This Privacy Policy explains how BC Copilot Hangar collects, uses, and protects your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable Luxembourg data protection law.
This Website is operated from Luxembourg. By using the Website and its Services, you acknowledge this Policy. If you do not agree, please do not use the Website.
Who we are (Data Controller)
The data controller responsible for your personal data is:
This is a personal blog and not a commercial entity. No Data Protection Officer (DPO) is appointed, as the processing activities do not meet the threshold requiring mandatory DPO designation under Article 37 GDPR.
Legal bases for processing
We only process your personal data where we have a valid legal basis under Article 6 GDPR:
| Processing activity | Legal basis | Article |
|---|---|---|
| Contact form submission | Consent / pre-contractual steps | Art. 6(1)(a)(b) |
| Newsletter subscription | Consent | Art. 6(1)(a) |
| Blog comments | Consent | Art. 6(1)(a) |
| Website security & hosting | Legitimate interests | Art. 6(1)(f) |
| Legal obligations | Legal obligation | Art. 6(1)(c) |
What personal data we collect
We collect only the minimum data necessary for each purpose (data minimisation principle, Art. 5(1)(c) GDPR):
- Contact form: name, email address, message content.
- Newsletter: email address only, stored in our Cloudflare D1 database and synced to Resend Contacts for newsletter delivery.
- Blog comments: display name and comment text. No email is stored publicly.
- Server logs: IP addresses and request metadata processed by Cloudflare for security purposes. We do not access or store these logs ourselves.
We do not collect special category data (Art. 9 GDPR) and do not engage in automated decision-making or profiling (Art. 22 GDPR).
How we use your data
- Responding to your contact form enquiry
- Sending the newsletter you subscribed to
- Displaying your approved comment on the blog
- Ensuring the security and proper operation of the Website
- Complying with applicable legal obligations
We do not use your data for advertising, profiling, or any purpose incompatible with the purpose for which it was collected (purpose limitation, Art. 5(1)(b) GDPR).
Third-party processors
We engage the following sub-processors under Article 28 GDPR. Each processes data only on our documented instructions:
| Processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Website hosting, CDN, DDoS protection, D1 database (comments, newsletter subscriptions) | USA / global edge |
| Resend, Inc. | Transactional email, newsletter contact management, newsletter delivery | USA |
We do not sell your data or share it with any other third parties for their own purposes.
International data transfers
Both Cloudflare and Resend are US-based companies. Transfers of personal data to the United States are subject to the requirements of Chapter V GDPR. Both providers participate in the EU–US Data Privacy Framework (adequacy decision adopted by the European Commission on 10 July 2023) and/or rely on Standard Contractual Clauses (SCCs) as an appropriate safeguard for international transfers.
You may request a copy of or information about the applicable transfer mechanisms by contacting us.
Retention periods
We retain personal data only for as long as necessary for the purpose for which it was collected (storage limitation, Art. 5(1)(e) GDPR):
- Contact form data: retained for up to 12 months from the date of correspondence, then deleted.
- Newsletter email: retained until you unsubscribe or request deletion.
- Blog comments: retained for the lifetime of the published post unless you request deletion.
- Server/access logs: managed by Cloudflare per their data retention policy.
Your rights under the GDPR
As a data subject under the GDPR, you have the following rights. You may exercise any of them free of charge by contacting us — we will respond within one month (Art. 12 GDPR):
- → Right of access (Art. 15): Obtain a copy of the personal data we hold about you and information about how it is processed.
- → Right to rectification (Art. 16): Have inaccurate or incomplete personal data corrected.
- → Right to erasure / "right to be forgotten" (Art. 17): Request deletion of your personal data where there is no overriding legitimate reason to continue processing.
- → Right to restriction (Art. 18): Request that we restrict processing of your data under certain circumstances.
- → Right to data portability (Art. 20): Receive your data in a structured, machine-readable format and transmit it to another controller.
- → Right to object (Art. 21): Object to processing carried out on the basis of legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
- → Right to withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
- → Right not to be subject to automated decisions (Art. 22): We do not carry out automated decision-making or profiling.
Links to other websites
The Website may contain links to third-party websites. We are not responsible for the privacy practices of those sites. We recommend reviewing the privacy policy of any website you visit via a link from our pages.
Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure as required by Art. 32 GDPR. These include:
- TLS/HTTPS encryption for all data in transit
- Cloudflare WAF and DDoS protection
- Restricted access to data stores
- No unnecessary storage of personal data
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours in accordance with Art. 33 GDPR, and affected individuals if required under Art. 34 GDPR.
Changes to this policy
We may update this Policy from time to time to reflect changes in our practices or applicable law. The "last updated" date at the bottom will always reflect the most recent revision. Where changes are material, we will make reasonable efforts to notify you.
This document was last updated on March 9, 2026. It is governed by the laws of the Grand Duchy of Luxembourg and the General Data Protection Regulation (EU) 2016/679.
Social media features
Share buttons (LinkedIn, WhatsApp, X/Twitter, copy-link) are implemented as plain HTML links. No third-party scripts are loaded and no cookies are set by these buttons unless you actively click them and are redirected to the platform. Any data processed by those platforms after redirection is governed by their respective privacy policies.