Privacy Policy

Datenschutzerklärung · Last updated: February 2026

1. Controller

The controller responsible for data processing on this website is Maximilian Hess. Full contact details are available in our Legal Disclosure (Impressum).

2. Overview

This website (h3ss.xyz) is designed to collect as little personal data as possible. There are no cookies set, no registration required and no user accounts. All fonts are self-hosted. This policy explains what data is processed, why, on what legal basis and what rights you have.

3. Hosting

This website is hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. When you visit this website, Hetzner's web servers automatically process the following data in server log files:

Your IP address
Date and time of the request
Requested URL and referrer URL
Browser type and operating system (user agent)
HTTP status code and transferred data volume

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in ensuring the security, stability and functionality of the website.

Retention: Server log files are automatically deleted after 14 days.

Data processing agreement: We have concluded a data processing agreement (Auftragsverarbeitungsvertrag) with Hetzner Online GmbH pursuant to Art. 28 GDPR. All data is processed exclusively on servers located in Germany.

4. Contact (E-Mail)

If you contact us by e-mail, we process the data you provide (name, e-mail address, message content) solely to respond to your inquiry.

Legal basis: Art. 6(1)(b) GDPR — processing necessary for pre-contractual measures or the performance of a contract at your request; alternatively Art. 6(1)(f) GDPR — legitimate interest in responding to inquiries.

Retention: Your message is retained for the duration of the correspondence and deleted once the inquiry is resolved, unless longer retention is required by law (e.g. tax retention obligations of 6–10 years under §§ 147 AO, 257 HGB).

5. Self-hosted fonts

All fonts used on this website (Plus Jakarta Sans, Instrument Serif, JetBrains Mono) are self-hosted on our own server. No external requests to Google Fonts or other third-party font services are made. No data is transmitted to third parties for font loading.

6. Analytics

This website uses Umami, an open-source, privacy-focused, cookieless web analytics tool that we self-host on our own server (Hetzner, Germany). Umami does not use cookies, does not collect personal data, and does not track individual visitors across websites or devices. No IP addresses are stored. All analytics data is aggregated and anonymous.

Since Umami is self-hosted, no data is transferred to any third party. All data remains on our own infrastructure in Germany.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in understanding aggregated, anonymous website usage to improve the website. Since Umami does not process personal data and does not store information on or access information from end devices, no consent under § 25 TDDDG is required.

7. External links

This website contains links to external services including Substack (h3ss.substack.com), X / Twitter, LinkedIn, Paragraph and ENS. These are plain hyperlinks — no data is transmitted to these services until you actively click a link and leave this website. Once you navigate to an external service, that service's own privacy policy applies. We have no control over the data processing carried out by these external services.

8. No cookies

This website does not set any cookies. No first-party cookies, no third-party cookies, no tracking cookies. No consent banner is required or shown because there is nothing to consent to regarding cookie usage.

9. SSL/TLS encryption

This website uses SSL/TLS encryption (HTTPS) for security reasons and to protect the transmission of data. You can recognize an encrypted connection by the lock icon in your browser's address bar.

10. Your rights under GDPR

Under the EU General Data Protection Regulation, you have the following rights with regard to your personal data:

Right of access (Art. 15 GDPR) — you may request information about what personal data we process about you.
Right to rectification (Art. 16 GDPR) — you may request that inaccurate data be corrected.
Right to erasure (Art. 17 GDPR) — you may request that your data be deleted, subject to legal retention obligations.
Right to restriction of processing (Art. 18 GDPR) — you may request that processing be restricted under certain circumstances.
Right to data portability (Art. 20 GDPR) — you may request to receive your data in a structured, commonly used, machine-readable format.
Right to object (Art. 21 GDPR) — you may object to processing based on legitimate interest (Art. 6(1)(f) GDPR) at any time, for reasons relating to your particular situation.

Where processing is based on your consent (Art. 6(1)(a) GDPR), you have the right to withdraw consent at any time (Art. 7(3) GDPR), without affecting the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, contact us via the details in our Legal Disclosure.

11. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority pursuant to Art. 77 GDPR. The competent authority for the controller is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Gustav-Stresemann-Ring 1
65189 Wiesbaden
Germany
datenschutz.hessen.de

12. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our data processing or legal requirements. The current version is always available at this URL. The date of the last update is noted at the top of this page.