Privacy Policy

Privacy Policy

Last updated: 2 March 2026

1. Controller

This website (nuntiumbra.com) is operated by:

Patrick Holubarz
Kirchengasse 8,2.6
2345 Brunn am Gebirge
Austria
Email: holunder@nuntiumbra.com

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Austrian law.

2. Hosting (STRATO)

This website is hosted by STRATO AG.

When you access the website, STRATO (or its infrastructure) automatically processes server log data, which may include:

  • IP address
  • Date and time of access
  • Requested page/file
  • Referrer URL
  • Browser type/version
  • Operating system

Purpose & legal basis: operation, security, error analysis, and protection against misuse (Art. 6(1)(f) GDPR – legitimate interest).

A data processing agreement (Art. 28 GDPR) exists with the hosting provider where required.

3. WordPress (Technical Operation)

This website runs on WordPress. For technical functionality, WordPress may set necessary cookies (e.g., for session handling and security). These cookies are required for the site to function properly.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing a functional website).

4. Cookies & Consent Management (CookieYes)

We use CookieYes | GDPR Cookie Consent to display a cookie banner and manage cookie preferences.

CookieYes may store and process:

  • your consent choice (accepted/rejected/categories)
  • a timestamp
  • (depending on configuration) technical identifiers such as IP address or consent ID

CookieYes can also connect the plugin to app.cookieyes.com to enable features such as cookie scanning, syncing settings, and showing consent data in the dashboard.

Legal basis:

  • consent management: Art. 6(1)(c) GDPR (legal obligation) and Art. 6(1)(f) GDPR (legitimate interest in documenting consent)
  • optional consent-based cookies: Art. 6(1)(a) GDPR (consent)

You can change or withdraw your consent at any time via the cookie banner/settings.

5. Newsletter (MailPoet)

We use MailPoet to manage newsletter subscriptions and send newsletters.

5.1 What data is processed

When you subscribe, we may process:

  • email address
  • subscription timestamp
  • confirmation status (double opt-in)
  • (depending on configuration) IP address at subscription/confirmation
  • (optional) engagement data such as opens/clicks, if enabled

MailPoet supports GDPR-compliant workflows including double opt-in and storing the source of subscription.

5.2 Sending methods & third-country transfers (important)

MailPoet can send newsletters in different ways (your host / SMTP provider / MailPoet Sending Service).

  • If newsletters are sent via your hosting provider / your own SMTP: subscriber data generally remains on this website/server (except routine email transport).
  • If you use “MailPoet Sending Service”: MailPoet connects your installation to MailPoet servers via API and processes sending-related data.
    MailPoet states it relies on third-party services and lists locations including EU and USA (e.g., encrypted backups in the USA).

5.3 Legal basis

Newsletter processing is based on your consent (Art. 6(1)(a) GDPR). You can withdraw consent anytime by using the unsubscribe link in any newsletter email.

5.4 Retention

Newsletter data is stored until you unsubscribe (or until deletion is requested where applicable).

6. Contact Forms (WPForms Lite)

We use WPForms Lite for contact forms.

When you submit a form, we may process:

  • name (if provided)
  • email address
  • message content
  • (depending on configuration) IP address and technical metadata for spam/security

Legal basis: Art. 6(1)(b) GDPR (pre-contractual communication) or Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries and preventing misuse).

Optional: CAPTCHA (Google reCAPTCHA / hCaptcha)

WPForms supports CAPTCHA integrations (e.g., Google reCAPTCHA).
If you enable Google reCAPTCHA, user data (including IP address and device/browser signals) may be processed by Google as part of abuse prevention.

If/when enabled, we will update the cookie banner and this policy accordingly and request consent where required.

7. Spam Protection (Antispam Bee)

We use Antispam Bee to reduce spam (e.g., form/comment spam). Antispam Bee can compare IP/email/URL against locally stored spam patterns and is designed to work without sending personal information to third-party services, depending on settings.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protecting the website from spam/abuse).

Important setting note: Antispam Bee includes an option to use a public antispam database; for EU sites this should not be enabled for privacy reasons.

8. Security (Wordfence Security & Limit Login Attempts Reloaded)

We use security plugins to protect the website against attacks:

8.1 Wordfence Security

Wordfence can process security-related data such as:

  • IP addresses
  • request patterns
  • login attempts
  • blocked/threat events

Wordfence receives updates via a “Threat Defense Feed” (rules/signatures).
Depending on configuration and features used, data may be exchanged with Wordfence servers (potentially outside the EU). For details, see Wordfence’s privacy policy.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security and abuse prevention).

8.2 Limit Login Attempts Reloaded

This plugin limits repeated login attempts and may process:

  • IP addresses
  • lockout events / timestamps

It is used to prevent brute-force attacks (Art. 6(1)(f) GDPR).

9. Gallery (NextGEN Gallery)

We use NextGEN Gallery to display image galleries. In general, viewing galleries does not require you to provide personal data.

However, images may contain metadata (EXIF) depending on how images are uploaded/processed. For privacy reasons, we recommend removing non-essential EXIF metadata (e.g., location) before uploading.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in presenting content).

10. Embedded Content (Embed Privacy)

Some pages may include embedded content (e.g., YouTube, social media). The Embed Privacy plugin prevents such content from loading until you actively opt in. Once enabled, the external provider may receive personal data (e.g., IP address) and set cookies according to their own policies.

11. Page Builder (Elementor)

We use Elementor to design and display pages. Elementor itself typically does not require visitor personal data for basic page rendering. If additional Elementor add-ons or widgets are used (especially those that connect to third-party services), they may introduce additional data processing.

12. SEO Plugin (Yoast SEO)

We use Yoast SEO for search engine optimization. Yoast SEO mainly operates within WordPress to structure content and does not typically process visitor personal data in the frontend.

13. Google Site Kit (optional)

This website may use Google Site Kit, a WordPress plugin provided by Google, to connect the site with Google services such as Google Search Console and, depending on configuration, Google Analytics, Google Tag Manager, Google AdSense, or related Google tools.

13.1 What data may be processed

Depending on the enabled Google services, the following data may be processed:

  • IP address
  • device and browser information
  • usage data (e.g., visited pages, interactions, session duration)
  • referrer URL
  • diagnostic and performance data

Google Site Kit itself acts as a connector; data processing occurs primarily through the respective Google service.

13.2 Purpose and legal basis

  • Search Console: used to monitor and improve technical visibility in search engines (Art. 6(1)(f) GDPR – legitimate interest).
  • Analytics / Tag Manager / Advertising services: only used if enabled and only after your consent via the cookie banner (Art. 6(1)(a) GDPR – consent).

13.3 International transfers

Google may process data on servers outside the European Economic Area. Where required, transfers are based on appropriate safeguards (e.g., Standard Contractual Clauses).

13.4 Withdrawal of consent

If Analytics/Tag Manager or similar tracking is enabled, you can withdraw your consent at any time via the cookie settings on this website.

14. Data Recipients & International Transfers

We do not sell or rent personal data.

Personal data may be processed by service providers used for website operation (hosting, consent management, newsletter, security). Where data is transferred to service providers outside the EEA, we rely on appropriate safeguards such as:

  • adequacy decisions (where applicable), or
  • Standard Contractual Clauses (SCCs) and supplementary measures, where required.

Actual transfer scope depends on which features are enabled (e.g., MailPoet Sending Service, Wordfence cloud features, CookieYes web app connection, CAPTCHA providers).

15. Retention

  • Server logs: stored as required for security/operations (per hosting provider policies).
  • Newsletter data: stored until you unsubscribe or request deletion.
  • Contact requests: stored as long as necessary to respond and for administrative/legal purposes.
  • Security logs: stored as necessary to detect and prevent attacks (retention may depend on plugin settings).

16. Your Rights (GDPR)

You have the right to:

  • access (Art. 15)
  • rectification (Art. 16)
  • erasure (Art. 17)
  • restriction (Art. 18)
  • data portability (Art. 20)
  • objection (Art. 21)
  • withdraw consent at any time (Art. 7(3))

To exercise your rights, contact: holunder@nuntiumbra.com

You also have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde).

17. Changes to this Policy

We may update this Privacy Policy to reflect technical or legal changes. The current version is always available on this page.

Scroll to Top