BirdFlai

Privacy Policy

Last updated: February 22, 2026

1. Overview

BirdFlai UG ("we", "us", "our") is committed to protecting your privacy. This policy explains how we collect, use, and protect your personal data when you visit birdflai.com and all its subdomains (the "Website").

2. Data Controller

The data controller for the purposes of the EU General Data Protection Regulation (GDPR) is:

BirdFlai UG (haftungsbeschränkt)
Tarpenbekstraße 13
22848 Norderstedt, Germany
Email: jan@birdflai.com

For full company details, see our Imprint page.

A Data Protection Officer (DPO) is not required for our company under Art. 37 GDPR due to the nature and scale of our data processing activities.

3. Data We Collect

  • Contact form data: Name, email address, company name, subject, and message when you submit the contact form.
  • Analytics data (consent-based): Page views, session duration, device and browser information, and approximate location (country level). Collected via Google Analytics 4, only after you have given explicit consent.
  • Server logs (Vercel): IP address, browser type, timestamps, and requested URL. Automatically collected by our hosting provider for security and availability purposes.
  • Consent data (Cookiebot): Your consent status, timestamp, and anonymized IP address. Stored by Cookiebot to document and verify your consent choices.

4. Legal Basis for Processing

We process your personal data on the following legal bases under the GDPR:

  • Contact form: Art. 6(1)(b) GDPR: processing is necessary for pre-contractual measures and to respond to your inquiry.
  • Analytics cookies: Art. 6(1)(a) GDPR: processing is based on your explicit consent given via the Cookiebot consent banner.
  • Server logs: Art. 6(1)(f) GDPR: processing is based on our legitimate interest in ensuring the security, stability, and availability of our Website.
  • Consent management: Art. 6(1)(c) GDPR: processing is necessary to comply with our legal obligation to document consent under the GDPR and ePrivacy Directive.

5. Cookies and Consent

We use Cookiebot as our Consent Management Platform (CMP). Cookiebot is integrated with Google Consent Mode v2, which ensures that Google Analytics only processes data in accordance with your consent choices.

Necessary cookies (no consent required):

  • CookieConsent (Cookiebot): Stores your cookie consent preferences. Expires after 12 months.

Analytics cookies (only set after explicit consent):

  • _ga (Google Analytics): Distinguishes unique visitors. Expires after 2 years.
  • _ga_* (Google Analytics): Maintains session state. Expires after 2 years.

We do not use any advertising, marketing, or personalization cookies.

You can change or withdraw your consent at any time via the cookie settings link in the footer of our Website.

6. Google Analytics 4

We use Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

  • Purpose: Analysis of website usage to improve our content and services.
  • Data collected: Pages visited, session duration, device and browser information, approximate location (country level).
  • IP anonymization: GA4 does not log or store full IP addresses by default.
  • Consent requirement: Analytics data is only collected after you have given explicit consent via the Cookiebot consent banner.
  • Retention period: 14 months.
  • Opt-out: You can withdraw your consent at any time via the cookie settings on our Website. You can also install the Google Analytics Opt-out Browser Add-on.

7. Third-Party Processors

We use the following third-party service providers to operate our Website:

  • Vercel Inc. (San Francisco, USA): Website hosting and CDN. Data transfer to the USA is covered by the EU-US Data Privacy Framework.
  • Resend Inc. (USA): Email delivery for contact form submissions. Data transfer to the USA is covered by Standard Contractual Clauses (SCCs).
  • Google Ireland Limited / Google LLC (Dublin, Ireland / Mountain View, USA): Analytics via GA4. Data transfer to the USA is covered by the EU-US Data Privacy Framework.
  • Usercentrics A/S (Cookiebot) (Copenhagen, Denmark): Consent management. Data is processed within the EU; no international transfer required.

8. International Data Transfers

Some of our service providers are based in the United States. When personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • EU-US Data Privacy Framework (DPF): Where applicable, transfers are based on the adequacy decision by the European Commission (July 10, 2023), which recognizes the EU-US Data Privacy Framework as providing adequate protection for personal data.
  • Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply, we rely on Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR as approved by the European Commission.

You may request a copy of the applicable safeguards by contacting us at jan@birdflai.com.

9. Your Rights (GDPR)

You have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erasure of your data (Art. 17)
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)
  • Withdraw consent at any time (Art. 7(3))
  • Lodge a complaint with a supervisory authority (Art. 77)

To exercise any of these rights, please contact us at jan@birdflai.com.

You also have the right to lodge a complaint with a data protection supervisory authority. The responsible authority for BirdFlai UG is the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD), Holstenstraße 98, 24103 Kiel, Germany.

10. Automated Decision-Making

We do not use automated decision-making or profiling as defined by Art. 22 GDPR. No decisions with legal or similarly significant effects are made automatically based on your personal data.

11. Data Retention

We retain your personal data only for as long as necessary for the purposes for which it was collected:

  • Contact form submissions: 12 months
  • Server logs (Vercel): 30 days
  • Analytics data (GA4): 14 months
  • Consent records (Cookiebot): 12 months

12. Changes

We may update this Privacy Policy from time to time. The date at the top indicates the latest revision.

13. Contact

For privacy-related questions, please contact us at jan@birdflai.com or see our Imprint.