Privacy notice
Last updated
This page explains the personal data we process about you when you visit tobiasleonhardt.de, why we process it, who else is involved, and how you exercise the rights GDPR gives you. It is written in plain English; the legal precision is in the structure and the named lawful bases. The legal imprint sits on a separate page at /impressum.
1. Who we are (Controller)
The data controller — the person who decides why and how your data is processed — is:
Tobias Leonhardt
Wahnfriedstrasse 20
13465 Berlin, Germany
Email: privacy@tobiasleonhardt.de
Telegram: @tobiasleonhardt
2. What data we process
Two streams, kept clearly separate so each is honest about where the data came from.
Stream A — what we learned about you before we met
If you received a personalized link to this site (a URL under /m/<slug>), we did some homework about you from public sources first — usually:
- your name, role, and company
- things you've posted publicly (LinkedIn, blog, podcasts, talks)
- public hiring or funding signals about your company
- content on your company's public website
We mined this before our first contact so the conversation could be specific and useful from message one. Under GDPR this is the Article 14 case (data not obtained from the data subject); we disclose it here, and the outreach email itself carries the same disclosure with an explicit offer to scrub.
Stream B — what you share when you talk with Leon
Leon is the AI on this site. The replies are generated by Anthropic’s Claude API (Claude, the model); we set Leon’s voice, instructions, and tools, and Anthropic runs the inference. When you chat with Leon, we store:
- your messages (the content of the conversation)
- anything personal you choose to share inside the chat — email, name, role, what you’re working on
- a signed cookie (marketing_client_id) that lets the conversation continue across page loads
Under GDPR this is the Article 13 case (data collected from you directly). Leon names what’s happening inline when he asks for contact details; the small disclosure line at the foot of every page names what’s happening before you’ve typed anything. Providing data in the chat is voluntary — you can close the page at any moment and nothing further is processed.
3. Why we process it (Purposes and lawful basis)
Each purpose is named specifically — vague language like "to improve our services" is what regulators push back on under the legitimate-interest basis.
| Purpose | Lawful basis | What it means |
|---|---|---|
| Personal follow-up by Tobi | Art. 6(1)(f) legitimate interest (Recital 47 — direct marketing) | Tobi reads transcripts to follow up with people who want it, and to learn whether our work fits theirs. |
| Refining outreach and value proposition | Art. 6(1)(f) legitimate interest | Qualitative review of what people share informs how Tobi describes the work in future outreach and copy. Pseudonymized at analysis time. |
| Qualitative product insights | Art. 6(1)(f) legitimate interest | Looking at themes across conversations informs product direction. Aggregated; no individual decision-making. |
| Operating the chat itself | Art. 6(1)(b) contract necessity (steps prior to a contract) | Storing your messages so the conversation continues across page loads. |
We have done a Legitimate Interest Assessment for the Article 6(1)(f) purposes: the data comes from public sources, the contact volume is low (1–3 messages per week, each individually tailored), B2B professional outreach is within reasonable expectations under Recital 47, and opt-out is always one message away. The full LIA is captured in our internal architecture notes and available on request.
What we explicitly do not do:
- train AI models on your conversations (Anthropic does not train on Claude API data by default, and we do not run our own training)
- sell or share your data with third parties beyond the subprocessors named in Section 4
- make automated decisions about you that produce legal or similarly significant effects (no Article 22 processing)
- process Article 9 special-category data (health, faith, political opinion, sexual orientation, racial origin, trade-union membership, genetic or biometric data) — Leon is instructed to skip past it even if you volunteer it
4. Who else processes your data (Subprocessors)
This site runs on a small, deliberate stack. Subprocessors are listed here so the chain of custody is visible end-to-end.
| Subprocessor | Role | Location | Safeguard |
|---|---|---|---|
| Supabase | Database (Postgres, Realtime, Storage) | eu-central-1 (Frankfurt, EU) | EU residency; DPA signed |
| Vercel | Web hosting (serverless functions, static assets) and Vercel Web Analytics — a cookie-free, aggregated page-view counter (production only) | fra1 (Frankfurt, EU) for marketing routes | DPA signed |
| Anthropic | AI inference (Claude) for Leon's replies | United States | Standard Contractual Clauses + DPA; no training on customer data |
| Notion | Internal prospect records (private workspace) | United States | Standard Contractual Clauses + DPA |
| Google Workspace | Tobi's email and calendar (for follow-up after the chat) | EU + United States (Google's standard hosting) | Standard Contractual Clauses + DPA |
OpenAI is listed here only when active. It is not used today; if a future feature uses it for embedding generation on data that includes yours, this table is updated before the change goes live.
5. How long we keep it (Retention)
- Personalized link page (Stream A data): 30 days from creation. After that the link returns HTTP 410 Gone.
- Personalization payload (the warmth context Leon was loaded with): present until revocation or expiry. On revocation: nulled immediately by an atomic database function (revoke_prospect_surface). On expiry: the link stops serving (HTTP 410) but the payload remains in the database until a scheduled cleanup pass nulls it. The cleanup pass is on the roadmap, not yet running. If you want your data fully removed before that, ask by email and we run the revocation function manually.
- Chat transcripts: retained while the surface is active. On revocation the message content is nulled and the thread is soft-deleted in the same atomic call. On expiry, the same scheduled-cleanup caveat applies as above.
- Cookie (marketing_client_id): signed; 30-day lifetime; strictly necessary so the chat conversation continues across page loads.
- Audit and activity events: retained for operational review (records-of-processing requirement, Article 30). Pseudonymized where individual-level granularity is not required.
6. Your rights (Articles 15–22)
You have the right to:
- Access the data we hold about you (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data (Art. 17). For personalized links we honor erasure immediately via an atomic database function (revoke_prospect_surface) that nulls the personalization payload, nulls chat content, and soft-deletes the thread in one transaction.
- Restrict processing (Art. 18)
- Portability — get a copy of your data in a machine-readable format (Art. 20)
- Object to processing (Art. 21). Because our processing rests on legitimate interest, an objection carries high weight: the burden is on us to demonstrate compelling legitimate grounds, which we typically cannot meet for direct outreach. So objections result in erasure in practice.
How to exercise these rights:
Email privacy@tobiasleonhardt.de with what you'd like. We respond within one month (extensible by up to two months for complex requests — we let you know within the first month if that applies). For day-to-day requests like "stop saving my messages" you can also just say so to Leon in the chat; Leon recognizes natural-language opt-out and sets the flag immediately.
You also have the right to lodge a complaint with a supervisory authority. For visitors in the EU/EEA the relevant authority is typically the one where you reside; the controller is supervised by the Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin DPA).
7. Cookies
Visiting the site today sets at most one cookie, and only when you engage with the chat — both are strictly necessary in the GDPR / TTDSG sense, and no banner is required:
- marketing_client_id — signed; 30-day expiry. Lets Leon recognize you across page loads so the conversation continues. Strictly necessary for the chat to function (TTDSG § 25 (2) Nr. 2 / ePrivacy Article 5(3) — no consent required).
- gate — set only when the site is running in password-gated mode (e.g. during private staging, controlled by the PASSWORD_GATE_ENABLED environment variable). The gate is not enabled in production today, so this cookie is not set on visitors right now. When the gate is active, the cookie carries the signed proof of unlock and is strictly necessary by definition.
We do not use marketing or advertising cookies, third-party analytics cookies, social-media trackers, or pixels. We use Vercel Analytics, which is cookie-free per Vercel's documentation. Because no non-essential cookies are set on the site, no consent banner is required under the German TTDSG. If that ever changes (e.g. analytics or marketing cookies are added later), a banner will appear before they are set.
8. International transfers
Some subprocessors (Anthropic, Notion, Google Workspace) are based in the United States. Transfers happen under Standard Contractual Clauses (SCCs) approved by the European Commission, plus supplementary measures where the processor offers them.
The primary data store (Supabase) and the request/response path (Vercel fra1) are in the EU. Only AI inference content (sent to Anthropic at conversation time) and follow-up email content (handled by Google Workspace if and when Tobi replies) crosses the Atlantic.
9. Changes to this notice
We update this notice when our processing changes. Material changes are communicated by email to anyone we have an open conversation with. The page itself carries the last-updated date at the top.
Questions about your data? Email privacy@tobiasleonhardt.de or reach Tobi on Telegram at @tobiasleonhardt.