© 2026 Tobias Brunnauer · v0.6.1

Privacy Policy

Last updated: April 18, 2026

1. Controller

Responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR):

Tobias Brunnauer

Stegreuth 36

83317 Teisendorf, Germany

E-Mail: [email protected]

The appointment of a data protection officer is not legally required.

2. Data Processing Principles

I take the protection of your personal data very seriously. Personal data is only collected to the technically necessary extent. No personal data is sold to third parties or used for advertising or tracking purposes.

This privacy policy applies to the domain br-hosting.com and generally to all associated subdomains. Individual subdomains may have their own supplementary privacy policy – in that case, it takes precedence.

3. Hosting

This website is operated on a server of Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany). The server is located in Germany.

A data processing agreement (DPA) pursuant to Art. 28 GDPR has been concluded with Hetzner. The technical and organizational measures (TOMs) are documented and can be viewed upon request:

  • Data Processing Agreement (DPA)
  • Technical and Organizational Measures (TOMs)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure and stable provision of the website).

4. Cloudflare (Reverse Proxy / CDN)

I use Cloudflare as a reverse proxy for protection against DDoS attacks, bot detection, and performance improvement.

Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA

EU office: Cloudflare Germany GmbH

With every page request, data (in particular the IP address) is routed through Cloudflare's infrastructure. Cloudflare sets technically necessary cookies:

  • __cf_bm – Bot Management (Duration: 30 minutes)
  • cf_clearance – WAF Challenge (Duration: 30 minutes)

Third country transfer: Cloudflare has servers in the USA. Data transfer is secured by the EU-US Data Privacy Framework (Cloudflare is certified) and Standard Contractual Clauses (SCCs) in the Data Processing Addendum (DPA).

DPA: The Cloudflare Data Processing Addendum is automatically part of the terms of service.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in DDoS protection and IT security).

Cloudflare Privacy Policy

5. Server Log Files

The web server automatically collects and stores information in so-called server log files with each access:

  • IP address of the requesting computer
  • Date and time of the request
  • HTTP method, requested URL, HTTP status code
  • Browser and operating system used
  • Referrer URL (previously visited page)

Purpose: Ensuring the security and stability of the server and error analysis.

Retention period: Server log files are automatically deleted after 14 days.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the security of the IT infrastructure).

6. IT Security (CrowdSec)

To protect against cyber attacks (brute force, DDoS, automated scans), I use CrowdSec, an open-source intrusion detection system (IDS) operated on my own infrastructure.

Processed data: IP address, timestamp, type of security event.

Community signals: CrowdSec sends minimal signal data (aggressive IP address, scenario type, timestamp) to the central CrowdSec API to enable community-based blocklists. No raw log file data is transmitted. CrowdSec automatically anonymizes older data after 6 months.

Retention (local): Security-relevant logs are retained for 90 days and then automatically deleted.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in IT security).

7. Contact Form & Email

When you use the contact form on this website, the following data is collected:

  • Name
  • Email address
  • Message (free text)

The data is transmitted via SMTP to my email inbox at Proton Mail (Proton AG, Geneva, Switzerland). Proton Mail encrypts all stored emails with zero-access encryption. Switzerland has an adequacy decision from the EU Commission, so there is no third-country transfer within the meaning of the GDPR.

Purpose: Responding to your contact request.

Retention period: Unsolicited messages (spam, advertising, etc.) are deleted immediately. Legitimate requests are deleted once they have been fully processed and no legal retention obligations exist.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries).

8. Cookies

This website uses technically necessary cookies for security and functionality. Additionally, the consent cookie stores your preferences regarding optional web analytics. Consent is not required for technically necessary cookies under § 25(2)(2) TDDDG.

Note: The web analytics tool (Umami) itself does not set any cookies. It is only loaded after your explicit consent via the cookie banner.

Cookie | Provider | Purpose | Duration
__cf_bm | Cloudflare | Bot Management | 30 min
cf_clearance | Cloudflare | WAF Challenge | 30 min
klaro-website | Own server | Consent storage (cookie settings & analytics consent) | 365 days
NEXT_LOCALE | Own server | Stores the selected language | 365 days

9. Fonts

This website uses the fonts “Geist” and “Geist Mono”. These are automatically downloaded at build time via the Next.js framework and embedded locally on my server.

At no point is data transmitted to Google servers. The integration is fully GDPR-compliant, as there is no contact with external servers and no personal data (such as your IP address) is shared with third parties.

10. External Content (Boot.dev)

On the homepage, a profile image from the learning platform Boot.dev (boot.dev, Lane Wagner, USA) is displayed. This image is fetched server-side by my server, optimized, and served through my own domain.

Your browser does not establish a direct connection to Boot.dev servers. No personal data (such as your IP address) is transmitted to Boot.dev. No cookies are set and no tracking is performed.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in displaying learning progress).

11. SSL/TLS Encryption

This website uses SSL/TLS encryption for security reasons for the transmission of all data. You can recognize an encrypted connection by the browser address bar changing from "http://" to "https://" and by the lock icon in the browser bar.

12. Web Analytics & Session Replay (Umami)

This website offers the option of privacy-friendly web analytics via Umami, an open-source analytics platform. Umami is operated on my own infrastructure at analytics.br-hosting.com (self-hosted). No data is transferred to third parties.

Consent (opt-in): Web analytics is only loaded after your explicit consent via the cookie banner. Without your consent, no analytics code is executed and no data is collected. You can revoke your consent at any time via the cookie settings in the footer.

a) Page Statistics

After consent, the following anonymized data is collected:

  • Pages visited and time on page
  • Referring website (referrer)
  • Country of origin (based on IP, the IP itself is not stored)
  • Device type, operating system, and browser

Umami operates without cookies and does not store IP addresses. No personal data is collected and no individual user profile is created.

b) Session Replay

In addition to page statistics, anonymized session recordings are created after consent. These record the following interactions:

  • Mouse movements and clicks
  • Scrolling and page navigation

Privacy measures: The masking level is set to "strict". This means that all text and input fields on the page are automatically obscured. No readable text, names, email addresses, or other inputs are visible in the recordings. The maximum recording duration is 5 minutes per session.

Retention period: Analytics data is stored on my own server and deleted manually when needed.

Legal basis: Art. 6(1)(a) GDPR (consent).

13. Not Used

The following are expressly not used on this website:

  • No third-party analytics tools (no Google Analytics, Matomo, etc.)
  • No advertising or affiliate links
  • No social media plugins or tracking pixels
  • No profiling or automated decision-making
  • No sharing of personal data for advertising purposes

14. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Access (Art. 15 GDPR) – What data is stored about you
  • Rectification (Art. 16 GDPR) – Correction of inaccurate data
  • Erasure (Art. 17 GDPR) – "right to be forgotten"
  • Restriction (Art. 18 GDPR) – Restriction of processing
  • Data portability (Art. 20 GDPR) – Receiving your data in a machine-readable format
  • Objection (Art. 21 GDPR) – Objection to processing
  • Withdrawal of consent (Art. 7(3) GDPR) – You can withdraw your consent to web analytics at any time via the cookie settings in the footer. The lawfulness of processing carried out before withdrawal remains unaffected.

To exercise your rights, contact me at [email protected].

15. Right to Lodge a Complaint

Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR. The supervisory authority responsible for me is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Promenade 27

91522 Ansbach

Website: www.lda.bayern.de
