Privacy policy
1. Controller
The controller responsible for processing personal data within the meaning of the General Data Protection Regulation (GDPR) is:
Ali Hussein (brand “Billyr”)
Wilhelmsstraße 31, 34117 Kassel, Germany
Email: hi@billyr.ai
2. General
We process personal data only where necessary to display our website, provide our services (e.g. under a contract or pre-contractual communication), or comply with legal obligations. Where you have given consent, we process data on the basis of your consent (Art. 6(1)(a) GDPR). Contract data and pre-contractual enquiries are processed on the basis of Art. 6(1)(b) GDPR. Providing the website and security-related analysis are based on Art. 6(1)(f) GDPR (legitimate interests), unless another legal basis applies. Data subject rights (access, erasure, objection, portability, complaint) apply irrespective of the legal basis used, where the requirements are met (Arts. 12–22 GDPR).
3. Hosting and infrastructure (EU)
Our website and any related application components are technically operated via:
- Vercel Inc. (provided in the EU region, e.g. Frankfurt, Germany) — hosting, delivery and edge functions. Provider: Vercel Inc., USA. Only data technically necessary for the page view is processed (including IP in shortened/technical form, timestamp, requested resources). Where EU locations alone are not sufficient, we rely on appropriate safeguards (including standard contractual clauses / adequacy decisions) and/or supplementary measures where required. Details: Vercel privacy.
- Supabase (Supabase, Inc.) — database, authentication and storage where applicable when you use our services; EU / Frankfurt region according to your/our configuration. Supabase privacy
- GitHub (Microsoft) — source code/CI in development and infrastructure environments where applicable; processing in the EU where configured for operations. GitHub Privacy
- Namecheap (domain registration billyr.de) — contact and registrant details as required for domain registration. Namecheap Privacy
4. Log files and security
Each time a page is accessed, technical data (e.g. anonymised/truncated IP, time, user agent) is typically processed briefly in server or platform log files to ensure stability and security. No ongoing personally identifiable marketing profiling takes place as described here, unless stated otherwise under “Analytics” below.
5. Google Analytics
This website uses Google Analytics 4 (provider: Google Ireland Ltd., Ireland, possibly Google LLC, USA). This may process your (truncated) IP, device and usage data as events. Legal basis: your consent (Art. 6(1)(a) GDPR) via the cookie/consent banner where implemented, or legitimate interest (Art. 6(1)(f)) only for aggregated technical analysis where legally permitted and provided for in your jurisdiction. You can limit processing (browser settings, opt-out plugins, consent tool where available). Google privacy information, browser opt-out add-on.
Note: Ensure the cookie/consent mechanism is active before Analytics is set (TTDSG/GDPR). If no consent tool is live yet, analytics technologies should remain disabled until the consent solution is in production.
6. Email, contact, newsletter (Brevo)
If you contact us by email, we process the data contained in your message to handle your enquiry (Art. 6(1)(b) or (f) GDPR). For the newsletter and email marketing we use Brevo (formerly Sendinblue). We process your email address, sign-up/unsubscribe data where applicable, and sending metadata. Legal basis: double opt-in / consent (Art. 6(1)(a), Art. 7 GDPR) or legitimate interest in direct marketing (Art. 6(1)(f)) only to the extent stated and where legally permissible. Brevo privacy
7. Storage duration
Personal data is erased once the purpose no longer applies and no statutory retention periods (e.g. commercial or tax law) conflict. We retain email correspondence as needed for ongoing business processes or up to 6–10 years if relevant for accounting, depending on internal practice, unless you request earlier erasure and no overriding legitimate interest applies.
8. Your rights (Arts. 15–21 GDPR)
You have in particular the right to access personal data concerning you, rectification, erasure, restriction of processing, data portability (where provided for), and objection to certain processing based on legitimate interests. You may withdraw consent with effect for the future. You have the right to lodge a complaint with a supervisory authority, e.g. in Hesse: The Hessian Commissioner for Data Protection and Freedom of Information.
9. No data protection officer (mandatory assessment)
Unless Art. 37 GDPR requires appointment or mandatory national law provides otherwise, no operational data protection officer has been designated. For privacy enquiries reach us at hi@billyr.ai.
10. Changes to this statement
We update this statement when underlying processing changes in a legally required manner (e.g. new service, amended law). The current version is always available on this page.
As of: April 2026