Privacy Policy

Last updated: March 24, 2026

1. Controller

Alexander Sadomsky
c/o IP-Management #42121
Ludwig-Erhard-Str. 18
20459 Hamburg, Germany
Email: [email protected]

2. Overview

We take the protection of your personal data seriously. This privacy policy explains what data we collect when you visit our website, how we use it, and what rights you have under the EU General Data Protection Regulation (GDPR).

3. Hosting & Server Log Files

This website is hosted on a self-managed Linux server. When you visit our website, the web server automatically collects and stores information in server log files that your browser transmits. This includes:

  • IP address (anonymized after 7 days)
  • Date and time of the request
  • Requested URL and referrer URL
  • Browser type and version
  • Operating system

This data is processed based on Art. 6(1)(f) GDPR (legitimate interest) to ensure the security and stability of our website. Log files are automatically deleted after 14 days.

4. Cookies

4.1 Strictly necessary cookies

The following cookies/storage entries are strictly necessary for the operation of the website and do not require your consent under Art. 6(1)(f) GDPR:

  • alexsdev_cookie_consent (Local Storage) — Stores your cookie consent decision; persistent until manually cleared
  • alexsdev_club_token (Cookie) — Identifies your Club membership after newsletter confirmation; expires after 1 year
  • alexsdev_club_id (Local Storage) — Anonymous identifier for gamification tracking; persistent until manually cleared
  • __cf_bm (Cloudflare) — Bot detection; expires after 30 minutes
  • cf_clearance (Cloudflare) — Security challenge clearance; expires after 30 minutes

4.2 Analytics cookies (consent required)

The following cookies are only set if you give your consent via our cookie banner:

  • _ga (Google Analytics) — Distinguishes users; expires after 2 years
  • _ga_* (Google Analytics) — Maintains session state; expires after 2 years

These cookies are loaded via Google Analytics 4 and help us understand how visitors use our website. No cookies are set until you actively consent. You can withdraw consent at any time via the Cookie Policy page.

4.3 Third-party cookies

This website does not use advertising cookies, retargeting, or social media tracking pixels.

5. External Resources

All fonts are self-hosted on our own server. The website uses the following external services:

  • Cloudflare — CDN and DDoS protection (see Section 9)
  • Google Analytics — Web analytics, only with your consent (see Section 10)
  • Google Sign-In — Optional authentication, only when actively used (see Section 11)

No data is transmitted to these services without either a legal basis (Cloudflare, legitimate interest) or your explicit consent (Google Analytics, Google Sign-In).

6. Contact Form

When you use our contact form, the following data is collected and processed for the purpose of handling your inquiry:

  • Name (required)
  • Email address (required)
  • Project type (optional)
  • Budget range (optional)
  • Subject (optional)
  • Message content (required)

This data is processed based on your explicit consent (Art. 6(1)(a) GDPR), which you provide by checking the privacy checkbox before submitting the form. You can withdraw your consent at any time by contacting us at [email protected]. Additionally, processing is supported by Art. 6(1)(b) GDPR (pre-contractual measures) where your inquiry relates to a potential project engagement.

When you submit the contact form, your data is transmitted via an encrypted (HTTPS) API connection to our server and forwarded to [email protected] via SMTP (IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany). IONOS processes this data exclusively within the EU. No data is stored on our server beyond the email delivery.

Your contact data will be stored only for the duration necessary to process your inquiry and any resulting business relationship, unless legal retention obligations apply (e.g., 6 years under German commercial law, 10 years under German tax law).

7. Newsletter

You can subscribe to our email newsletter to receive updates about new blog posts, wiki entries, product announcements, or promotional offers. Subscribing is voluntary and requires your explicit consent.

7.1 Data collected

When you subscribe to our newsletter, we collect and store:

  • Email address (required)
  • IP address at the time of subscription (for proof of consent)
  • Timestamp of subscription and confirmation
  • Selected newsletter categories

7.2 Double opt-in

We use a double opt-in process: after entering your email address, you will receive a confirmation email with a verification link. Your subscription is only activated after you click this link. This ensures that only the owner of the email address can subscribe.

7.3 Legal basis

Newsletter processing is based on Art. 6(1)(a) GDPR (your consent). For promotional emails (marketing category), you provide separate, explicit opt-in consent.

7.4 Newsletter categories

You can independently subscribe to or unsubscribe from the following categories:

  • Blog Updates — New blog posts about development and infrastructure
  • Wiki Updates — New wiki entries and reference guides
  • General News — Product updates, announcements, and tips
  • Promotions & Offers — Occasional promotions for services and tools (separate opt-in)

7.5 Unsubscribe & data deletion

Every newsletter email contains an unsubscribe link at the bottom. You can also manage your preferences or unsubscribe entirely at /newsletter/. After unsubscribing, your data is retained for 30 days (to prevent accidental re-subscription) and then permanently deleted. You can request immediate deletion at any time by contacting [email protected].

7.6 Email delivery service

Newsletter emails are sent via SMTP through IONOS SE (Elgendorfer Str. 57, 56410 Montabaur, Germany). IONOS processes email data exclusively within the EU. See IONOS Privacy Policy.

8. alexsdev.io Club (Gamification)

8.1 Data collected

When you interact with the alexsdev.io Club gamification feature, the following data is collected and stored:

  • A randomly generated anonymous identifier (stored in your browser’s Local Storage)
  • Actions performed (e.g., daily visit, blog read, wiki read) and associated timestamps
  • Page paths associated with content-reading actions
  • Total accumulated Data Points and membership level

8.2 Account linking

If you subscribe to the alexsdev.io newsletter, your anonymous activity data is linked to your newsletter subscriber record. This allows you to view your accumulated Data Points in your Club dashboard. A cookie (alexsdev_club_token) is set upon newsletter confirmation to identify your membership; this cookie expires after 1 year.

8.3 Legal basis

Anonymous tracking of gamification interactions is based on Art. 6(1)(f) GDPR (legitimate interest in providing an engaging website experience). Linking anonymous data to your newsletter subscription is based on Art. 6(1)(a) GDPR (your consent, given by subscribing to the newsletter).

8.4 Data deletion

Club data linked to your newsletter account is deleted when you unsubscribe from the newsletter. Anonymous (unlinked) gamification data is automatically purged after 90 days. You can request immediate deletion at any time by contacting [email protected].

9. Payment Processing

9.1 Stripe

Payments may be processed via Stripe Payments Europe, Ltd. (1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland).

The following data may be transmitted to Stripe:

  • Name and email address
  • Payment method details (credit/debit card number, SEPA bank details)
  • Transaction amount and currency
  • IP address and device information (for fraud prevention)

This data is processed based on Art. 6(1)(b) GDPR (contract fulfillment). Payment data is processed exclusively by Stripe in accordance with PCI DSS Level 1 compliance standards. We do not store your full card numbers or bank details on our servers. Stripe may transfer data to the United States based on EU Standard Contractual Clauses (SCCs). See Stripe’s Privacy Policy.

9.2 PayPal

Payments may also be processed via PayPal (Europe) S.à r.l. et Cie, S.C.A. (22-24 Boulevard Royal, L-2449 Luxembourg).

When you pay via PayPal, the following data may be transmitted:

  • Name and email address
  • PayPal account information
  • Transaction amount and currency
  • IP address and device information (for fraud prevention)

This data is processed based on Art. 6(1)(b) GDPR (contract fulfillment). PayPal may transfer data to the United States based on EU Standard Contractual Clauses (SCCs). We do not have access to your PayPal payment details (bank/card numbers). See PayPal’s Privacy Policy.

9.3 Bank Transfer

Bank transfers to our business account may be offered as an alternative. In this case, your bank processes the data according to its own terms; we only receive the data visible on the bank statement (name, IBAN, amount, reference).

10. Cloudflare (CDN & Security)

This website uses Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA) as a Content Delivery Network (CDN) and for DDoS protection.

When you visit this website, your connection is routed through Cloudflare’s network. Cloudflare may process the following data:

  • IP address
  • Browser type, language, and referring page
  • Date and time of request
  • Cloudflare security cookies (e.g., __cf_bm, cf_clearance) for bot detection

This data is processed based on Art. 6(1)(f) GDPR (legitimate interest in website security and performance). Cloudflare is certified under the EU-US Data Privacy Framework. See Cloudflare’s Privacy Policy.

11. Google Analytics

This website uses Google Analytics 4, a web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland).

Google Analytics collects the following data:

  • Pages visited, session duration, and interaction events
  • Approximate geographic location (country/city level, derived from anonymized IP)
  • Device type, browser, operating system, and screen resolution
  • Referral source (how you arrived at our website)

IP anonymization is enabled; your full IP address is not stored by Google. Google Analytics sets cookies (e.g., _ga, _ga_*) to distinguish users. These cookies are only set if you have given your consent via our cookie banner.

This data is processed based on Art. 6(1)(a) GDPR (your consent). You can withdraw your consent at any time via the cookie settings or by using the Google Analytics Opt-out Browser Add-on.

Google may transfer data to the United States. Google Ireland Ltd. is certified under the EU-US Data Privacy Framework. See Google’s Privacy Policy.

12. Self-hosted Analytics & Geolocation

In addition to Google Analytics, we operate a self-hosted, cookie-free analytics system on our own server to understand how visitors use our website. This system does not set any cookies and does not rely on third-party services.

12.1 Data collected

When you visit a page, the following data is collected automatically:

  • Page URL visited and referrer URL
  • Screen resolution
  • A daily pseudonymized visitor identifier (SHA-256 hash of your IP address, user agent, and the current date — rotated daily, not reversible)
  • Approximate geographic location (country and city), derived from your IP address via a local GeoIP database (MaxMind GeoLite2)

12.2 GeoIP processing

Your IP address is used at the time of the page request to determine your approximate geographic location (country and city level) using a locally hosted GeoIP database (MaxMind GeoLite2). The lookup happens entirely on our server — no data is transmitted to MaxMind or any other third party for this purpose.

Only the resulting country code (e.g., “DE”) and city name (e.g., “Berlin”) are stored alongside the pageview record. Your full IP address is not stored in the analytics database.

12.3 Purpose & legal basis

This data is processed based on Art. 6(1)(f) GDPR (legitimate interest) to understand regional traffic distribution, optimize content for different audiences, and improve the website experience. Our legitimate interest lies in operating the website efficiently and providing relevant content to our visitors.

12.4 Data retention

Analytics pageview records (including the pseudonymized visitor hash and geographic data) are retained for a maximum of 90 days and then automatically purged. The daily visitor hash cannot be used to identify you personally, as it changes every day and is not linked to any account or personal data.

12.5 Opt-out

If your browser sends the Do-Not-Track (DNT) header, our analytics script respects this signal and does not collect any data from your visit.

13. Google Authentication (OAuth)

We may offer the option to sign in using Google Sign-In (Google OAuth 2.0), provided by Google Ireland Limited. This is an optional convenience feature; account creation via email is always available as an alternative.

When you use Google Sign-In, the following data is transmitted from your Google account:

  • Name and email address
  • Profile picture (if available)
  • Google account ID (unique identifier)

We do not receive your Google password or access to your Google account beyond the data listed above. This data is processed based on Art. 6(1)(a) GDPR (your consent, given by clicking “Sign in with Google”) and Art. 6(1)(b) GDPR (contract fulfillment for authenticated features).

You can revoke access at any time through your Google Account permissions. See Google’s Privacy Policy.

14. External Links

This website contains links to external services, including:

  • Fiverr (fiverr.com) — Our freelance profile. When you click this link, you leave alexsdev.io and are subject to Fiverr’s own privacy policy.
  • EU ODR Platform (ec.europa.eu) — EU Online Dispute Resolution, as required by law.

We have no control over the data collected by these third-party websites. Please refer to their respective privacy policies for more information. No data is transmitted to these services until you actively click the link.

15. Data Security

This website uses TLS/SSL encryption (HTTPS) for all data transmission. All form inputs are sanitized on the client side to prevent injection attacks. Server access is restricted to SSH key-based authentication with firewall protection.

16. Data Retention

We retain personal data only as long as necessary to fulfill the purposes for which it was collected, or as required by law:

  • Server log files: 14 days (automatically deleted)
  • Contact form inquiries: Until inquiry is resolved, then deleted unless a business relationship is established
  • Contractual data: 6 years (German commercial law, §257 HGB) / 10 years (German tax law, §147 AO)
  • Payment records (Stripe): 10 years (German tax law, §147 AO); payment method details stored by Stripe per their retention policy
  • Self-hosted analytics data: 90 days (pseudonymized pageview records including GeoIP data)
  • Newsletter subscription data: Until unsubscribed + 30 days; immediate deletion on request
  • Club gamification data: Linked data deleted on newsletter unsubscribe; anonymous data purged after 90 days
  • Cookie consent preference: Until manually cleared by the user

17. Your Rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15 GDPR) — obtain information about your stored data
  • Right to rectification (Art. 16 GDPR) — correct inaccurate data
  • Right to erasure (Art. 17 GDPR) — request deletion of your data
  • Right to restriction (Art. 18 GDPR) — restrict processing of your data
  • Right to data portability (Art. 20 GDPR) — receive your data in a structured format
  • Right to object (Art. 21 GDPR) — object to data processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3) GDPR) — withdraw any consent previously given, without affecting the lawfulness of prior processing

To exercise any of these rights, please contact us at [email protected]. We will respond within one month of receiving your request.

18. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR. The competent supervisory authority is:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22
20459 Hamburg, Germany
datenschutz-hamburg.de

19. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. The date at the top of this page indicates when this policy was last revised.

20. alexsdev Sync (Software Service & Data Processing)

“alexsdev Sync” is an optional, paid software service that lets customers deliver content one-way from a central source to their employees' devices (“one-way sync”). This section applies only if you use alexsdev Sync.

20.1 Roles under the GDPR

Where a customer processes its own content and, where applicable, personal data of its employees via alexsdev Sync, the customer is the controller (Art. 4(7) GDPR) and alexsdev (Alexander Sadomsky) is the processor (Art. 4(8), Art. 28 GDPR). For this purpose we conclude a Data Processing Agreement (DPA) under Art. 28 GDPR with the customer. We process such data only on the customer's documented instructions.

20.2 Data processed

  • Access token: stored only as a hash in the backend and encrypted on the user's device via Windows DPAPI — purpose: access control (Art. 6(1)(b) GDPR).
  • Connection/retrieval data (timestamp, channel, retrieved content or its hashes, “last active”) — purpose: service provision, stability, abuse prevention (Art. 6(1)(b) and (f) GDPR).
  • Customer-provided content (uploaded as a folder or pulled from a linked GitHub repository) delivered to authorised end users.

No content is transmitted from the end user's device to us. The consent record (version, timestamp) remains locally on the user's device.

20.3 Storage location & sub-processors

Sync data (metadata and content) is stored on our self-managed server within the European Union (PostgreSQL database and content-addressed file storage). There is no storage on Cloudflare R2/KV or outside the EU. Cloudflare is used solely as a CDN/proxy for transport (see Section 10). If a customer links a GitHub repository as a source, the current state is fetched from GitHub (GitHub B.V., Amsterdam / GitHub Inc.); the customer is responsible for the lawfulness of the content provided there.

20.4 Retention

  • Token records: until the access is revoked or the contract ends.
  • Content: until deleted by the customer or until contract termination.
  • Local data on the device (token, consent, backups): controlled by the end user.

20.5 Overwriting files

The Windows client updates managed files in the target folder and may overwrite or remove them to match the source. A local backup is created before each change; personal, non-managed files remain untouched. Details are set out in the Terms/EULA.