Privacy Policy

1. Controller

The controller within the meaning of the GDPR is:
Julius T. Geiger
Esterházygasse 18/15
1060 Vienna
Austria
Email: julius.geiger.pm@gmail.com

2. Overview

This is a personal essay site. The personal data processed through this site is limited to what is described below: technical data required to deliver the site (Section 3), cookieless first-party analytics that runs without setting any identifier on your device (Section 4), the newsletter sign-up (Section 5), and any data you provide when you contact me by email (Section 6). There are no third-party trackers, no advertising, and no cross-site tracking. Because no identifier is stored in your browser, no cookie consent banner is shown.

3. Server log files (hosting)

This website is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. When you access the site, the hosting provider processes the following technical information on a temporary basis:

• IP address of the requesting device
• Date and time of the request
• URL accessed
• HTTP status code and amount of data transferred
• Referrer and user-agent string

The legal basis is Art. 6(1)(f) GDPR (legitimate interest in stable and secure delivery of the website). This processing is technically necessary to serve the site at all.

Since Vercel is based in the United States, a transfer of data to a third country may occur. Vercel is certified under the EU-U.S. Data Privacy Framework and provides Standard Contractual Clauses. Details: vercel.com/legal/privacy-policy.

4. Analytics (cookieless, first-party)

To understand which essays resonate, this site runs first-party analytics that does not set any cookie, does not read or write anything in localStorage, sessionStorage or IndexedDB on your device, and does not use device fingerprinting. Because nothing is stored on or read from your terminal, the consent requirement of § 25 TDDDG / Art. 5(3) ePrivacy Directive is not triggered, and no consent banner is shown.

Legal basis for the server-side processing: Art. 6(1)(f) GDPR (legitimate interest in understanding which content is read, so the site can be improved). The balancing test under Art. 6(1)(f) falls in favour of processing because (a) your IP address is never stored, (b) the only per-visitor signal is an irreversible hash that resets every UTC midnight, (c) no data is shared with third parties, and (d) no profile is built across days, sessions or devices.

The following data is recorded:

• The URL path you visit and the referring page. Query parameters that could carry personal data are stripped.
• A coarse device category (mobile / tablet / desktop) and a country code derived from the IP address by the hosting provider.
• A daily-rotating pseudonymous hash: sha256 of your IP address + user-agent string + the current UTC date + a server secret. This hash is the only per-visitor signal that exists. Because the date is part of the input, the hash changes every UTC midnight, which makes it impossible to recognise you the next day. The raw IP and user-agent are not stored.
• Reading-behaviour signals on essay pages: visible time on the page, maximum scroll depth, count of tab switches, time spent per section heading, words-per-minute reading pace, whether text was selected or copied (the length and location, never the content), where the reader paused for more than five seconds, which figures were visible, and which links were hovered without being clicked. All of these are attached to the daily hash above, never to a long-lived identifier.
• For the newsletter form: whether the form came into view, where on the page it appeared, time spent in each input field, and whether the form was submitted.
• Browser context recorded once per tab session: viewport width bucket, connection-speed category, IANA timezone, browser language, color-scheme and reduced-motion preferences.

Explicitly not recorded: your IP address, the contents of any text you select or copy, full user-agent strings, the parameters of any link you follow, any persistent identifier across days, or any cross-site tracking signal.

All analytics data is stored in a database hosted in the EU (Neon, Frankfurt region) and is retained for as long as is necessary to spot multi-month trends — typically 24 months — after which it is aggregated and the raw rows are deleted. No analytics data is shared with third parties.

Automatic opt-out: this site honours the Global Privacy Control and Do-Not-Track signals. If your browser or a privacy extension sends either, no analytics request is recorded — no page view, no event, nothing. You do not need to do anything else.

You also have the right to object to this processing under Art. 21 GDPR at any time, free of charge, by sending an email to the address in Section 1. Because no identifier links the analytics rows to you personally, an objection is implemented by stopping all further collection for the IP range or pattern you describe and, where still attributable, deleting existing rows.

5. Cookies set by this site

This site sets no cookies for visitors. The only cookies that may ever be written are administrative cookies set on the site operator's own devices after a successful admin login:

• admin_session — authenticates the site operator to the admin area.
• va_optout / va_devid— written automatically on any device that has been logged in as admin, so the operator's own traffic is excluded from public analytics and can be inspected per device in a separate admin view.

These cookies are strictly necessary for the admin functionality the operator explicitly uses and are exempt from consent under Art. 5(3) ePrivacy. They are never set for normal visitors.

6. Newsletter

If you sign up for the newsletter via the form on this site, the data you submit (first name, last name, email address) is stored for the purpose of sending you new essays by email. Legal basis: Art. 6(1)(a) GDPR (consent) — the consent text you saw is stored verbatim alongside your record. Your IP address and user-agent at submission are stored for spam protection. The data is kept until you unsubscribe; every newsletter email contains a one-click unsubscribe link.

7. Contact by email

If you contact me by email, your message and the data provided (name, email address) will be processed to handle your request. Legal basis: Art. 6(1)(b) or (f) GDPR. The data will be deleted as soon as it is no longer needed for the purpose for which it was collected.

8. Your rights

Under the GDPR you have the following rights: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21). Please send requests to the email address above.

You also have the right to lodge a complaint with the Austrian Data Protection Authority: dsb.gv.at.

9. External links

This site contains links to external websites. The operators of those sites are solely responsible for their content and their handling of personal data. This privacy policy does not extend to third-party sites; please consult the privacy notices of the respective providers.

10. Children's privacy

This site is not directed at children under the age of 16 and does not knowingly collect personal data from them. If you believe a child has provided personal data via this site, please contact me at the address above and the data will be deleted.

11. Changes to this policy

This policy will be updated if data processing changes (e.g. when analytics or forms are added). Last updated: May 27, 2026.