JVLIXICosplay · Photography · NRW
HOMEPORTFOLIOABOUT
Privacy notice (GDPR Art. 13)

Privacy Policy

As of: May 2026 Effective from: 21.05.2026

This English version is provided for international visitors. The legally binding version is the German one at <https://jvlixi.de/de/legal/datenschutz>. References to German law are kept in their original form.

1. Controller

The controller for the processing of personal data within the meaning of the General Data Protection Regulation (GDPR) is:

IDENTIC Projects eGbR represented by: Julia Wiegenstein Kreuzberg 71 59846 Sundern Germany

  • Email (company): julia.wiegenstein@identic.pro
  • Phone: +49 151 50998427

Court of registration: Amtsgericht Arnsberg, Register of partnerships GR 1 VAT ID: DE365671448

1a. Data Protection Contact

For questions regarding the processing of your personal data or to exercise your data subject rights, please contact our internal data protection officer:

Julia Wiegenstein Email: julia.wiegenstein@identic.pro

A statutory obligation to appoint an external data protection officer does not currently apply (§ 38 (1) BDSG — the threshold of 20 persons constantly engaged in the automated processing of personal data is not reached). Should this change, this privacy policy will be updated accordingly.

2. General on Data Processing

2.1 Scope of Personal Data Processing

We process personal data of our visitors only to the extent necessary to provide a functional website and our content. Processing is regularly carried out on the basis of a statutory permission under Art. 6 GDPR; we currently do not collect consent because we do not perform any processing that requires consent.

2.2 Legal Bases

Where we need to identify a legal basis for processing operations, the following may apply:

  • Art. 6 (1) (a) GDPR — Consent (currently not relevant)
  • Art. 6 (1) (b) GDPR — Performance of a contract / pre-contractual measures (currently not relevant)
  • Art. 6 (1) (c) GDPR — Compliance with a legal obligation
  • Art. 6 (1) (f) GDPR — Legitimate interest (in particular: site security, reach measurement)

2.3 Data Erasure and Storage Duration

Personal data is deleted or blocked as soon as the purpose of storage no longer applies. Storage beyond this may take place if so provided for by European or national legislators. Specific retention periods for individual processing operations are stated below in the respective sections.

3. Hosting and Provision of the Website

The website is hosted with:

Google Cloud Platform — Cloud Run Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (acting on behalf of Google LLC, USA) Processing location: Region `europe-west1` (Frankfurt am Main, Germany)

Data processed: Each request inevitably generates technical connection data in server logs (see section 4).

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in stable site operation).

Third country transfer: While Google Cloud operates the data centre in the EU, the parent company Alphabet/Google is based in the USA. Third-country transfers may occur (e.g. for support, log analysis). Such transfers are safeguarded by:

  • the EU-US Data Privacy Framework (DPF, adequacy decision of 10 July 2023, confirmed by the EU General Court in September 2025) — Google is DPF-certified
  • additionally Standard Contractual Clauses (SCCs) of the EU Commission as a fallback

Further information: <https://policies.google.com/privacy> and <https://cloud.google.com/security/compliance/eu-us-data-privacy-framework>.

4. Server Logfiles

When this website is accessed, the hosting provider automatically stores data in server logfiles, namely:

  • IP address of the requesting device (truncated / anonymised)
  • Date and time of access
  • Name and URL of the file requested
  • Volume of data transferred
  • Server status message
  • Browser type and version
  • Operating system
  • Referrer URL (previously visited site)

Purpose: Provision of the website, ensuring stability and security (attack detection, error diagnosis).

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest).

Storage duration: Logfiles are deleted or anonymised after a maximum of 30 days, unless concrete indications of a security incident require longer retention.

5. Image Delivery (Sanity Asset CDN)

Images on this website are delivered via the Content Delivery Network (CDN) of the CMS provider Sanity.

Provider: Sanity.io ApS, Sankt Annæ Plads 11, 1250 Copenhagen K, Denmark

Data processed: When loading an image, your IP address is transmitted to the domain `cdn.sanity.io`. No data beyond image delivery is collected.

Purpose: Performant delivery of optimised images via a globally distributed CDN.

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in fast, resource-efficient image delivery).

Third country transfer: Sanity is based in Denmark/EU but partly operates infrastructure in the USA. Such transfers are safeguarded by:

  • the EU-US Data Privacy Framework (DPF) — Sanity is DPF-certified
  • additionally Standard Contractual Clauses (SCCs) as a fallback

Further information: <https://www.sanity.io/legal/privacy>.

6. Reach Measurement with Plausible Analytics

We use Plausible Analytics for the statistical analysis of website usage.

Provider: Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia (EU)

Data processed: Plausible does not collect personal data, sets no cookies, and uses no unique identifiers. Only aggregated values are recorded:

  • URL accessed (anonymised)
  • Referrer URL (anonymised)
  • Approximate country (derived from IP — the IP itself is not stored)
  • Device type, browser, and operating system (in categories)
  • Time and time-on-page

Plausible uses an anonymised hash value per day and IP to count repeat visits as the same session, without storing the IP. The hash cannot be used to identify a person and is discarded after 24 hours.

Purpose: Understanding reach and improving content.

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in privacy-friendly reach measurement). Since Plausible does not store or read any information on end devices, the exception under § 25 (2) no. 2 TDDDG applies — no consent is required.

Storage location: Servers in Germany and Estonia (within the EU). No third-country transfer.

Further information: <https://plausible.io/data-policy>.

7. Fonts (Google Fonts via next/font)

We use the typefaces "Space Grotesk" and "JetBrains Mono". These are bundled locally at build time using the Next.js framework (`next/font/google`) and served from our own server (Cloud Run, Frankfurt).

Important: No connection to Google servers takes place when the page is loaded. The fonts are stored statically on the hosting server. There is no third-country transfer to Google for fonts.

8. External Links (Instagram Profiles)

On the detail pages of cosplay shoots, the Instagram profiles of the depicted cosplayers are linked as external links (format: `https://instagram.com/<handle>`). These are plain hyperlinks, not embedded content and not tracking pixels. No data is transmitted to Instagram/Meta when the page is loaded.

Only when you actively click such a link will you be redirected to the Instagram website — from that point on, Meta's privacy policy applies (<https://privacycenter.instagram.com/policy/>).

9. Cookies and Comparable Technologies

This website sets no cookies and uses no comparable tracking technologies that would require consent under § 25 (1) TDDDG.

For functional reasons, your browser may store a technically required entry in local storage (`localStorage`) for the language selection (German / English). Such storage is permissible under § 25 (2) no. 2 TDDDG, as it is strictly necessary to provide the "language switch" feature.

Since nothing requiring consent is loaded, there is no cookie banner on this website.

10. Content Editing in the Studio (Sanity)

Content (texts, images) is edited by the operator herself via the Sanity Studio at `https://jvlixi.sanity.studio`. This admin interface is not public and only accessible after login with a Sanity account.

Authentication cookies are set by Sanity during login. This processing concerns only the operator herself, not visitors of the public website jvlixi.de.

11. Processors

The following service providers process data — on our behalf or as joint controllers — that arises in connection with the operation of this website:

Google Ireland Ltd. (Cloud Run)

  • Purpose: Hosting
  • Location: Ireland (EU); group: USA
  • Third-country transfer: yes (USA, group access)
  • Legal basis / safeguard: Art. 6 (1) (f); DPF + SCCs

Sanity.io ApS

  • Purpose: CMS backend, asset CDN
  • Location: Denmark (EU); infrastructure partly USA
  • Third-country transfer: yes (USA, infrastructure)
  • Legal basis / safeguard: Art. 6 (1) (f); DPF + SCCs

Plausible Insights OÜ

  • Purpose: Reach measurement
  • Location: Estonia (EU)
  • Third-country transfer: no
  • Legal basis / safeguard: Art. 6 (1) (f); § 25 (2) no. 2 TDDDG

Data processing agreements (DPAs) under Art. 28 GDPR have been or will be concluded with Sanity and Google — with Sanity via the standard DPA (<https://www.sanity.io/legal/dpa>), with Google Cloud via the Cloud Data Processing Addendum (CDPA), which is automatically activated when the Cloud Run service is set up. With Plausible, due to the pseudonymous, aggregate processing, no classic processor relationship exists; the legal basis is the legitimate interest in privacy-friendly reach measurement.

12. Third Country Transfers (Summary)

Where we transfer data to third countries (outside the EU/EEA), or have data transferred for us, this is done exclusively on the basis of one of the following safeguards:

  • Adequacy decision of the EU Commission, in particular the EU-US Data Privacy Framework (DPF, valid for US recipients with active certification)
  • Standard Contractual Clauses of the EU Commission pursuant to Art. 46 (2) (c) GDPR
  • where applicable: Binding Corporate Rules of the respective group

Recipients certified under the DPF are: Google LLC, Sanity.io Inc. (US subsidiary of Sanity ApS).

13. Your Rights as a Data Subject

You have the following rights vis-à-vis us regarding personal data concerning you:

  • Art. 15 GDPR — Right of access to the data processed about you
  • Art. 16 GDPR — Right to rectification of incorrect or incomplete data
  • Art. 17 GDPR — Right to erasure ("right to be forgotten")
  • Art. 18 GDPR — Right to restriction of processing
  • Art. 20 GDPR — Right to data portability
  • Art. 21 GDPR — Right to object to processing based on legitimate interests (Art. 6 (1) (f) GDPR) — in particular against reach measurement with Plausible
  • Art. 7 (3) GDPR — Right to withdraw consent with effect for the future (currently not relevant, as no consent is collected)

To exercise these rights, an informal message to the email address provided in section 1 is sufficient.

14. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data (Art. 77 GDPR). The competent authority is that of the data subject's place of residence or work, or the controller's place of establishment.

The competent authority for the controller (based in North Rhine-Westphalia) is:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW) Kavalleriestraße 2-4 40213 Düsseldorf, Germany Phone: +49 211 38424-0 Email: poststelle@ldi.nrw.de Web: <https://www.ldi.nrw.de>

15. Currency and Amendment of This Privacy Policy

This privacy policy is currently valid. Due to further development of the website or changes in legal requirements, it may become necessary to adapt it. The current version is always available at <https://jvlixi.de/en/legal/datenschutz>.

UPDATED · 2026-05-05

© 2026 JVLIXIIMPRINTPRIVACY