Legal
Privacy Policy
Information on the processing of personal data in accordance with the GDPR.
1. Controller
2. General information
Protecting your personal data is important to me. This privacy policy explains how and for what purpose personal data is processed when you visit this website and when you use my language courses.
3. Domain and DNS
The domain de101.info is registered with IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, Germany. DNS is also managed by IONOS. When the domain is accessed, technical connection data (e.g. IP address) may be processed there. Further information: ionos.de/terms-gtc/terms-privacy.
4. Website hosting
This website is hosted and delivered via Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. When the site is accessed, technically necessary server log files may be processed (e.g. IP address, date and time, requested URL, HTTP status, referrer, browser type and operating system). Transfers to the USA take place on the basis of the EU-US Data Privacy Framework and, in addition, the EU Standard Contractual Clauses. A data processing agreement under Art. 28 GDPR is in place with the provider. The legal basis for hosting is Art. 6(1)(f) GDPR (legitimate interest in reliably providing the website). Vercel's privacy policy: vercel.com/legal/privacy-policy.
5. Backend, database and authentication (Supabase)
Form submissions (contact requests, enrolment applications, course interest registrations), the related stored records, authentication for administrators and enrolled course members, and server-side functions are operated via Supabase, provided by Supabase Inc. Protected areas use email/password authentication; access is restricted according to the assigned account role.
Depending on use, the Course Portal may process account data, roles, course/cohort membership, chosen display name and avatar, course materials, comments, assignment status, submissions, feedback, rubric assessments, results from assigned exam simulations, certificate metadata and technical timestamps. Supabase Realtime is used in the Course Portal as a technical update signal so that visible course and submission data can be reloaded after changes.
Signed-in course members can use the vocabulary trainer with account-linked learning progress. For this purpose, the trainer stores the vocabulary card, practice direction, scheduling values, next review date and a history of submitted review ratings. This allows the trainer to provide a personalised daily review queue and preserve learning progress across visits.
A data processing agreement under Art. 28 GDPR is in place with the provider. When you submit a form, Supabase processes the data you enter together with technical metadata such as timestamp and, depending on the request, IP address. Technical frontend and server errors may also be logged in Supabase for security, troubleshooting and service reliability; these logs are limited to operational details such as error message, page path and user agent where applicable. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures / performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in operating, securing and improving the service). Supabase's privacy policy: supabase.com/privacy.
Depending on use, the Course Portal may process account data, roles, course/cohort membership, chosen display name and avatar, course materials, comments, assignment status, submissions, feedback, rubric assessments, results from assigned exam simulations, certificate metadata and technical timestamps. Supabase Realtime is used in the Course Portal as a technical update signal so that visible course and submission data can be reloaded after changes.
Signed-in course members can use the vocabulary trainer with account-linked learning progress. For this purpose, the trainer stores the vocabulary card, practice direction, scheduling values, next review date and a history of submitted review ratings. This allows the trainer to provide a personalised daily review queue and preserve learning progress across visits.
A data processing agreement under Art. 28 GDPR is in place with the provider. When you submit a form, Supabase processes the data you enter together with technical metadata such as timestamp and, depending on the request, IP address. Technical frontend and server errors may also be logged in Supabase for security, troubleshooting and service reliability; these logs are limited to operational details such as error message, page path and user agent where applicable. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures / performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in operating, securing and improving the service). Supabase's privacy policy: supabase.com/privacy.
6. Transactional emails (Resend)
Notification emails to me as well as confirmation and Course Portal emails to you (for example after submitting the contact form, an enrolment application or a course interest registration, or for published course content, comments, submission confirmations, feedback/status changes or due-date reminders) are sent via Resend, provided by Resend, Inc., USA. For this purpose, Resend processes the recipient address, the sender address, the subject line, the email content and technical delivery metadata. Transfers to the USA take place on the basis of the EU-US Data Privacy Framework and, in addition, the EU Standard Contractual Clauses. A data processing agreement under Art. 28 GDPR is in place with the provider. Legal basis: Art. 6(1)(b) GDPR (performance of a contract / pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in reliable email delivery). Resend's privacy policy: resend.com/legal/privacy-policy.
7. SSL/TLS encryption
For security reasons and to protect the transmission of confidential content, this website uses SSL/TLS encryption. You can recognise an encrypted connection by the lock icon in your browser's address bar and the "https://" prefix.
8. Contact form, enrolment form, course interest form and email
This website offers three forms:
To protect these forms from automated abuse, I use Cloudflare Turnstile, provided by Cloudflare, Inc., USA. Turnstile checks whether a form submission is likely to come from a human user and may process technical data such as IP address, browser and device information, interaction data and the page on which the widget is used. Legal basis is Art. 6(1)(f) GDPR (legitimate interest in securing the forms and preventing spam). Cloudflare's privacy policy: cloudflare.com/privacypolicy.
The site also limits repeated requests to reduce spam and protect service availability. For this purpose, IP addresses and submitted email addresses are converted into pseudonymous keyed hashes before short-lived counters are stored. The counters do not contain the original values and are deleted after no more than 48 hours. Legal basis is Art. 6(1)(f) GDPR (legitimate interest in securing the website and preventing abuse).
My mailbox info@de101.info is operated via Zoho Mail (Zoho Corporation B.V., Hoofddorp, Netherlands) in an EU data centre. The legal basis is Art. 6(1)(b) GDPR (pre-contractual measures or performance of a contract) and, for general enquiries, Art. 6(1)(f) GDPR (legitimate interest in answering your enquiry). Your data will be deleted as soon as it is no longer required for this purpose and no statutory retention obligations apply.
- Contact form: name, email address and your message.
- Enrolment application: name, email address, phone number (optional), the desired course, current language level (optional), preferred start date (optional) and motivation/notes.
- Course interest registration: email address, the course you are interested in, and optionally your name, preferred start and a short message.
To protect these forms from automated abuse, I use Cloudflare Turnstile, provided by Cloudflare, Inc., USA. Turnstile checks whether a form submission is likely to come from a human user and may process technical data such as IP address, browser and device information, interaction data and the page on which the widget is used. Legal basis is Art. 6(1)(f) GDPR (legitimate interest in securing the forms and preventing spam). Cloudflare's privacy policy: cloudflare.com/privacypolicy.
The site also limits repeated requests to reduce spam and protect service availability. For this purpose, IP addresses and submitted email addresses are converted into pseudonymous keyed hashes before short-lived counters are stored. The counters do not contain the original values and are deleted after no more than 48 hours. Legal basis is Art. 6(1)(f) GDPR (legitimate interest in securing the website and preventing abuse).
My mailbox info@de101.info is operated via Zoho Mail (Zoho Corporation B.V., Hoofddorp, Netherlands) in an EU data centre. The legal basis is Art. 6(1)(b) GDPR (pre-contractual measures or performance of a contract) and, for general enquiries, Art. 6(1)(f) GDPR (legitimate interest in answering your enquiry). Your data will be deleted as soon as it is no longer required for this purpose and no statutory retention obligations apply.
9. Conducting the language courses (video conferencing)
Lessons take place, depending on the arrangement, via video conferencing services such as Google Meet (Google Ireland Ltd., Ireland) and possibly Zoom (Zoom Video Communications, Inc., USA). When using these services, personal data (e.g. name, email address, IP address, and possibly audio and video during the session) is processed by the respective provider. Recordings are only made with your explicit consent. The legal basis is Art. 6(1)(b) GDPR (performance of a contract). For providers based in or processing data in the USA, transfers take place on the basis of the EU-US Data Privacy Framework and the EU Standard Contractual Clauses.
10. Course Portal, course materials, assignments and private files
Course materials, assignments, feedback and related course activity are provided in the first-party de101 Course Portal. The portal-related data is processed in Supabase as described in section 5. This includes in particular course membership, display name and avatar, course posts, comments, assignment status, submissions, feedback, assigned exam simulations and certificate data.
Course Portal files (for example submitted PDFs/photos/audio recordings, teacher-provided files, feedback attachments and certificate PDFs) are processed in a private Cloudflare R2 storage bucket, provided by Cloudflare, Inc. The browser only receives short-lived, permission-checked upload or download links; storage access keys are not exposed to the browser. Supabase stores the related object keys and metadata. Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (secure and reliable Course Portal operation). Cloudflare's privacy policy: cloudflare.com/privacypolicy.
Course Portal files (for example submitted PDFs/photos/audio recordings, teacher-provided files, feedback attachments and certificate PDFs) are processed in a private Cloudflare R2 storage bucket, provided by Cloudflare, Inc. The browser only receives short-lived, permission-checked upload or download links; storage access keys are not exposed to the browser. Supabase stores the related object keys and metadata. Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (secure and reliable Course Portal operation). Cloudflare's privacy policy: cloudflare.com/privacypolicy.
11. Newsletter and optional information
The website currently does not provide a public newsletter sign-up form. If you explicitly request information about courses, learning tips or offers, or consent to receiving such messages, I use the email address you provide only for that purpose. The legal basis is your consent under Art. 6(1)(a) GDPR. You can withdraw your consent at any time by sending me a message. Delivery may use the email infrastructure described in section 6.
12. Fonts
This website uses locally hosted fonts that are delivered directly from the website's server. No connection to external font providers (such as Google Fonts) is intentionally established.
13. Cookies, web analytics and behaviour analytics (GTM / GA4 / Microsoft Clarity / Vercel)
On this website I use Google Tag Manager provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Tag Manager itself is used solely to manage and load other tags (currently Google Analytics 4 and Microsoft Clarity).
Google Analytics 4 uses cookies and similar technologies to analyse how the website is used (e.g. page views, approximate location, device and browser data, interaction events). According to Google, IP addresses are truncated before storage.
A transfer of personal data to Google LLC in the USA cannot be excluded. Such transfers take place on the basis of the EU-US Data Privacy Framework and, in addition, the EU Standard Contractual Clauses.
I additionally use Microsoft Clarity, a behaviour analytics service provided by Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (parent company: Microsoft Corporation, USA). Clarity uses cookies and similar technologies to create pseudonymised session recordings (mouse movement, clicks, scrolls), heatmaps and page performance metrics so that I can understand how the site is used and improve it. According to Microsoft, sensitive input fields are masked by default and keystrokes in input fields are not used for analytics purposes. A transfer of personal data to Microsoft Corporation in the USA cannot be excluded; such transfers take place on the basis of the EU-US Data Privacy Framework and the EU Standard Contractual Clauses.
On Vercel preview domains (*.vercel.app), Vercel Analytics and Vercel Speed Insights, services provided by Vercel Inc., may also be loaded after the same consent in order to collect page-view and technical web performance metrics. According to the current implementation, these services are not loaded on the production custom domain de101.info.
The legal basis for using Google Tag Manager, Google Analytics, Microsoft Clarity, Vercel Analytics and Vercel Speed Insights is your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. These services are only loaded after your active consent via the consent banner. You can withdraw your consent at any time with effect for the future via the "Cookie settings" link in the footer.
For more information please see the Google Privacy Policy, the Microsoft Privacy Statement and the Vercel Privacy Policy.
Google Analytics 4 uses cookies and similar technologies to analyse how the website is used (e.g. page views, approximate location, device and browser data, interaction events). According to Google, IP addresses are truncated before storage.
A transfer of personal data to Google LLC in the USA cannot be excluded. Such transfers take place on the basis of the EU-US Data Privacy Framework and, in addition, the EU Standard Contractual Clauses.
I additionally use Microsoft Clarity, a behaviour analytics service provided by Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (parent company: Microsoft Corporation, USA). Clarity uses cookies and similar technologies to create pseudonymised session recordings (mouse movement, clicks, scrolls), heatmaps and page performance metrics so that I can understand how the site is used and improve it. According to Microsoft, sensitive input fields are masked by default and keystrokes in input fields are not used for analytics purposes. A transfer of personal data to Microsoft Corporation in the USA cannot be excluded; such transfers take place on the basis of the EU-US Data Privacy Framework and the EU Standard Contractual Clauses.
On Vercel preview domains (*.vercel.app), Vercel Analytics and Vercel Speed Insights, services provided by Vercel Inc., may also be loaded after the same consent in order to collect page-view and technical web performance metrics. According to the current implementation, these services are not loaded on the production custom domain de101.info.
The legal basis for using Google Tag Manager, Google Analytics, Microsoft Clarity, Vercel Analytics and Vercel Speed Insights is your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. These services are only loaded after your active consent via the consent banner. You can withdraw your consent at any time with effect for the future via the "Cookie settings" link in the footer.
For more information please see the Google Privacy Policy, the Microsoft Privacy Statement and the Vercel Privacy Policy.
14. Consent management (Klaro)
To manage your consent for optional services I use the open-source consent tool Klaro. Klaro is delivered from this website's own infrastructure. Klaro stores your selection in a local cookie named "klaro" with a lifetime of up to 180 days. The legal basis for using Klaro is Art. 6(1)(f) GDPR and § 25(2) No. 2 TDDDG (storage access strictly necessary to implement your selection).
15. Your rights
You have the right of access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR) and to object to processing (Art. 21 GDPR). You can withdraw any consent you have given at any time with effect for the future (Art. 7(3) GDPR). To exercise your rights, an informal message to the contact details above is sufficient.
16. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for me is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
www.lda.bayern.de
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
www.lda.bayern.de
17. Changes to this privacy policy
I reserve the right to amend this privacy policy so that it always complies with current legal requirements or to reflect changes to my services. The current version applies on each subsequent visit.