Privacy Policy
As I am a resident of Spain, my services are subject to Spanish law, which implements GDPR, the EU’s data protection directive.
The English language version of this policy is translated and kept in sync with the Spanish version to the best of my knowledge and ability, but only the Spanish language version is legally binding.
- Privacy Policy
- 1. DATA CONTROLLER
- 2. PURPOSES OF PROCESSING AND LEGAL BASIS
- 3. SPECIAL CATEGORIES OF DATA
- 4. DATA RECIPIENTS
- 5. INTERNATIONAL TRANSFERS
- 6. DATA RETENTION PERIODS
- 7. DATA SUBJECT RIGHTS
- 8. SECURITY MEASURES
- 9. COOKIES AND WEB ANALYTICS
- 10. "DO NOT TRACK" INFORMATION
- 11. MINORS
- 12. POLICY MODIFICATIONS
- 13. DATA PROTECTION OFFICER
- 14. ADDITIONAL INFORMATION
1. DATA CONTROLLER
Identity: Pekka Gaiser
Address: Diseminado B-2, 35542 Tabayesco, Haría (Las Palmas), Spain
NIE (Foreign ID): Y3488723M
Email: webmechanic@pekka.net
Phone: +49 (0) 163 4444 376
Website: https://pekka.net/webmechanic
In compliance with Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016 (GDPR) and Spanish Organic Law 3/2018 of December 5 on Personal Data Protection and guarantee of digital rights (LOPDGDD), I inform you about the processing of your personal data.
2. PURPOSES OF PROCESSING AND LEGAL BASIS
I process your personal data for the following purposes and legal bases:
2.1 Managing inquiries and contact
- Purpose: Respond to inquiries made through the contact form or email
- Legal basis: Consent of the data subject (Art. 6.1.a GDPR) and legitimate interest (Art. 6.1.f GDPR)
- Data processed: Name, email, phone, problem description, and any additional information voluntarily provided
2.2 Service provision
- Purpose: Execute contracted web technical assistance services
- Legal basis: Contract performance (Art. 6.1.b GDPR)
- Data processed: Identification data, contact details, system access credentials, technical data of your web infrastructure
2.3 Billing and legal compliance
- Purpose: Invoice issuance and tax obligation compliance
- Legal basis: Legal obligation compliance (Art. 6.1.c GDPR)
- Data processed: Name or company name, Tax ID, address, payment data
2.4 Website analysis and improvement
- Purpose: Analyze website usage for improvement and optimization
- Legal basis: Legitimate interest (Art. 6.1.f GDPR)
- Data processed: Browsing data, IP address, browser type, pages visited
3. SPECIAL CATEGORIES OF DATA
3.1 Access credentials
During service provision, I may have access to:
- Passwords and system access credentials
- FTP/SSH access
- Website administration credentials
- API keys and configurations
Applied security measures:
- Encrypted storage
- Restricted access
- Deletion according to your preference (immediate, 7 days, or indefinite retention upon express request)
3.2 Third-party data
If during service provision I have access to personal data of your customers or users, I will act as a Data Processor. I can formalize a Data Processing Agreement according to Art. 28 GDPR upon request.
4. DATA RECIPIENTS
Your data may be communicated to:
4.1 Public Administrations
- Spanish Tax Agency: For compliance with tax obligations and the electronic invoicing system (SII)
- Other authorities: When required by law
4.2 Service providers (Data Processors)
- Hosting providers:
- ALL-INKL.COM – Neue Medien Münnich (Germany)
- Hetzner Online GmbH (Germany)
- Cloud storage:
- Dropbox International Unlimited Company (Ireland) – Transfers to Dropbox Inc. (USA) are made under the EU-U.S. Data Privacy Framework
- Web analytics (fully GDPR compliant):
- Plausible Analytics (Plausible Insights OÜ, Estonia) – Web analytics service that does not use cookies, does not collect personally identifiable data, and is fully GDPR compliant. No consent required for its use. More information: https://plausible.io/privacy
- Payment processors:
- PayPal (Europe) S.à r.l. et Cie, S.C.A.
- Stripe Payments Europe, Ltd.
5. INTERNATIONAL TRANSFERS
Data is primarily stored on servers located in the European Economic Area. When using Dropbox, transfers to the United States may occur under:
- EU-U.S. Data Privacy Framework
- EU Standard Contractual Clauses
6. DATA RETENTION PERIODS
Retention periods vary by data type:
| Data type | Retention period |
|---|---|
| Inquiries not converted to clients | 1 year |
| Client data | During contractual relationship + 5 years (tax obligations) |
| Invoices and accounting documents | 6 years (Spanish legal obligation) |
| Access credentials | According to your choice: immediate, 7 days, or indefinite |
| Web browsing data | 3 months |
| Work backups | As agreed: immediate deletion or 30 days |
7. DATA SUBJECT RIGHTS
You have the right to:
7.1 GDPR Rights
- Access: Obtain confirmation about your data processing and a copy thereof
- Rectification: Correct inaccurate or incomplete data
- Erasure (“right to be forgotten”): Request deletion of your data
- Restriction of processing: Request suspension of processing in certain cases
- Data portability: Receive your data in a structured, commonly used format
- Opposition: Object to the processing of your data
- Withdrawal of consent: Withdraw consent at any time
7.2 LOPDGDD Rights (specific to Spain)
- Right not to be subject to automated decisions
- Right of access to deceased persons’ data (heirs)
- Right to digital disconnection in the workplace
7.3 Exercising rights
To exercise these rights, send a request to: webmechanic@pekka.net
- Attach a copy of your ID, NIE, or passport
- Clearly indicate which right you wish to exercise
- Response time: maximum 1 month from receipt
7.4 Complaint to the supervisory authority
You may file a complaint with:
Spanish Data Protection Agency (AEPD)
- Address: C/ Jorge Juan, 6. 28001 Madrid
- Phone: 901 100 099 / 912 663 517
- Web: www.aepd.es
- Electronic headquarters: https://sedeagpd.gob.es
For German clients: You may also file complaints with German data protection authorities.
8. SECURITY MEASURES
I implement appropriate technical and organizational measures according to Art. 32 GDPR:
8.1 Technical measures
- Encryption of data at rest and in transit (SSL/TLS)
- Backup and recovery systems
- Firewall and intrusion detection systems
- Regular security updates
- Two-factor authentication when possible
8.2 Organizational measures
- Physical and logical access control
- Data protection training
- Contractual confidentiality
- Incident management procedures
- Periodic security assessments
9. COOKIES AND WEB ANALYTICS
9.1 Web analytics with Plausible
I use Plausible Analytics for statistical analysis of the website. Plausible is a web analytics tool that:
- Does not use cookies
- Does not collect personally identifiable data
- Does not require consent under GDPR
- Does not track across websites
- Fully complies with GDPR, PECR, and CCPA
Data collected by Plausible:
- Page views and unique visitors (without identification)
- Traffic sources (referrer)
- Session duration
- Country of origin (without precise geolocation)
- Device and browser (general information)
Provider: Plausible Insights OÜ (Estonia, EU). More information: https://plausible.io/privacy
9.2 Technical cookies
The website uses only essential technical cookies:
- Session management
- Language preferences
- Security and fraud prevention
These cookies are necessary for site functionality and do not require consent.
For more information, see our Cookie Policy.
10. “DO NOT TRACK” INFORMATION
I currently do not respond to “Do Not Track” browser signals.
11. MINORS
I do not provide services to minors under 18 years of age. If I become aware of having collected data from minors, I will proceed to immediately delete it.
12. POLICY MODIFICATIONS
I reserve the right to modify this privacy policy. Changes will be published on this page with the last update date indicated. I recommend periodically reviewing this policy.
13. DATA PROTECTION OFFICER
I am not required to appoint a Data Protection Officer under Art. 37 GDPR. For privacy inquiries, contact the controller directly at: webmechanic@pekka.net
14. ADDITIONAL INFORMATION
14.1 Legitimate interest basis
When processing is based on legitimate interest, this consists of:
- Improving our services
- Preventing fraud and ensuring security
- Direct marketing of similar services to existing clients
14.2 Automated decisions
I do not perform profiling or automated decisions that produce significant legal effects.
14.3 Data source
Data comes directly from the data subject or from website browsing.
Last updated: October 7, 2025
English version – For information purposes only. The Spanish version is legally binding.