Privacy Policy

1. Controller

Authentic Memory gUG (haftungsbeschränkt)
c/o Pablo Toussaint
Wendelsteinstraße 3, 81541 München, Germany
Registered: Amtsgericht München, HRB 312015
Email: info@authenticmemory.org

Contact for privacy matters: Pablo Toussaint, reachable at the address and email above.

2. Competent Supervisory Authority

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
www.lda.bayern.de

3. Hosting

This website is hosted by Netlify, Inc., 512 2nd Street, Suite 200, San Francisco, CA 94107, USA. Netlify operates a global content delivery network; visitor requests are served from the geographically nearest edge location and may be processed in the United States and other countries. The basis for the engagement is a Data Processing Agreement (DPA, November 2023 version) which forms part of Netlify's self-serve subscription terms accepted at account creation; the DPA is available at netlify.com/gdpr-ccpa.

Netlify is certified under the EU-U.S. Data Privacy Framework and the UK Extension thereto (see dataprivacyframework.gov). Transfers of personal data to Netlify in the United States are therefore based on the European Commission's adequacy decision of 10 July 2023 (Art. 45 GDPR). The EU Standard Contractual Clauses apply as a fallback. Netlify maintains SOC 2 Type II and ISO 27001 certifications and operates a publicly listed set of sub-processors at netlify.com/legal/subprocessors.

Further information at netlify.com/privacy. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating a fast, secure, internationally reachable website).

4. Email Processing

Email sent to or received from any @authenticmemory.org address — including form notifications generated by this website — is processed by Infomaniak Network SA, Rue Eugène-Marziano 25, 1227 Les Acacias / Genève, Switzerland. Servers are located in Switzerland; Switzerland is recognised as a country with an adequate level of data protection under the European Commission's adequacy decision 2000/518/EC (renewed 2024). A Data Processing Agreement with Infomaniak is part of our subscription. Legal basis: Art. 6(1)(f) GDPR or, where the email itself constitutes pre-contractual or contractual communication, Art. 6(1)(b) GDPR.

5. Forms on this Website

The following overview summarises every form on this site, the data we collect, the legal basis, the retention period, and the recipients.

5.1 Contact form

When you submit the contact form on the home page, your input is processed in two parallel ways: (a) it is recorded by Netlify Forms (so the entry is captured even if email delivery fails) and (b) it is sent as an email via SMTP through Infomaniak to info@authenticmemory.org. We additionally process the technical metadata of the request (IP address, user agent, timestamp) as part of standard server logs, in order to recognise and prevent abuse (legal basis: Art. 6(1)(f) GDPR). Netlify Forms entries are automatically deleted after 60 days by a scheduled function in our infrastructure; the corresponding email in our Infomaniak mailbox is retained for as long as is necessary to handle your inquiry and is then deleted in line with general statutory retention duties.

5.2 Newsletter

When you subscribe to the newsletter, we store your email address and your consent in Netlify Forms. We are not currently sending out a newsletter. Once we launch one, you will receive a single confirmation email (double opt-in) asking you to explicitly opt in before any further mail is sent; only after that step does an actual subscription begin. Until then, your email address is held solely for the purpose of being invited to confirm. You can withdraw at any time by writing to info@authenticmemory.org; if no newsletter launch has occurred within 365 days of your sign-up, the stored entry is automatically deleted.

5.3 Job applications

The application form on /join-us is processed by a custom Netlify Function which forwards your submission via SMTP through Infomaniak directly to application@authenticmemory.org, with your CV file as an email attachment. Your CV file is not stored on Netlify infrastructure at any point; it exists only transiently in function memory for the duration of the request and is then held in our Infomaniak mailbox. This deliberate architectural choice ensures that CV files — which may contain special categories of personal data under Art. 9 GDPR, such as religious affiliation, ethnic origin, or a photograph — remain on infrastructure for which Switzerland's adequacy decision applies.

In the unlikely event that the direct SMTP delivery fails, the function posts the application metadata without the CV file (name, email, role, message, error category) to a separate Netlify Forms bucket so that we are notified of the failed delivery and can contact you to request your application by email. Such fallback entries are automatically deleted after 60 days.

Legal basis: Art. 6(1)(b) GDPR (steps prior to entering into an employment relationship at your request) in conjunction with § 26(1) sentence 1 of the German Federal Data Protection Act (BDSG). If you voluntarily include special categories of personal data (Art. 9 GDPR) in your CV or message, the legal basis for processing this information is your express consent given by submitting such data (Art. 9(2)(a) GDPR); you are not required to include such information and may redact your CV accordingly.

Retention: If you are not hired, we delete your application documents — in our mailbox and any local working copies — no later than six months after the conclusion of the application procedure (typically: six months after we send our rejection). This period accounts for the two-month time limit under § 15(4) German General Equal Treatment Act (AGG) plus a reasonable buffer. If you are hired, your data is transferred to your personnel file and processed on a separate legal basis. If you would like us to keep your application on file for future opportunities, we will do so only on the basis of your express consent for a defined longer period.

Recipients: Authentic Memory gUG (the controller, internal review by authorised hiring personnel only); Infomaniak (mail processor, Switzerland); Netlify (transient transit through the function only, no storage).

6. Server Logs

When you access this site, our hosting provider Netlify automatically processes technical request metadata — including IP address, user agent, referrer, requested URL, response status and timestamp — in order to deliver pages, prevent abuse and ensure the technical security of the service. These logs are processed at Netlify's edge nodes worldwide and retained in line with Netlify's standard retention policy (online for 90 days, offline for up to one year). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security, availability and abuse prevention).

7. Reach Measurement

We use Netlify Web Analytics, a privacy-preserving, server-side analytics product operated by our hosting provider. It is based exclusively on the technical request metadata that Netlify already processes to deliver the website (see section 6); it does not set any cookies, does not store any identifiers on your device, does not load any JavaScript tracker in your browser and does not build individual user profiles. The data is processed by Netlify in an aggregated form (pageviews, top paths, approximate country-level geography, referrers) and is not shared with third parties.

Because no information is read from or written to your device, Netlify Web Analytics does not require consent under § 25 TTDSG. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in understanding the reach and usability of our website without tracking individual visitors).

8. Fonts

The Inter typeface used on this site is self-hosted: font files are served from this site's own origin (via the @fontsource/inter package, bundled at build time). No connection is established to Google Fonts or any other external font service when you load this site.

9. Cookies and Similar Technologies

This website does not set marketing or analytics cookies. We do not use tag managers, advertising pixels, session-replay tools or social-media tracking embeds. Only strictly necessary technical state — for example, a transient honeypot value on form submission — may be processed in order for the site to function; this falls under § 25(2) Nr. 2 TTDSG (strictly necessary) and no consent banner is required.

10. Recipients and Third-Country Transfers

The following processors and recipients are involved in operating this site:

• Netlify, Inc. (USA) — hosting, forms processing, edge logging, web analytics. Transfer basis: EU-U.S. Data Privacy Framework (Art. 45 GDPR). DPA in place.
• Infomaniak Network SA (Switzerland) — email processing for all @authenticmemory.org addresses, including SMTP delivery of contact and application form submissions. Transfer basis: adequacy decision for Switzerland (Art. 45 GDPR). DPA in place.
• Netlify sub-processors as listed at netlify.com/legal/subprocessors (in particular Amazon Web Services for compute and storage).

No personal data is shared with any other recipient for marketing or commercial purposes.

11. Your Rights as a Data Subject

You have the right, under Articles 15 to 21 GDPR, to:

• obtain confirmation of and access to your personal data we process (Art. 15);
• have inaccurate data rectified (Art. 16);
• have your data erased (Art. 17);
• request a restriction of processing (Art. 18);
• receive your data in a portable format (Art. 20);
• object to processing based on Art. 6(1)(f) on grounds relating to your particular situation (Art. 21).

Where processing is based on your consent (Art. 6(1)(a) or Art. 9(2)(a) GDPR), you may withdraw that consent at any time with effect for the future, without affecting the lawfulness of processing carried out beforehand. To exercise any of these rights, please contact us at info@authenticmemory.org.

12. Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR (Art. 77 GDPR). The competent authority for us is the Bayerisches Landesamt für Datenschutzaufsicht (see section 2).

13. Updates to this Policy

We update this policy whenever our processing activities materially change. The "last updated" date at the top of this page reflects the most recent change. If we plan to use existing data for a materially new purpose, we will inform you in advance and where required obtain your consent.