GDPR / German privacy notice
Data privacy
This public website and its private account area process personal data only where needed to provide the website, answer enquiries, support secure access, meet legal obligations, and prevent abuse.
1. Controller
The controller responsible for this website under the GDPR is:
ByteTAL
Germany
Email: contact@bytetal.com
2. Scope and access
This notice applies to the public marketing website, contact forms, legal pages, and the private account area. Public self-registration is not offered; private accounts are created or invited only by the owner or an authorized administrator. IP addresses, timestamps, browser metadata, and failed access attempts may be processed to deliver and protect the website.
3. Personal data processed
- Account data: name, email address, role, status, creation and update timestamps.
- Authentication data: password hashes, MFA setup data, recovery-code status, session identifiers, reset tokens, and invitation tokens.
- Security data: login attempts, IP address, browser/user-agent data, audit events, timestamps, and administrative security actions.
- Communication data: messages sent to the contact address and related metadata.
- Enquiry data: information voluntarily submitted through the project contact form, including contact details, project requirements, budget or timing information, and consent records.
- Technical data: server logs, essential cookies, CSRF/session data, and delivery metadata.
4. Purposes and legal bases
Processing is limited to operating the website, managing authorized accounts, enforcing access restrictions, providing requested private access, detecting misuse, troubleshooting incidents, maintaining auditability, responding to contact requests, and meeting legal duties.
The legal bases are Article 6(1)(b) GDPR where processing is necessary to provide requested private access, Article 6(1)(f) GDPR for the legitimate interests in secure operation, access control, abuse prevention, and evidence preservation, and Article 6(1)(c) GDPR where processing is required by law. If consent is requested for a future feature, Article 6(1)(a) GDPR will apply and consent may be withdrawn at any time with future effect.
5. Cookies and local storage
This website currently uses only technically necessary cookies or browser storage. No advertising, analytics, profiling, cross-site tracking, or marketing cookies are installed. Under Section 25(2) TDDDG, storage or access that is strictly necessary to provide a service requested by the user does not require separate consent. The privacy banner provides transparency and stores the user's acknowledgement; it does not activate optional tracking.
| Name/category | Purpose | Duration | Type |
|---|---|---|---|
| Session cookie | Login session, MFA state, CSRF protection, secure account access. | Until logout or session expiry. | Necessary |
| CSRF/session data | Prevents forged requests and protects authenticated actions. | Session based. | Necessary |
| Cookie notice acknowledgement | Stores the notice version, necessary-only status, and acknowledgement timestamp. | Up to 180 days, or until browser storage is cleared. | LocalStorage, non-tracking |
| Language preference | Remembers the language selected by the user. | Up to 12 months. | Functional cookie and LocalStorage |
6. Hosting and processors
The website is hosted with IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. Hosting providers may process connection data, server logs, and technical metadata where required to deliver, maintain, and protect the website. A data processing agreement is used where required by Article 28 GDPR.
7. Recipients and transfers
Personal data is not sold. Access is limited to the owner, authorized administrators, hosting/service providers required for operation, and public authorities where disclosure is legally required. No intentional transfer to countries outside the European Economic Area is planned. If a future provider requires such transfer, an adequacy decision or appropriate GDPR safeguards must be used.
8. Retention
Personal data is kept only as long as necessary for authorized access, security, abuse prevention, troubleshooting, or legal obligations. Current operational defaults:
- Expired invitations: 30 days after expiry, unless needed for abuse prevention.
- Password reset tokens: Until expiry, normally 60 minutes.
- Sessions: Until logout, expiry, or administrative revocation.
- Login attempts: Up to 180 days for security monitoring.
- Audit logs: Up to 365 days for security and accountability.
- Inactive accounts: Reviewed periodically and deleted or disabled when no longer required.
9. Security
The website uses technical and organizational measures intended to protect personal data, including password hashing, MFA, recovery controls, CSRF protection, access controls, session management, audit logging, and HTTPS transport where configured by the hosting environment.
10. Your rights and request handling
Under the GDPR, affected persons may have rights of access, rectification, erasure, restriction of processing, data portability, objection to processing based on legitimate interests, and withdrawal of consent where processing is based on consent. Requests can be sent to the contact email above. To protect accounts, the owner may verify the requester identity before fulfilling a request.
Providing account, authentication, and security data is necessary for authorized access. Without that data, access to the private website cannot be provided. No automated decision-making or profiling within the meaning of Article 22 GDPR is used.
11. Supervisory authority
You may lodge a complaint with a competent data protection supervisory authority. Current reference: Landesbeauftragte fuer Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), https://www.ldi.nrw.de/.
12. Official references
13. Security disclosure
Please report suspected vulnerabilities to contact@bytetal.com. Do not perform destructive testing, access other users' data, or disrupt availability.
14. Changes
This notice may be updated when the website, hosting, security functions, or legal requirements change.
Last updated: 19 June 2026. Version: 2026-06-19.1