Privacy policy
Last updated: 2026-05-14
The German version of this page at /datenschutz is the legally controlling version. This English translation is provided for convenience.
This privacy policy covers Annal, available at https://annal.eu (a private journal for the small data of your life).
1. Controller
Controller within the meaning of the GDPR and other national data protection laws:
Mario Olivio Flores
Grunewaldstr. 27
10823 Berlin
Deutschland
Email: info@annal.eu
Phone: +49 176 45945974
2. Data protection officer
We are not required to appoint a data protection officer (§ 38 BDSG in conjunction with Art. 37 GDPR). For questions about your rights, please use the contact above.
3. General principles
We process personal data only as far as necessary to provide a functional website and our content and services. Processing is regularly based on either consent (Art. 6 (1) (a) GDPR), contract performance (Art. 6 (1) (b) GDPR), legal obligation (Art. 6 (1) (c) GDPR), or legitimate interest (Art. 6 (1) (f) GDPR).
4. Server logs
When you access this website, our system automatically collects data from the requesting computer.
We collect:
- IP address
- Date and time of access
- Requested URL
- Referrer URL
- User agent (browser, operating system)
- HTTP status code and bytes transferred
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in operating the service securely and reliably).
Retention: Log files are deleted after 14 days at the latest, or anonymized by truncating the IP address, unless a security incident requires longer retention.
5. Cookies and local storage (§ 25 TDDDG)
We use only strictly necessary cookies and session storage required to provide the service (e.g. session continuity after login, CSRF protection). Consent under § 25 (1) TDDDG is not required for these (§ 25 (2) No. 2 TDDDG).
We do not use tracking cookies, marketing pixels, or third-party analytics.
6. User accounts
To create and use an account we process:
- Email address
- Password (stored only as a cryptographic hash)
- Optional profile data you provide yourself
- Login and activity timestamps
Legal basis: Art. 6 (1) (b) GDPR (contract performance).
Retention: Until you delete your account. Statutory retention obligations for invoice-relevant data (typically 6–10 years under § 147 AO and § 257 HGB) remain unaffected.
7. Email contact
If you email us, the transmitted data (sender address, message content, attachments) is stored for the purpose of handling the request.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in answering inquiries), or Art. 6 (1) (b) GDPR where the request is contract-related.
Retention: Until the matter is closed and no retention obligations remain.
8. Recipients and processors
We use the following processors (Art. 28 GDPR):
| Service | Provider | Location | Purpose |
|---|---|---|---|
| Server hosting | Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen | Germany (EU) | Server infrastructure. Server location: Falkenstein, Nuremberg, or Helsinki. |
| DNS | deSEC e.V., Berlin | Germany (EU) | Resolution of annal.eu. No personal user data is sent to deSEC; DNS queries originate from the client/resolver. |
Data processing agreements (Art. 28 GDPR) are in place with all processors.
9. International transfers
Personal data is not transferred to third countries outside the European Economic Area (EEA). All processors are headquartered and operate within the EEA.
10. Security
We take technical and organizational measures pursuant to Art. 32 GDPR to protect your data against loss, destruction, manipulation, and unauthorized access. These include in particular:
- Transport encryption for all connections using TLS 1.3 (Let's Encrypt)
- Stored passwords hashed with modern password-hashing algorithms (Argon2 / bcrypt)
- Encrypted database backups
- Regular security updates of all software in use
- Access to production infrastructure restricted via SSH keys and firewall
11. Your rights
If your personal data is being processed, you are a data subject under the GDPR and have the following rights against the controller:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing (Art. 21 GDPR)
- Withdrawal of consent (Art. 7 (3) GDPR) — the lawfulness of processing before withdrawal remains unaffected
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
Send requests to: info@annal.eu.
12. Competent supervisory authority
Berlin Commissioner for Data Protection and Freedom of Information
(Berliner Beauftragte für Datenschutz und Informationsfreiheit)
Friedrichstr. 219, 10969 Berlin
mailbox@datenschutz-berlin.de
https://www.datenschutz-berlin.de
13. Changes to this policy
We reserve the right to adjust this privacy policy so that it always complies with current legal requirements or to reflect changes to our services. The new policy will then apply to your next visit. The current version is always available at https://annal.eu/privacy.