Privacy
Controller
The controller for data processing on cem-yilmaz.de is Cem Yilmaz. Full contact details are in the Imprint.
Hosting
The site is hosted by IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. A data-processing agreement under Art. 28 GDPR is in place with IONOS. All data (database, file attachments, server logs) is processed on servers located in Germany.
Session cookie
On first visit, a technically necessary cookie is set containing a random session id. The chat needs it to keep the conversation context across requests. It contains no personal data and is not used for tracking or advertising. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating the site). The cookie itself is valid for 12 months after the last visit and is deleted by the browser thereafter. The corresponding session row in this site’s database is currently not removed automatically; it is deleted on request (see “Your rights”) and otherwise once its processing purpose has finally ceased.
AI chat (“Ask me anything”)
Using the chat on this site sends your input to Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) as the provider of the Generative Language API so the model can produce a response. Google also processes data in the United States; the transfer relies on the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). Access is via the paid tier of the Generative Language API: per Google’s API terms, prompts (including system instructions, cached content and attached files) and responses are not used to improve Google’s products on this tier and are retained only for a limited period to detect abuse and meet legal obligations. Inputs and replies are also stored in this site’s database to display the conversation. Legal basis: Art. 6(1)(f) GDPR. There is currently no automated deletion of older chats; chats are deleted on request (see “Your rights”) and otherwise once their processing purpose has finally ceased. Please do not enter personal or confidential data into the chat.
Chat file attachments
You may optionally attach files (e.g. images or PDFs) to the chat. Attachments are stored in this site’s database and forwarded to the Google Generative Language API to generate the response. Retention follows the chat itself; deleting the session also removes the associated attachments. Legal basis: Art. 6(1)(f) GDPR.
Outbound email (“sendEmailToCem”)
When the AI chat sends a message to Cem on the visitor’s behalf, the fields collected during the chat (name or reply-to address, subject, message body) are delivered as an email. The sending service is Resend, Inc., 2261 Market Street #4667, San Francisco, CA 94114, USA. Resend processes the content in the United States; the transfer relies on the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). A processing agreement under Art. 28 GDPR is in place with Resend; per Resend’s terms it is automatically concluded together with the main contract. Resend itself uses sub-processors based in the USA (including Amazon Web Services, Cloudflare, Google, Vercel and Supabase); the current list is published at resend.com/legal/subprocessors. How long Resend retains delivery metadata (recipient, timestamp, delivery status) for deliverability analysis is not expressly stated in Resend’s privacy policy; Resend will provide details on request. Legal basis for the transfer to Cem: Art. 6(1)(f) GDPR (handling contact requests). The message content also remains part of the chat transcript in this site’s database and shares its processing.
Project requests via the chat
If a visitor describes a project, freelance or business enquiry in the chat, the assistant can open a structured project request. The data processed here is: name, email address, optionally company, project type, description, optionally budget and timeline, plus a reference to the originating chat. These fields are stored in this site’s database in the ProjectRequests table and — once the email is verified — forwarded to Cem by email via Resend. Purpose: replying to and handling the specific enquiry. Legal basis: Art. 6(1)(b) GDPR (pre-contractual steps at the data subject’s request), supplemented by Art. 6(1)(f) GDPR. There is currently no automated deletion; project requests are deleted on request (see “Your rights”) and otherwise once their processing purpose has finally ceased. Longer retention only where statutory record-keeping duties (e.g. § 257 HGB, § 147 AO) require it.
Email verification (one-time code)
Before a project request is forwarded to Cem, the email address provided is confirmed via a one-time 6-digit code sent to the visitor by email through Resend. Only a hash of the code (SHA-256 with a random per-request salt), the number of failed attempts and an expiry timestamp (10 minutes) are stored; the plaintext code is never stored. Purpose: protection against abuse, typos and impersonation. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the integrity of contact requests). After successful verification or expiry the code hash is no longer evaluated; it shares the storage of the associated project request.
Server logs
When you visit the site, standard technical data is processed (IP address, user agent, timestamp, requested resource) to operate the site and diagnose errors. Legal basis: Art. 6(1)(f) GDPR. Logs are retained under the standard configuration of the container platform in use (Docker/Coolify) and are periodically overwritten by its rotation; no fixed retention period is configured. Application logs held in this site’s database are deleted on request and otherwise once their processing purpose has finally ceased.
Your rights
You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18) and data portability (Art. 20), as well as the right to object to processing based on legitimate interests (Art. 21 GDPR). To exercise any of these, use the contact details in the Imprint.
You also have the right to lodge a complaint with a data-protection supervisory authority. The competent authority is the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz, Hintere Bleiche 34, 55116 Mainz, Germany.