Privacy Policy
1. Controller
The controller within the meaning of the GDPR is:
Florian Grasselt
Heinheimer Straße 8
64289 Darmstadt
Germany
E-mail: impressum@floriangrasselt.de
2. Data Protection Officer
There is no statutory obligation to appoint a Data Protection Officer (Art. 37 GDPR). No Data Protection Officer has been appointed.
3. Hosting and automatic language redirect
This website is hosted via Cloudflare Pages (Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA) and delivered through the Cloudflare Content Delivery Network (CDN). Cloudflare acts as a data processor within the meaning of Art. 28 GDPR; a data processing agreement (DPA) is in place. The transfer of data to the USA is based on the EU–U.S. Data Privacy Framework (adequacy decision, Art. 45 GDPR); Cloudflare is certified under this framework. Subsidiarily, the transfer relies on standard contractual clauses (Art. 46(2)(c) GDPR).
When the website is accessed, Cloudflare processes technically necessary connection data: IP address (truncated or full), date and time of access, requested URL, data volume transferred, HTTP status code, referrer URL, browser type and operating system. This data is used solely to ensure stable and secure website operation, is not merged with other sources, and is deleted from real-time logs after a maximum of 24 hours. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure and efficient operation of the website).
Automatic language redirect: On the first visit to the website,
if no language preference has been set, the server reads the Accept-Language
HTTP header automatically sent by your browser in order to redirect you to the
German or English version. This header is used solely for this redirect decision
and is not stored. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in
user-friendly language assignment).
4. Web analytics
This website uses Cloudflare Web Analytics (Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA). The service is delivered through the Cloudflare infrastructure already in place for hosting and does not require a separate third-party cookie.
Cloudflare Web Analytics collects aggregated usage data: pages visited, time on page, country of origin (country level only), browser type, operating system and referrer URL. No tracking of individual visitors across sessions takes place, no user profiles are created and no cross-site tracking occurs. IP addresses are not stored. No cookies are set; a cookie consent banner is therefore not required. Aggregated usage data is retained by Cloudflare for a maximum of 6 months.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the anonymised analysis of usage behaviour to improve the website). The transfer of data to the USA is based on the EU–U.S. Data Privacy Framework (Art. 45 GDPR); subsidiarily on standard contractual clauses (Art. 46(2)(c) GDPR).
5. Contact form
When you use the contact form, the following data is processed to handle your enquiry:
- Name (required)
- Email address (required)
- Requested service (required: Mixing, Mastering, Recording, Production, or Other)
- Message (required)
- Cloud link to audio material (optional)
Upon submission, two emails are sent automatically: a notification to the controller and a confirmation email to the email address you provided. Form data is not stored in a database; it exists solely in the emails sent.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures at the request of the data subject). The data will be deleted as soon as it is no longer required for processing the enquiry, and at the latest after two years.
Email delivery via Resend: Emails are sent via the service Resend (Resend Inc., San Francisco, CA, USA). Resend acts as a data processor within the meaning of Art. 28 GDPR; a DPA is in place. The transfer of data to the USA is based on the EU–U.S. Data Privacy Framework (Resend is certified under this framework, Art. 45 GDPR); subsidiarily on standard contractual clauses (Art. 46(2)(c) GDPR). Resend uses Amazon Simple Email Service (Amazon Web Services, Inc., USA) for delivery, which is also subject to the EU–U.S. Data Privacy Framework.
Spam protection by Cloudflare Turnstile: The form is protected
against automated requests by Cloudflare Turnstile (Cloudflare Inc., USA). When
the form is loaded, an external script is loaded from
challenges.cloudflare.com that evaluates technical browser and
connection signals in the background (e.g. user agent, interaction timing).
As part of this process, a short-lived cookie (__cf_bm, duration:
30 minutes) may be set for bot detection purposes; it does not create user profiles
and does not track across sessions. In rare cases, if the automatic analysis is
inconclusive, a brief confirmation element may be displayed requiring a simple
click. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in preventing spam
and abusive requests); § 25(2)(2) TTDSG (technically necessary cookie, no
consent required).
6. Email contact
When you contact us by email, your email address and all personal data contained in your message are stored for the purpose of processing your enquiry. Emails are received and stored on servers operated by mailbox.org (Heinlein Support GmbH, Schwedter Str. 8/9b, 10119 Berlin, Germany). A DPA with mailbox.org is in place. Your data will not be shared with third parties without your consent. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in processing enquiries); for contract initiation: Art. 6(1)(b) GDPR. Data will be deleted once the correspondence is concluded and no statutory retention obligation applies, at the latest after two years.
7. YouTube video
This website embeds a video via the YouTube service. The provider is Google Ireland
Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC,
1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). The video is embedded via
the privacy-enhanced domain youtube-nocookie.com.
The video is displayed with a preview image (facade): YouTube content is only loaded and connections to Google servers are only established when you actively click the Play button. No data is transmitted to YouTube or Google before that click.
By actively clicking Play, you consent to YouTube and Google processing technical data — in particular your IP address and any cookie data. For this processing, Google's own privacy policy applies: policies.google.com/privacy . If you are logged into your Google account at the time of clicking, interaction data will be associated with your account; log out before playing to prevent this. Legal basis: Art. 6(1)(a) GDPR (consent through active click on the Play button). The transfer of data to the USA is based on the EU–U.S. Data Privacy Framework and, subsidiarily, on standard contractual clauses.
8. Cookies and local browser storage
This website uses the following cookies and browser storage:
- lang — Stores the language (German or English) you have actively selected. This cookie is set only when you use the language selector in the navigation or footer. No language preference is stored without your active choice. Duration: 1 year. Legal basis: § 25(2)(2) TTDSG (technically necessary based on explicit user request) in conjunction with Art. 6(1)(f) GDPR.
- __cf_bm — Short-lived cookie set by Cloudflare Turnstile (see section 4) for bot detection on the contact form. Duration: 30 minutes. No tracking, no profiling. Legal basis: § 25(2)(2) TTDSG in conjunction with Art. 6(1)(f) GDPR.
- Session storage (browser session) — To improve usability, technical helper data is stored for the duration of your browser session: the service category pre-selected via a pricing package for the contact form, and the scroll position before a language switch. This data is purely functional, contains no personal data, and is automatically deleted when you close the browser tab. Legal basis: § 25(2)(2) TTDSG.
No tracking cookies, marketing cookies, Google Analytics or social media pixels are used.
9. Fonts
This website uses exclusively self-hosted fonts (Inter Tight, Inter, JetBrains Mono) in WOFF2 format, served directly from our own server. No external font services (e.g. Google Fonts, Adobe Fonts) are used. No data is transferred to third parties through font loading.
10. SSL/TLS encryption
This website uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content. You can recognise an encrypted connection by the browser address bar showing "https://" and a padlock icon. When SSL/TLS encryption is active, data you transmit to us cannot be read by third parties.
11. External links
This website contains links to external services (Instagram, LinkedIn). These are plain hyperlinks without embedded social plugins, tracking pixels or any automated data transmission. Data is only transmitted to the respective platform operators when you actively click a link and thereby visit the external website. The privacy policies of those platforms apply to any processing that occurs there.
12. Automated decision-making
No automated decision-making, including profiling, within the meaning of Art. 22 GDPR takes place.
13. Your rights as a data subject
You have the following rights against the controller:
- Right of access to the personal data processed about you (Art. 15 GDPR)
- Right to rectification of inaccurate or incomplete data (Art. 16 GDPR)
- Right to erasure of your data, provided no statutory retention obligation applies (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability in a commonly used, machine-readable format (Art. 20 GDPR)
- Right to object to processing based on legitimate interests (Art. 21 GDPR) — in particular, you have the right to object at any time to the processing of your data for direct marketing purposes
- Right to withdraw consent with future effect (Art. 7(3) GDPR) — the lawfulness of processing carried out prior to withdrawal is not affected
To exercise your rights, please contact the email address stated above.
14. Right to lodge a complaint
You have the right to lodge a complaint with the competent data protection supervisory authority (Art. 77 GDPR). The authority responsible for the controller based in Darmstadt, Hesse, Germany is:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
Postfach 3163
65021 Wiesbaden
Germany
Phone: +49 611 1408-0
datenschutz.hessen.de
15. Objection to promotional emails
The use of contact details published in connection with our legal notice obligation for the purpose of sending unsolicited advertising and information materials is hereby expressly prohibited. We reserve the right to take legal action in the event of unsolicited promotional communications, such as spam emails.
16. Changes to this privacy policy
This privacy policy will be updated when changes are made to the technical infrastructure, the services used, or the applicable legal framework. The current version is always available on this page. We recommend checking this policy periodically for updates.
Last updated: 11 May 2026