Datenschutz / Privacy

> 1. Data Controller

The data controller for this website is Brian Graham, operating as Building Better Teams - Brian Graham, a sole proprietorship registered in Berlin, Germany.

Brian Graham
Mühlenstraße 8a
14167 Berlin, Germany

For data protection inquiries: brian@buildingbetterteams.de

Full registration details are listed in the Impressum.

Die gesetzlichen Voraussetzungen für die Bestellung eines Datenschutzbeauftragten nach § 38 BDSG liegen in unserem Fall nicht vor.

> 2. What I Collect

The reverse proxy in front of the site (Caddy, self-hosted on Hetzner infrastructure in the EU) records standard access log entries for each request:

• > Timestamp of the request
• > Requested URL path
• > HTTP status code and response size
• > User agent string sent by your browser
• > IP address with the lower bits zeroed at write time (last octet of IPv4, last 96 bits of IPv6)

IP anonymization happens via the reverse proxy's ip_mask directive before any log entry is written. Full IP addresses exist only in transit and are never persisted to disk.

I do not use cookies, local storage, session storage, web beacons, fingerprinting, or any other tracking mechanism. The site has no third-party analytics service, no comment system, no email signup, and no JavaScript that contacts third parties on page load.

I do view aggregated, anonymized request statistics from the access log (page views per URL, response codes, top referrers) using a local log-analysis tool that runs on the server. This processing happens on already-anonymized data and is not shared with anyone.

> 3. Why I Collect It

Anonymized access logs are used to detect abuse (DoS attempts, scraping at unsustainable rates, exploit probing) and to debug operational issues. They are not used for marketing, analytics, profiling, or any commercial purpose.

> 4. Legal Basis

Processing of access logs is based on Article 6(1)(f) GDPR (legitimate interest in operating a secure and reliable website). Because IP addresses are masked before being written to disk, I treat the resulting log data as effectively anonymized. There is no path from a log entry back to an identifiable individual.

No data is transferred to third countries under GDPR Articles 44-49. All processing happens within the EU.

> 5. Retention

Access logs rotate at 10 MB per file, with a maximum of 5 rotated files kept for up to 30 days. After that they are permanently deleted. The retained data contains no personally identifiable information: IP addresses are masked before logging, and no other field in the log identifies an individual.

Encrypted backups of the server (which include the masked log files) are stored in three EU locations: Helsinki, Frankfurt, and Berlin. Backups follow the same 30-day retention window and contain no personally identifiable information.

> 6. Data Sharing and Third Parties

I do not share data with third parties. There is one infrastructure provider:

• > Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) provides the physical server. The primary server is located in Helsinki, Finland. Encrypted backups are stored in Helsinki, Frankfurt, and Berlin. All data remains within the EU. A data processing agreement (Auftragsverarbeitungsvertrag) under GDPR Article 28 is in place with Hetzner.

I do not use any CDN, analytics service, advertising network, comment system, email service, font service, or other third-party processor.

> 7. Cookies and Local Storage

Ship the Loop sets no cookies and does not read or write any information on your device. No localStorage, no sessionStorage, no IndexedDB, no service workers. Because nothing is stored on or read from your device without your action, no consent under § 25 TTDSG is required and no cookie banner is shown.

> 8. YouTube Embeds

Video pages contain a local placeholder (no remote thumbnail) where a YouTube video would normally embed. The actual YouTube iframe is only loaded when you explicitly click the play button. Until you click, no request is sent to YouTube and no data is shared with Google.

When you click play, the iframe loads from youtube-nocookie.com (YouTube's reduced-tracking domain). At that point your IP address and browser information become visible to Google's servers, and cookies may be set if you interact further with the player. See Google's privacy policy for details.

> 9. Self-Hosted Assets

All fonts, images, CSS, and JavaScript on Ship the Loop are served from the same server that serves the HTML. I do not load Google Fonts, jsDelivr, cdnjs, or any other third-party CDN.

On a normal page load, the only network requests your browser makes are to shiptheloop.com itself. The single exception is the YouTube embed on video pages, which loads only after you explicitly click play (see section 8). If you do not interact with a video, no third-party server is contacted.

> 10. Your Rights Under GDPR

Because I collect no personal data beyond anonymized access logs, most rights are practically moot. There is nothing personal to access, rectify, or erase. Nevertheless, you have the following rights under the GDPR:

• > Right of access (Art. 15)
• > Right to rectification (Art. 16)
• > Right to erasure (Art. 17)
• > Right to restriction of processing (Art. 18)
• > Right to data portability (Art. 20)
• > Right to object (Art. 21)
• > Right not to be subject to automated decision-making (Art. 22)

To exercise any of these rights, contact brian@buildingbetterteams.de.

> 11. Right to Complain

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the data protection authority for Berlin:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin
mailbox@datenschutz-berlin.de
datenschutz-berlin.de

> 12. Changes to This Policy

I may update this policy from time to time, typically when the underlying infrastructure changes (for example, if a new processor is added). The current version is always at this URL. The "Last updated" date at the top of this page reflects the most recent change.