Last updated: April 2026 — Version 2.1
This privacy policy explains how Ceren Ece Soyer, operating as Ceren Soyer Music (hereinafter referred to as "we", "us", or "the Controller"), collects, processes, stores, and protects personal data in connection with the operation of the website soyermusic.com and all associated services. This policy is provided in accordance with Articles 13 and 14 of the General Data Protection Regulation (EU) 2016/679 ("DSGVO") and the German Federal Data Protection Act (Bundesdatenschutzgesetz, "BDSG").
§1 Scope & Applicability
This privacy policy applies to all personal data processed through the website soyermusic.com, including all subdomains, landing pages, and application programming interfaces (APIs) associated therewith, as well as any communication initiated through the contact form, WhatsApp messaging, or payment processing systems integrated into the website.
The provisions of this policy apply to all natural persons ("data subjects") who visit the website, submit inquiries, book lessons, or otherwise interact with our services. This includes prospective students, current students, parents or legal guardians of minor students, and any other visitors to the website.
Where this policy refers to the DSGVO, it means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). References to the BDSG refer to the German Federal Data Protection Act in its current version.
§2 Definitions
For the purposes of this privacy policy, the following terms shall have the meanings ascribed to them below, consistent with Art. 4 DSGVO:
"Personal data" means any information relating to an identified or identifiable natural person (Art. 4 No. 1 DSGVO). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
"Processing" means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction (Art. 4 No. 2 DSGVO).
"Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4 No. 7 DSGVO).
"Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller (Art. 4 No. 8 DSGVO).
"Data subject" means any identified or identifiable natural person whose personal data is being processed by the controller.
"Consent" means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Art. 4 No. 11 DSGVO).
§3 Data Controller (Verantwortlicher)
The controller within the meaning of Art. 4 No. 7 DSGVO and other applicable data protection legislation is:
Ceren Ece Soyer
Deichstraße 32, 20459 Hamburg, Germany
Email: info@soyermusic.com
Pursuant to Art. 37 DSGVO, we are not required to appoint a Data Protection Officer, as we do not carry out processing operations that require regular and systematic monitoring of data subjects on a large scale, nor do we process special categories of data on a large scale.
§4 Rights of the Data Subject
Under the DSGVO, you are entitled to the following rights with respect to the personal data we process about you. These rights may be subject to conditions or limitations as set out in the applicable legislation:
Right of access (Art. 15 DSGVO): You have the right to obtain confirmation as to whether personal data concerning you is being processed, and, where that is the case, access to the personal data and information including the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients, the envisaged retention period, and the existence of the right to request rectification, erasure, or restriction of processing.
Right to rectification (Art. 16 DSGVO): You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (Art. 17 DSGVO): You have the right to obtain the erasure of personal data concerning you without undue delay where one of the grounds set out in Art. 17(1) DSGVO applies, for instance where the data is no longer necessary in relation to the purposes for which it was collected, or where you have withdrawn your consent on which the processing is based.
Right to restriction of processing (Art. 18 DSGVO): You have the right to obtain restriction of processing where you contest the accuracy of the personal data, the processing is unlawful and you oppose the erasure, we no longer need the data but you require it for the establishment, exercise, or defence of legal claims, or you have objected to processing pending the verification of legitimate grounds.
Right to data portability (Art. 20 DSGVO): You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another controller without hindrance, where the processing is based on consent or a contract and is carried out by automated means.
Right to object (Art. 21 DSGVO): You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6(1)(e) or (f) DSGVO, including profiling based on those provisions. We shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms.
Right to withdraw consent (Art. 7(3) DSGVO): Where processing is based on your consent, you have the right to withdraw that consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
To exercise any of the above rights, please send your request to info@soyermusic.com. We will acknowledge receipt of your request within 72 hours and provide a substantive response within one (1) month of receipt, in accordance with Art. 12(3) DSGVO. This period may be extended by a further two (2) months where necessary, taking into account the complexity and number of requests.
We may request additional information to confirm your identity before processing your request, in accordance with Art. 12(6) DSGVO. This is to ensure that personal data is not disclosed to unauthorized persons.
§5 Categories of Personal Data Collected
We process personal data in accordance with the principle of data minimization (Art. 5(1)(c) DSGVO). We only collect and process personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. The following categories of data may be collected:
5.1 Data Provided Voluntarily by the Data Subject
Contact form submissions: full name, telephone number (in E.164 format), email address, free-text message content, and the timestamp of submission
WhatsApp communications: telephone number (in E.164 format), message content (text, images, or voice notes), and message metadata (timestamp, message ID, delivery status)
Payment and billing data: name, email address, payment method details (processed and stored exclusively by Stripe, Inc.), transaction amounts, invoice references, and booking dates
5.2 Data Collected Automatically
Technical connection data: IP address (used transiently for rate limiting pursuant to Art. 6(1)(f) DSGVO, not persistently stored), HTTP request headers including User-Agent string, referrer URL, and accepted language preferences
Server log data: Vercel edge network may temporarily process request metadata (URL path, response status code, response time) for infrastructure monitoring. These logs are subject to Vercel's own data processing agreement and retention policies.
We do not knowingly collect or process special categories of personal data within the meaning of Art. 9 DSGVO (e.g., data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data). Should you inadvertently include such data in a message, we will delete it promptly upon becoming aware of its presence.
§6 Legal Basis for Processing
Every processing activity involving personal data requires a valid legal basis under Art. 6(1) DSGVO. The following legal bases apply to our processing activities:
Art. 6(1)(a) DSGVO — Consent of the data subject: Processing of data submitted through the contact form and WhatsApp messaging is based on your freely given, informed consent. You provide this consent by voluntarily initiating contact and, in the case of the contact form, by affirmatively checking the consent checkbox before submission. You may withdraw your consent at any time with effect for the future (see §4).
Art. 6(1)(b) DSGVO — Performance of a contract: Processing of payment data is necessary for the performance of a contract to which you are party, specifically the booking and delivery of music lessons. This includes processing your payment through Stripe and maintaining booking records.
Art. 6(1)(f) DSGVO — Legitimate interests of the controller: The transient processing of IP addresses for rate limiting and abuse prevention constitutes a legitimate interest within the meaning of Art. 6(1)(f) DSGVO. Our legitimate interest lies in ensuring the availability, integrity, and security of the website. A balancing test has been conducted confirming that this interest is not overridden by the fundamental rights and freedoms of data subjects, given that IP addresses are processed only transiently and are not stored.
Art. 6(1)(c) DSGVO — Compliance with a legal obligation: The retention of invoices, payment records, and booking confirmations for a period of ten (10) years is required pursuant to §147 of the German Fiscal Code (Abgabenordnung, "AO") and §257 of the German Commercial Code (Handelsgesetzbuch, "HGB").
Where processing is based on legitimate interests (Art. 6(1)(f) DSGVO), you have the right to object to such processing at any time on grounds relating to your particular situation (Art. 21(1) DSGVO). Upon receipt of your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
§7 Processing via Contact Form
When you submit an inquiry through the contact form on our website, the personal data you provide (name, telephone number, email address, and message content) is processed for the purpose of responding to your inquiry and, where applicable, managing subsequent lesson bookings.
The contact form requires your affirmative consent via a checkbox referencing this privacy policy before submission. The legal basis for this processing is Art. 6(1)(a) DSGVO (consent). You may withdraw your consent at any time by contacting us at info@soyermusic.com; withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.
Upon submission, your data is transmitted via an encrypted HTTPS connection to our server infrastructure hosted by Vercel, Inc. An email notification containing the inquiry details is dispatched via Resend, Inc. (email delivery service), and the data is concurrently stored in our lesson management system operated by Coda Project, Inc. for the purpose of student relationship management and lesson scheduling.
§8 Processing via WhatsApp Communication
When you contact us via WhatsApp, your messages are received and processed through the WhatsApp Business API operated by Meta Platforms Ireland Ltd. The data processed includes your telephone number, message content, and associated metadata. The legal basis for this processing is Art. 6(1)(a) DSGVO (consent), as you voluntarily initiate communication through this channel.
Messages received via WhatsApp are stored in our lesson management system (Coda) for the purposes of student communication, lesson coordination, and maintaining a record of correspondence. Meta Platforms processes message data in accordance with its own privacy policy and data processing agreement. WhatsApp Business API messages may be processed on Meta's servers located in the United States and the European Union.
Please note: while standard WhatsApp messages between users are end-to-end encrypted, messages sent to a WhatsApp Business API account are decrypted upon receipt and may be stored in plaintext in the connected business systems (in our case, Coda). If you have privacy concerns regarding WhatsApp, you may alternatively contact us via the contact form or email.
§9 Payment Processing & Financial Data
Payments for music lessons are processed exclusively through Stripe, Inc. (for customers outside the EEA) and Stripe Payments Europe Ltd. (for customers within the EEA). We do not collect, process, or store payment card numbers, CVV codes, or other sensitive payment authentication data on our own servers or infrastructure at any time.
Stripe is certified to PCI DSS Level 1, the highest level of certification in the payment card industry. All payment data is collected directly by Stripe via their embedded payment elements and is transmitted to Stripe's PCI-compliant infrastructure. We receive only a transaction reference, payment status, and the last four digits of the card number for customer support purposes.
In accordance with §147 AO (Abgabenordnung) and §257 HGB (Handelsgesetzbuch), invoices, booking confirmations, and payment records are retained for a statutory period of ten (10) years following the end of the calendar year in which the transaction occurred. During this retention period, data is stored in a read-only state and is not used for any purpose other than compliance with legal obligations and responding to official inquiries.
§10 Sub-Processors & Third-Party Service Providers
In accordance with Art. 28 DSGVO, we engage the following third-party processors to support the operation of this website and our services. Data processing agreements (Auftragsverarbeitungsverträge, "AVV") have been concluded with each processor in compliance with Art. 28(3) DSGVO:
Resend Inc.: Transactional email delivery for contact form notifications. Headquarters: San Francisco, CA, USA. Email content is automatically purged after 30 days. Legal basis for transfer: Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) DSGVO.
Coda (Coda Project Inc.): Lesson management, student records, and communication log storage. Headquarters: San Francisco, CA, USA. Legal basis for transfer: Standard Contractual Clauses (SCCs).
Stripe Inc. / Stripe Payments Europe Ltd.: Payment processing, invoicing, and financial compliance. Stripe, Inc. (USA) and Stripe Payments Europe Ltd. (Dublin, Ireland). PCI DSS Level 1 certified. EEA payment data is processed within the EU by default. Legal basis for transfer: EU-US Data Privacy Framework (DPF) certification.
Meta Platforms Ireland Ltd.: WhatsApp Business API for inbound messaging. Meta Platforms Ireland Ltd. (Dublin, Ireland). Messages may be processed in both EU and US data centers. Legal basis for transfer: EU-US Data Privacy Framework (DPF) certification.
Google Ireland Ltd.: Google Analytics 4 (GA4) for website analytics and Google Ads conversion tracking (consent-gated). Google Ireland Ltd. (Dublin, Ireland). Legal basis for transfer: EU-US Data Privacy Framework (DPF) certification.
Umami Software, Inc.: Privacy-first website analytics. Umami Software, Inc. Headquarters: San Francisco, CA, USA. No cookies set; collects anonymised page-view and event data only. Legal basis for transfer: Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) DSGVO.
A current list of data processing agreements and their effective dates is available upon request by contacting info@soyermusic.com. We regularly review our sub-processors to ensure ongoing compliance with DSGVO requirements.
§11 International Data Transfers
Certain sub-processors listed in §10 are established in, or transfer personal data to, the United States of America and other countries outside the European Economic Area (EEA). Any such transfer of personal data is carried out in compliance with Chapter V of the DSGVO (Articles 44–49).
The following safeguards are employed to ensure an adequate level of data protection for international transfers:
EU-US Data Privacy Framework (DPF): Where a sub-processor is certified under the DPF (adequacy decision of the European Commission of 10 July 2023, C(2023) 4745), this certification serves as the basis for the transfer pursuant to Art. 45 DSGVO.
Standard Contractual Clauses (SCCs): Where DPF certification is not available, we rely on the Standard Contractual Clauses adopted by the European Commission pursuant to Art. 46(2)(c) DSGVO (Commission Implementing Decision (EU) 2021/914 of 4 June 2021).
Adequacy decisions: For transfers to countries that have been the subject of an adequacy decision by the European Commission (Art. 45 DSGVO), no additional safeguards are required.
You may obtain a copy of the relevant Standard Contractual Clauses or additional information about the safeguards in place by contacting us at info@soyermusic.com.
§12 Data Retention Periods
In accordance with the principle of storage limitation (Art. 5(1)(e) DSGVO), personal data is retained only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable statutory retention obligations. The following retention periods apply:
Contact form submissions: retained for the duration of the student relationship plus six (6) months following its termination, to allow for follow-up inquiries and account reconciliation
Email notifications (via Resend): automatically and irrecoverably purged from Resend's infrastructure after thirty (30) days
WhatsApp message records: retained for the duration of the student relationship plus six (6) months, unless longer retention is required for the resolution of an ongoing dispute or legal proceeding
Payment records, invoices, and booking confirmations: ten (10) years from the end of the calendar year of the transaction, in compliance with §147 AO and §257 HGB
Google Analytics data: anonymized analytics data is retained for fourteen (14) months (Google's default retention setting for GA4 properties)
Theme preference and cookie consent choice: stored in your browser's local storage (localStorage) with no server-side persistence; retained until manually cleared by the user or upon browser data deletion
Upon expiry of the applicable retention period, personal data is erased or anonymized within thirty (30) days. Where erasure is technically impractical (e.g., data embedded in encrypted backups), the data is restricted from further processing and is erased upon the next backup rotation cycle.
§13 Cookies, Local Storage & Tracking Technologies
This website uses cookies and browser-based storage mechanisms as detailed below. A "cookie" is a small text file placed on your device by a web server; "local storage" (localStorage) is a browser API that allows websites to store key-value data persistently on your device. We distinguish between strictly necessary storage (which does not require consent) and consent-dependent storage (which is only activated after you provide explicit consent via the cookie banner).
13.1 Strictly Necessary Storage (No Consent Required)
theme-preference (localStorage) — stores your selected display mode (dark or light). Purpose: functional user experience. Duration: until manually cleared. Legal basis: Art. 6(1)(f) DSGVO (legitimate interest in providing a consistent user experience).
cookie-consent (localStorage) — stores your cookie consent decision (accepted, rejected, or pending). Purpose: recording your consent state to avoid repeated prompts and to gate analytics/advertising scripts accordingly. Duration: until manually cleared. Legal basis: Art. 6(1)(c) DSGVO (obligation to document consent under Art. 7(1) DSGVO).
These items are classified as strictly necessary within the meaning of §25(2) TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz) and do not require prior consent. No personal data is transmitted to third parties through these storage mechanisms.
13.2 Analytics Cookies (Consent Required — Art. 6(1)(a) DSGVO)
The following cookies are set by Google Analytics 4 only after you click "Accept" on the cookie banner. Prior to consent, no analytics cookies are placed and no tracking data is collected (see §14 on Google Consent Mode v2):
_ga — Google Analytics client identifier. Distinguishes unique visitors. Duration: 2 years from last activity.
_ga_* — Google Analytics session-scoped identifier (measurement ID-specific). Persists session state. Duration: 2 years from last activity.
_gid — Google Analytics session identifier. Groups pageviews into a single session. Duration: 24 hours.
13.3 Advertising Cookies (Consent Required — Art. 6(1)(a) DSGVO)
If you accept advertising cookies via the cookie banner, Google Ads sets the following cookies to measure advertising conversions and attribute website visits to ad interactions:
_gcl_au — Google Ads conversion linker. Stores a unique click identifier to attribute website conversions to specific Google Ads clicks. Duration: 90 days.
_gcl_aw — Google Ads click identifier (GCLID). Set when you arrive at the website via a Google Ads advertisement. Used for conversion measurement. Duration: 90 days.
_gac_* — Google Ads campaign attribution cookie. Stores which campaign, ad group, and keyword brought you to the website. Duration: 90 days.
Without your explicit consent, no analytics or advertising cookies are set. All consent-dependent scripts are blocked by default and are only loaded after affirmative consent is recorded.
You may withdraw or modify your cookie consent at any time via the "Cookie Settings" link in the website footer. Upon withdrawal, all consent-dependent cookies will be deleted and the associated tracking scripts will be deactivated. If you reject cookies, Google Ads operates in cookieless mode (using modeled conversions without personal data storage).
§14 Google Analytics 4 & Google Ads Conversion Tracking
Subject to your prior consent (Art. 6(1)(a) DSGVO), we use Google Analytics 4 ("GA4") for website usage analytics and Google Ads conversion tracking to measure the effectiveness of advertising campaigns. These services are provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google acts as a processor within the meaning of Art. 28 DSGVO.
Data processor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)
Legal basis: Art. 6(1)(a) DSGVO — your explicit, informed, freely given consent via the cookie banner
Data collected upon consent: IP address (anonymized via IP masking before storage), pages visited and interaction events, session duration and engagement metrics, device type, operating system, browser type and version, screen resolution, referral source (direct, organic search, paid ad, social media), and geographic region (derived from anonymized IP, city-level precision)
Cookies set: _ga (client ID, 2 years), _ga_[Measurement-ID] (session state, 2 years), _gid (session ID, 24 hours). See §13.2 for detailed descriptions.
International data transfer: Google Ireland Ltd. may transfer data to Google LLC (USA). This transfer is protected by Google's participation in the EU-US Data Privacy Framework (DPF), certified by the U.S. Department of Commerce.
IP anonymization: GA4 does not log full IP addresses by default. IP addresses are used for geographic derivation and then discarded. No full IP addresses are stored in our GA4 property.
Opt-out: You may withdraw your consent at any time via the "Cookie Settings" link in the website footer. Upon withdrawal, all Google Analytics and Google Ads cookies will be deleted from your browser and tracking will cease immediately for your session.
Google Consent Mode v2: We have implemented Google Consent Mode v2 ("Advanced" configuration). Prior to consent, all Google tags operate in a restricted state — no cookies are written, no personal data is collected, and no identifiable information is transmitted to Google. Only cookieless, aggregated signals (pings) may be sent to support Google's modeled conversion reporting. Full measurement is activated only upon explicit consent.
For further information on Google's data processing practices, please refer to Google's Privacy Policy (https://policies.google.com/privacy) and Google's information on data usage by partner sites (https://policies.google.com/technologies/partner-sites).
§15 Technical & Organizational Security Measures
In accordance with Art. 32 DSGVO, we have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures include, but are not limited to:
Transport Layer Security (TLS): All data transmitted between your browser and our servers is encrypted using TLS 1.3. Our website enforces HTTPS via HTTP Strict Transport Security (HSTS) headers with a minimum max-age of one year.
Access controls: Administrative access to sub-processor accounts (Vercel, Coda, Stripe, Resend) is restricted to authorized personnel and protected by multi-factor authentication (MFA). Access credentials are stored in an encrypted password manager.
Data minimization by design: Our systems are designed to collect only the minimum data necessary for each processing purpose. Contact form fields are limited to essential information, and payment card details never touch our infrastructure.
Regular review: We periodically review our security measures, sub-processor agreements, and data processing activities to ensure continued compliance with DSGVO requirements and to address emerging threats.
While we strive to protect personal data with industry-standard security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your data. In the event of a personal data breach, we will comply with the notification obligations set out in Articles 33 and 34 DSGVO.
§16 Automated Decision-Making & Profiling
We do not engage in automated decision-making, including profiling, within the meaning of Art. 22 DSGVO that produces legal effects concerning you or similarly significantly affects you. No processing activity described in this privacy policy involves a decision based solely on automated processing. Our WhatsApp message classification system uses basic keyword matching for routing purposes only and does not make decisions that affect your rights or access to services.
§17 Supervisory Authority & Right to Lodge a Complaint
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the DSGVO (Art. 77 DSGVO). The competent supervisory authority for our business is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI)
Ludwig-Erhard-Str. 22, 7th Floor, 20459 Hamburg, Germany
Website: https://datenschutz-hamburg.de
We encourage you to contact us directly at info@soyermusic.com before filing a complaint with the supervisory authority, so that we may attempt to resolve your concern informally. However, this does not affect your right to lodge a complaint at any time.
§18 Amendments & Version History
We reserve the right to amend this privacy policy at any time to reflect changes in our data processing activities, legal requirements, or supervisory authority guidance. The current version of the privacy policy is always available at this URL. The revision date and version number at the top of this document indicate when the policy was last substantively modified.
Material changes to this privacy policy — in particular changes that affect the legal basis for processing, the categories of data collected, or the rights of data subjects — will be communicated to active students via email or WhatsApp message prior to taking effect. Continued use of the website after the effective date of an amended policy constitutes acknowledgement of the updated terms.