Privacy Policy
Last updated: 31 May 2026
This policy informs you about the nature, scope and purpose of the processing of personal data on this website pursuant to Articles 13 and 14 of the EU General Data Protection Regulation (GDPR). This website is operated for personal and professional self-presentation and does not offer commercial services online.
1. Controller
Dr. Matthias Pfaff
Bergmannstrasse 54, 80339 München, Germany
Email: info@matthiaspfaff.online
Phone: +49 89 500 949 27
2. Data processed automatically (server log files)
When you visit this website, the hosting provider's web servers automatically record technical access data into log files:
- IP address of the requesting device
- Date and time of the request
- Requested URL and HTTP status code
- Referrer URL
- Browser type, version, language and operating system (User-Agent)
- Volume of data transferred
Legal basis: Art. 6 (1) lit. f GDPR. The legitimate interest lies in ensuring a stable, secure and functional website and in defending against abuse.
Retention: Log data is retained for up to 90 days by the hosting provider (Lovable Labs Incorporated), in line with its privacy policy, unless retention is required for the clarification of a specific security incident.
3. Hosting
This website is hosted on the Lovable platform, operated by Lovable Labs Incorporated (United States). Lovable processes the server-log data listed in section 2 on our behalf as a processor within the meaning of Art. 28 GDPR, under the terms of Lovable's Data Processing Agreement (available at lovable.dev/legal). Lovable engages sub-processors to operate the platform; the current list is published at trust.lovable.dev/subprocessors.
International transfers. Because Lovable Labs Incorporated is based in the United States, hosting this website involves a transfer of personal data to a third country. These transfers are safeguarded by the EU Standard Contractual Clauses (Module 2, Commission Decision 2021/914), as set out in Lovable's Privacy Policy (lovable.dev/privacy, section 6). You can exercise your data subject rights against the controller (see section 1) at any time.
Edge / DNS — Cloudflare, Inc. Authoritative DNS for matthiaspfaff.online is operated by Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA. In addition, all traffic to this website is routed through Cloudflare's global reverse proxy, CDN and WAF (web application firewall). Cloudflare therefore processes — in our name and on our behalf as a processor under Art. 28 GDPR — the same technical request data listed in section 2 (IP address, requested URL, HTTP method and status code, referrer, User-Agent, transferred bytes), as well as TLS termination metadata, in order to deliver, cache, secure and accelerate the site.
Legal basis: Art. 6 (1) lit. f GDPR — legitimate interest in a reliable, secure, performant and DDoS-resilient web presence.
Cookies set by Cloudflare. Cloudflare may set the strictly necessary bot-management cookie __cf_bm (lifetime approximately 30 minutes) used to distinguish humans from automated traffic. This cookie is consent-exempt under §25 (2) Nr. 2 TDDDG because it is technically required to provide the security service you have implicitly requested by accessing the site.
International transfers. Cloudflare is US-based; transfers of personal data to the US are safeguarded by Cloudflare's certification under the EU‑US Data Privacy Framework and by the EU Standard Contractual Clauses. See Cloudflare's privacy policy at cloudflare.com/privacypolicy and the data processing addendum at cloudflare.com/cloudflare-customer-dpa.
4. Fonts
Typefaces (Newsreader, Geist, JetBrains Mono) are served exclusively from this website's own origin via self-hosted font files. No connection to Google Fonts or any other third-party font CDN is established. No personal data is transmitted to third parties for the purpose of font rendering.
5. No cookies, no analytics, no tracking
This website does not set any cookies that require consent. No web analytics, tracking pixels, fingerprinting, retargeting tools or third-party advertising tools are used. There are no embedded third-party widgets on this site (no YouTube, Vimeo, social media plugins, comment systems, maps or similar). Therefore, no consent banner is presented. The appointment-booking link in section 7 is an outbound link to a separate site, not an embed. Exception: the strictly necessary, consent-exempt bot-management cookie __cf_bm may be set by Cloudflare; see section 3.
6. Contact by email or phone
If you contact us by email or phone, the personal data you provide (name, email address, message content) is processed for the sole purpose of handling your enquiry. The legal basis is Art. 6 (1) lit. b GDPR (pre-contractual measures) or Art. 6 (1) lit. f GDPR (legitimate interest in responding). Your message is stored as long as necessary to handle the matter and afterwards in accordance with statutory retention obligations.
7. Appointment booking
The homepage features a "Book an appointment" button that links to book.matthiaspfaff.online, a separate site operated by the same controller (see section 1). Following the link takes you off this website.
Booking platform. The booking page is provided by TimeTuna (timetuna.com), acting as a processor under Art. 28 GDPR. When you request a slot there, the following data is processed: name, email address, phone number, meeting purpose, chosen time slot and time zone.
Purpose and legal basis. The data is processed solely to schedule and confirm the requested call. Legal basis: Art. 6 (1) lit. b GDPR (pre-contractual / contractual measures).
Google Meet. Confirmed bookings automatically generate a Google Meet video-conference link. The conferencing service is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, with onward transfers to Google LLC (USA). Transfers to the US are safeguarded by Google's certification under the EU‑US Data Privacy Framework and the EU Standard Contractual Clauses. Google's privacy policy is available at policies.google.com/privacy.
The booking subdomain has its own privacy notice, which governs once you follow the link.
8. External links
This website links to external sites (e.g. LinkedIn). Once you follow such a link, this privacy policy no longer applies and the privacy practices of the linked operator govern.
9. Transport encryption
This website uses TLS encryption for all connections to protect data transmitted between your device and our servers.
10. Your rights
You have the following rights under the GDPR:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object to processing based on legitimate interests (Art. 21)
- Right to withdraw consent at any time with effect for the future (Art. 7 (3))
Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. The competent authority for the controller is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.
11. Changes to this policy
We may update this policy to reflect changes in the website, our processing activities or applicable law. The current version is always available at this URL.