
Privacy Notice

The protection of your personal data is important to me. This privacy notice informs you about the scope and purposes of processing personal data in connection with my website at haak.legal.

This is an English summary of the German privacy notice; the German version is the legally binding text.

1. Controller

The controller within the meaning of the GDPR is:

Heiko Haak
Rechtsanwalt (German-qualified lawyer)
Stresemannstraße 110
22769 Hamburg, Germany
Email: heiko@haak.legal

2. Processing in connection with this website

2.1 Contact via email or contact form

If you contact me via email or the contact form, the personal data you provide (name, organisation, email address, content of the message) is processed solely for the purpose of handling your enquiry and any follow-up communication.

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in handling the enquiry properly). If your enquiry relates to the conclusion or performance of a contract, Art. 6 (1) (b) GDPR additionally applies.

To deliver form submissions to my email address, I use the service Resend (see §3.3).

Data is deleted once the purpose has been fulfilled, unless statutory retention obligations apply.

2.2 Server log files

When you visit the website, the hosting provider automatically collects technically necessary data (URL, date/time, IP address, browser type, OS, referrer, data volume, HTTP status). This data is used to ensure technical operation and security.

Legal basis: Art. 6 (1) (f) GDPR. Log files are deleted after seven (7) days at the latest.

2.3 Cookies

The website uses only technically necessary cookies. No marketing or analytics cookies are used. Session cookies are deleted automatically when the browser is closed.

Legal basis: Section 25 (2) (2) TDDDG.

2.4 Web fonts

No external web font services (such as Google Fonts) are used. Fonts are either served from my own server or rendered from the operating system. No IP address is transmitted to third parties for font loading.

2.5 LinkedIn link

The website contains a plain link to my LinkedIn profile. No LinkedIn plug-in is embedded; merely visiting this website does not transmit data to LinkedIn. Data is only processed by LinkedIn (as a separate controller) once you actively follow the link.

3. Service providers and third-country transfers

External service providers are used only on the basis of Art. 28 GDPR processing agreements and, where third-country transfers occur, on the basis of appropriate safeguards (Art. 44 et seq. GDPR).

3.1 Hosting (Cloudflare Pages)

The website is hosted via Cloudflare Pages, operated by Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA. Connection data (in particular IP address) is processed by Cloudflare for the technical provision of the website.

Legal basis: Art. 6 (1) (f) GDPR. A processing agreement under Art. 28 GDPR is in place. Cloudflare is certified under the EU-U.S. Data Privacy Framework; additionally, EU Standard Contractual Clauses (Art. 46 (2) GDPR) apply.

3.2 Cloudflare Turnstile (spam protection)

The contact form is protected by Cloudflare Turnstile against spam and bot abuse. Turnstile analyses signals such as IP address, dwell time, mouse movements and device information to determine whether the request originates from a human.

Legal basis: Art. 6 (1) (f) GDPR. Transfers to the USA rely on Cloudflare's DPF certification and on EU Standard Contractual Clauses.

3.3 Email delivery (Resend)

To deliver contact form submissions to my email address, I use Resend, operated by Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA. The form fields (name, organisation, email, topic, message) and technical metadata are processed by Resend on my behalf.

Legal basis: Art. 6 (1) (f) and (b) GDPR. A processing agreement under Art. 28 GDPR is in place. Transfer to the USA relies on EU Standard Contractual Clauses (Art. 46 (2) GDPR).

3.4 Calendly (external link only)

I link to Calendly (Calendly, LLC, 271 17th St NW, Floor 10, Atlanta, GA 30363, USA) for scheduling introductory calls. Calendly is opened via an outbound link only — no Calendly scripts, cookies or content are embedded on this website. Data is processed by Calendly as a separate controller once you actively follow the link.

4. Location of processing and data security

Processing primarily takes place within the EU/EEA, except as set out above for US service providers. The website uses TLS encryption and appropriate technical and organisational measures to protect data against manipulation, loss, destruction and unauthorised access.

5. Your rights

Subject to the statutory conditions, you have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), objection (Art. 21) and withdrawal of consent (Art. 7 (3) GDPR).

You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent authority is the Hamburg Commissioner for Data Protection and Freedom of Information (Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit), Ludwig-Erhard-Straße 22, 20459 Hamburg, Germany.

6. Updates

This privacy notice may be updated to reflect legal, technical or organisational changes.

As of: May 2026