Skip to main content

Privacy Policy

The protection of your personal data is important to me. Below I inform you about the extent to which, and the purposes for which, I process personal data in connection with my website at haak.legal.

1. General information; definitions

My privacy notice is based on the terminology of the General Data Protection Regulation (GDPR).

Personal data means any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR).

Processing means any operation performed on personal data, whether or not by automated means (Art. 4 No. 2 GDPR).

Controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4 No. 7 GDPR).

Processor means a natural or legal person which processes personal data on behalf of the controller (Art. 4 No. 8 GDPR).

2. Controller responsible for data processing

The controller within the meaning of the GDPR is:

Heiko Haak
Attorney at law (Rechtsanwalt)
Stresemannstraße 110
22769 Hamburg
Germany
Email: gc@haak.legal

With this privacy notice I fulfil my information obligations pursuant to Art. 12 to 14 GDPR.

3. Data protection contact

If you have questions about data protection on my website or wish to exercise your data subject rights, you can contact me at any time using the contact details given above.

4. Data processing when visiting my website

The scope and nature of the collection, processing and use of your personal data differ depending on whether you use my website merely for information purposes or contact me via the website.

4.1 Contact by email or contact form

If you send me an email or use the contact form, the personal data you provide (e.g. name, company, email address, content of the message) is processed and stored.

This data is processed solely for the purpose of handling your enquiry and in the event of follow-up questions.

The legal basis is Art. 6 (1) lit. f GDPR. My legitimate interest lies in handling your enquiry appropriately. Insofar as your enquiry is aimed at concluding or performing a contract, the additional legal basis is Art. 6 (1) lit. b GDPR.

To transmit the form message to my email address, I use the service provider Resend (Resend, Inc.). Further details under section 5.

I delete the relevant data once the purpose no longer applies, unless statutory retention obligations prevent this.

4.2 Automatically collected data

When you visit my website, technically necessary data is processed automatically.

4.2.1 Server log files

When you visit my website purely for information purposes, the hosting provider (see section 5) automatically collects the following information:

This data is processed in order to provide the website technically and to ensure its security.

The legal basis is Art. 6 (1) lit. f GDPR. My legitimate interest lies in the secure and stable provision of my website.

Log files are regularly deleted after no later than seven (7) days, unless longer storage is required for evidentiary purposes.

4.2.2 Cookies

Only technically necessary cookies are used on my website. These serve the secure and technically error-free provision of the website and contain no information for marketing or analytics purposes.

Session cookies are deleted automatically as soon as you close your browser.

The legal basis for technically necessary cookies is Section 25 (2) No. 2 TDDDG. You can set your browser to reject cookies in general. This may limit the functionality of the website.

4.2.3 Embedded fonts

This website does not use external font services (e.g. Google Fonts). Fonts are loaded exclusively from my own server, or system fonts are used. Your IP address is therefore not transmitted to third parties for the purpose of loading fonts.

4.2.4 LinkedIn link

On my website you will find a link to my profile on the LinkedIn platform operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

The link is a simple hyperlink. No LinkedIn plug-in is embedded; therefore, when you merely access my website, no data is transmitted to LinkedIn.

If you actively click the link and thereby access my LinkedIn profile, the data processing is carried out by LinkedIn on its own responsibility. Further information is available at linkedin.com/legal/privacy-policy.

5. Service providers used and third-country transfers

Insofar as external service providers are required to provide my website or to handle your enquiries, this is done within the framework of processing on behalf pursuant to Art. 28 GDPR or on the basis of appropriate safeguards for third-country transfers (Art. 44 et seq. GDPR).

5.1 Hosting (Cloudflare Pages)

This website is hosted via the Cloudflare Pages service of Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA, and provided via Cloudflare's content delivery network and security services. In doing so, connection data required for operation (in particular your IP address) is processed by Cloudflare.

The legal basis is Art. 6 (1) lit. f GDPR. My legitimate interest lies in the secure, fast and stable provision of my website. I have concluded a data processing agreement with Cloudflare pursuant to Art. 28 GDPR.

Insofar as personal data is transferred to the USA in this context, this transfer is based on Cloudflare's certification under the EU-U.S. Data Privacy Framework (adequacy decision of the EU Commission of 10 July 2023) and, additionally, on EU standard contractual clauses (Art. 46 (2) GDPR).

Further information on data protection at Cloudflare: cloudflare.com/privacypolicy.

5.2 Cloudflare Turnstile (spam and bot protection)

To protect the contact form against spam and abusive automated use, I use Cloudflare Turnstile, a service of Cloudflare, Inc. (address see above). When the contact form is accessed, Turnstile analyses various characteristics (e.g. IP address, time spent on the page, mouse movements, device information) in order to check whether the access is by a human.

The legal basis is Art. 6 (1) lit. f GDPR. My legitimate interest lies in protecting my contact form against abuse by bots and spam.

Here too, personal data may be transferred to the USA. The transfer is based on Cloudflare's EU-U.S. Data Privacy Framework certification and, additionally, on EU standard contractual clauses (Art. 46 (2) GDPR).

5.3 Email delivery (Resend)

To deliver messages sent via the contact form to my email address, I use the Resend service of Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA. In doing so, the data provided in the form (name, company, email, subject, message) and technical metadata (e.g. IP address for delivery) is processed by Resend.

The legal basis is Art. 6 (1) lit. f GDPR (appropriate handling of your enquiry) or Art. 6 (1) lit. b GDPR insofar as your enquiry is aimed at concluding or performing a contract. I have concluded a data processing agreement with Resend pursuant to Art. 28 GDPR.

The transfer to the USA is based on EU standard contractual clauses (Art. 46 (2) GDPR).

Further information: resend.com/legal/privacy-policy.

6. Place of data processing and data security

Personal data is generally processed within the European Union (EU) or the European Economic Area (EEA), unless stated otherwise in this privacy notice. With the US service providers named above, a transfer to the USA is possible; the respective legal bases are set out in section 5.

I use appropriate technical and organisational security measures to protect your data against manipulation, loss, destruction or unauthorised access. This includes in particular TLS encryption of the website.

7. Data subject rights

Within the scope of the statutory requirements, you have in particular the following rights:

In addition, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The authority responsible for me is:

The Hamburg Commissioner for Data Protection and Freedom of Information (Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit), Ludwig-Erhard-Straße 22, 20459 Hamburg.

To exercise your rights, a notification to the contact details given above is sufficient.

8. Updates and changes

I reserve the right to amend this privacy notice in the event of legal, technical or organisational changes.

Last updated: May 2026