Effective date: April 16, 2026.
1. Controller
Biocompile Startup Project, jointly operated by Aaron Schaller, Maximilian Bode, Aaron Riedling, and Harlin Jhyont (Art. 26 GDPR joint controllers).
[POSTAL ADDRESS PLACEHOLDER]
Email: contact@biocompile.com
The founders have agreed that [PRIMARY CONTACT FOUNDER PLACEHOLDER] is the single contact point for data-subject rights requests. All four founders remain jointly responsible. See the imprint for the current operator details.
2. Data we collect
2.1 Contact form
When you use our contact form, we collect your email address and message. By checking the consent checkbox on the form, you consent to this processing solely to respond to your inquiry (Art. 6(1)(a) GDPR). Your message is forwarded to our team inbox and not stored in a database. We retain correspondence for the duration of the inquiry thread plus six months after the last exchange. You may withdraw consent at any time by contacting us, though this does not affect the lawfulness of processing carried out before withdrawal.
2.2 Analytics (PostHog EU)
We use PostHog, hosted exclusively in the EU (Frankfurt, Germany), for privacy-preserving aggregate usage measurement. PostHog operates in one of three modes depending on your consent choice:
- Before you make a choice (anonymous mode). We record a single anonymous page-view event per visit containing only the path you are viewing, the domain of the referring site (if any), and a coarse viewport class (mobile / tablet / desktop). No cookies or localStorage entries are set, no device identifier is persisted across visits, autocapture and session recording are disabled, and we instruct PostHog to discard your IP address. Anonymous mode stores nothing on your device, so it falls outside TTDSG Section 25 consent requirements. This is based on our legitimate interest in measuring aggregate use of our public marketing site (Art. 6(1)(f) GDPR). The processing is strictly limited to what is necessary to produce aggregate statistics and cannot identify you.
- After you accept (full mode). We record page views, clicks (autocapture), Core Web Vitals, and anonymized session recordings to improve the site. Session recordings automatically mask all form inputs and text content so no personal data is visible. A visit identifier is stored in localStorage and a cookie to link events within a session. This is based on your consent (Art. 6(1)(a) GDPR). PostHog analytics data is retained for up to 12 months and aggregated thereafter.
- After you decline (no analytics). No PostHog requests are made and any in-memory analytics from anonymous mode are opted out.
Feature-flag decision endpoints and third-party data sharing are disabled in every mode.
Session recordings are only active in full mode (after you accept) and automatically mask
all form inputs and text content. We honour the Do-Not-Track (DNT) browser signal and the
Global Privacy Control (GPC) signal; when either is detected, analytics are
disabled entirely. You can withdraw or re-grant consent at any time via the "Cookie settings"
link in the footer (Art. 7(3) GDPR).
2.3 Bot protection (Cloudflare Turnstile)
Our contact form uses Cloudflare Turnstile to protect against automated abuse. Turnstile processes limited technical data (browser type, interaction patterns) to verify you are human. This is based on our legitimate interest in preventing spam (Art. 6(1)(f) GDPR).
2.4 Server logs
Our hosting provider (Scaleway) records standard server access logs containing truncated IP addresses, request paths, timestamps, and HTTP status codes. These are retained for up to 14 days and used exclusively for security monitoring and debugging.
3. Hosting and processors
This website is hosted by:
- Scaleway (Paris, France) — server infrastructure
- Cloudflare (EU data centers) — CDN, DDoS protection, Turnstile
- PostHog (Frankfurt, Germany) — analytics (consent-gated)
All processors are GDPR-compliant with appropriate data processing agreements in place. All data remains within the European Union.
4. Your rights
Under GDPR, you have the right to:
- Access your personal data (Art. 15)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent at any time (Art. 7(3))
- Lodge a complaint with [LEAD SUPERVISORY AUTHORITY PLACEHOLDER] or your local supervisory authority
To exercise any of these rights, contact us at contact@biocompile.com. We will respond within one month.
4.1 California residents
If you are a California resident, the following additional disclosures apply under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) and the California Online Privacy Protection Act (CalOPPA):
- Categories of personal information collected: Internet or other electronic network activity information (anonymized pageviews in anonymous mode; pageviews, clicks, and Web Vitals in full mode); identifiers (email address via the contact form only).
- Sale or sharing: We do not sell or share your personal information as defined under CCPA. PostHog operates as a service provider under contract and does not receive data for its own commercial purposes.
- Your rights: You have the right to know what personal information we collect, to request deletion, and to request correction. To exercise these rights, email contact@biocompile.com. We will respond within 45 days.
- Do Not Track / Global Privacy Control: This site honours both the DNT browser signal and the GPC signal. When either is detected, all analytics are disabled.
5. Cookies and storage
This website sets no cookies and writes nothing to your browser's storage before you make a
choice on the consent banner. If you accept analytics, a consent preference
(__biocompile_consent) is stored in localStorage and persists until you clear it
or use the "Cookie settings" link in the footer. No third-party tracking cookies are used at
any time.
For details on what each consent mode does, see Cookie Notice.
6. Retention summary
- Contact-form correspondence: duration of the inquiry thread + 6 months
- PostHog analytics (full mode): up to 12 months, aggregated thereafter
- Server logs: up to 14 days
- Consent choice: persisted in your browser's localStorage until you clear it
7. Changes
We may update this privacy policy to reflect changes in our practices or legal requirements. The current version is always available at this URL.