1. Controller

Responsible for data processing on this website:

Maria Grazia Chetta Schererstraße 9, 13347 Berlin, Germany Email: datenschutz@mariagraziachetta.com

2. Hosting and server log files

This website is self-hosted on servers operated by DigitalOcean LLC — Frankfurt, Germany. When you access the site, technically necessary data is automatically recorded in server log files: IP address, date and time of access, the page requested, volume of data transferred, browser type and operating system, and the referrer URL.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating the website securely and reliably). A data processing agreement under Art. 28 GDPR is in place with the hosting provider.

3. Strictly necessary cookies

This website runs on the Ghost platform and sets only technically necessary cookies (for example, to maintain core functions). There is no tracking and no audience measurement through cookies. Legal basis: Art. 6(1)(f) GDPR and § 25(2) TDDDG (strictly necessary).

4. Contact by email

If you contact me by email, the data you provide (name, email address, content of your message) is processed solely to handle your enquiry. Legal basis: Art. 6(1)(b) GDPR (pre-contractual steps) and (f) GDPR. The data is deleted once it is no longer required and no statutory retention periods apply.

5. Contact form

The contact page provides a contact form. The data you enter (name, email address, message) is processed to handle your enquiry. The form is delivered through Web3Forms (operated by Surjith S M, Palakkad, Kerala, India), which processes the data and forwards it to me by email. Web3Forms stores submissions encrypted for up to 30 days (free plan) and then deletes them automatically. This involves a transfer to a third country (India), for which the EU Commission has not issued an adequacy decision; the transfer is made under Art. 49(1)(b) GDPR, as it is necessary for pre-contractual steps taken at your request. Legal basis for processing: Art. 6(1)(b) GDPR and (f) GDPR (legitimate interest in an easy means of contact). To prevent spam the form uses a hidden field (honeypot); no external captcha is loaded.

6. Appointment booking

The contact page offers the option to book an appointment via a link. The link leads to a Google scheduling page (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Google Workspace). Only when you follow the link does Google process your data (name, email address, chosen time). No Google services are embedded on this website and no Google cookies are set here. Legal basis: Art. 6(1)(b) GDPR (pre-contractual steps). Google's own privacy policy also applies.

7. Interactive assessment tools

This website offers free interactive self-assessment tools (for example on platform migration readiness, subscription conversion and regulatory readiness). Using a tool is voluntary and requires no registration, no email address and no other identifying information.

Data processed. Only the answers you select in the questionnaire. These answers are not designed to identify you and are not linked to your name, email address or IP address.

How it works. When you request your report, your answers are sent to a serverless function operated on the infrastructure of Cloudflare, Inc. and, from there, to Anthropic PBC (USA), whose "Claude" model generates the written report that is returned to you.

Third-country transfer. Generating the report involves processing by Cloudflare, Inc. and Anthropic PBC in the United States. Both providers are certified under the EU-US Data Privacy Framework, on which the EU Commission's adequacy decision of 10 July 2023 is based; in addition, EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR apply as a secondary safeguard. Data processing agreements pursuant to Art. 28 GDPR are in place with these processors.

Storage. In order to operate and improve the tools and to keep a record of the reports generated, your (non-identifying) answers together with the generated report are stored in a database (Cloudflare D1). No IP address and no contact details are stored with this data. A random, non-personal reference code is shown together with your report so that you can refer to your result if you contact me; the code alone does not identify you.

Internal notification. When a report is generated, a short internal notification (the tool used, the overall score, the weakest dimensions and the reference code — no personal data) is sent to me by email via Web3Forms (see section 5). This notification contains no information that identifies you.

Retention. This data is deleted after 6 months at the latest.

Legal basis. Art. 6(1)(f) GDPR (legitimate interest in providing, securing and improving the tools) and, where you use a tool as a first step towards a possible engagement, Art. 6(1)(b) GDPR (pre-contractual steps).

8. Web analytics (Umami)

This website uses Umami, an open-source web analytics tool that I self-host on my own server (at stats.mariagraziachetta.com). Umami helps me understand, in aggregate, how the website is used — for example which pages are visited and roughly where visitors come from.

Cookieless, no cross-site tracking. Umami does not use cookies and does not store any information on your device. It does not create a persistent identifier and does not track you across other websites.

Data processed. Umami records aggregated, non-identifying usage data such as the pages viewed, the referring website, and general information derived from your browser (device type, browser, operating system, and approximate country). Your IP address is used only momentarily to derive this information and is not stored; unique-visitor counts are produced using a hashed value that rotates daily, not a stored identifier.

No third party, no transfer. The analytics data is processed solely on my own server (DigitalOcean, Frankfurt, Germany). It is not shared with any third party and not transferred outside the EU.

Legal basis. Art. 6(1)(f) GDPR (legitimate interest in understanding and improving how the website is used). Because no cookies or other device storage are used, no consent banner is required.

9. What this website does not do

No newsletter, no registration or membership, no comments, no social media plug-ins, and no third-party or cross-site tracking. Web analytics is limited to the self-hosted, cookieless Umami described in section 8, which involves no third party and no transfer of data. Data is transferred to third-party providers only in the cases described above: to Web3Forms when you submit the contact form (section 5) or when an internal notification about a generated assessment report is sent (section 7), and to Cloudflare and Anthropic when you voluntarily use an interactive assessment tool (section 7). Appointment booking is an external link (section 6), not an embedded element. Should any of this change (for example third-party analytics or an embedded widget), this policy will be updated beforehand.

10. Your rights

You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection (Art. 21 GDPR). To exercise these, use the contact details above.

You also have the right to lodge a complaint with a supervisory authority. The competent authority is the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit, BlnBDI).

11. SSL/TLS encryption

For security, this website uses SSL/TLS encryption (shown by "https" in the address bar).