Privacy Policy — Apuna (apuna.dev)

1. Controller

The controller within the meaning of Art. 4(7) GDPR is:

Apuna, Inhaber Till Hoffmeyer-Zlotnik (freiberufliches Ingenieurbüro / Einzelunternehmen)

Werftstraße 15-17, 68159 Mannheim, Deutschland

E-mail: hello@apuna.dev

Pursuant to §19 UStG (Kleinunternehmerregelung — small-business scheme), no value added tax is shown on invoices. Accordingly, no VAT identification number within the meaning of §27a UStG / §5 Abs. 1 Nr. 6 DDG has been issued.

For all data-protection matters write to: hello@apuna.dev

2. General Principles and Scope of this Policy

This privacy policy describes how Apuna processes personal data in connection with the operation of the website apuna.dev (the "Site"). It applies to all visitors and persons who contact us via the Site.

Personal data is processed in accordance with Regulation (EU) 2016/679 (GDPR) and, where applicable, the German Federal Data Protection Act (BDSG) and the German Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, TDDDG — the successor to the TTDSG, renamed in May 2024).

The principles of Art. 5(1) GDPR apply to every processing activity described here: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

This policy covers only the processing operations of the controller named in Section 1. Third-party websites linked from the Site are outside the scope of this policy.

3. Hosting — Cloudflare Workers

The Site is hosted on Cloudflare Workers and served from Cloudflare's global edge network.

Processor: Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA ("Cloudflare").

Cloudflare acts as a processor (Art. 4(8) GDPR) under a Data Processing Addendum that incorporates the EU Standard Contractual Clauses (SCCs) pursuant to Commission Decision (EU) 2021/914 as the transfer mechanism for personal data flows to the United States, which is a third country within the meaning of Art. 44 GDPR. The EU–US Data Privacy Framework (adequacy decision, July 2023) additionally applies to Cloudflare's EU–US transfers; however, the controller relies on SCCs as a belt-and-braces measure pending any further judicial development.

When a visitor accesses the Site, Cloudflare automatically processes technical log data including: IP address (in full or truncated form), date and time of the request, URL requested, HTTP status code, volume of data transferred, referring URL, and the user-agent string of the browser or client. This data is required for the technical delivery of the Site and is processed in Cloudflare's infrastructure.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest. The legitimate interest is the secure and reliable technical operation of the Site, including the detection and defence against attacks (e.g. DDoS). The interests of data subjects are adequately protected by the SCC mechanism and Cloudflare's DPA.

Log data is retained by Cloudflare in accordance with Cloudflare's standard data retention practices; the controller does not operate a separate log archive. Data subjects may request further details from hello@apuna.dev.

Note: The fonts used on this Site (Inter, JetBrains Mono) are loaded exclusively from the Site's own origin. The Next.js font optimisation module downloads and self-hosts these font files at build time; no request is made to Google Fonts or any other third-party font CDN at runtime.

4. Contact Form

The Site provides a contact form. When you use this form, the following personal data categories are collected: first and last name, e-mail address, company name (optional), and the content of your message.

Purpose: processing your enquiry, preparing a possible contract or consultancy engagement, and communicating with you in that context.

Legal basis: Art. 6(1)(b) GDPR — processing is necessary for steps taken at the request of the data subject prior to entering into a contract. In so far as the enquiry does not lead directly to a pre-contractual relationship, the basis is Art. 6(1)(f) GDPR — legitimate interest in handling and responding to business enquiries.

Storage and deletion: Data submitted via the contact form is stored only as long as necessary to handle the enquiry and any resulting engagement. Once the matter is fully concluded and no further follow-up is required, the data is deleted unless statutory retention obligations require continued storage (e.g. six-year commercial records obligation under §257 HGB or ten-year fiscal records obligation under §147 AO, where applicable). No automated decision-making (Art. 22 GDPR) takes place in connection with the contact form.

Form submissions are delivered to us by e-mail; the message is dispatched through Brevo (Sendinblue SAS, 17 rue Salneuve, 75017 Paris, France), acting as a processor under Art. 28 GDPR. Brevo processes the data within the European Union (data centres in Belgium); the e-mail dispatch therefore involves no transfer to a third country within the meaning of Art. 44 GDPR. Brevo engages sub-processors listed in its Data Processing Agreement; its current processing and sub-processor information is published at https://www.brevo.com/legal/privacypolicy/. Further subprocessor details are available on request at hello@apuna.dev.

5. Cookies, Analytics, and Tracking

This Site uses no cookies of any kind — neither technically necessary cookies nor marketing, preference, or analytics cookies.

This Site uses Cloudflare Web Analytics — a cookieless, privacy-preserving analytics service operated by Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA). The beacon collects aggregated traffic data (page views, referrers, device type, country) without setting any cookies and without creating cross-site user profiles. Cloudflare Web Analytics does not use fingerprinting or any persistent identifier; it processes only the data strictly necessary to produce aggregate statistics. No consent banner is required. Cloudflare acts as a processor (see Section 3). For Cloudflare's privacy documentation see https://www.cloudflare.com/privacypolicy/. The Site also loads Cloudflare Turnstile on contact and application forms; see the description above.

No consent banner or cookie consent management platform (CMP) is operated, because the analytics used set no cookies and require no consent under §25 TDDDG.

This statement covers the technical state of the Site as of the date shown in Section 11. If additional cookies or tracking tools are introduced in future, this policy will be updated and, where required by §25 TDDDG, an appropriate consent mechanism will be implemented before any such processing begins.

6. Rights of Data Subjects (Art. 15–22 GDPR)

You have the following rights with respect to your personal data:

Right of access (Art. 15 GDPR): You may request confirmation of whether we process personal data about you and, if so, a copy of that data together with the information listed in Art. 15(1) GDPR.

Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate personal data and the completion of incomplete data without undue delay.

Right to erasure (Art. 17 GDPR): You may request the deletion of your personal data where one of the conditions in Art. 17(1) GDPR applies, provided that no exception under Art. 17(3) GDPR applies (e.g. compliance with a legal obligation).

Right to restriction of processing (Art. 18 GDPR): You may request restriction of processing in the circumstances listed in Art. 18(1) GDPR, for example while the accuracy of data is contested.

Right to data portability (Art. 20 GDPR): Where processing is based on consent or contract and is carried out by automated means, you may request to receive your data in a structured, commonly used and machine-readable format and to have it transmitted to another controller, where technically feasible.

Right to object (Art. 21 GDPR): Where processing is based on Art. 6(1)(f) GDPR (legitimate interests), you have the right to object to processing on grounds relating to your particular situation. The controller will then cease processing unless it can demonstrate compelling legitimate grounds which override your interests, rights and freedoms.

To exercise any of these rights, contact: hello@apuna.dev. We will respond within one month of receipt of the request (Art. 12(3) GDPR); this period may be extended by a further two months where necessary, with notice.

We do not charge a fee for exercising these rights unless requests are manifestly unfounded or excessive (Art. 12(5) GDPR).

7. Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right under Art. 77 GDPR to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

The supervisory authority competent for the controller is the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW), as the controller is based in Mannheim, Baden-Württemberg; it is reachable at https://www.baden-wuerttemberg.datenschutz.de. A list of all German supervisory authorities is also published by the Datenschutzkonferenz (DSK) at: https://www.datenschutzkonferenz-online.de

You also have the right to lodge a complaint with the supervisory authority in the Member State of your own habitual residence or place of work.

8. How to Exercise Your Rights

To exercise any right listed in Section 6, or to lodge any data-protection query, write to:

hello@apuna.dev

Please include enough information to identify the data at issue (e.g. the e-mail address used when submitting the contact form, and the approximate date of contact). We do not require you to use a specific form.

Identity verification: We may ask you to verify your identity before fulfilling a request, to ensure we do not disclose personal data to the wrong person. This check is proportionate and will not be used as a pretext to delay a response.

Response time: One month from receipt of the request (Art. 12(3) GDPR). Where requests are complex or numerous, we may extend the period by a further two months with advance notice.

9. Job Applications

Apuna accepts applications for open roles via the application form on this Site.

Data collected: chosen role, full name, e-mail address, LinkedIn profile URL (optional), a free-text field in which you describe your experience and motivation, and an optional CV/PDF document.

LinkedIn URL: if provided, the URL is stored solely as a reference link for a human reviewer to open manually in a browser. We do not scrape, crawl, or otherwise process LinkedIn automatically.

CV/PDF (optional): if you attach a CV, it is stored separately in object storage for a human reviewer only. It is never transmitted to Anthropic or any AI system — no AI processing is performed on the CV or its contents. It is deleted on the same retention schedule set out below, or earlier on request to career@apuna.dev.

Please do not include special-category data (Art. 9 GDPR) — such as health, disability, religion, ethnicity, or trade-union membership — in your application. We do not request it and will not use it.

Legal bases:

(a) Processing for the selection process — Art. 6(1)(b) GDPR in conjunction with §26(1) BDSG. Your name, e-mail address, chosen role, LinkedIn URL (if provided), and application text are processed to carry out pre-contractual steps at your request and to conduct the applicant-selection process.

(b) AI-assisted fit assessment — Art. 6(1)(a) GDPR in conjunction with §26(2) BDSG. If you give your express consent via the checkbox on the application form, your free-text field is transmitted to Anthropic PBC, USA, which generates an internal fit-assessment note as decision-support for our reviewers. This processing rests solely on your consent and is separate from the act of submitting your application. Consent is freely given and is not a condition of applying: to apply without AI-assisted assessment, send your application by e-mail to career@apuna.dev instead of using the online form. You may withdraw consent at any time with effect for the future by writing to career@apuna.dev; withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Processor and third-country transfer for AI assessment: Anthropic PBC, 548 Market Street, San Francisco, CA 94105, USA, acts as a processor within the meaning of Art. 4(8) and Art. 28 GDPR. Anthropic processes only the role applied for and the free-text you submit; it does not receive your name, e-mail address, LinkedIn URL, or any uploaded CV. The transmission constitutes a transfer to a third country (USA) within the meaning of Art. 44 GDPR. The transfer mechanism is the EU Standard Contractual Clauses pursuant to Commission Decision (EU) 2021/914. Anthropic is additionally certified under the EU–US Data Privacy Framework (adequacy decision, July 2023); the controller relies on the SCCs as a belt-and-braces measure pending any further judicial development.

Human decision-making: A human reviewer makes every hiring decision. There is no solely automated decision-making that produces a legal or similarly significant effect within the meaning of Art. 22(1) GDPR. We go beyond the Art. 22 minimum in any event: you have the right to obtain human intervention, to express your point of view, and to contest any assessment. To exercise these rights write to career@apuna.dev.

AGG — equal-treatment safeguard: The AI-generated assessment evaluates only job-relevant competencies as described in the role posting. It is not designed to evaluate and must not be used to evaluate any characteristic protected under §1 AGG (race, ethnic origin, sex, religion or belief, disability, age, sexual identity).

Retention and deletion: All application data — regardless of whether the consent checkbox was ticked — is deleted approximately six months after the conclusion of the selection process. The retention period is based on the two-month claim window under §15(4) AGG plus a reasonable administrative margin. Deletion is carried out by automatic expiry in the data store. No commercial or fiscal retention periods (§257 HGB; §147 AO) apply to applicant data.

Recipients: Application data is accessed internally only by persons involved in the selection process. Applications are delivered to the selection team by e-mail; the message is dispatched through Brevo (Sendinblue SAS, Paris, France) acting as a processor under Art. 28 GDPR. Brevo processes the data within the European Union (data centres in Belgium); the e-mail dispatch therefore involves no transfer to a third country within the meaning of Art. 44 GDPR. The AI-assessment note produced by Anthropic is internal only and is never disclosed to the applicant or to third parties outside the selection process.

Your rights: Sections 6 and 8 of this policy set out your rights of access, rectification, erasure, restriction, portability, and objection in full. In the context of applications, the right to erasure (Art. 17 GDPR) is particularly relevant: you may request deletion of your application data at any time before the automatic expiry by writing to career@apuna.dev. You also have the right to lodge a complaint with a supervisory authority (Section 7).

10. AI Assistant (Chat) and Voice Agent

The Site offers an optional AI chat assistant (the "Assistant"). Using it is entirely voluntary; the Assistant is not loaded or contacted unless you open it and give your express consent on the consent screen shown before the first message.

Data processed: the text you type and the running conversation context for the current session. The Assistant does not require an account, a name, or an e-mail address; please do not enter personal data or confidential information into it. Apuna does not store or log the content of your messages or the Assistant's replies; only aggregate technical operating metrics (e.g. response latency and message count per request) are recorded, and your IP address is not forwarded to the model provider.

Recipients and sub-processors: messages are routed through Requesty (Requesty, Inc., USA), an LLM routing service acting as a processor within the meaning of Art. 4(8) and Art. 28 GDPR under a data processing agreement that incorporates the EU Standard Contractual Clauses pursuant to Commission Decision (EU) 2021/914. Requesty forwards the request to the underlying model provider that runs the selected free model (currently Google's Gemma model family, operated by Google LLC / Google Ireland Ltd.). Important: where a free model is used, the model provider may use your input to train and improve its models and, for that purpose, acts as an independent controller rather than as Apuna's processor. This is the reason consent is required.

Legal basis: Art. 6(1)(a) GDPR — your consent, given on the consent screen before the first message. You are informed there, in plain language, that a third-party model provider processes your input, that the input may be used to improve the provider's models, that processing takes place outside the EU, that the Assistant is intended for users aged 16 and over, and that the Assistant is decision-support and not advice. You may decline; if you decline, no message is sent and no processing takes place. You may withdraw consent at any time with effect for the future by closing the Assistant; withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Third-country transfer: using the Assistant transmits your input to the United States, a third country within the meaning of Art. 44 GDPR. For the routing processor (Requesty) the transfer is safeguarded by the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). In so far as the model provider uses your input as an independent controller (model improvement), the transfer is additionally based on your explicit consent pursuant to Art. 49(1)(a) GDPR, given after you have been informed of the possible risks of such a transfer in the absence of an adequacy decision and appropriate safeguards for that specific use.

Retention: Apuna retains no chat content. The conversation exists only in your browser for the duration of the session and is not persisted (no cookie, no local storage, no server-side history). Any retention by the model provider is governed by that provider's own policy.

No automated decision-making: the Assistant produces text for your information only. It makes no decision that produces a legal or similarly significant effect within the meaning of Art. 22 GDPR; a human always makes any concrete commitment.

Voice agent: Apuna additionally maintains a voice assistant for spoken enquiries. It is not part of the website and is not in general public operation at the date of this policy. When it is used, it opens every call with a spoken transparency notice and obtains the caller's express consent before any further conversation, on terms equivalent to those above (AI disclosure, processing by Google's Gemini service as a third-country processor/independent controller, 16+ and decision-support framing, human follow-up). Apuna does not record or store the call. This policy will be updated with the full details before the voice agent enters general operation.

Your rights under Sections 6, 7 and 8 (access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint) apply in full. For any question about the Assistant write to hello@apuna.dev.

11. Changes to this Policy

We reserve the right to update this privacy policy when the legal or technical basis for our processing changes, or when we introduce new processing activities. The current version is always available at apuna.dev/privacy (or the equivalent page in each language).

Material changes — in particular the introduction of new categories of processing, new processors, or new legal bases — will be communicated by updating the "Last updated" date and, where the change is significant, by a notice on the Site's start page.

Last updated: 2026-06-18