Privacy Policy
Clear. Direct. Understandable.
A. Who we are
Responsible for this website:
Büro für GestaltungEmail: info(at)bfg-ott.de
Phone: follows
More in the legal notice.
B. How we handle your data
We process personal data according to GDPR and applicable ePrivacy rules. Where required, we ask for consent.
Our legal bases:
- Consent (Art. 6(1)(a) GDPR) – for analytics and session recordings
- Contract performance (Art. 6(1)(b) GDPR) – when you contact us
- Legitimate interest (Art. 6(1)(f) GDPR) – for operation, security, abuse prevention
C. Hosting and server logs
When you visit our website, technical data is processed: IP address, time, requested page, browser, operating system, referrer.
We need this for secure operation and to defend against attacks.
Legal basis: Art. 6(1)(f) GDPR
Retention: 7–30 days
D. Cookie settings (Klaro)
We use Klaro! for your cookie preferences. Klaro stores your choice on your device.
You decide. Change anytime via "Cookie Settings". Withdrawal applies to future processing.
Legal basis: Art. 6(1)(c) GDPR (documentation) and Art. 6(1)(a) GDPR
E. Web analytics and session recording (PostHog)
We use PostHog Cloud EU (Frankfurt) – for web analytics and, if you consent, session recordings.
API host: eu.i.posthog.com
Data stays in the EU.
What we collect
- Page views, clicks, interactions
- Browser, operating system, device characteristics
- Pseudonymous identifiers (cookie/LocalStorage IDs)
- Truncated IP address
Why
- Web analytics: Understand how the website is used. Improve.
- Session recording: Find errors. Optimize usability.
Important
PostHog loads only after your consent. Without consent: no analytics, no recording.
Legal basis: Art. 6(1)(a) GDPR
Retention
- Analytics events: 12 months
- Session recordings: 1 month, then automatically deleted
Data processing
PostHog processes data on our behalf (Art. 28 GDPR). Agreement in place.
More: posthog.com/privacy
F. Cloudflare (CDN, proxy, security)
We use Cloudflare for fast delivery, attack protection, and stability.
Provider: Cloudflare, Inc., San Francisco, USA
EU office: Cloudflare Germany GmbH, Munich
What is processed
- IP address
- Time of access
- Requested content
- Browser and device information
- Security data
Legal basis
Art. 6(1)(f) GDPR – legitimate interest in secure, stable operation.
US transfer
Cloudflare is certified under the EU-U.S. Data Privacy Framework (Art. 45 GDPR), supplemented by Standard Contractual Clauses (Art. 46 GDPR).
G. Spam protection (Cloudflare Turnstile)
Our contact form is protected by Cloudflare Turnstile. Prevents automated abuse – no tracking cookies.
Legal basis: Art. 6(1)(f) GDPR
H. Contact
When you write to us, we process your information to handle your request.
Legal basis: Art. 6(1)(b) or Art. 6(1)(f) GDPR
Retention: Until request is complete; longer only if legally required.
I. Your rights
Under GDPR you have:
- Access (Art. 15) – What do we know?
- Rectification (Art. 16) – Correct data
- Erasure (Art. 17) – Delete data
- Restriction (Art. 18) – Limit processing
- Data portability (Art. 20) – Take your data
- Objection (Art. 21) – Object to processing
Withdraw consent: Anytime via "Cookie Settings". Applies to future processing.
Complaint: With a data protection authority (Art. 77 GDPR).
J. Version
February 2026. We update this policy when things change.