Privacy Policy

Table of Contents

This privacy policy explains what personal data we collect, how we use it, and what rights you have regarding your data. This website is operated by Pang Wayne Wee, and we are committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR) and German data protection law.

Data Minimization: This website is designed with maximum data minimization. We collect only the minimum personal data necessary to respond to your inquiry. We do not create user profiles or engage in behavioral profiling.

1. Data Controller

Pang Wayne Wee
Heßhofstr. 18
51107 Cologne
Germany
[email protected]

2. Information We Collect

Contact Form Data

When you submit the contact form on our website, we collect the following information: name, email address, company name (optional), and message content.

Your submission is processed and stored by SplitForms and forwarded to our email address. SplitForms does not currently offer EU data residency, so your form data may be processed outside the EU. We use EU Standard Contractual Clauses (Module Two pursuant to EU Decision 2021/915) to protect your data in accordance with GDPR Article 46. We conduct Transfer Impact Assessments to evaluate whether supplementary safeguards are necessary, as the United States does not provide an adequate level of data protection pursuant to GDPR Article 45. You can request deletion of your data at any time by contacting us.

Contact Form Data Retention

Your contact form data is retained in SplitForms for a maximum of 30 days, after which it is automatically deleted. Email notifications containing your submission are deleted immediately after being read. Your contact form submission is used solely to respond to your inquiry and contact you at the email address you provide. We do not sell, share, or transfer your contact form data to third parties for marketing, advertising, or any other purpose.

Website Analytics

We use Google Analytics 4 (measurement ID: G-G4QDFBNPDQ) to understand how visitors use our website. This involves cookies and data transfers to the United States. Your event and user-level analytics data is retained in Google Analytics for a maximum of 14 months, after which it is automatically deleted from Google's reporting systems. This retention period is separate from the cookie expiration times listed in the table below. Google Analytics 4 is loaded via Google Tag Manager and requires your explicit consent to both statistics and marketing categories. See the "Marketing & Tag Management" section below for details on how this consent requirement works.

Google is certified under the EU-U.S. Data Privacy Framework (DPF), which the European Commission has recognized as providing an adequate level of data protection pursuant to GDPR Article 45 (Implementing Decision (EU) 2023/1795). This adequacy decision is the primary legal basis for the resulting transfer of your data to the United States. As a supplementary safeguard, data transfers are additionally backed by EU Standard Contractual Clauses (Module Two pursuant to EU Decision 2021/915) for processing not covered by the DPF certification. We inform you that, notwithstanding the DPF, US authorities may under certain circumstances gain access to your data pursuant to US surveillance laws (such as FISA Section 702 and Executive Order 12333). You can object to this processing at any time via our cookie consent tool.

Marketing & Tag Management

Google Tag Manager manages analytics and marketing tags on our website. Google Tag Manager also loads Google Analytics 4, which means both tools work together. Google Tag Manager requires your explicit consent to both statistics and marketing categories in order to load. If you deny either consent category, Google Tag Manager will not load, which means Google Analytics 4 will also not load. Without Google Tag Manager and Google Analytics 4 loading, no analytics or marketing data will be collected or sent to Google. You can modify your consent preferences at any time using the cookie banner.

Server Logs and Hosting

Our hosting provider Cloudflare Pages automatically captures technical data in server logs for security, DDoS protection, and troubleshooting purposes, including IP addresses, browser type, operating system, referrer URL, request timestamp, HTTP status codes, and response size. Server logs are retained by Cloudflare according to their standard retention policy (typically 30 days after processing) and then deleted. This data is not used for analytics or marketing. For more information about Cloudflare's data processing, see Cloudflare's Privacy Policy and Data Processing Addendum.

Cookies

In accordance with Section 25 of the German Telecommunications Digital Services Data Protection Act (TDDDG) and the GDPR, we only store or access information on your device with your consent, except where strictly necessary to provide a service you have explicitly requested. We use Cookiebot (EU-based) to manage cookie consent. Below are the cookies set by these services:

Service Cookie Name(s) Purpose Expires
Google Analytics 4 _ga User identification & tracking 2 years
Google Analytics 4 _ga_G4QDFBNPDQ Session engagement tracking 2 years
Cookiebot CookieConsent Consent preferences 12 months

You can manage cookie preferences via our cookie banner. Withdrawal of consent takes effect immediately.

3. Legal Bases for Processing

We process personal data on the basis of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG). Our processing activities rely on the following legal grounds:

The German Federal Data Protection Act (BDSG) provides additional protections for personal data processing in Germany and complements the GDPR. In particular, the rights to access, rectification, deletion, and data portability are regulated in both laws.

4. Security Measures

We implement technical and organizational measures to protect your personal data from unauthorized access, loss, destruction, and misuse:

5. Third-Party Services and Data Processors

Google Analytics 4 — Website analytics to measure visitor numbers and usage behavior (US-based; parent company Google Ireland Limited, Dublin; data transfers protected by EU Standard Contractual Clauses pursuant to EU Decision 2021/915; Data Processing Agreement: Google Data Processing Terms)

SplitForms — Contact form processing and storage (US-based; no EU data residency available; data transfers protected by EU Standard Contractual Clauses; GDPR compliance confirmed; Data Processing Agreement on file)

Cookiebot — Consent management and cookie compliance (EU-based, operated by Cybot A/S, Denmark; servers located in the EU)

Google Tag Manager — Tag container for managing analytics and marketing tags (US-based; data transfers protected by Standard Contractual Clauses)

Cloudflare Pages — Website hosting and content delivery network (Cloudflare Inc., US; see Cloudflare's Privacy Policy for details on data processing and locations)

6. Your Rights

You have the following rights pursuant to the General Data Protection Regulation (GDPR Articles 15-22):

To exercise your rights, please send an email to [email protected] with the subject line "Data Subject Rights Request" and specify which right you wish to exercise. Requests to exercise your rights will be processed within 30 days in accordance with GDPR Article 12. Should this not be possible, you will be informed of a delay.

7. Supervisory Authority

If you believe we've violated your rights, you can lodge a complaint with the data protection authority responsible for our place of business (North Rhine-Westphalia):

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Email: [email protected]
Website: ldi.nrw.de

8. Data Protection, Security & Updates

This website uses HTTPS/TLS encryption to protect your data in transit between your browser and our server. All data processors (SplitForms, Google, Cloudflare) are contractually obligated to protect your data and implement data protection measures in accordance with GDPR Articles 28 and 32. All relevant Data Processing Addenda (DPA) are available.

We review this privacy policy at least annually and update it when there are changes to our data processing practices or when required by law. Should we make material changes, we will notify you in advance where possible.