Your data, handled carefully.

The controller for personal data processed via this website is:

Yurii Vasilyev, trading as Xerx (sole proprietor / Einzelunternehmer)

Anna-Dengel-Straße 6, Top C31, 6020 Innsbruck, Austria

Email: hello@xerx.io

We have not appointed a Data Protection Officer (no statutory obligation under Art 37 GDPR for an organisation of this size). Privacy queries are handled directly by the controller at the email above.

Contact form. When you fill in the contact form on /contact, we process the information you provide — your name, email address, and optional fields you choose to fill in (company, project type, budget range, timeline preference) — together with the body of your message. Legal basis: Art 6(1)(b) GDPR (taking steps at your request to enter into a contract). We need this to reply to your enquiry; without it we can't.

Server logs. Our hosting provider (Vercel) processes basic request metadata — IP address, user agent, request timing, response status — for security, anti-abuse, and performance diagnostics. Legal basis: Art 6(1)(f) GDPR (legitimate interest in keeping the site online and protecting it from abuse).

Analytics, only after you opt in. If you grant analytics consent through the cookie banner, PostHog records pseudonymous events — page views, session length, click and scroll behaviour at an aggregate level. IP addresses are truncated; we do not enable session recordings; we do not attempt to re-identify visitors. Legal basis: Art 6(1)(a) GDPR (your consent). You can withdraw at any time via the 'Manage cookies' link in the footer.

We use a small set of third-party processors. Each is bound by a Data Processing Agreement (DPA) and processes data only on our documented instructions. Where international transfers occur, they are covered by the EU-US Data Privacy Framework (DPF) and, additionally, the Standard Contractual Clauses (SCCs).

Vercel Inc. (United States, DPF certified). Hosting and edge functions for the site. Processes server-log metadata (IP, user agent, request timing).

Resend Communications, Inc. (United States, DPF certified). Sends contact-form submissions to our inbox and the confirmation email back to you. Processes the form payload only for the duration of the email delivery, then drops it.

PostHog, Inc. (United States, DPF certified). Pseudonymous product analytics. Loads and runs only after you grant analytics consent. IPs are truncated; session recording is disabled.

WordPress at cms.xerx.io (operated by us, hosted in the EU). Renders blog content. No personal data is collected from visitors via the blog — the CMS only serves published articles and is not a tracking surface.

Contact-form submissions. Kept for as long as the resulting client relationship is active, plus the statutory retention period for invoicing and tax records — seven years under §132 Bundesabgabenordnung (BAO). Submissions that don't lead to a client relationship are deleted within twelve months.

Server logs. Retained by Vercel for thirty days, then deleted automatically.

Analytics events. Retained for twelve months, then aggregated or deleted.

Vercel, Resend, and PostHog process personal data in the United States. Each is certified under the EU-US Data Privacy Framework (DPF), and transfers are additionally covered by the Standard Contractual Clauses (SCCs) where applicable. You can request copies of our DPAs and the supplementary safeguards by writing to hello@xerx.io.

You have the right to: access the data we hold about you (Art 15 GDPR); have it corrected (Art 16); have it erased (Art 17, the 'right to be forgotten'); restrict its processing (Art 18); receive a copy in a portable format (Art 20); object to processing carried out under our legitimate interest (Art 21); and withdraw consent at any time without affecting the lawfulness of any processing carried out before withdrawal (Art 7(3)).

To exercise any of these rights, write to hello@xerx.io. We respond within thirty days. There is no fee, except where requests are manifestly unfounded or excessive (Art 12(5)).

You can lodge a complaint with the Austrian Data Protection Authority (Österreichische Datenschutzbehörde / DSB) at any time, regardless of any other administrative or legal remedy:

Barichgasse 40-42, 1030 Vienna, Austria. Phone: +43 1 52 152-0. Email: dsb@dsb.gv.at. Website: https://www.dsb.gv.at.

This site is not directed at children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us with their data, write to hello@xerx.io and we will delete it without delay.

When we update this policy we update the 'last updated' date at the top of this page. Material changes are surfaced as a notice at the top of the next page load so you have a chance to review them before continuing.