Privacy Policy
Last updated: 2026-04-30
We take the protection of your personal data very seriously. We process your data exclusively on the basis of the applicable statutory provisions, in particular the General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG), and the Austrian Telecommunications Act (TKG 2021).
This privacy policy explains how personal data is processed when you visit our websites.
1. Scope
This privacy policy applies to the following websites operated by us:
- cerridan.com
- vibe.cerridan.com
- arabic.cerridan.com
If additional public websites or subdomains operated by us link to this privacy policy, this privacy policy also applies to those websites unless a separate privacy policy is provided there.
This privacy policy also applies to domains operated by us that currently redirect to the websites listed above, including aisignal.at and theaisignal.dev.
2. Controller
cerridan | design e.U.
DI Christian Scherling
Langenlebarnerstr. 94-96/2/36
3430 Tulln an der Donau
Austria
Email: office@cerridan.com
3. Accessing Our Websites
When you visit our websites, certain information is automatically processed in server log files for technical and security reasons.
This may include in particular:
- IP address
- date and time of access
- requested page or file
- browser type and browser version
- operating system
- referrer URL
- host name of the accessing device
- status and error information
This processing is necessary to ensure the security, stability, and proper operation of the website.
Legal basis: Art. 6(1)(f) GDPR — our legitimate interest lies in the secure and reliable provision of our website, error analysis, and protection against misuse.
cerridan.com
cerridan.com is hosted by an external hosting provider (see Section 4). We do not separately retain or analyse cerridan.com server logs beyond the hosting provider's standard log handling, which is governed by our data processing agreement pursuant to Art. 28 GDPR.
vibe.cerridan.com
vibe.cerridan.com runs on the operator's own VPS in the EU. Server log data for vibe.cerridan.com is retained as follows:
- Full-IP security log: 7 days. Used for fail2ban correlation, abuse pattern detection, error analysis, and incident response. Automatically deleted after 7 days via daily log rotation.
- IP-truncated analytics log: up to 91 days. Before use for analytics, IPv4 addresses are truncated by replacing the last octet with zero (e.g., 1.2.3.4 → 1.2.3.0); IPv6 addresses are truncated to a /48 prefix and the remaining 80 bits are zeroed. This minimised log is used only as input for aggregate GoAccess reporting and is automatically deleted after 91 days.
- Aggregate report: retained indefinitely as part of the site's editorial record. Contains counts only — pageviews per article, country distribution, browser family share, daily/weekly traffic trends — and no individual identifiers.
Compatibility assessment for further processing (vibe.cerridan.com): Aggregate analytics derived from the IP-truncated analytics log are processed on the basis of our legitimate interests under Art. 6(1)(f) GDPR and have been assessed as compatible further processing under Art. 6(4) GDPR. The original collection purpose is technical operation, security, and abuse prevention, including the network and information security interest reflected in Recital 49; the further purpose is aggregate site-usage statistics. The same server-request data is used; no client-side identifiers are added; IP addresses are minimised at log rotation, before the truncated entries become input to the daily aggregate report; and only aggregate reports are retained long-term. An internal Art. 6(4) compatibility assessment is documented and reviewed annually.
Analytics processing for vibe.cerridan.com occurs on the operator's VPS in the EU. No third-party analytics provider processes vibe.cerridan.com access logs.
arabic.cerridan.com
arabic.cerridan.com runs on the same operator-managed VPS in the EU as vibe.cerridan.com, but uses standard nginx access logging without the dual-log split described above. Logs include the fields listed at the top of this section (including IP address) and are retained for 14 days under daily log rotation. We do not run analytics, anonymisation, or aggregation on arabic.cerridan.com logs.
4. Hosting
cerridan.com is hosted by an external hosting provider. vibe.cerridan.com and arabic.cerridan.com run on a separate operator-managed VPS in the EU, as described in Section 3.
Where hosting or infrastructure providers process personal data in the course of providing the underlying service, they act as processors on the basis of a data processing agreement pursuant to Art. 28 GDPR.
Hosting provider for cerridan.com:
World4You Internet Services GmbH
Hafenstraße 47-51
4020 Linz
Austria
Data location: EU (Austria/Germany)
Legal basis: Art. 6(1)(f) GDPR — our legitimate interest lies in the secure, efficient, and professional operation of our websites.
5. Contacting Us
If you contact us by email or via a contact form, the data you provide will be processed for the purpose of handling your inquiry and any follow-up questions.
This may include:
- name
- email address
- the contents of your message
- any other information you voluntarily provide
Legal basis:
- Art. 6(1)(b) GDPR, if your inquiry relates to the initiation or performance of a contract
- Art. 6(1)(f) GDPR, for general inquiries and communication
We store such data for six months for the purpose of handling your inquiry and any follow-up communication, and longer only where statutory retention obligations apply.
6. Cookies
cerridan.com
cerridan.com uses only essential cookies required for the operation of the website:
- wpEmojiSettingsSupports (session): enables emoji display in the browser.
- cookieyes-consent (1 year): stores your cookie preferences so that your selection is remembered for future visits.
Legal basis: § 165(3) TKG 2021 and, where personal data is processed, Art. 6(1)(f) GDPR. Technically necessary cookies may be used without consent where the legal requirements for the exception under § 165(3) TKG 2021 are met.
vibe.cerridan.com
The public vibe.cerridan.com site does not set cookies or use local storage on visitors' devices.
arabic.cerridan.com
The arabic.cerridan.com site does not set cookies or use local storage on visitors' devices.
7. Web Analytics and Tracking
cerridan.com
cerridan.com does not use separate web analytics or tracking tools. Only standard server log processing as described in Section 3 takes place.
vibe.cerridan.com
The public vibe.cerridan.com site uses server-side log-derived aggregate analytics — pageviews, top articles, country breakdown, traffic trends — generated daily from the site's own access logs using GoAccess (an open-source log-parser that runs entirely on our server). The site does not set cookies on visitors' devices, does not load client-side tracking scripts or third-party analytics services, and does not use browser fingerprinting. No visitor data is shared with any external party as part of analytics.
Client-side animations and visual effects on vibe.cerridan.com run locally in the visitor's browser and do not transmit personal data to third parties.
Server log retention and IP minimisation for analytics are described in Section 3.
arabic.cerridan.com
arabic.cerridan.com does not use web analytics or tracking tools, does not load client-side tracking scripts or third-party analytics services, and does not use browser fingerprinting. No visitor data is shared with any external party. Server log handling is described in Section 3.
8. AI Transparency
vibe.cerridan.com ("The AI Signal") is an editorial publication about AI-assisted development and related topics.
Articles published on vibe.cerridan.com may be created with the assistance of artificial intelligence systems. In particular:
- article drafts may be generated with AI tools
- certain illustrations may be AI-generated
- all published content is reviewed and approved by a human before publication
Blog posts or other editorial content on cerridan.com may also be created with AI assistance and are likewise reviewed by a human before publication.
This section is intended to provide transparency regarding how content is produced. It does not mean that automated decisions are made about website visitors. No profiling or automated decision-making concerning website visitors takes place on this basis.
9. Use of AI and Editorial Tools
For editorial production and content creation, we may use external tools and service providers, including AI-based systems and content research tools. These tools are used internally for drafting, editing, research, and illustration generation.
The AI tools and services listed below (Anthropic, Black Forest Labs, Perplexity, DuckDuckGo) are used exclusively for internal editorial purposes — drafting, editing, research, and illustration generation. Visitor personal data collected through server logs or the comment system is not transmitted to any of these services. This does not affect server-side processing by our hosting provider as described in this privacy policy.
We may use service providers such as:
- Anthropic (San Francisco, USA) — AI-assisted text generation
- Black Forest Labs (Freiburg, Germany) — AI-assisted image generation
- Perplexity AI, Inc. (San Francisco, USA) — research, fact verification, and source discovery during article creation. Search queries related to article topics are sent to Perplexity's servers for processing. No visitor personal data is transmitted to Perplexity.
- DuckDuckGo (Paoli, PA, USA) — privacy-focused web search used for editorial research. No visitor personal data is transmitted to DuckDuckGo.
If and insofar as personal data is processed in connection with such providers, processing takes place only where permitted by applicable law and, where required, on the basis of appropriate safeguards.
10. Blog Comments
Visitors may submit comments on articles published on The AI Signal (vibe.cerridan.com). The following data is processed:
- Name (required): displayed publicly alongside the comment. The avatar shown next to each comment is a server-rendered initial of this name; no third-party avatar service such as Gravatar is contacted.
- Comment text (required): displayed publicly after editorial approval.
- IP address: hashed using a cryptographic one-way function with a daily rotating salt. The hash is stored temporarily for spam prevention and rate limiting. IP hashes are automatically deleted after 30 days.
All comments require approval by a human editor before publication. Rejected comments are automatically deleted after 30 days.
Comment data is stored in a local database on our server. It is not transmitted to any AI service, third-party avatar service, or third-party comment platform. Comment pages do not make third-party requests for avatars or comment functionality.
Legal basis:
- Art. 6(1)(a) GDPR — consent — for submitting and publishing the name and comment text. A consent checkbox must be confirmed before submitting a comment.
- Art. 6(1)(f) GDPR — legitimate interest — for temporary IP-hash processing used for spam prevention, rate limiting, abuse prevention, and comment-system security.
Users may withdraw consent and request deletion of their comment data at any time by contacting hello@aisignal.at.
11. Google Fonts (Local Hosting)
Our websites may use web fonts provided by Google for uniform representation of fonts. To protect our users' privacy, we host these fonts locally, which means the fonts are loaded from our own server and not from Google's servers. No data is transferred to Google in connection with the use of these fonts.
12. Recipients of Data
Personal data may be disclosed to the following categories of recipients where necessary:
- hosting providers
- IT service providers
- email providers
- processors engaged by us under Art. 28 GDPR
- authorities or courts where there is a legal obligation
We do not sell personal data.
13. Transfers to Third Countries
If we use service providers located outside the European Economic Area (EEA), personal data may be transferred to a third country only in compliance with the requirements of the GDPR.
Where personal data is transferred to providers in the United States or other countries outside the EEA, such transfers take place only on the basis of an adequacy decision, Standard Contractual Clauses, or another lawful transfer mechanism under Chapter V GDPR.
Where required, such transfers are based in particular on:
- an adequacy decision by the European Commission, or
- the European Commission's Standard Contractual Clauses, or
- another lawful transfer mechanism under Chapter V GDPR
Further information on applicable safeguards can be provided upon request.
14. Storage Duration
We store personal data only for as long as necessary for the respective processing purpose and as long as statutory retention obligations require.
The specific storage period depends on the type of data and the purpose of the processing, for example:
- server log data: see Section 3 for the dual-log split (security log: 7 days; IP-truncated analytics log: up to 91 days; aggregate report: retained indefinitely)
- contact inquiries: six months for handling the inquiry and any related follow-up communication
- contractual and invoicing data: according to applicable statutory retention requirements
15. Your Rights
Under the GDPR, you generally have the following rights, provided the statutory requirements are met:
- right of access
- right to rectification
- right to erasure
- right to restriction of processing
- right to data portability
- right to object
If you make a request, we will respond without undue delay and in any event within one month of receipt, unless an extension is permitted under Art. 12 GDPR.
For server log records relating to cerridan.com that are processed by our hosting provider, please contact us. We will handle your request as controller and coordinate with the hosting provider where necessary.
Practical note on log deletion and objection requests (vibe.cerridan.com). Within 7 days of your visit, your full IP address may still be present in the security log. If you contact us with enough information to locate the relevant entries, we will assess your request — taking into account the GDPR rights to erasure (Art. 17) and to object (Art. 21) — and, where applicable, delete the entries without undue delay; we will respond within one month as required by Art. 12 GDPR.
After 7 days, the analytics log contains only an IP-truncated /24 prefix for IPv4 or /48 prefix for IPv6. These records are designed not to let us single out a specific visitor (Art. 11 GDPR). If we cannot identify which records relate to you from the information you provide, we will explain that. If you provide additional information that makes identification possible, we will assess the request, taking into account that deleting an entire /24 or /48 prefix may also remove unrelated visitors' aggregated entries.
If you believe that the processing of your data violates data protection law, you have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde).
16. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in legal requirements, technical implementation, or our services. The version published on this website is the current version.
CONTACT
cerridan design e.U.
DI Christian Scherling
Langenlebarnerstr. 94-96/2/36
3430 Tulln an der Donau
T: +43 2272 22835
E: office@cerridan.com
W: https://www.cerridan.com
CONTACT
Austrian Data Protection Authority
Barichgasse 40-42
1030 Wien
T: +43 1 52 152-0
E: dsb@dsb.gv.at
W: https://www.dsb.gv.at/