Legal · Privacy
Imprint & privacy notice.
Who runs this site, what (very little) data it processes, and the rights you have under EU GDPR, UK GDPR, and Maltese law. Plain language; no dark patterns.
Last updated: 5 May 2026 · Version 1.0
1 / Imprint & operator
Required disclosures under Article 9 of the Maltese Electronic Commerce Act (Cap. 426) and Article 5 of EU Directive 2000/31/EC.
- Operator: Karsten Schneiderwind — natural person, registered as a part-time self-employed sole trader in Malta
- Business identity: tidewind.io is an unregistered trading style used by Karsten Schneiderwind for this consulting practice. It is not a separate legal entity, company, or registered trade name. All contracts and invoices are issued by, and any liability rests with, the natural person named above.
- Address: Triq Luigi Fontana 118, Flat 9, ZBG 3654, Ħaż-Żebbuġ, Malta
- karsten@tidewind.io
- VAT ID: MT-XXXXXXXX (part-time registration under Article 12 of the Malta Value Added Tax Act, Chapter 406)
- Responsible: Karsten Schneiderwind (responsible for content under Art. 9 Cap. 426)
This is a self-employed consulting practice. It is not registered as a company or partnership, is not enrolled with any professional regulatory body, and is not subject to any sectoral authorisation regime beyond general commercial, tax, and data-protection law. Maltese sole traders are not required to register a trade name.
2 / Data controller
For the purposes of EU Regulation 2016/679 (the EU GDPR), the UK Data Protection Act 2018 with the retained EU Regulation 2016/679 (the UK GDPR), and Malta’s Data Protection Act (Cap. 586), the data controller for any personal data processed via this site is the operator named in §1 above.
No data protection officer (DPO) is appointed. The processing carried out by this site does not meet the criteria in Article 37 GDPR that would require one: there is no large-scale processing, no systematic monitoring, and no special-category data.
I am established in Malta (an EU member state). I do not appoint an Article 27 GDPR representative because Article 27 applies only to controllers established outside the EU. For UK GDPR, I rely on the Article 27(2)(a) UK GDPR exemption: any UK-related processing is occasional, does not include special-category or criminal-conviction data on a large scale, and is unlikely to result in a risk to data subjects.
3 / What this site collects
The short answer: nothing the site itself decides to collect. tidewind.io is a fully static page with no analytics, no tags, no pixels, no third-party scripts, and no embedded content from other domains.
Specifically, this site does not
- set any cookies (no first-party, no third-party);
- use localStorage, sessionStorage, IndexedDB, or any other client-side storage;
- load Google Analytics, Google Tag Manager, Plausible, Matomo, Hotjar, Facebook Pixel, or any other analytics or marketing tag;
- load fonts, scripts, stylesheets, images, or videos from any external CDN — everything is self-hosted from tidewind.io;
- embed iframes, social-media widgets, maps, calendars, chat widgets, or any third-party UI;
- operate any contact form, search box, newsletter signup, or other field that posts data to a server;
- build profiles, score visitors, or perform any automated decision-making in the sense of Article 22 GDPR.
Personal data only reaches me when you deliberately send it — today that means email (see §6).
5 / Hosting & logs
The site is served from Cloudflare’s global edge network (Cloudflare Workers with Static Assets). When your browser fetches a page, your IP address and request headers are necessarily visible to Cloudflare in order to route the response back to you and to protect the site against denial-of-service and other attacks.
- Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA) acts as a processor on my behalf for content delivery and edge security under Article 28 GDPR, governed by Cloudflare’s Data Processing Addendum and Standard Contractual Clauses for international transfers.
- Cloudflare may process IP addresses, request metadata, and approximate geolocation transiently for routing, caching, TLS termination, bot-management, and abuse mitigation. Retention of those edge logs is governed by Cloudflare’s own privacy policy.
- The Worker code that runs in front of the site (src/worker.js in the public source tree) does not log IPs, write to any datastore, call any third-party API, or set any cookies. It is a maintenance-mode gate and a styled error handler — nothing more.
- Cloudflare Web Analytics is disabled. No analytics beacon is loaded.
The legal basis for this processing is Article 6(1)(f) GDPR (legitimate interest in delivering the site and protecting it against attack). You can object under Article 21 by not visiting the site — there is no logged-in profile to opt out of.
6 / Email correspondence
The contact link on the home page opens your own email client with my address pre-filled (mailto:karsten@tidewind.io). The site itself does not transmit, intercept, store, or process the message; that all happens in your mail client and between your mail provider and mine.
Once your email arrives in my inbox, I process the personal data it contains — typically your name, email address, employer, and whatever you choose to write — in order to reply and, where appropriate, evaluate and deliver an engagement.
- Mailbox provider: my email is hosted by Proton AG (Route de la Galaise 32, 1228 Plan-les-Ouates, Geneva, Switzerland) on the Proton Mail service. Switzerland is recognised by the European Commission as providing an adequate level of data protection (Article 45 GDPR adequacy decision, most recently renewed in 2024) and is similarly recognised under the UK adequacy regulations 2021, so no separate Article 46 transfer mechanism is needed. Proton AG is also subject to the Swiss Federal Act on Data Protection (revFADP).
- Encryption at rest: Proton Mail applies zero-access encryption to messages stored on its servers, so the mailbox provider itself cannot read message bodies or attachments. Mail between two Proton accounts is end-to-end encrypted by default; mail to and from non-Proton accounts is protected by opportunistic TLS in transit and (where you supply a PGP key, or use Proton’s password-protected message feature) by end-to-end encryption as well.
- Storage: emails sit in the Proton mailbox and standard provider backups. They are not exported into any CRM, marketing tool, or third-party AI service.
- Use: only to reply to you, to deliver any engagement we agree, to comply with statutory record-keeping (e.g. invoicing, tax), and to defend any legal claims.
7 / Legal bases
I rely on the following bases under Article 6(1) GDPR (and the equivalent UK GDPR provisions):
- Art. 6(1)(b) — performance of a contract or pre-contractual steps. When you email about a possible engagement, I process your message to evaluate, scope, and (if we agree) deliver the work.
- Art. 6(1)(f) — legitimate interests. Replying to general inquiries, operating and securing the website (via Cloudflare), and defending against legal claims. The balancing test favours processing because the data is volunteered, the volumes are small, and you can stop the processing at any time by ceasing contact and asking for erasure.
- Art. 6(1)(c) — legal obligation. Tax and accounting record-keeping for engagements that result in invoicing, as required by Maltese tax and VAT law.
8 / How long data is kept
- General inquiries that do not lead to an engagement: deleted within 12 months of the last meaningful exchange, unless you ask for earlier deletion.
- Active engagements: kept for the duration of the engagement and up to 6 years afterwards, in line with the limitation period for contractual claims under Article 2156 of the Maltese Civil Code (and comparable EU/UK limitation rules).
- Invoicing and accounting records: retained for the periods required by Maltese tax and VAT law — ordinarily 10 years for VAT records and 9 years for income-tax-relevant records under the Income Tax Management Act.
- Cloudflare edge logs: governed by Cloudflare’s own retention schedule; I do not control or extend it.
9 / Recipients & international transfers
I do not sell, rent, or share personal data with anyone for marketing or analytics. The only routine recipients of personal data processed in connection with this site are:
- Cloudflare, Inc. (USA) — as edge/hosting processor (see §5). International transfers are covered by the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, alongside Cloudflare’s technical and organisational measures.
- Proton AG (Switzerland) — as processor for inbound and outbound email (see §6). Transfers to Switzerland rely on the European Commission’s Article 45 adequacy decision and the equivalent UK adequacy regulations.
- The Maltese tax authorities (Office of the Commissioner for Revenue) — for invoiced engagements only, to the extent required by Maltese tax and VAT law.
- Courts, regulators, or counterparties — only where necessary to comply with a binding legal obligation or to establish, exercise, or defend a legal claim.
The only routine transfers of personal data outside the EEA and the UK are the Cloudflare and Proton AG relationships described above. The Cloudflare transfer to the United States is covered by Article 46 safeguards (EU SCCs and the UK IDTA); the Proton AG transfer to Switzerland is covered by the Article 45 adequacy decision and the corresponding UK adequacy regulations, so no additional transfer mechanism is required.
10 / Your rights
If I hold personal data about you, you have the following rights under Articles 15–22 GDPR (and the matching UK GDPR articles):
- Access — ask for a copy of the personal data I hold about you and the information in this notice in greater detail.
- Rectification — ask me to correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”) — ask me to delete data that is no longer necessary, where processing was based on consent that you withdraw, or where you successfully object.
- Restriction — ask me to limit processing while accuracy or another issue is investigated.
- Portability — for data you provided under a contract or consent, receive it in a structured, machine-readable format (e.g. an .mbox export of our correspondence).
- Object — object at any time to processing based on legitimate interests; I will stop unless I can show compelling grounds that override your interests.
- Not be subject to automated decision-making — this site does none, so the right is satisfied by default.
To exercise any of these rights, email karsten@tidewind.io. I respond within one month (Article 12(3) GDPR), and there is no charge for reasonable requests.
11 / Complaints
You can lodge a complaint with the data protection authority of your habitual residence, place of work, or place of the alleged infringement. The most directly relevant authorities are:
- Malta: Office of the Information and Data Protection Commissioner (IDPC) — idpc.org.mt
- EU member state: your national data protection authority — the list is maintained by the European Data Protection Board at edpb.europa.eu
- United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk
I would appreciate the chance to address your concern directly first — one short email to karsten@tidewind.io is usually faster — but you are not required to do so before contacting a supervisory authority.
12 / Security
The site is served only over HTTPS with HSTS preloaded for two years; a strict Content-Security-Policy blocks any third-party script, style, font, image, or fetch from loading; mixed content is auto-upgraded; and the site cannot be embedded in iframes anywhere (frame-ancestors 'none'). A machine-readable security contact lives at /.well-known/security.txt per RFC 9116.
Email correspondence is hosted on Proton Mail with zero-access encryption at rest, opportunistic TLS in transit, and end-to-end encryption between Proton accounts or with any correspondent who supplies a PGP public key. If you would like to send sensitive material end-to-end encrypted, email me first for my PGP key (or use Proton’s password-protected message feature from your own Proton account).
13 / Changes to this notice
If this notice changes in any substantive way, the last updated date and version number at the top of the page will move forward and a short summary of what changed will be added below this paragraph for at least 12 months. Cosmetic edits (typos, layout) are not flagged.