Privacy Policy
Last updated: June 17, 2026
1. Controller
The controller for the processing of personal data on this website (within the meaning of the GDPR) is:
Stehrway is a sole proprietorship established in Canada. Because we direct our German-language services to users in Germany/the EU and analyse visitor behaviour, the GDPR applies under Art. 3(2). Canadian privacy law (PIPEDA, Quebec Law 25) and Germany’s §25 TDDDG (consent for device access) also apply.
2. Legal bases
- Art. 6(1)(a) GDPR — your consent (e.g. analytics / session replay);
- Art. 6(1)(b) GDPR — (pre-)contractual measures (e.g. contact requests);
- Art. 6(1)(f) GDPR — our legitimate interest in a secure, functional website.
3. Your rights
Under the GDPR you have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21) and to withdraw consent at any time with future effect (Art. 7(3)).
A short message to hello@stehrway.com is enough. You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR), usually the one where you reside. Visitors in Canada may contact the Office of the Privacy Commissioner of Canada or the Commission d’accès à l’information du Québec.
4. Data we collect on this website
Hosting (Vercel)
This site is hosted by Vercel Inc. (USA), which processes technically necessary connection data (IP address, timestamp, requested resource) on the basis of Art. 6(1)(f) GDPR, under a data-processing agreement (Art. 28 GDPR).
Server log files
The host automatically collects log files (browser type/version, OS, referrer URL, timestamp, IP address) on the basis of Art. 6(1)(f) GDPR; this data is not merged with other sources.
Cookies and consent
We use strictly necessary cookies (e.g. to store your language, theme and consent choice). Non-essential cookies and any device access for analytics happen only after your consent via our cookie banner (§25(1) TDDDG, Art. 6(1)(a) GDPR). You can change or withdraw your choice anytime via “Cookie Preferences” in the footer. Global Privacy Control (GPC) and “Do Not Track” are honoured automatically.
Analytics and session replay (Stehrway Analytics)
We use Stehrway Analytics, a self-hosted first-party tool, to understand and improve site usage: pages viewed, clicks, scroll depth, device/browser data, approximate location (from IP, not stored), referrer, and anonymised session recordings with input fields and sensitive content masked.
This processing — including session replay — runs only after your explicit consent (§25(1) TDDDG, Art. 6(1)(a) GDPR). Before consent, no session, recording or _sw_vid identifier cookie is created. Data is processed by Stehrway as a processor (Art. 28 GDPR); recordings are kept ~30 days and event data ~90 days. You can withdraw consent at any time.
Contact form and communication
When you use the contact form or email us, we process the details you provide (name, email, optionally company, industry, website URL and your message) to handle your request. Requests are stored in a database (Neon, EU region) with abuse protection/rate-limiting (Upstash), and emailed via Mailgun. Basis: Art. 6(1)(b) GDPR (pre-contractual) or (f). With valid consent, a successful request may also be counted as a conversion in Stehrway Analytics.
Voice assistant “Isa”
You may optionally start a voice conversation with our AI assistant “Isa”. Your audio is sent to ElevenLabs (USA) for processing; calls may be recorded so we can follow up. This happens only on your active request (Art. 6(1)(a)/(b) GDPR), with a notice shown before the call starts.
Payments (Stripe)
For proposals/payments we use Stripe, which processes the data necessary for the payment (Art. 6(1)(b) GDPR). This only affects clients with a corresponding proposal.
Fonts
Fonts are self-hosted at build time via next/font and served from our own server — no connection to Google servers and no transfer to third parties.
5. International transfers
Some providers (Vercel, Stripe, ElevenLabs, possibly Stehrway infrastructure) process data in the USA. Where they do, we rely on the EU-US Data Privacy Framework (adequacy decision of 10 July 2023) for certified recipients, or on Standard Contractual Clauses (Art. 46(2)(c) GDPR) with supplementary measures.
6. Retention
We keep personal data only as long as necessary for the relevant purposes or as required by law, after which it is deleted or anonymised.
7. SSL/TLS encryption
For security, this website uses SSL/TLS encryption (shown by “https://” in the address bar).
8. Updates
We may adapt this privacy policy to meet current legal requirements. The version published on this page applies.