Back to home

Privacy Policy

Last updated: June 14, 2026

How we process personal data on blog-maker.com and blog-maker.de. GDPR compliant.

1. Controller

Controller for data processing is Digital Mind Agency Ltd., Evagora Pallikaridi 38, 8010 Paphos, Cyprus, registered in the Cypriot company registry under HE 428155. Represented by Oliver Albrecht. Contact: hello@blog-maker.com.

2. What data we collect

We process only the data necessary to operate the service. On registration we store your name, email address, and a hashed password (bcrypt). On creating a brand we store domain, brand voice texts, and WordPress connection data (app-password encrypted at-rest). For article generation we store topics, outlines, pipeline outputs, and final content. If you use Stripe Checkout we forward name, email, and customer ID to Stripe; we only store the Stripe customer ID locally.

3. Cookies and Consent Mode v2

We set technically necessary cookies for login session, locale (de/en), and A/B variant persistence. These are permitted without consent (Art. 6(1)(f) GDPR, legitimate interest). Optional analytics and marketing services load only after your active consent via the cookie banner (Basic mode: before you choose, no analytics or marketing script is loaded and no connection to the providers is made). For the Google services we use Google Consent Mode v2: the default state is 'denied' (analytics_storage, ad_storage, ad_user_data, ad_personalization), and signals are only set to 'granted' after your consent. In the banner you can allow or decline each service individually (e.g. only Google Analytics but no Meta Pixel).

4. Analytics and marketing services with consent

Only with your active, per-service consent do we use: (1) Google Analytics 4 (provider Google LLC, USA; measurement ID G-ED583SQNZQ; reach measurement and page views with anonymized IP, anonymize_ip enabled; Consent Mode v2). (2) Meta Pixel (Meta Platforms Ireland Ltd.; conversion tracking and retargeting for Facebook/Instagram ads; the pixel has no Consent Mode pathway and is therefore hard-blocked in code until you consent to Meta). (3) Google Ads (Google LLC, USA; remarketing lists and conversion tracking; only active if configured). For these services data is transferred to the USA; the transfer is safeguarded by the respective providers' Standard Contractual Clauses (SCC). Your choice takes effect immediately and is documented (hashed IP and user agent, no plain-text storage, Art. 7 GDPR). You can revoke any consent per service at any time via 'Cookie Settings' in the footer or the privacy control at the bottom left; on revocation we remove the scripts, browser globals, and cookies that were set.

5. Third parties without consent (data processors)

Necessary for the service: Anthropic PBC (USA, AI article generation via Claude API). Per Anthropic Commercial Terms, API inputs are NOT used to train models by default (source: privacy.claude.com 'Is my data used for model training'). Standard Contractual Clauses (SCC) are auto-incorporated in the Anthropic Commercial DPA. Data is processed and stored in the USA. Stripe Payments Europe Ltd. (Ireland/USA, payment processing, own SCC). Sentry (USA, error tracking with anonymized source maps, SCC). Plesk mail server (EU, transactional mail).

6. Hosting and storage location

Server infrastructure: Dawico Deutschland GmbH (dawico.de), certified to ISO 27001 / ISO 50001 / ISO 9001, locations Berlin and Frankfurt am Main, Germany. Data Processing Agreement (DPA) under Art. 28 GDPR is in place. PostgreSQL 16 database encrypted at-rest, daily backups, 30-day retention. Account data, brand data, and article volumes remain in Germany. Only individual API calls to Anthropic Claude leave the EU. On request we can future-set Anthropic's `inference_geo` parameter to anchor inference compute in a specific region (1.1x token surcharge). Anthropic data storage currently remains in the USA with SCC protection.

7. Retention period

Account data is deleted 90 days after account deletion. Articles and brand data are deleted by the user actively. Stripe-related data is kept for 10 years per commercial-law requirements. Server logs are anonymized after 30 days.

8. Your rights (GDPR)

You have the right to: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), objection (Art. 21), data portability (Art. 20). Send an email to hello@blog-maker.com. We respond within 30 days. You can also file a complaint with the relevant supervisory authority (in Cyprus: Office of the Commissioner for Personal Data Protection, https://www.dataprotection.gov.cy).

9. Security

Encrypted connection (TLS 1.3, HSTS), password hashing (bcrypt cost 12), brand credentials AES-256 encrypted, regular security audits, Sentry for real-time error monitoring. In case of data breaches we inform you and the supervisory authority within 72 hours.

10. Changes

We update this policy when features or processors change. Last change: June 14, 2026. We inform you by email about material changes.