Privacy Policy

Last updated: February 26, 2026

1. Who We Are

SteadyFlow is a web design agency operated by Maxim Werle, established in Langen, Germany. We are the data controller responsible for your personal data.

Contact:
SteadyFlow — Maxim Werle
Im Birkenwaeldchen 31, 63225 Langen, Germany
Mailing address USA: 1337 W 43rd St, Unit #1365, Houston, TX 77018
Email: hello@steadyflow.io

2. Data We Collect

Contact Form (steadyflow.io)

When you submit our contact form, we collect:

  • Your name
  • Your email address
  • Your website URL (optional)
  • Your message

Purpose: To respond to your inquiry and discuss a potential business relationship.

Legal basis: Consent (Art. 6(1)(a) GDPR) — you explicitly agree to our Privacy Policy before submitting the form.

Website Scanner

When you use our free website scanner at steadyflow.io/scanner, the URL you enter is sent to the Google PageSpeed Insights API for analysis. We do not store the URLs you scan. Scan results are cached in your browser's localStorage for 24 hours to avoid repeated API calls.

Purpose: To provide you with a website performance analysis.

Legal basis: Consent (Art. 6(1)(a) GDPR) — you initiate the scan voluntarily.

Server Logs

Our hosting provider (Vercel) automatically collects standard server log data when you visit our website, including:

  • IP address (anonymized after 24 hours)
  • Browser type and version (User-Agent)
  • Referring URL
  • Pages visited and time of access

Purpose: Ensuring website security, preventing abuse, and maintaining service availability.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — securing our web infrastructure.

Email Communications

If we contact you by email, we may process your business email address, name, and company name. Our emails may contain tracking technology (tracking pixels and link tracking) to measure open rates and click-through rates.

Purpose: Business outreach and measuring email engagement.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — direct marketing to businesses with publicly available contact information.

If you are located in the European Union, please note that email tracking may require consent under applicable ePrivacy regulations (TDDDG § 25). If you wish to opt out of email tracking, please contact us or use the unsubscribe link in any email.

Portfolio / Demo Sites

Our portfolio websites (e.g., fitness.steadyflow.io, lawyer.steadyflow.io) are demo sites that showcase our web design capabilities. Some demo sites contain forms (e.g., contact or reservation forms), but these are non-functional — no data is transmitted or stored when you interact with them.

3. Third-Party Services

We use the following services to process your data:

  • Vercel (Vercel Inc., USA) — Website hosting and CDN. Processes server logs including IP addresses.
  • Convex (Convex Inc., USA) — Database hosting. Stores contact form submissions.
  • Google PageSpeed Insights API (Google LLC, USA) — Powers our website scanner. The URL you enter is sent to Google for analysis.
  • Resend (Resend Inc., USA) — Sends contact form confirmation emails.
  • Discord (Discord Inc., USA) — Internal team notifications when a contact form is submitted (name and inquiry subject only).
  • Instantly (Instantly AI Inc., USA) — Email outreach delivery service.
  • Google Gemini API (Google LLC, USA) — Used internally for visual website analysis during our lead qualification process. Your website's publicly accessible appearance may be analyzed.

International Data Transfers

Several of our service providers are located in the United States. Data transfers to the US are conducted on the basis of the EU-US Data Privacy Framework (for certified providers) and/or Standard Contractual Clauses (SCCs) as adopted by the European Commission (Art. 46(2)(c) GDPR). We have entered into Data Processing Agreements (DPAs) with our key processors where required.

4. Cookies & Local Storage

Our website does not use cookies. However, we use your browser's localStorage (a client-side storage mechanism) for the following purposes:

  • Consent preference — Storing your cookie/privacy banner choice so we don't show it again (key: cookie-consent).
  • Scanner cache — Caching website scan results for 24 hours to avoid repeated API calls (key: sf_scan_*).

localStorage data is stored only in your browser and is never transmitted to our servers. You can clear this data at any time through your browser settings or by clicking "Cookie Settings" in our website footer.

5. Data Retention

We retain personal data for the following periods:

  • Contact form submissions: 12 months after your last interaction, unless a business relationship is established.
  • Email outreach data: 6 months from date of contact, or until you unsubscribe — whichever comes first.
  • Server logs: Automatically deleted by Vercel per their retention policy (typically 30 days).
  • Scanner results (localStorage): 24 hours (automatically expires), stored only in your browser.
  • Lead analysis data: 12 months from the date of analysis. Data relating to publicly available business websites only.

After the retention period expires, data is permanently deleted. You may request early deletion at any time (see Section 6).

6. Your Rights

Under GDPR, you have the right to:

  • Access — Request a copy of the personal data we hold about you.
  • Rectification — Request correction of inaccurate data.
  • Erasure — Request deletion of your personal data.
  • Restriction — Request that we limit how we use your data.
  • Portability — Request your data in a machine-readable format.
  • Objection — Object to our processing of your data, including direct marketing.
  • Withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at hello@steadyflow.io. We will respond within 30 days.

7. Right to Lodge a Complaint

If you believe we have not handled your data correctly, you have the right to lodge a complaint with a data protection supervisory authority. Our competent authority is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
https://datenschutz.hessen.de

8. Changes to This Policy

We may update this privacy policy from time to time. The latest version will always be available at this URL. We encourage you to review it periodically.

9. Automated Analysis

As part of our lead qualification process, we may automatically analyze publicly accessible business websites using technical tools and AI-based visual analysis. This analysis evaluates:

  • Website performance and loading speed
  • Mobile responsiveness
  • Design quality and visual appearance
  • SEO fundamentals

Based on these factors, websites receive a score that determines whether we reach out with our services. This scoring is applied only to publicly available business website data — not to personal data. No decisions with legal or similarly significant effects are made based solely on automated processing. You may contact us at any time to request human review, express your point of view, or contest any outreach decision.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — analyzing publicly accessible business websites to offer relevant services.

10. Children's Privacy

Our services are directed at businesses, not individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at hello@steadyflow.io and we will promptly delete it.

11. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

  • Right to Know — You may request details about the categories and specific pieces of personal information we have collected about you.
  • Right to Delete — You may request deletion of your personal information.
  • Right to Opt-Out — You may opt out of the "sale" of personal information. We do not sell personal information as defined by the CCPA.
  • Non-Discrimination — We will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights, email us at hello@steadyflow.io. We will verify your identity before processing your request and respond within 45 days.

12. Data Protection Contact

Given the size and scope of our data processing, we are not legally required to appoint a Data Protection Officer (DPO) under Art. 37 GDPR. For all privacy-related inquiries, you may contact us directly at hello@steadyflow.io.