Skip to main content

Legal

Privacy

This privacy notice covers the website, contact flows and optional analytics and marketing services.

Updated: 1. Juli 2026

Controller

Controller
Marsel Nenaj, Nenaj
Address
Seitenstettengasse 5/37, 1010 Wien
Email
hallo@nenaj.at

Cookies and consent

Strictly necessary cookies and storage are used for security, access protection and consent management. Analytics, ads and pixels load only after active consent.

  • nenaj_access: signed access cookie for protected preview deployments, time-limited and technically necessary (not set on the public website).
  • nenaj_cookie_consent_v1: local storage of your cookie choices including timestamp and ID as proof of consent (browser storage, never sent to the server).
  • After “Statistics” consent: Google Analytics 4 (via Google Tag Manager) sets cookies such as _ga and _ga_* for pseudonymous reach measurement (retention up to 2 years).
  • After “Marketing” consent: Google may enable advertising and remarketing features via Tag Manager (Consent Mode ad_storage/ad_personalization; possibly cookies such as _gcl_*). No separate advertising pixel is currently embedded.

You can review or change your choices at any time.

Hosting and delivery through Netlify

The website is delivered through Netlify (Netlify, Inc.). On access, the hosting provider processes technically necessary data such as IP address, timestamp, requested URL, referrer, browser and device information, log data plus security and CDN data.

Purposes include delivery, stability, security, abuse detection, error analysis and technical maintenance. The legal basis is our legitimate interest in secure, stable delivery (Art. 6(1)(f) GDPR).

Contact inquiries: transfer and storage

If you contact us by email or through the inquiry flow, we process data you submit, such as name, company, email address, phone number, project details and message content. Providing an email address and message is required to handle the inquiry; other fields are optional.

The inquiry is processed via Netlify Forms (provider Netlify, Inc.): the data you enter is transmitted to Netlify, stored there and delivered to us by email notification. No own backend or external CRM or marketing services are used for this.

Processing serves inquiry handling, offers, contract preparation and follow-up (Art. 6(1)(b) and (f) GDPR). Inquiries that do not lead to an engagement are deleted after 90 days at the latest.

AI Academy waitlist

On the Academy page you can join a waitlist with your email address to be notified at launch. Processing takes place via Netlify Forms (Netlify, Inc.) based on your consent (Art. 6(1)(a) GDPR). We use the address solely for the launch notification and delete it after launch or on withdrawal; you can withdraw at any time by emailing us.

Security and abuse prevention

To protect against abuse (such as spam via the inquiry flow) we use rate limiting. The IP address is processed briefly as a technical key to limit the number of requests per time window. The legal basis is our legitimate interest in abuse-free operation (Art. 6(1)(f) GDPR).

Error monitoring (self-hosted)

For technical stability we may capture application errors via a self-hosted, Sentry-compatible monitoring on our own infrastructure within the EU. We process technical error data such as the error message, stack trace, affected page or route, browser and device information and the timestamp.

We deliberately do not send directly identifying content. The legal basis is our legitimate interest in stable, secure operation (Art. 6(1)(f) GDPR). The data does not leave the EU and is used only internally for debugging.

Google Analytics 4 and Google Tag Manager

We use Google Analytics 4, integrated via Google Tag Manager (provider in each case Google Ireland Limited), for pseudonymous reach and usage analysis. These services load only after your “Statistics” consent; without consent no Google script runs.

We use Google Consent Mode v2: before consent, analytics_storage, ad_storage, ad_user_data and ad_personalization are set to “denied”. After consent, page views, interactions, device and browser data, a truncated IP address, approximate location, referrer, campaign parameters and pseudonymous identifiers may be processed. The legal basis is your consent (Art. 6(1)(a) GDPR in conjunction with § 165(3) TKG 2021); you can withdraw it at any time via the cookie settings.

Recipients and international transfers

The recipient is the hosting provider Netlify (Netlify, Inc.), which delivers the website and processes the contact inquiries via Netlify Forms. After your consent, Google (Google Ireland Limited, possibly Google LLC) for analytics and tag manager is added as a recipient.

Netlify and Google may process data outside the EEA (in particular the USA). The transfer relies on appropriate safeguards under Art. 44 et seq. GDPR, in particular the EU-US Data Privacy Framework (where the provider is certified) or EU Standard Contractual Clauses. You can obtain a copy or the location of these safeguards on request by emailing the controller. Full protection equivalent to the EU level cannot always be guaranteed with US services.

Retention

Contact inquiries without an engagement: deleted after 90 days at the latest. Contract and invoice records: seven years under statutory tax retention duties (§ 132 BAO). Server and security logs: short-term.

Your cookie consent remains in the browser until you change your choice or a new consent version is introduced.

Your rights

Data subjects have GDPR rights to access, rectification, erasure, restriction, portability, objection and withdrawal of consent with future effect. The lawfulness of processing carried out before withdrawal remains unaffected.

You may also lodge a complaint with the Austrian Data Protection Authority: Barichgasse 40-42, 1030 Vienna, dsb@dsb.gv.at.

Provider

Privacy for website, contact flows and marketing setup.Back to homepage