This privacy policy informs you about the nature, scope and purpose of the processing of personal data on this website (joelbarmettler.xyz). It is drafted in accordance with the Swiss Federal Act on Data Protection (FADP / revDSG, in force since 1 September 2023) and, where applicable, the EU General Data Protection Regulation (GDPR).

1. Controller

The controller responsible for data processing on this website is:

Joel P. Barmettler

Zürich, Switzerland

Email: [click to reveal]

2. Principles

Personal data is any information that relates to an identified or identifiable natural person. This includes, among other things, your name, email address, or IP address.

I process personal data only to the extent necessary and for the purposes stated in this policy. Processing is based on your consent (Art. 6 GDPR para. 1 lit. a; Art. 31 para. 1 FADP), the performance of a request made by you (Art. 6 GDPR para. 1 lit. b), a legal obligation (Art. 6 GDPR para. 1 lit. c), or my overriding legitimate interests in operating and securing a functional website (Art. 6 GDPR para. 1 lit. f; Art. 31 para. 1 and 2 FADP).

3. Hosting: Cloudflare

This website is hosted on Cloudflare Pages, and its backend functions (including the AI search feature) run on Cloudflare Workers. Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA.

When you access this website, Cloudflare automatically processes connection data in order to deliver the content, protect against attacks, and maintain availability. Processed data typically includes:

• IP address of the requesting device
• Date and time of the request
• Requested URL, referrer and HTTP status
• User agent (browser and operating system)
• Country/region derived from the IP address

Legal basis: Art. 6 GDPR para. 1 lit. f (legitimate interest in a secure, performant website); Art. 31 FADP. Data may be transferred to the United States. Cloudflare is certified under the EU-U.S. Data Privacy Framework. Cloudflare's privacy policy: cloudflare.com/privacypolicy.

4. Bot protection: Cloudflare Turnstile

The AI search function is protected against automated abuse by Cloudflare Turnstile. When the search field is rendered, Turnstile loads a small client-side widget from Cloudflare that analyses technical signals of your browser (such as user agent, screen properties, mouse/keyboard interaction, and the IP address) to determine whether the request comes from a human.

A verification token generated by Turnstile is sent together with your search query to my Cloudflare Worker, which validates the token against Cloudflare's siteverify endpoint. This verification call transmits the token and your IP address to Cloudflare.

Legal basis: Art. 6 GDPR para. 1 lit. f (legitimate interest in preventing abuse and securing the service). Provider and further information: see section 3.

5. AI search feature

This website offers an AI-powered search in the sidebar. When you submit a question, the following processing takes place:

5.1 OpenAI (embedding generation)

Your search query is sent to OpenAI in order to generate a vector embedding (model: text-embedding-3-large). Provider: OpenAI, L.L.C., 1455 3rd Street, San Francisco, CA 94158, USA. Data transferred: the text of your query. OpenAI states that API inputs are not used to train its models. Privacy policy: openai.com/policies/privacy-policy.

5.2 Pinecone (vector search)

The generated embedding is sent to Pinecone to retrieve the most relevant documents from this website. Provider: Pinecone Systems, Inc., 1 New Montgomery Street, San Francisco, CA 94105, USA. Data transferred: the numerical embedding of your query (not the plain text). Privacy policy: pinecone.io/privacy.

5.3 Google Gemini (answer generation)

The retrieved documents together with your question are sent to Google's Gemini API to generate the answer that is displayed to you (model: gemini-2.5-flash-lite). Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data transferred: your question and the retrieved document excerpts. Privacy policy: policies.google.com/privacy.

5.4 Purpose and legal basis

Purpose: to provide a conversational search over the content of this website. Legal basis: Art. 6 GDPR para. 1 lit. b (performance of a service you requested) and lit. f (legitimate interest in providing useful site functionality); Art. 31 FADP.

Please do not enter personal data, confidential information or sensitive content into the search field. Queries are transmitted in plain text to the providers listed above.

5.5 Third-country transfers

OpenAI, Pinecone and Google process data in the United States. Transfers take place on the basis of Standard Contractual Clauses and/or certification under the EU-U.S. Data Privacy Framework, where applicable. Under the Swiss FADP, the FDPIC maintains a list of countries with adequate data protection; transfers to the U.S. rely on the Swiss-U.S. Data Privacy Framework and additional contractual safeguards of the providers.

6. Embedded content (YouTube, Spotify)

Some article pages contain embedded videos or podcast episodes from third-party providers.

• YouTube (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland / Google LLC, USA): YouTube videos are loaded only after you actively click the "Show video" element. From that point onward, YouTube receives your IP address and may set cookies. Privacy policy: policies.google.com/privacy.
• Spotify (Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden): Podcast players are embedded as iframes and may load when the page is opened. Spotify receives your IP address and may set cookies. Privacy policy: spotify.com/legal/privacy-policy.

Legal basis: Art. 6 GDPR para. 1 lit. f (legitimate interest in presenting my work with embedded media).

7. Fonts

Typefaces (Lato, Montserrat) are downloaded from Google Fonts at build time and served directly from this website. No connection to Google is established when you load a page.

8. Cookies and local storage

This website does not set first-party tracking cookies and does not use analytics. Cloudflare Turnstile and the iframe providers listed in section 6 may set technical cookies necessary for their functionality.

9. Contact by email

If you contact me by email, your email address and the content of your message are processed for the purpose of handling your enquiry (Art. 6 GDPR para. 1 lit. b and f; Art. 31 FADP). Messages are stored for as long as necessary to answer them and to comply with any legal retention obligations.

10. Retention

Server log data (see section 3) is retained by the hosting provider for a short period for security and troubleshooting purposes and then deleted or anonymised. Search queries are not stored by me beyond what is necessary to generate and return an answer; upstream providers (OpenAI, Pinecone, Google) may retain request data according to their own policies.

11. Your rights

Under the FADP and, where applicable, the GDPR you have the right to:

• obtain information about the personal data I process about you
• request correction of inaccurate data
• request deletion ("right to be forgotten")
• request restriction of processing
• object to processing based on legitimate interest
• data portability (GDPR only)
• withdraw consent at any time with effect for the future

To exercise any of these rights, please contact me using the email address above.

You also have the right to lodge a complaint with a supervisory authority. The competent Swiss authority is the Federal Data Protection and Information Commissioner (FDPIC, edoeb.admin.ch). Data subjects in the EU may contact the data protection authority of their country of residence.

12. Changes to this policy

I may update this privacy policy to reflect changes in the services used on this website or changes in applicable law. The current version is always available on this page.