Privacy Policy

1. Introduction

Welcome to Building Better Teams - Brian Graham ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our websites or use our services.

Our websites include:

• buildingbetterteams.de
• kb.buildingbetterteams.de
• fortran.buildingbetterteams.de (entertainment-only antique Punched Card simulation)
• auth.statagroup.com (private portal, invite-only access)
• git.statagroup.com (code hosting portal, public repositories visible to all, account access by invite only)

This policy DOES NOT cover dashboard.buildingbetterteams.de ("Dashboard") which has its own unique policy as that domain hosts an interactive application with logins.

Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access our website or use our services.

2. Data Controller

3. Personal Data We Collect

We collect and process only the minimum amount of personal data necessary to provide our services:

3.1 Data We Collect

• Authentication Data: Information required for signing in and maintaining session cookies on invitation-only services (auth.statagroup.com and git.statagroup.com)
• Technical Data: Web server access and error logs across all services (immediately anonymized and purged after 7 days)
• Cookies and Similar Technologies: Session cookies necessary for the functioning of our invite-only websites
• Aggregate Data: We may collect anonymous aggregate statistics such as total visitor count per day, which cannot be used to identify individuals

3.2 Important Notes on Data Collection

• buildingbetterteams.de and kb.buildingbetterteams.de do not store cookies
• We do not track users on an individual level
• We do not share any data with third parties for marketing or analytical purposes
• auth.statagroup.com is expressly not intended for public use and is a private web portal where access is granted by personal invite only
• git.statagroup.com is a code hosting portal (Forgejo) which exposes public repositories for browsing, but logins are provided by personal invite only

3.3 Web Application Firewall

• BunkerWeb WAF: We use a self-hosted instance of BunkerWeb as a Web Application Firewall (WAF) to protect our websites against malicious traffic and abuse
• The WAF temporarily processes IP addresses and request data (such as HTTP headers and request patterns) solely for security purposes
• All WAF data remains under our direct control on our own infrastructure and is not shared with any third parties
• WAF logs are automatically purged after 7 days (or sooner) in line with our other server logs

4. How We Use Your Personal Data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• To provide and maintain our services
• To process and complete transactions
• To manage your account and provide customer support
• To improve and personalize user experience
• To protect our rights, property, or safety and that of our users
• To comply with legal obligations

5. Legal Basis for Processing

Under GDPR, we must have a legal basis for processing your personal data. We rely on the following legal bases:

• Consent: Where you have given us explicit consent to process your data for a specific purpose
• Contractual Necessity: Where processing is necessary for the performance of a contract with you
• Legal Obligation: Where processing is necessary for compliance with a legal obligation
• Legitimate Interests: Where processing is necessary for our legitimate interests, provided those interests do not override your fundamental rights and freedoms

6. Data Retention

We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Web server access and error logs are immediately anonymized and purged after 7 days.

For business continuity and disaster recovery purposes, we create encrypted backups of our servers which are stored offline on encrypted hardware in a secured location. These backups may contain the same data as described in section 3, including logs within their retention period. Backups are retained for a maximum of 7 days, after which they are securely deleted. All backups remain under our direct physical control and are never shared with third parties.

We periodically test our backup restoration process to ensure data recoverability in the event of a system failure or data loss incident.

6.1 Log Anonymization Process

Our Nginx web server logs use a basic logging format that captures limited information and masks the last octet of an IP address:

        # Anonymization map
        map $remote_addr $remote_addr_anonymized {
            ~^(\d+\.\d+\.\d+)\. $1.0;  # Mask last octet
            default 0.0.0.0;
        }

        # Anonymize IP addresses in Nginx
        log_format anonymized '$remote_addr_anonymized - $remote_user [$time_local] '
                              '"$request" $status $body_bytes_sent '
                              '"$http_referer" "$http_user_agent"';
    

After collection, IP addresses in logs are anonymized by removing the last octet (in IPv4) or the last 80 bits (in IPv6), making it impossible to identify specific individuals. All logs are automatically purged after the 7-day retention period.

7. Data Sharing and Transfers

We do not share your personal data with any third parties except in the following circumstances:

• Service Providers: Our web server is hosted in Finland at Hetzner, which is within the European Economic Area (EEA)
• Legal Requirements: We may disclose your information if required by law, court order, or governmental authority

Your data is stored and processed within the European Economic Area (EEA), ensuring compliance with GDPR standards and regulations.

7.1 Subprocessors

Beyond our hosting provider (a Hetzner facility located in Finland), we use the following subprocessors:

• Google Workspace: For email communications management

All data processing activities are conducted either by us directly or through these explicitly named subprocessors. No other third parties have access to your personal data.

8. Your Data Protection Rights

Under GDPR, you have the following rights:

• Right to Access: You have the right to request copies of your personal data
• Right to Rectification: You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete
• Right to Erasure: You have the right to request that we erase your personal data, under certain conditions
• Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data, under certain conditions
• Right to Object to Processing: You have the right to object to our processing of your personal data, under certain conditions
• Right to Data Portability: You have the right to request that we transfer the data we have collected to another organization, or directly to you, under certain conditions

To exercise any of these rights, please contact us via email at info@buildingbetterteams.de. Please note that since we collect minimal personal data and anonymize logs after 7 days, we may not have any personal data to provide in response to such requests. We will respond to your request within one month.

8.1 Identity Verification for Data Requests

To protect your privacy and security, we require verification of your identity before fulfilling data subject access requests. Since we collect minimal personal data, our verification process is simple:

• For registered users of our invite-only platforms: direct personal verification through established communication channels, as we maintain personal relationships with all invited users
• For email communications: requests must come from the same email address that contacted us previously
• For other scenarios: we may request additional verification appropriate to the circumstances

We aim to balance security with convenience, requiring only the minimum verification necessary to protect your rights.

9. Data Security

We have implemented appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. However, no method of transmission over the Internet or method of electronic storage is 100% secure.

As part of our security measures, we employ a self-hosted BunkerWeb Web Application Firewall (WAF) that helps detect and block potentially malicious traffic. This self-hosted approach enhances privacy since all security-related data remains under our control and on our infrastructure, rather than being processed by external vendors. The WAF is configured to collect only the minimum data necessary for security purposes, consistent with our overall privacy-focused approach.

Our data protection measures extend to our backup procedures. All server backups are fully encrypted both during transfer and at rest using industry-standard encryption. Backup media is stored in a physically secured location accessible only by authorized personnel. This approach ensures that even in backup form, your data remains protected against unauthorized access.

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies only for essential website functionality such as authentication and session management. These cookies are necessary for the proper functioning of our website. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our website.

11. Children's Privacy

Our services are not intended for individuals under the age of 16. We do not target children with our services and do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us.

12. Changes to This Privacy Policy

We may update our Privacy Policy at any time without prior notice. Any changes will be effective immediately upon posting the updated Privacy Policy on our website. We encourage you to periodically review this Privacy Policy to stay informed about how we protect your personal data.

13. Contact Us

14. Complaints

If you have a complaint about our use of your personal data or response to your requests regarding your personal data, you may submit a complaint to the data protection regulator in Germany. We would, however, appreciate the opportunity to address your concerns before you approach a data protection authority, and would welcome you contacting us in the first instance.

15. Email Communications

Our business email (info@buildingbetterteams.de) is managed through Google Workspace (Gmail). When you contact us via email, your communication, including any personal data you provide, will be processed on Google's servers. Google acts as a data processor in this context.

Email communications may be retained for business continuity and legal purposes. We limit access to emails containing personal data to only those individuals who need such access to perform their job functions. For Google's privacy practices, please refer to Google's Privacy Policy.

16. Data Breach Notification

In the unlikely event of a data breach affecting personal data, we will:

• Notify affected individuals directly when possible and when required by law
• Notify the appropriate data protection authority (Berlin Commissioner for Data Protection) within 72 hours of becoming aware of the breach, if required by law
• Document the facts relating to the breach, its effects, and the remedial action taken

Given our minimal data collection practices and short retention periods, the impact of any potential breach is significantly limited.