Privacy Policy
Last updated: February 15, 2026
1. Controller
The controller responsible for data processing on this website is:
Simon Schwer
Wolfringstraße 14
90765 Fürth
Germany
Email: contact@contextdrivenpm.org
See also our Legal Notice.
2. Overview
This website includes static content and interactive features, in particular:
- Whitepaper reader with anonymous contribution flow
- optional voting on suggestions
- contact form
- blog comments via Giscus/GitHub
Depending on how you use the website, we process different categories of data.
3. Data Processing When Visiting This Website
3.1 Server Log Files
When you access this website, the hosting provider processes technical connection data (for example IP address, time, requested resource, user agent, referrer) to ensure operations and security.
Legal basis: Art. 6(1)(f) GDPR (legitimate interests in secure and stable operation).
3.2 Technically Necessary Web Functions
We do not run marketing or analytics cookies ourselves. Technically necessary browser/framework functions may still process local technical data where required to provide the website.
Legal basis: Art. 6(1)(f) GDPR.
3.3 Blog Comments (Giscus/GitHub)
On blog pages, an external comment widget (Giscus/GitHub) may be embedded. When loading this widget, data is transmitted directly to those third parties (for example IP address, browser data, and potentially account/session data when signed in to GitHub).
Legal basis: Art. 6(1)(f) GDPR (community functionality). Processing by Giscus/GitHub is governed by their own privacy terms.
4. Whitepaper Collaboration (Rolling SSOT)
If you submit a suggestion in the whitepaper, we process in particular:
- locale/language, anchor/section reference, target type
- selected excerpt (target_excerpt)
- proposed change (proposed_change)
- rationale
- suggestion type, status metadata, timestamps
- pseudonymized IP hash (rate limiting, voting, abuse prevention)
- optional display name, only if you explicitly opt in
There is no account/login in V1.
4.1 Input Filtering, AI Validation and Translation
Suggestions pass a server-side filter (including link/spam pattern checks). Valid suggestions are then included in AI triage. For this, suggestion content plus relevant whitepaper context are sent to the configured Mistral model to:
- decide valid=true|false
- generate translation into the other language when valid=true
Only AI-approved suggestions are shown by default in the reader.
Legal basis: Art. 6(1)(f) GDPR (quality assurance, abuse reduction, bilingual operation).
Optional display name/author credit: Art. 6(1)(a) GDPR (consent via active opt-in).
4.2 Suggestion Voting
For up/down votes, we store the current vote type per suggestion and pseudonymized IP hash to limit repeated voting per IP on the same suggestion and to support prioritization.
Legal basis: Art. 6(1)(f) GDPR.
4.3 Moderation and Distillation
Distillation is controlled by the Project Owner (human-in-the-loop). There is no solely automated decision with legal effect in the sense of Art. 22 GDPR.
5. Contact Form and Contact Requests
If you use the contact form, we process:
- name
- email address
- optional company
- message
We use this data to handle your request. Depending on configuration, delivery may run through SendGrid.
Legal bases:
- Art. 6(1)(b) GDPR (pre-contractual/contract-related communication)
- Art. 6(1)(f) GDPR (general communication and request handling)
6. Event Notifications and Blog Likes
For certain interactions (for example selected CTA events), a technical event including IP address and timestamp may be sent to a Telegram channel for operational notifications.
For blog likes, we store per-post counters (slug) in a local data file.
Legal basis: Art. 6(1)(f) GDPR.
7. Recipients and Service Providers
Depending on feature usage, data may be shared with these categories of recipients:
- hosting provider (infrastructure/operations)
- Mistral (AI validation and suggestion translation)
- SendGrid (email delivery, if enabled)
- Telegram (operational notifications, if enabled)
- GitHub/Giscus (blog comments, if used)
Where required, processing is based on suitable contractual safeguards.
8. International Data Transfers
Some services may process data outside the EU/EEA. Where required, we apply appropriate safeguards under Art. 44 et seq. GDPR (for example EU Standard Contractual Clauses).
9. Retention
We store data only as long as necessary for the relevant purpose. For the whitepaper collaboration flow, current retention includes:
- IP hash/rate-limit artifacts: 30 days
- suggestion_blocked events without raw text: 14 days
- AI-rejected suggestions: raw text is redacted after 7 days
- accepted/distilled suggestions and change history: until traceability/documentation purpose no longer applies; in published artifacts, potentially permanently in version history (repository/PDF)
Contact requests are stored until fully handled and beyond that only where legal retention obligations apply.
10. Legal Bases Summary
Unless otherwise specified, we process data on the following legal bases:
- Art. 6(1)(f) GDPR (operations, security, abuse prevention, product quality)
- Art. 6(1)(b) GDPR (contract/pre-contract related communication)
- Art. 6(1)(a) GDPR (voluntary author naming via opt-in)
11. Your Rights
Under GDPR, you have in particular the right to:
- access (Art. 15 GDPR)
- rectification (Art. 16 GDPR)
- erasure (Art. 17 GDPR)
- restriction of processing (Art. 18 GDPR)
- data portability (Art. 20 GDPR)
- object to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR)
- withdraw consent with future effect (Art. 7(3) GDPR)
- lodge a complaint with a supervisory authority (Art. 77 GDPR)
To exercise your rights, contact: contact@contextdrivenpm.org
12. Security
We apply technical and organizational measures to protect processed data, including pseudonymization via IP hashing, validation/filtering controls, and restricted access to PO-only endpoints.
13. Changes to This Privacy Policy
We update this privacy policy when functions, processing flows, or legal requirements change. The version published on this website applies.