Privacy Policy

This Privacy Policy explains how I, Luca Alexander Büürma, collect, use, and protect personal data when you visit my website https://lucabuurma.com. I process personal data in accordance with the General Data Protection Regulation (GDPR), the Spanish LSSI-CE where applicable, and other applicable data protection laws.

The Data Controller responsible for this website is:

‍Luca Alexander Büürma
Ronda del General Mitre, 92
Sarrià-Sant Gervasi
08021 Barcelona
Spain
Email: lucabuurma@gmail.com

If you contact me via the contact form, I collect the following information:
- Full Name (First and Last Name)
- Email address
- Message content
‍
Purpose & Legal Basis:
‍I process this data in order to receive, manage, and respond to your inquiry and, where applicable, to take steps prior to a potential professional relationship or contract.

The legal bases are:‍

- Art. 6(1)(b) GDPR, where processing is necessary to take steps at your request prior to entering into a contract

- Art. 6(1)(f) GDPR based on my legitimate interest in receiving and responding to communications addressed to me and in operating a secure and abuse-resistant contact channel. These interests are balanced against the rights and freedoms of the users submitting the inquiry.

Storage & Retention:
Form submissions are transmitted through Web3Forms and may be processed by Web3Forms in order to deliver the message to my email inbox. I retain contact messages only for as long as necessary to process and respond to the inquiry, handle any related follow-up, comply with legal obligations, or establish, exercise, or defend legal claims.

Processors Involved:
Web3Forms – provides the contact form processing service used to transmit and deliver form submissions
Google LLC (through Gmail) – email service provider. Data may be transferred to the United States under Standard Contractual Clauses (SCCs).
Intuition Machines, Inc. (hCaptcha)– provides anti-spam protection for the contact form

Anti-Spam / CAPTCHA:
To protect the contact form against spam, abuse, and automated submissions, this website uses hCaptcha, a service provided by Intuition Machines, Inc. hCaptcha analyzes user interactions and technical data such as IP address, browser information, device information, and other signals in order to determine whether the interaction originates from a human user or an automated system. This processing is based on Art. 6(1)(f) GDPR, namely my legitimate interest in protecting the website and contact form against spam and abuse.

Further information on how hCaptcha processes personal data can be found in the hCaptcha Privacy Policy: https://www.hcaptcha.com/privacy

When you access this website, certain technical data may be processed automatically by the hosting and delivery infrastructure used to make the website available. This may include:
‍
- IP address
‍ - Browser type and version
‍ - Device information
‍ - Date and time of access
‍ - Requested pages or files
‍ - Referrer URL
‍ - Operating system
‍ - Diagnostic and technical log data
‍
In addition, information that your browser sends whenever you visit the website, or when you access it by or through a mobile device, may also be collected.
‍

Purpose & Legal Basis:
‍This processing is necessary to ensure the stability, security, delivery, and proper functioning of the website and is based on Art. 6(1)(f) GDPR.

Hosting Provider:
‍This website is hosted and deployed using Vercel.

Storage & Retention:
‍Technical log data is retained only for as long as necessary for security, operational, and diagnostic purposes, subject to the retention settings and policies of the relevant provider.

This website uses the typeface Satoshi. If the font is self-hosted as part of the website files, no separate request is made to an external font provider when the page is loaded. If, in individual cases, a font or related asset is served through the website hosting infrastructure, the corresponding technical request is handled as part of normal website delivery.

Images, logos, and other static media used on this website are delivered through the website’s current hosting infrastructure. No external third-party media requests are intentionally made unless explicitly indicated elsewhere on the website.

This website may contain simple links to external social media profiles or third-party platforms, such as Instagram, LinkedIn, X/Threads, or YouTube.

These are simple links only. No data is transferred to those providers merely because you visit this website. Data is only transmitted once you actively click such a link and visit the relevant external platform. Once you do so, the respective provider may process your data under its own privacy policy.

I only collect and process personal data that is necessary for the purposes described in this Privacy Policy and aim to apply the principle of data minimization under Article 5(1)(c) GDPR.

This website does not use Vercel Web Analytics.

At the time of writing, this website does not intentionally use analytics tools, advertising trackers, or marketing cookies.

However, strictly necessary technical processes may occur in connection with website delivery, security, and contact form protection. In particular, the contact form uses CAPTCHA protection through hCaptcha, a service provided by Intuition Machines, Inc., in order to prevent spam and automated abuse. As part of this process, technical information such as IP address, browser information, device information, and interaction signals may be processed to distinguish human users from automated systems. If that solution uses cookies or similar technologies that are strictly necessary for security and anti-abuse purposes, they are used solely for that purpose.

I may use the personal data I collect from you for the following purposes:
‍
- to provide and maintain the website
- to ensure website security and proper technical operation
- to respond to your inquiries
- to manage messages and requests you submit
- to communicate with you where necessary in relation to your inquiry
- to prevent spam, abuse, and fraudulent submissions through the contact form
I do not sell your personal data and do not use it for advertising.

Where third-party service providers process personal data on my behalf, they do so as data processors under Article 28 GDPR and only process personal data according to my instructions and applicable data protection law. This may include:
- Vercel, Inc. as hosting and delivery infrastructure provider
- Web3Forms as contact form processing provider
- Google LLC as email provider, if messages are forwarded to Gmail
- Intuition Machines, Inc. (hCaptcha) as anti-spam and security provider for the contact form

I retain personal data only for as long as necessary for the purposes described in this Privacy Policy.

In particular:
- Contact form submissions and related emails are retained only for as long as needed to respond to the inquiry, manage follow-up communication, comply with legal obligations, or defend legal claims.
- Technical usage data and server-related logs are retained only for as long as necessary for security, diagnostic, and operational purposes, in accordance with the settings and retention practices of the relevant provider.

Once the relevant purpose has been fulfilled and no legal reason for further retention applies, the data will be deleted or no longer actively retained.

Your personal data may be processed in countries outside your country of residence, including outside the European Union or European Economic Area, where I use external service providers for hosting, contact form handling, email communication, or form security.

This may include providers such as Vercel, Web3Forms, Google, and Intuition Machines, Inc. (hCaptcha).

Where personal data is transferred outside the European Economic Area (EEA), such transfers are carried out on the basis of an applicable legal mechanism under Chapter V GDPR. This may include an adequacy decision of the European Commission or appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs), where required.

I take reasonable steps to ensure that personal data remains protected in accordance with applicable data protection law.

As a data subject, you have the following rights:

- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

Where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

If you believe your data protection rights have been violated, you may lodge a complaint with the competent supervisory authority.
In Spain, this is:
‍
‍Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6
28001 Madrid, Spain
www.aepd.es

‍Additionally, if you are based in Germany, you may also contact your local German State Data Protection Authority.

I implement appropriate technical and organizational measures in accordance with Article 32 GDPR to protect personal data against unauthorized access, loss, misuse, alteration, or unlawful disclosure, taking into account the nature of the data processed and the risks involved.

I may update this Privacy Policy from time to time to reflect legal, technical, or operational changes. The current version published on this website is the version that applies.