Privacy Policy / Datenschutzerklärung

Per Art. 13 GDPR. German version below the English text.

1. Controller (Verantwortlicher)

Abhilash Anuku — see /impressum for full contact details.

2. What this site collects

2.1 Theme preference (localStorage)

When you click the light/dark theme toggle in the navigation, your choice is saved in localStorage under the key theme-override. This is not a cookie under TTDSG — it stays on your device, never leaves your browser, and never reaches our servers. No consent banner is required.

You can clear it at any time via your browser's site-data settings.

2.2 Contact form

The contact form on the /contact section opens your own email client via a mailto: link. Nothing is sent through our servers; we never see your message until you choose to send it from your email client to abhilashanuku14@gmail.com. Once sent, the email is stored on Google's Gmail infrastructure under Google's data-processing terms.

Lawful basis: consent (Art. 6(1)(a) GDPR) — you actively send the email.

2.3 Spotify playlist embed

The hero section embeds a Spotify playlist player as an <iframe> from open.spotify.com. When loaded, Spotify (Spotify AB, Sweden) may set cookies on your device and process IP, browser, and listening-interaction data per their own Privacy Policy. We do not control or receive this data. If you have not interacted with the player, Spotify still loads its iframe — this is a known third-party-content trade-off documented here.

Lawful basis: legitimate interest (Art. 6(1)(f) GDPR) — providing a music context for the portfolio. You can opt out at the browser level by blocking third-party cookies from open.spotify.com.

2.4 Lisa welcome voice (Microsoft Edge TTS)

When you click Lisa to play the welcome audio, the request goes to our own /api/lisa/speak route, which generates the audio server-side using Microsoft Edge TTS. No API key is transmitted from your browser; the call stays server-to-Microsoft. We send no personally identifiable information — the spoken text is a hard-coded welcome message. Your IP is visible to our server (Hostinger, EU) as part of the standard request; it is not forwarded to Microsoft. The generated audio is served back with a short cache header and is not stored on our server after the response.

Lawful basis: consent (Art. 6(1)(a) GDPR) — you click to trigger; it does not auto-play.

2.5 Hosting + access logs

The site is hosted on Hostinger (EU servers). Hostinger's web server records standard access logs (IP, user-agent, referrer, timestamp, request path, response code) for security and operational purposes. We retain these logs for 7 days before automatic deletion.

Lawful basis: legitimate interest (Art. 6(1)(f) GDPR) — operating and securing the service.

2.6 Analytics — self-hosted, cookieless

We run a self-hosted, cookieless analytics layer on our own server. We do not use Google Analytics, Plausible, Fathom, Matomo, or any third-party analytics provider. No tracking pixels. For each page view we record: the path visited, a timestamp, your browser's user-agent, and a session identifier derived server-side per request as an HMAC of your hashed IP, user-agent, and a 30-minute time bucket. Your raw IP is never stored — it is hashed in memory with a salt that rotates daily and is deleted after 48 hours, after which the hash is computationally irreversible even by us.

Nothing is stored on your terminal device — no cookie, no localStorage, no sessionStorage, no pixel. Because nothing is stored on or read from your device, TTDSG § 25(1) does not apply and no consent banner is required.

Lawful basis: legitimate interest (Art. 6(1)(f) GDPR) — understanding which sections of the portfolio are viewed. You can opt out entirely: send a DNT: 1 (Do Not Track) header, or visit /?analytics=deny which sets a _lisa_consent=deny preference and disables all collection.
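Illustration of the session-identifier derivation and the two opt-outs described in § 2.6. This is an added example, not the site's actual code: SHA-256, the separate HMAC key, the length-prefixed encoding, and all function and variable names are assumptions.

```python
import hashlib
import hmac
import secrets

BUCKET_SECONDS = 30 * 60  # 30-minute time bucket (section 2.6)


def should_collect(headers, cookies):
    """Honour the opt-outs the policy names: DNT: 1 and _lisa_consent=deny."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if lowered.get("dnt", "").strip() == "1":
        return False
    return cookies.get("_lisa_consent") != "deny"


def hash_ip(ip, daily_salt):
    """Salted hash computed in memory; the raw address is never returned."""
    return hashlib.sha256(daily_salt + ip.encode("utf-8")).digest()


def session_id(ip, user_agent, unix_ts, daily_salt, server_key):
    """HMAC over the hashed IP, the user-agent and the 30-minute bucket index."""
    bucket = int(unix_ts) // BUCKET_SECONDS
    parts = (hash_ip(ip, daily_salt), user_agent.encode("utf-8"), str(bucket).encode())
    # Length-prefix each field so field boundaries cannot be confused.
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()


# Constructed sample values: documentation-range IP, made-up user-agent.
SALT_TODAY = secrets.token_bytes(32)     # assumed to be regenerated once per day
SALT_TOMORROW = secrets.token_bytes(32)  # stands in for the next day's salt
KEY = secrets.token_bytes(32)            # assumed server-side HMAC secret
UA = "ExampleBrowser/1.0"
T0 = 1_800_000_000                       # falls exactly on a bucket boundary

if __name__ == "__main__":
    same = session_id("203.0.113.7", UA, T0, SALT_TODAY, KEY)
    print("same bucket  :", same == session_id("203.0.113.7", UA, T0 + 1799, SALT_TODAY, KEY))
    print("next bucket  :", same == session_id("203.0.113.7", UA, T0 + 1800, SALT_TODAY, KEY))
    print("rotated salt :", same == session_id("203.0.113.7", UA, T0, SALT_TOMORROW, KEY))
    print("DNT honoured :", should_collect({"DNT": "1"}, {}))
```

Once a day's salt is deleted, the stored identifiers can no longer be recomputed from a candidate IP, which is what prevents linking one visitor across days.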

2.7 Cookies

We set zero analytics cookies. The only first-party cookie we may set is _lisa_consent, written only if you choose to opt out of analytics — it stores that preference and nothing else (strictly necessary under TTDSG § 25(2)(b), so it needs no consent). The only third-party cookies you might encounter come from the Spotify iframe (§ 2.3) if you interact with it.

2.8 Data retention

  • Analytics event rows — deleted after 90 days
  • Analytics session rows — deleted after 12 months
  • Daily IP-hash salt files — deleted after 48 hours
  • Hosting access logs (Hostinger) — deleted after 7 days

3. Your rights (Art. 13(2)(b–f) + Art. 15–22 GDPR)

You have the right to:

  • Access (Art. 15) — request a copy of any personal data we hold (which, for the public site, is essentially zero unless you've emailed us)
  • Rectification (Art. 16)
  • Erasure (Art. 17)
  • Restriction (Art. 18)
  • Data portability (Art. 20)
  • Objection (Art. 21) — particularly to processing based on legitimate interest
  • Withdraw consent (Art. 7(3)) — for anything you originally consented to

To exercise these rights, email abhilashanuku14@gmail.com.

4. Right to lodge a complaint

You can complain to the supervisory authority for Baden-Württemberg:

Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Königstraße 10a · 70173 Stuttgart
www.baden-wuerttemberg.datenschutz.de
Tel: +49 711/61 55 41-0

5. International transfers

  • Spotify: data may transfer to non-EU jurisdictions per Spotify's own DPA + standard contractual clauses
  • Microsoft Edge TTS: a server-to-server call; no personal data in the payload (hard-coded text, no user identifier)
  • All other data (analytics, hosting logs) stays in the EU (Hostinger)

6. Children

This site is not directed at children under 16. We do not knowingly collect data from anyone under 16.

7. Changes to this policy

Material changes are reflected by bumping the last-updated date at the top of this document. The current version always lives at abhilashanuku.com/privacy.

Privacy Policy (German version, translated)

1. Controller

Abhilash Anuku — see /impressum for full contact details.

2. What data this website processes

Theme preference: When you click the theme toggle, your choice is saved in your browser's localStorage (key theme-override). This is not a cookie under TTDSG; the information does not leave your device. No consent banner is required.

Contact form: The contact button opens your own email client via mailto:. No server-side processing takes place.

Spotify embed: The Spotify embed loads from open.spotify.com. When it loads, Spotify (Spotify AB, Sweden) processes data in accordance with its privacy policy. Lawful basis: legitimate interest (Art. 6(1)(f) GDPR).

Lisa voice (Microsoft Edge TTS): When you click Lisa, audio is generated server-side via Microsoft Edge TTS. No personal data is transmitted to Microsoft — the spoken text is hard-coded. Lawful basis: consent (Art. 6(1)(a) GDPR).

Analytics — self-hosted, cookieless: We run self-hosted, cookieless analytics on our own server. No third-party providers, no tracking pixels. For each page view we store the path, timestamp, user-agent, and a session identifier derived server-side per request. Your IP is never stored — it is hashed in memory with a daily rotating salt that is deleted after 48 hours. Nothing is stored on your terminal device — no cookie. TTDSG § 25(1) therefore does not apply and no consent banner is required. Lawful basis: legitimate interest (Art. 6(1)(f) GDPR).

Hosting logs: Hostinger stores standard access logs (IP, user-agent, referrer, timestamp) for 7 days. Analytics events: 90 days. Analytics sessions: 12 months. Salt files: 48 hours. Lawful basis: legitimate interest (Art. 6(1)(f) GDPR).

No first-party analytics cookies. The only first-party cookie (_lisa_consent) is set only if you object to analytics.

3. Your rights

Access, rectification, erasure, restriction, data portability, objection, right to lodge a complaint — see above (§§ 3–4 of the English version).

4. Supervisory authority

LfDI Baden-Württemberg · Königstraße 10a · 70173 Stuttgart.

Last updated: 2026-05-30. Counsel-approved (Pepper Potts · 2026-05-30).