Privacy Policy

This notice explains what personal data we process when you visit maison.events, subscribe to the Magazine, or contact us, and the rights you hold over that data. It covers this website only; pages we link to keep their own policies.

We collect no more than each interaction requires, we never sell personal data, and we use no advertising or cross-site tracking.

The site is hosted by Vercel. When you load a page, their servers process technical data your browser sends automatically. This is necessary to deliver the site and to keep it secure and available.

• Data: IP address, date and time of the request, the page or file requested, referrer, and browser and operating-system identifiers.
• Purpose: to serve the requested pages and to detect and defend against abuse.
• Legal basis: our legitimate interest in a working, secure site (Art. 6(1)(f) GDPR).
• Retention: held briefly in server and security logs by the host, then deleted or anonymised.

To understand how the site is used and to keep it fast, we use Vercel's privacy-friendly Web Analytics and Speed Insights. They count visits and measure real-world loading performance without cookies, without building a profile, and without following you across other sites. We also count a few deliberate actions — sending a contact message, confirming a Magazine subscription, and opening an entry from the index — as anonymous totals. The result is aggregated statistics that cannot identify you.

• Data: a page view with its referrer and coarse device, browser, and country; a count of the few actions above, each with only a coarse label such as the inquiry type or destination, never your details; anonymous performance timings; and a short-lived one-way hash derived from your request that is discarded after the visit and never stored.
• Purpose: to measure traffic and a few key actions in aggregate and monitor loading performance so we can improve the site.
• Legal basis: our legitimate interest in understanding and improving the site (Art. 6(1)(f) GDPR).
• Processor: Vercel, who also hosts the site.
• Retention: kept only as aggregated statistics; no cookie is set and no individual visitor profile is built.

Subscribing is double opt-in. You give us an email address; we send a confirmation link; nothing is stored as a subscription until you open that link. We use the address only to send the Magazine — about one issue a month — and nothing else.

• Data: your email address, and the date you confirmed.
• Purpose: to deliver the Magazine you asked for.
• Legal basis: your consent (Art. 6(1)(a) GDPR), given by confirming the link.
• Processor: the confirmation message and each issue are sent through Resend, which also stores the confirmed address as our audience list.
• Retention: kept until you unsubscribe; an unconfirmed address is discarded when the link expires.

You can withdraw consent at any time, with effect for the future, using the unsubscribe link in any issue or by writing to us. Withdrawing does not affect mailings sent before you did so.

When you use the contact form or email us, we process what you send so we can read and answer it.

• Data: your name, email address, your message, and any details tied to the kind of enquiry you choose.
• Purpose: to respond to your enquiry and, where relevant, to take steps you have asked for.
• Legal basis: steps prior to or under a contract where your enquiry concerns one (Art. 6(1)(b) GDPR), otherwise our legitimate interest in answering enquiries (Art. 6(1)(f) GDPR).
• Processor: messages are delivered to our inbox through Resend.
• Retention: kept as long as needed to handle your enquiry and any follow-up, then deleted unless we must keep it longer by law.

To stop the contact and subscription forms from being abused, we apply a short-lived rate limit keyed to your IP address. The check runs through Upstash and stores only a counter against that address for a brief window.

• Data: your IP address and a request counter.
• Purpose: to prevent spam and automated abuse of the forms.
• Legal basis: our legitimate interest in protecting the site and its forms (Art. 6(1)(f) GDPR).
• Retention: the counter expires automatically within minutes.

We set no cookies for analytics, advertising, or profiling, and we embed no advertising trackers or social plugins. Our traffic and performance analytics are cookieless (see “Measuring how the site is used”), so any storage your browser uses is strictly what is needed to deliver the page and no consent banner is required.

We work with a small set of providers who process personal data only on our instructions, under data-processing agreements as required by Art. 28 GDPR.

• Vercel — hosting and delivery of the website, and cookieless traffic and performance analytics.
• Resend — sending the Magazine confirmation and issues, delivering contact messages, and storing the subscriber list.
• Upstash — the rate-limit counter that protects the forms.

Some of these providers are based in, or process data in, the United States. Where data leaves the European Economic Area, the transfer is covered by appropriate safeguards under Art. 46 GDPR — the European Commission's Standard Contractual Clauses, together with the provider's technical and organisational measures.

We keep personal data only as long as the purpose it was collected for requires, or as long as the law obliges us to. When neither applies, we delete or anonymise it. The specific periods are noted in the sections above.

Under the GDPR you have the following rights in respect of your personal data. To exercise any of them, write to the data-protection contact above; we answer without undue delay.

• Access — confirmation of whether we process your data, and a copy of it (Art. 15).
• Rectification — correction of inaccurate or incomplete data (Art. 16).
• Erasure — deletion of your data where the conditions are met (Art. 17).
• Restriction — limiting how we use your data in defined cases (Art. 18).
• Portability — your data in a portable format where processing rests on consent or contract (Art. 20).
• Objection — objecting to processing based on legitimate interest (Art. 21).
• Withdrawal — withdrawing any consent at any time, with effect for the future (Art. 7(3)).

You also have the right to lodge a complaint with a supervisory authority if you believe we process your data unlawfully.

The authority responsible for us is:

• Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
• Promenade 18, 91522 Ansbach, Germany

You may also contact the supervisory authority of the EU member state where you live or work.

We may revise this notice as the site or the law changes. The version published here, dated above, is the one that applies.