Privacy Policy
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection provisions is:
Sebastian Software GmbH
Dalheimer Straße 12
55128 Mainz
Germany
Phone: +49 6131 9729-830
Fax: +49 6131 9729-831
Email: info@sebastian-software.de
Represented by the managing directors: Sebastian Fastner, Sebastian Werner
A data protection officer has not been appointed, as the requirements under Art. 37 GDPR are not met. If you have any questions regarding data protection, you may contact us at any time using the contact details provided above.
2. General Information on Data Processing
The protection of your personal data is of great importance to us. This privacy policy informs you about what personal data we collect in connection with the operation of our websites sebastian-software.de and sebastian-software.com and how such data is processed. Both domains refer to the same website; this privacy policy applies uniformly to both domains.
Our website serves exclusively to provide information about our company and our services. No contact forms, newsletter sign-ups, or user accounts are used. For anonymised analysis of website usage, we employ a self-hosted instance of Plausible Analytics (see Section 8). Cookies and local storage technologies are not used.
Automated individual decision-making, including profiling, within the meaning of Art. 22 GDPR does not take place.
The provision of personal data is neither required by law nor by contract, nor is it necessary for entering into a contract. However, accessing our website technically requires the transmission of certain data (in particular the IP address). Without this data transmission, delivery of the website is not technically possible.
Insofar as information from the user's terminal equipment (e.g. IP address, browser type, operating system) is technically transmitted when our website is accessed or when external services (in particular Cloudflare, Sanity, Storyblok, Plausible) are integrated, we rely on Section 25(2) no. 2 of the German Telecommunications-Telemedia Data Protection Act (TTDSG). Access to this information is strictly necessary in each case to provide the telemedia service expressly requested by you.
3. Provision of the Website and Server Log Files
3.1 Description and Scope of Data Processing
Each time our website is accessed, our hosting system automatically collects data and information from the accessing computer. The following data may be collected:
- IP address of the requesting computer
- Date and time of access
- Name and URL of the page or file accessed
- Volume of data transferred
- Notification of whether the access was successful
- Browser type and version
- Operating system of the user
- Referrer URL (previously visited page)
3.2 Legal Basis
The processing of this data is carried out on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring the technical functionality and security of the website. Insofar as this involves access to information stored on the user's terminal equipment (e.g. browser type, operating system), this is additionally based on Section 25(2) no. 2 TTDSG, as such access is strictly necessary to provide the telemedia service expressly requested by the user.
3.3 Storage Duration
The data is deleted as soon as it is no longer necessary for the purpose for which it was collected. For server log files, this is generally the case after no more than 30 days, unless security-related events require longer retention.
4. Hosting (Amazon Web Services)
4.1 Description and Scope of Data Processing
Our website is hosted by Amazon Web Services EMEA SARL (AWS), 38 Avenue John F. Kennedy, L-1855 Luxembourg. The servers are located in the AWS Region EU (Frankfurt, eu-central-1) and thus within the European Union.
Each time our website is accessed, the data described in Section 3 is processed by AWS acting as a processor. A data processing agreement (Data Processing Addendum) pursuant to Art. 28 GDPR is in place between us and AWS.
4.2 Legal Basis
The processing is carried out on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in the reliable and secure operation of our website.
4.3 Note on Third-Country Transfers
AWS is a company of Amazon.com, Inc., based in the USA. Although data processing takes place on servers in Frankfurt (EU), access from the USA for maintenance or support purposes cannot be entirely excluded. In such cases, we rely on the Standard Contractual Clauses of the European Commission (Art. 46(2)(c) GDPR) as well as, where applicable, the certification of Amazon.com, Inc. under the EU-U.S. Data Privacy Framework pursuant to Art. 45 GDPR.
Further information on data protection at AWS can be found at: https://aws.amazon.com/de/privacy/
5. Content Delivery Network (Cloudflare)
5.1 Description and Scope of Data Processing
We use the Content Delivery Network (CDN) of Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA (hereinafter "Cloudflare"). Cloudflare provides a globally distributed network of servers that is used to accelerate the delivery of our website content and to protect against malicious access (e.g. DDoS attacks).
When you access our website, your request is routed through a Cloudflare server. In this process, access data is technically processed, in particular your IP address, the page accessed, browser type, operating system, and the date and time of access. A data processing agreement (Data Processing Addendum) pursuant to Art. 28 GDPR is in place between us and Cloudflare.
5.2 Legal Basis
The use of Cloudflare is based on Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, fast, and efficient provision of our website.
5.3 Third-Country Transfer
Cloudflare is a US-based company. Cloudflare, Inc. is certified under the EU-U.S. Data Privacy Framework, ensuring an adequate level of data protection pursuant to Art. 45 GDPR. In addition, Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR have been agreed upon.
5.4 Storage Duration
Cloudflare does not permanently store HTTP access logs by default. Request data is generally discarded within four hours of access and is used exclusively for short-term abuse detection and load balancing.
Further information on data protection at Cloudflare can be found at: https://www.cloudflare.com/de-de/privacypolicy/
6. Content Management System and Image CDN (Sanity)
6.1 Description and Scope of Data Processing
We use Sanity (Sanity AS, Trondheimsveien 2, 0560 Oslo, Norway) as our content management system. Image content on our website is delivered via the Sanity CDN (cdn.sanity.io). When retrieving this content, your IP address is transmitted to Sanity's servers. Sanity logs the IP address of the requesting computer to prevent abusive use (e.g. denial-of-service attacks).
In this context, Sanity acts as a processor within the meaning of Art. 28 GDPR. Sanity's general terms of use and Data Processing Agreement govern the handling of the processed data.
6.2 Legal Basis
The processing is carried out on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in the efficient management and delivery of our website content.
6.3 Third-Country Transfer
Sanity AS is headquartered in Norway, a member state of the European Economic Area (EEA). However, Sanity also operates infrastructure in the USA through its subsidiary Sanity US Inc. Sanity US Inc. is certified under the EU-U.S. Data Privacy Framework, ensuring an adequate level of data protection pursuant to Art. 45 GDPR. In addition, Sanity relies on the Standard Contractual Clauses of the European Commission (Art. 46(2)(c) GDPR).
Further information on data protection at Sanity can be found at: https://www.sanity.io/legal/privacy
7. Image CDN (Storyblok)
7.1 Description and Scope of Data Processing
Certain image content on our website (in particular banner graphics) is delivered via the Content Delivery Network of Storyblok (Storyblok GmbH, Peter-Behrens-Platz 2, 4020 Linz, Austria). When retrieving these images, your browser establishes a direct connection to Storyblok's servers (a.storyblok.com). In this process, your IP address and technical access data (browser type, time of access) are transmitted to Storyblok. Storyblok acts as a processor within the meaning of Art. 28 GDPR. A corresponding data processing agreement (Data Processing Agreement) is in place, available at: https://www.storyblok.com/legal/dpa
7.2 Legal Basis
The processing is carried out on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in the optimised and performant delivery of image content on our website.
7.3 Third-Country Transfer
Storyblok GmbH is headquartered in Austria and thus within the European Union. For the delivery of image content, Storyblok uses the Content Delivery Network Amazon CloudFront, which operates globally distributed edge servers — including locations in the USA. When retrieving images, your request may therefore be routed through an edge server outside the EU. For the associated transfer of personal data to third countries, Storyblok relies on the Standard Contractual Clauses of the European Commission (Art. 46(2)(c) GDPR).
7.4 Storage Duration
Storyblok deletes access logs in accordance with the periods specified in the data processing agreement and in compliance with statutory requirements. Upon termination of the contractual relationship, all customer data is deleted or blocked. Further details can be found in the Data Processing Agreement at: https://www.storyblok.com/legal/dpa
Further information on data protection at Storyblok can be found at: https://www.storyblok.com/legal/privacy-policy
8. Web Analytics (Plausible Analytics)
8.1 Description and Scope of Data Processing
We use Plausible Analytics, a privacy-friendly web analytics software, on our website. Plausible is self-hosted by us on our own servers (at the subdomain t.sebastian-software.de) and is not a service provided by an external provider. The collected data does not leave our own infrastructure.
Plausible collects exclusively aggregated, anonymised usage data. Specifically, the following information is processed:
- Page visited (URL)
- Referrer URL (referring page)
- Browser type and version
- Operating system
- Device type (desktop, mobile, tablet)
- Country of access (based on the IP address, which is not stored)
Plausible does not use cookies and does not use local storage. No cross-site tracking or cross-device tracking takes place. Individual visitors are not identified or recognised. The IP address is used exclusively to derive the country of access and is immediately discarded thereafter — it is neither stored nor logged at any point.
8.2 Data Protection Classification and Legal Basis
In our self-hosted configuration, Plausible Analytics does not store any personal data. IP addresses are not stored, and neither cookies nor other tracking technologies are used. The processed usage data (page views, referrer, browser type, operating system, country of access) is available exclusively in aggregated and anonymised form; it is not possible to draw conclusions about individual natural persons. Because the data cannot be related to a natural person, it falls outside the scope of application of the GDPR (Art. 4(1) GDPR).
Should the data nevertheless be regarded as personal data, we rely subsidiarily on Art. 6(1)(f) GDPR as the legal basis. Our legitimate interest lies in the statistical analysis of the use of our website to improve our offering.
Insofar as the transmission of device information (browser type, operating system) through the integrated analytics script may be considered access to terminal equipment within the meaning of Section 25(1) TTDSG, we additionally rely as a precaution on the exception under Section 25(2) no. 2 TTDSG: the access is strictly necessary to provide the telemedia service expressly requested by you, as the analysis of anonymised usage data serves the ongoing assurance of the technical functionality and needs-based design of our website.
8.3 Further Information
Plausible Analytics is open-source software. Further information can be found at: https://plausible.io/data-policy
9. Communication and Calendar Management (Google Workspace)
For the processing operations described below, we use Google Workspace (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). A data processing agreement pursuant to Art. 28 GDPR is in place between us and Google.
9.1 Contact by Email
You can contact us via the email address provided on our website: info@sebastian-software.de. In this case, the personal data of the sender transmitted with the email (in particular email address, name, content of the message) is processed and stored on Google's servers.
The processing is carried out on the basis of Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries). If the contact is aimed at concluding or performing a contract, Art. 6(1)(b) GDPR serves as an additional legal basis.
The personal data transmitted in the course of the contact will be deleted as soon as the respective conversation has ended and the matter has been conclusively resolved. General enquiries without a contractual or tax-related connection (e.g. general information requests) are therefore deleted immediately upon completion of the matter. Excluded from this are data subject to statutory retention obligations. Insofar as emails constitute business correspondence of commercial relevance, they must be retained for up to six years pursuant to Section 257 of the German Commercial Code (HGB). Insofar as they contain tax-relevant documents, the retention period pursuant to Section 147 of the German Fiscal Code (AO) is up to ten years. The respective retention period begins at the end of the calendar year in which the last processing of the matter took place.
9.2 Calendar Management (Google Calendar)
In the context of scheduling appointments with clients and business partners, we use Google Calendar as part of Google Workspace. In this process, personal data of the participants is processed, in particular name, email address, date and time of the appointment, and, where applicable, further details stored in the appointment entry (e.g. subject, notes, location). This data is processed and stored on Google's servers.
The processing is carried out on the basis of Art. 6(1)(f) GDPR (legitimate interest in the efficient organisation and management of business appointments). Insofar as the appointment scheduling is related to the initiation or performance of a contractual relationship, Art. 6(1)(b) GDPR serves as an additional legal basis.
Appointment data is deleted as soon as it is no longer required for documenting the business transaction. Excluded from this are data subject to statutory retention obligations (see Section 9.1).
9.3 Third-Country Transfer
Google Ireland Limited may transfer data to its parent company Google LLC (USA). Google LLC is certified under the EU-U.S. Data Privacy Framework, ensuring an adequate level of data protection pursuant to Art. 45 GDPR. In addition, Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR have been agreed upon.
Further information on data protection at Google can be found at: https://policies.google.com/privacy
10. SSL/TLS Encryption
Our website uses SSL/TLS encryption for security purposes and to protect the transmission of personal data. You can recognise an encrypted connection by the "https://" prefix in the address bar of your browser and the padlock icon.
When SSL/TLS encryption is activated, the data you transmit to us cannot be read by third parties.
11. Your Rights as a Data Subject
As a data subject, you are entitled to the following rights:
11.1 Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation from us as to whether personal data concerning you is being processed. If this is the case, you have a right of access to such personal data and to the information specified in detail in Art. 15 GDPR.
11.2 Right to Rectification (Art. 16 GDPR)
You have the right to obtain without undue delay the rectification of inaccurate personal data and, where applicable, the completion of incomplete data.
11.3 Right to Erasure (Art. 17 GDPR)
You have the right to obtain the erasure of personal data concerning you without undue delay, provided that one of the grounds set out in Art. 17 GDPR applies and the processing is not necessary.
11.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to obtain the restriction of processing where one of the conditions set out in Art. 18 GDPR is met.
11.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format. Furthermore, you have the right to transmit this data to another controller without hindrance, provided that the processing is based on consent (Art. 6(1)(a) GDPR) or on a contract (Art. 6(1)(b) GDPR) and is carried out by automated means. Insofar as we process data exclusively on the basis of our legitimate interest (Art. 6(1)(f) GDPR), as is the case with server log files and web analytics, there is no entitlement to data portability.
11.6 Right to Object (Art. 21 GDPR)
Important notice: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data which is based on Art. 6(1)(f) GDPR (legitimate interest). This applies to all processing operations described in this privacy policy that are based on this legal basis. You may address your objection informally to the contact details provided in Section 1.
If you object, we will no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defence of legal claims.
11.7 Right to Withdraw Consent (Art. 7(3) GDPR)
If processing is based on your consent, you have the right to withdraw your consent at any time with effect for the future. The lawfulness of the processing carried out on the basis of the consent until the withdrawal remains unaffected. We note that no data processing is currently carried out on the basis of consent; all processing operations are based on the legal bases set out in this privacy policy (in particular Art. 6(1)(f) and Art. 6(1)(b) GDPR).
11.8 Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority responsible for us is:
The State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate
(Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz)
Postfach 30 40
55020 Mainz
Phone: +49 6131 8920-0
Email: poststelle@datenschutz.rlp.de
Website: https://www.datenschutz.rlp.de
You are not bound to this supervisory authority. You may also contact the data protection supervisory authority of your habitual residence or your place of work.
12. Currency and Amendments to This Privacy Policy
This privacy policy is current as of March 2026. We reserve the right to amend this privacy policy in order to adapt it to changes in the legal situation or to changes in the service and data processing. The current version is always available on our website.