal data is processed when you visit my portfolio website and when you contact me. It applies to all pages and functions of this website.

Legal basis: Art. 13 GDPR (information to be provided where personal data are collected from the data subject).

2) Definitions

  • Personal data: Any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).

  • Processing: Any operation performed on personal data (Art. 4(2) GDPR).

  • Controller: The person who determines the purposes and means of processing (Art. 4(7) GDPR).

  • Processor: A service provider processing data on behalf of the controller (Art. 4(8) GDPR).

3) General principles of processing

I process personal data according to GDPR principles, especially:

  • Lawfulness, fairness, transparency (Art. 5(1)(a) GDPR)

  • Purpose limitation (Art. 5(1)(b) GDPR)

  • Data minimization (Art. 5(1)(c) GDPR)

  • Storage limitation (Art. 5(1)(e) GDPR)

  • Integrity and confidentiality (Art. 5(1)(f) GDPR)

4) Data processing when visiting the website (server log files)

4.1 Which data is processed?

When you access the website, the hosting provider typically processes server log data, such as:

  • IP address (usually in log form)

  • Date and time of access

  • Requested page/file

  • Referrer URL

  • Browser type/version and operating system

  • HTTP status code / amount of data transferred

4.2 Purposes

  • Technical delivery of the website

  • System security and abuse prevention (e.g., defense against attacks)

  • Troubleshooting and stability monitoring

4.3 Legal basis

  • Art. 6(1)(f) GDPR (legitimate interest): secure, stable, and efficient website operation.

4.4 Retention

Server logs are stored only as long as necessary for the purposes above, then deleted or anonymized. Typical retention periods vary by host (often days to weeks), depending on security needs.

4.5 Recipients

  • Hosting provider (as processor)

  • Potentially IT/service providers supporting hosting/security (processors)

5) Hosting and processing by service providers (Processors)

This website is hosted with an external provider. Personal data processed during website use may be stored on the provider’s servers.

5.1 Legal basis

  • Art. 6(1)(f) GDPR (legitimate interest) for secure and efficient provision

  • If a contact form is used, Art. 6(1)(b) GDPR (pre-contractual measures) may also apply.

5.2 Data processing agreement

Where legally required, I conclude a Data Processing Agreement (DPA) with processors under Art. 28 GDPR.

5.3 International transfers

If a provider processes data outside the EU/EEA (e.g., in the USA), data transfer may occur under:

  • Adequacy decision (Art. 45 GDPR) where applicable, or

  • Standard Contractual Clauses (SCCs) (Art. 46 GDPR) and additional safeguards where required.

6) Contact via email / contact form

6.1 Which data is processed?

If you contact me, I process the data you provide, typically:

  • Name (if provided)

  • Email address

  • Message content

  • Any other information you share (e.g., company, role, attachments)

6.2 Purposes

  • Responding to your request

  • Communication and follow-up

  • Initiating/preparing a professional relationship (e.g., job opportunities, project inquiries)

6.3 Legal basis

Depending on the context:

  • Art. 6(1)(b) GDPR (pre-contractual measures / contract) – e.g., project inquiry

  • Art. 6(1)(f) GDPR (legitimate interest) – handling general requests

  • Art. 6(1)(a) GDPR (consent) – if consent is explicitly requested for a specific use

6.4 Retention

I keep contact data only as long as necessary to process the request and any related follow-up, and as required by statutory retention obligations (if applicable). Unneeded correspondence is deleted.

6.5 Disclosure

Your contact data is not sold and is not shared with third parties unless:

  • it’s necessary to handle your request (processors), or

  • required by law.

7) Cookies and similar technologies

7.1 What are cookies?

Cookies are small text files stored on your device. Similar technologies include local storage, pixels, and scripts.

7.2 Types of cookies

  • Strictly necessary cookies: required for core functions and security

  • Preference cookies: store settings (e.g., language)

  • Statistics/analytics cookies: measure usage (only with consent where required)

  • Marketing cookies: track across sites (typically consent-required)

7.3 Legal basis

  • Strictly necessary cookies: Art. 6(1)(f) GDPR (legitimate interest)

  • All non-essential cookies (analytics/marketing): Art. 6(1)(a) GDPR (consent)

7.4 Consent management

If a cookie banner/consent tool is used, you can grant or withdraw consent at any time via the consent settings (where available). Withdrawal does not affect the lawfulness of processing before withdrawal.

8) Analytics (e.g., Google Analytics 4) – only if enabled

This section applies only if I actively use analytics (e.g., GA4) on the website.

8.1 Processed data (typical)

  • Interaction data (page views, clicks, scrolling, session duration)

  • Device and browser information

  • Approximate location (derived)

  • IP address (generally processed transiently; configuration may reduce/avoid storage)

  • Online identifiers (e.g., cookies, device IDs) depending on setup

8.2 Purposes

  • Understanding how visitors use the website

  • Improving content, UX, and performance

  • Measuring the effectiveness of portfolio content (e.g., pages visited)

8.3 Legal basis

  • Art. 6(1)(a) GDPR (consent) for analytics that are not strictly necessary.

8.4 International transfers

Analytics providers may process data outside the EU/EEA. Safeguards may include SCCs and additional measures under Art. 46 GDPR, unless an adequacy decision applies.

8.5 Retention

Retention depends on the analytics configuration. Where possible, data is stored for limited periods and aggregated/anonymized.

8.6 Opt-out

If a consent banner is used, you can decline analytics cookies. If already accepted, you can withdraw consent via consent settings (if provided).

9) Embedded content (e.g., YouTube, Vimeo, Google Fonts, LinkedIn)

Portfolio sites often embed external content (videos, posts, icons, fonts). When such content loads, your browser may connect to the third-party provider, which can receive:

  • Your IP address

  • Browser/device data

  • The page you visited (referrer)

Legal basis

  • For strictly necessary content: Art. 6(1)(f) GDPR

  • For optional embeds/marketing-related services: typically Art. 6(1)(a) GDPR (consent) if they set cookies or track users.

Best practice is to use privacy-friendly embedding (e.g., click-to-load) where relevant.

10) Social media links (LinkedIn, etc.)

If this website links to social media profiles, clicking those links takes you to the external platform. Processing there is governed by the platform’s own privacy policy. I am not responsible for processing by third-party platforms.

11) Security measures

I use appropriate technical and organizational measures to protect data, including:

  • HTTPS/TLS encryption (where available)

  • Access controls for administrative systems

  • Principle of least privilege

  • Regular updates/maintenance (where applicable)

Legal context: Art. 32 GDPR (security of processing).

12) No automated decision-making / profiling

I do not use automated decision-making (including profiling) within the meaning of Art. 22 GDPR for this website.

13) Your rights under the GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR)

  • Right to rectification (Art. 16 GDPR)

  • Right to erasure (“right to be forgotten”) (Art. 17 GDPR)

  • Right to restriction of processing (Art. 18 GDPR)

  • Right to data portability (Art. 20 GDPR)

  • Right to object (Art. 21 GDPR)

    • Especially where processing is based on Art. 6(1)(f)

  • Right to withdraw consent (Art. 7(3) GDPR)

    • At any time, with effect for the future

  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

If you want to exercise any rights, contact me via the email above.

14) Supervisory authority (Germany)

You can lodge a complaint with a data protection authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

For Bavaria, the relevant authority is typically the Bavarian State Office for Data Protection Supervision (BayLDA) (responsible for the private sector).

15) Changes to this Privacy Policy

I may update this Privacy Policy if the website changes (e.g., new tools, new embeds) or if legal requirements change.

Last updated: February 2026
