Privacy Policy — Apuna (apuna.dev)

The controller within the meaning of Art. 4(7) GDPR is:

Apuna, Inhaber Till Hoffmeyer-Zlotnik (freiberufliches Ingenieurbüro / Einzelunternehmen)

Werftstraße 15-17 68159 Mannheim Deutschland

E-mail: hello@apuna.dev

Pursuant to §19 UStG (Kleinunternehmerregelung — small-business scheme), no value added tax is shown on invoices. Accordingly, no VAT identification number within the meaning of §27a UStG / §5 Abs. 1 Nr. 6 DDG has been issued.

For all data-protection matters write to: hello@apuna.dev

This privacy policy describes how Apuna processes personal data in connection with the operation of the website apuna.dev (the "Site"). It applies to all visitors and persons who contact us via the Site.

Personal data is processed in accordance with Regulation (EU) 2016/679 (GDPR) and, where applicable, the German Federal Data Protection Act (BDSG) and the German Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, TDDDG — the successor to the TTDSG, renamed in May 2024).

The principles of Art. 5(1) GDPR apply to every processing activity described here: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

This policy covers only the processing operations of the controller named in Section 1. Third-party websites linked from the Site are outside the scope of this policy.

The Site is hosted on Cloudflare Workers and served from Cloudflare's global edge network.

Processor: Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA ("Cloudflare").

Cloudflare acts as a processor (Art. 4(8) GDPR) under a Data Processing Addendum that incorporates the EU Standard Contractual Clauses (SCCs) pursuant to Commission Decision (EU) 2021/914 as the transfer mechanism for personal data flows to the United States, which is a third country within the meaning of Art. 44 GDPR. The EU–US Data Privacy Framework (adequacy decision, July 2023) additionally applies to Cloudflare's EU–US transfers; however, the controller relies on SCCs as a belt-and-braces measure pending any further judicial development.

When a visitor accesses the Site, Cloudflare automatically processes technical log data including: IP address (in full or truncated form), date and time of the request, URL requested, HTTP status code, volume of data transferred, referring URL, and the user-agent string of the browser or client. This data is required for the technical delivery of the Site and is processed in Cloudflare's infrastructure.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest. The legitimate interest is the secure and reliable technical operation of the Site, including the detection and defence against attacks (e.g. DDoS). The interests of data subjects are adequately protected by the SCC mechanism and Cloudflare's DPA.

Log data is retained by Cloudflare in accordance with Cloudflare's standard data retention practices; the controller does not operate a separate log archive. Data subjects may request further details from hello@apuna.dev.

Note: The fonts used on this Site (Inter, JetBrains Mono) are loaded exclusively from the Site's own origin. The Next.js font optimisation module downloads and self-hosts these font files at build time; no request is made to Google Fonts or any other third-party font CDN at runtime.

The Site provides a contact form. When you use this form, the following personal data categories are collected: first and last name, e-mail address, company name (optional), and the content of your message.

Purpose: processing your enquiry, preparing a possible contract or consultancy engagement, and communicating with you in that context.

Legal basis: Art. 6(1)(b) GDPR — processing is necessary for steps taken at the request of the data subject prior to entering into a contract. In so far as the enquiry does not lead directly to a pre-contractual relationship, the basis is Art. 6(1)(f) GDPR — legitimate interest in handling and responding to business enquiries.

Storage and deletion: Data submitted via the contact form is stored only as long as necessary to handle the enquiry and any resulting engagement. Once the matter is fully concluded and no further follow-up is required, the data is deleted unless statutory retention obligations require continued storage (e.g. six-year commercial records obligation under §257 HGB or ten-year fiscal records obligation under §147 AO, where applicable). No automated decision-making (Art. 22 GDPR) takes place in connection with the contact form.

Form submissions are delivered to us by e-mail; the message is dispatched through Brevo (Sendinblue SAS, 17 rue Salneuve, 75017 Paris, France), acting as a processor under Art. 28 GDPR. Brevo processes the data within the European Union (data centres in Belgium); the e-mail dispatch therefore involves no transfer to a third country within the meaning of Art. 44 GDPR. Brevo engages sub-processors listed in its Data Processing Agreement; its current processing and sub-processor information is published at https://www.brevo.com/legal/privacypolicy/. Further subprocessor details are available on request at hello@apuna.dev.

This Site uses no cookies of any kind — neither technically necessary cookies nor marketing, preference, or analytics cookies.

This Site uses no web analytics tools, no session-recording services, no heatmap tools, and no third-party tracking pixels. The contact and application forms load Cloudflare Turnstile, a privacy-preserving bot-protection widget that sets no tracking cookies and processes only the technical signals needed to distinguish humans from bots, on the basis of our legitimate interest in preventing spam and abuse (Art. 6(1)(f) GDPR); Cloudflare acts as a processor (see Section 3).

No consent banner or cookie consent management platform (CMP) is operated, because there is nothing to consent to.

This statement covers the technical state of the Site as of the date shown in Section 10. If cookies or analytics are introduced in future, this policy will be updated and, where required by §25 TDDDG, an appropriate consent mechanism will be implemented before any such processing begins.

You have the following rights with respect to your personal data:

Right of access (Art. 15 GDPR): You may request confirmation of whether we process personal data about you and, if so, a copy of that data together with the information listed in Art. 15(1) GDPR.

Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate personal data and the completion of incomplete data without undue delay.

Right to erasure (Art. 17 GDPR): You may request the deletion of your personal data where one of the conditions in Art. 17(1) GDPR applies, provided that no exception under Art. 17(3) GDPR applies (e.g. compliance with a legal obligation).

Right to restriction of processing (Art. 18 GDPR): You may request restriction of processing in the circumstances listed in Art. 18(1) GDPR, for example while the accuracy of data is contested.

Right to data portability (Art. 20 GDPR): Where processing is based on consent or contract and is carried out by automated means, you may request to receive your data in a structured, commonly used and machine-readable format and to have it transmitted to another controller, where technically feasible.

Right to object (Art. 21 GDPR): Where processing is based on Art. 6(1)(f) GDPR (legitimate interests), you have the right to object to processing on grounds relating to your particular situation. The controller will then cease processing unless it can demonstrate compelling legitimate grounds which override your interests, rights and freedoms.

To exercise any of these rights, contact: hello@apuna.dev. We will respond within one month of receipt of the request (Art. 12(3) GDPR); this period may be extended by a further two months where necessary, with notice.

We do not charge a fee for exercising these rights unless requests are manifestly unfounded or excessive (Art. 12(5) GDPR).

Without prejudice to any other administrative or judicial remedy, you have the right under Art. 77 GDPR to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

The supervisory authority competent for the controller is the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW), as the controller is based in Mannheim, Baden-Württemberg; it is reachable at https://www.baden-wuerttemberg.datenschutz.de. A list of all German supervisory authorities is also published by the Datenschutzkonferenz (DSK) at: https://www.datenschutzkonferenz-online.de

You also have the right to lodge a complaint with the supervisory authority in the Member State of your own habitual residence or place of work.

To exercise any right listed in Section 6, or to lodge any data-protection query, write to:

hello@apuna.dev

Please include enough information to identify the data at issue (e.g. the e-mail address used when submitting the contact form, and the approximate date of contact). We do not require you to use a specific form.

Identity verification: We may ask you to verify your identity before fulfilling a request, to ensure we do not disclose personal data to the wrong person. This check is proportionate and will not be used as a pretext to delay a response.

Response time: One month from receipt of the request (Art. 12(3) GDPR). Where a request is complex or numerous, we may extend the period by a further two months with advance notice.

Apuna accepts applications for open roles via the application form on this Site.

Data collected: chosen role, full name, e-mail address, LinkedIn profile URL (optional), a free-text field in which you describe your experience and motivation, and an optional CV/PDF document.

LinkedIn URL: if provided, the URL is stored solely as a reference link for a human reviewer to open manually in a browser. We do not scrape, crawl, or otherwise process LinkedIn automatically.

CV/PDF (optional): if you attach a CV, it is stored separately in object storage for a human reviewer only. It is never transmitted to Anthropic or any AI system — no AI processing is performed on the CV or its contents. It is deleted on the same retention schedule set out below, or earlier on request to career@apuna.dev.

Please do not include special-category data (Art. 9 GDPR) — such as health, disability, religion, ethnicity, or trade-union membership — in your application. We do not request it and will not use it.

Legal bases:

(a) Processing for the selection process — Art. 6(1)(b) GDPR in conjunction with §26(1) BDSG. Your name, e-mail address, chosen role, LinkedIn URL (if provided), and application text are processed to carry out pre-contractual steps at your request and to conduct the applicant-selection process.

(b) AI-assisted fit assessment — Art. 6(1)(a) GDPR in conjunction with §26(2) BDSG. If you give your express consent via the checkbox on the application form, your free-text field is transmitted to Anthropic PBC, USA, which generates an internal fit-assessment note as decision-support for our reviewers. This processing rests solely on your consent and is separate from the act of submitting your application. Consent is freely given and is not a condition of applying: to apply without AI-assisted assessment, send your application by e-mail to career@apuna.dev instead of using the online form. You may withdraw consent at any time with effect for the future by writing to career@apuna.dev; withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Processor and third-country transfer for AI assessment: Anthropic PBC, 548 Market Street, San Francisco, CA 94105, USA, acts as a processor within the meaning of Art. 4(8) and Art. 28 GDPR. Anthropic processes only the role applied for and the free-text you submit; it does not receive your name, e-mail address, LinkedIn URL, or any uploaded CV. The transmission constitutes a transfer to a third country (USA) within the meaning of Art. 44 GDPR. The transfer mechanism is the EU Standard Contractual Clauses pursuant to Commission Decision (EU) 2021/914. Anthropic is additionally certified under the EU–US Data Privacy Framework (adequacy decision, July 2023); the controller relies on the SCCs as a belt-and-braces measure pending any further judicial development.

Human decision-making: A human reviewer makes every hiring decision. There is no solely automated decision-making that produces a legal or similarly significant effect within the meaning of Art. 22(1) GDPR. We go beyond the Art. 22 minimum in any event: you have the right to obtain human intervention, to express your point of view, and to contest any assessment. To exercise these rights write to career@apuna.dev.

AGG — equal-treatment safeguard: The AI-generated assessment evaluates only job-relevant competencies as described in the role posting. It is not designed to evaluate and must not be used to evaluate any characteristic protected under §1 AGG (race, ethnic origin, sex, religion or belief, disability, age, sexual identity).

Retention and deletion: All application data — regardless of whether the consent checkbox was ticked — is deleted approximately six months after the conclusion of the selection process. The retention period is based on the two-month claim window under §15(4) AGG plus a reasonable administrative margin. Deletion is carried out by automatic expiry in the data store. No commercial or fiscal retention periods (§257 HGB; §147 AO) apply to applicant data.

Recipients: Application data is accessed internally only by persons involved in the selection process. Applications are delivered to the selection team by e-mail; the message is dispatched through Brevo (Sendinblue SAS, Paris, France) acting as a processor under Art. 28 GDPR. Brevo processes the data within the European Union (data centres in Belgium); the e-mail dispatch therefore involves no transfer to a third country within the meaning of Art. 44 GDPR. The AI-assessment note produced by Anthropic is internal only and is never disclosed to the applicant or to third parties outside the selection process.

Your rights: Sections 6 and 8 of this policy set out your rights of access, rectification, erasure, restriction, portability, and objection in full. In the context of applications, the right to erasure (Art. 17 GDPR) is particularly relevant: you may request deletion of your application data at any time before the automatic expiry by writing to career@apuna.dev. You also have the right to lodge a complaint with a supervisory authority (Section 7).

We reserve the right to update this privacy policy when the legal or technical basis for our processing changes, or when we introduce new processing activities. The current version is always available at apuna.dev/privacy (or the equivalent page in each language).

Material changes — in particular the introduction of new categories of processing, new processors, or new legal bases — will be communicated by updating the "Last updated" date and, where the change is significant, by a notice on the Site's start page.

Last updated: 2026-06-17