Privacy policy
This Privacy Policy informs you under Article 13 of the General Data Protection Regulation (GDPR) which personal data we process when you request our free handout, create a customer account, purchase paid content, or use our learning area.
This English version is provided for readability. Where legal wording matters, the German version is authoritative.
1. Controller
The controller responsible for data processing under the GDPR is:
Bernhard Götzendorfer
Rittingergasse 15/11
1210 Vienna
Austria
Email: office@gotzendorfer.at
2. Data we process
Depending on how you use our offering, we process:
- Newsletter / free handout: your email address (required), optionally your first name, and your IP address plus the timestamps of signup and confirmation (to document consent as part of the double opt-in process)
- Customer account: your email address and the times of your sign-ins (login timestamps)
- Order data: the product purchased, the price, a reference to the Stripe payment session, and links to the related invoices
- Learning progress & feedback: your progress in the learning area (e.g. completed lessons) and any optional feedback you provide on individual lessons
- Personalised PDF: for the optional PDF add-on, an individual watermark based on your buyer identifier (name or email) is embedded in the document
3. Purpose of processing
We use the newsletter signup data only to send you the requested free handout and to occasionally email you practical tips and notes about AI agents and AI automation. We process account, order, and learning progress data to provide you with the purchase, the login, and the use of the learning area, and to comply with our statutory retention obligations.
4. Legal basis
The legal basis for processing the newsletter signup is your consent under Article 6 para. 1 lit. a GDPR. Processing your IP address and timestamps to document the signup process is also based on our legitimate interest in proving consent (Article 6 para. 1 lit. f GDPR). The further processing operations (account, purchase, learning area) are based on the legal grounds set out in the sections below.
5. Customer account & login (magic link)
You can create a customer account to access the learning area. Sign-in works via a magic link: you receive a login link by email, no password is required. For this we process your email address and the times of your sign-ins. We operate the auth service and the related database through Supabase as a processor (see “Processors”). To keep your signed-in session active, technically necessary session cookies (prefix sb-) are set. The legal basis is the performance of the usage contract for the learning area (Article 6 para. 1 lit. b GDPR). We store this data until your account is deleted.
6. Purchase & payment (Stripe)
You can purchase paid content through our checkout. Payment is processed by Stripe (Stripe Payments Europe, Ltd. / Stripe, Inc.), which largely acts as an independent controller for this and is certified under the EU-U.S. Data Privacy Framework (DPF). You enter your name, email address, and payment details directly with Stripe; we do not receive full payment data (e.g. card numbers). We only store an order ledger with product, price, and payment reference, plus links to your invoices. The legal grounds are the performance of the contract (Article 6 para. 1 lit. b GDPR), compliance with statutory retention obligations — Article 6 para. 1 lit. c GDPR in conjunction with the seven-year retention period under Section 132 of the Austrian Federal Fiscal Code (BAO) — and our legitimate interest in fraud prevention (Article 6 para. 1 lit. f GDPR).
7. Learning progress & feedback
Within the learning area we store your learning progress (e.g. which lessons you have completed) and any optional feedback you provide on individual lessons. This data is strictly limited to providing and improving the learning area and is associated only with your account. The legal basis is the performance of the contract (Article 6 para. 1 lit. b GDPR).
8. Personalised PDF watermarks
The optional PDF add-on is generated individually for you on request. A buyer identifier (your name or email address) is embedded as a visible watermark in the PDF (footer line on the document pages). The purpose is to prevent unauthorised sharing and to safeguard our legal claims in the event of misuse. The legal basis is our legitimate interest in protecting our content (Article 6 para. 1 lit. f GDPR).
9. Double opt-in
Signup uses a double opt-in process: after you enter your email address, we send you a confirmation email. Your signup only becomes effective, and you are only added to the mailing list, after you click the confirmation link in that email. This helps ensure that the signup actually came from you.
10. Retention period
If you do not confirm your signup, we delete the data collected during signup (email address, optional first name, IP address, timestamp) no later than after 30 days. After confirmation, we store your data for as long as you have consented to receiving our emails. If you withdraw your consent or unsubscribe, we delete your data unless statutory retention obligations prevent this. We store account, learning progress, and feedback data until your account is deleted; we retain order and invoice data for seven years (Section 132 BAO) due to tax obligations.
11. Processors
We use carefully selected service providers as processors to provide our services. We have data processing agreements with them under Article 28 GDPR.
- Email delivery: Resend: Confirmation and newsletter emails are sent via Resend. A data processing agreement (DPA) is in place with Resend. Data may be transferred to the United States; such transfers are protected by appropriate safeguards, including EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework (DPF).
- Hosting: Vercel: This website is hosted by Vercel, which acts as a processor. Data may also be transferred to the United States here, protected by EU Standard Contractual Clauses (SCCs).
- Account, orders & learning progress: Supabase: We manage the magic-link login, the consent ledger, the order ledger, and your learning progress through Supabase. Processing is carried out on the basis of a data processing agreement; where data is transferred to third countries, this is done on the basis of EU Standard Contractual Clauses (SCCs) or the EU-U.S. Data Privacy Framework (DPF).
- Payment processing: Stripe: Stripe processes payments and, for the core payment processing, largely acts as an independent controller(see “Purchase & payment”). Stripe is certified under the EU-U.S. Data Privacy Framework (DPF).
12. Fonts
The fonts used on this website are served self-hosted, directly from our server (same origin). We do not call the Google Fonts CDN, so your IP address is not transmitted to Google through fonts.
13. Cookies
This website uses only technically necessary cookies. No tracking or marketing cookies run without your consent. In detail:
sb-… (auth session): keeps your signed-in session in the learning area active (magic-link login). Strictly necessary.NEXT_LOCALE(language choice): stores the language you selected. Strictly necessary for the language switcher to function.ab-cookie-consent(cookie decision): stores your decision about cookie usage. This cookie is only set when an optional web analytics service is active.
These cookies are technically necessary and exempt from consent under Section 165 para. 3 of the Austrian Telecommunications Act (TKG 2021). There is no profiling and no automated decision-making.
14. Discord community
We optionally offer a community via Discord. If you use the Discord invite link, you reach a platform operated by Discord Inc. (USA), which requires your own Discord account. Use is voluntary and is not a prerequisite for accessing our content. Discord is certified under the EU-U.S. Data Privacy Framework (DPF); EU Standard Contractual Clauses (SCCs) apply in addition. Discord itself is responsible for the data processing on Discord; details can be found at discord.com/privacy.
15. Use of AI tools
Our website, its content, and the products offered are developed with the help of AI coding tools (including Anthropic Claude Code and OpenAI Codex). Every publication undergoes human review; editorial responsibility lies with Bernhard Götzendorfer. No personal customer data is transmitted to the AI providers in the process. Further information can be found on our AI transparency page.
16. Your rights as a data subject
Under the GDPR, you have the following rights:
- right of access (Article 15 GDPR)
- right to rectification (Article 16 GDPR)
- right to erasure (Article 17 GDPR)
- right to restriction of processing (Article 18 GDPR)
- right to data portability (Article 20 GDPR)
- right to object to processing (Article 21 GDPR)
You can also withdraw your consent at any time with effect for the future, without affecting the lawfulness of processing carried out before withdrawal. You can withdraw consent informally by email to the address above or through the unsubscribe link in any email.
17. Right to lodge a complaint with the supervisory authority
Without prejudice to other legal remedies, you have the right to lodge a complaint with a data protection supervisory authority. In Austria, this is the Austrian Data Protection Authority (DSB): www.dsb.gv.at.
Last updated: 12 June 2026