Skip to content
Privacy Policy

How we handle personal data GDPR-compliant, practical, and transparent

This page explains what data we process, why we process it, which providers are involved, how long we keep data, and your rights under the GDPR.

Last updated: 2026-01-21
Plain language: We do not sell personal data. We process data only to deliver services, keep systems secure, and meet legal obligations.

1. Controller Information

Stepien Digital is established in Germany and acts as the data controller within the meaning of the General Data Protection Regulation (GDPR).

Controller
Fernando Stepien
VAT ID: DE454302821
Address: Hauptstraße 23, 76549 Hügelsheim, Germany.

2. Scope of This Privacy Policy

This Privacy Policy explains how personal data is collected, processed, and protected when you use Stepien Digital services, websites, and communication channels.

It applies to visitors, prospects, business clients, and contacts who reach out via email, web forms, social platforms, or other channels used to deliver our services.

3. Data We Process

We may process the following categories of personal data, depending on the interaction and service scope.

Business contact details
Names, company name, job title, business address, and other contact details shared in a business context.
Email addresses and phone numbers
Used to respond to inquiries, coordinate onboarding, and provide support.
Website content provided by clients
Text, images, and business information provided for website creation and ongoing maintenance.
Technical usage data
Device information, browser type, basic usage telemetry, and server logs needed to operate and secure services.
Billing information
Payment related metadata processed via Stripe and basic billing details required for invoicing and accounting.
Communication data
Messages and attachments you send us, plus related metadata such as timestamps and subject lines.
We do not intentionally collect special categories of personal data unless you explicitly provide them and their processing is necessary for a lawful purpose.

4. Purpose of Processing

We process personal data to provide services, operate websites, manage digital presence, maintain secure systems, communicate with clients, handle billing, and comply with legal obligations.

Service delivery
Creating, operating, and maintaining websites, landing pages, and related infrastructure.
Security
Preventing abuse, protecting services, and monitoring availability and performance.

Legal bases may include performance of a contract, legitimate interests, and compliance with legal obligations. When consent is required, we request it clearly and specifically.

5. Hosting and Infrastructure

Websites and databases are hosted on SmarterASP.NET. DNS and security services are managed through Cloudflare. Media and static assets may be stored and delivered via Cloudflare R2.

SmarterASP.NET hosting
Hosts application runtime, databases, and operational logs required for stability and security.
Cloudflare DNS and security
Provides DNS management, security features, and protective layers to reduce malicious traffic and abuse.
Cloudflare R2 storage
Stores and serves media and assets that improve performance and reliability.
Private backups
Private repositories may be used for version control and disaster recovery where necessary for a specific project.
Infrastructure choices focus on availability, security, and consistent delivery for clients and visitors.

6. Third Party Services

We use third party services only when needed to deliver services, run infrastructure, process payments, improve security, or support operations.

Stripe
Payment processing and billing workflows. Stripe processes payment related data as an independent controller or processor depending on context.
Cloudflare
DNS, security features, and delivery of static assets. Cloudflare may process technical connection data to provide security and performance.
SmarterASP.NET
Application and database hosting, including the technical logs required to operate services securely.
GitHub
Private repositories and backups used for version control and disaster recovery, when applicable.

When we rely on providers, we aim to use appropriate contractual protections and technical safeguards.

7. Cookies and Technical Data

Our websites process technical data needed to display pages, protect services, prevent abuse, and measure aggregate usage. This can include server logs, IP addresses, request metadata, and security or analytics signals. We use Cloudflare Web Analytics instead of Google Analytics and avoid marketing or behavioral tracking technologies on this website.

Essential cookies
Cookies required for core site functionality may be used, such as session handling and security protection.
Security logs
Logs may include timestamps, request paths, and technical identifiers used to detect and block malicious traffic.
This Stepien Digital website uses Cloudflare Web Analytics instead of Google Analytics. It is designed to operate without marketing cookies or cross-site tracking. Additional safeguards are used to protect the website against abuse.

8. Communication

When you contact us, we process the data you provide to respond, document the request, and support service delivery.

Communication data can include message content, attachments, and technical metadata. We keep communication data as long as needed to handle the request and meet legal obligations.

9. Billing and Payments

Billing information may be processed to issue invoices, manage ongoing services, and maintain accounting records. Payments may be processed through Stripe.

We do not store full card details on our systems. Payment card data is handled by Stripe according to their security standards.

10. Data Retention

We keep personal data only as long as necessary for the stated purposes and to comply with legal retention duties.

Contract and billing records
Retained according to legal accounting and tax obligations in Germany.
Support and communication
Retained for a reasonable time to resolve requests and maintain service continuity.
Security logs
Retained for security monitoring, incident response, and abuse prevention, then deleted or anonymized when no longer needed.

11. International Transfers

Depending on the providers used, personal data may be processed in different countries. Where international transfers occur, we aim to rely on appropriate safeguards, such as contractual protections and security measures.

12. Data Subject Rights

Data subjects have the right to access, rectify, erase, restrict processing, object, and request data portability in accordance with GDPR.

How to exercise rights
Send a request to the email address listed in the Contact section. [email protected]We will review and respond to your request in accordance with applicable legal requirements.
Identity verification
We may request verification to protect your data from unauthorized access.
You may also have the right to lodge a complaint with a supervisory authority.

13. Security Measures

Stepien Digital uses transport encryption, firewall protections, access controls, and monitoring measures to safeguard personal data.

Encryption
TLS encryption is used for data in transit whenever supported and applicable.
Access controls
Access to administrative systems is restricted on a need-to-know basis and in accordance with the principle of least privilege.
Monitoring
Monitoring and alerting to detect incidents, downtime, and suspicious activity.

14. Limitation of Liability

Stepien Digital is not responsible for the misuse of its services, unlawful content provided by clients, or actions taken by third-party platforms.

Clients remain responsible for the legality of content they provide, and for compliance obligations that apply to their specific business activities.

15. Updates to This Policy

This Privacy Policy may be updated to reflect legal or technical changes. The current version is published on the website.

This Privacy Policy is provided in English for convenience. In the event of discrepancies or interpretation issues, the German version shall prevail.