Legal

Privacy

What we collect, why, and how to ask us to stop. Plain English. Last updated 2026.

1. The short version

We collect the minimum we need to reply to you, build your site, and keep this one running. We do not sell or trade your data. We do not use third-party advertising or tracking cookies. You can email faris@fifthaveweb.com at any time to see, export, correct, or delete whatever we hold about you, and we will reply within 30 days.

2. Who is responsible (the controller)

Fifth Ave Web
Faris Brni, sole proprietor
Jarrestraße 42a, 22303 Hamburg, Germany
Email: faris@fifthaveweb.com

We are the data controller under Article 4 (7) of the General Data Protection Regulation (GDPR). Because we are a small business below the relevant thresholds, we have not appointed a separate data protection officer; the controller is also the direct contact for all data requests.

3. What we collect, and why

  • Form & email submissions — your name, business name, email address, and message when you contact us. Used to reply to you and prepare a proposal. Legal basis: GDPR Art. 6 (1) (b) (steps prior to a contract) and 6 (1) (f) (legitimate interest in responding to enquiries).
  • Booking calls via Calendly — your name, email, time zone, and any text you add. Calendly Inc. is a processor under a signed DPA. Legal basis: GDPR Art. 6 (1) (b).
  • Payments via Stripe — billing details, country, and the amount. We see the receipt; Stripe sees the card. Legal basis: GDPR Art. 6 (1) (b) and 6 (1) (c) (compliance with tax law, §147 AO).
  • Server logs — IP, user agent, requested URL, timestamp. Retained for 30 days to prevent abuse and diagnose outages. Legal basis: GDPR Art. 6 (1) (f).
  • Vercel Web Analytics — anonymised, aggregate page views via our host (Vercel). No advertising cookies, no cross-site tracking, no profiling. Legal basis: GDPR Art. 6 (1) (f).

4. Cookies

This site uses no advertising cookies and no cross-site tracking. The only cookies we set are strictly necessary functional cookies (e.g. to remember that you have dismissed a notice). These do not require consent under §25 (2) TTDSG.

5. Who sees your data

We share data only with the processors strictly required to deliver the service:

  • Our hosting provider — site delivery (EU + US, EU SCCs in place).
  • Stripe Payments Europe Ltd. — payment processing.
  • Calendly LLC — booking calls.
  • Our email provider — to send replies to you.

We do not transfer your data to anyone else. We never sell, trade, or rent it.

6. International transfers

Some of our processors are based in the United States. Where that applies, transfers are protected by the EU–US Data Privacy Framework and/or Standard Contractual Clauses. Copies are available on request.

7. How long we keep it

  • Enquiry emails: up to 24 months.
  • Active client records: for the duration of the engagement.
  • Invoices & accounting data: 10 years (German tax law, §147 AO).
  • Server logs: 30 days.

8. Your rights under GDPR

You may, at any time:

  • Ask what we hold about you (Art. 15).
  • Receive a copy in a portable format (Art. 20).
  • Have it corrected (Art. 16) or deleted (Art. 17).
  • Restrict (Art. 18) or object to (Art. 21) processing.
  • Withdraw any consent you have given, without affecting the lawfulness of processing already done (Art. 7 (3)).
  • Lodge a complaint with your local supervisory authority — for US visitors, that may be your state Attorney General; EU/German visitors may contact the relevant Landesdaten- schutzbeauftragter (Art. 77).

To exercise any of these, email faris@fifthaveweb.comwith “privacy” in the subject. We reply within 30 days.

9. US-resident notes (CCPA/CPRA)

We do not sell or share personal information as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA). California residents may still exercise rights to access, delete, and correct their data by emailing the address above. We will not discriminate against you for exercising these rights.

10. Security

Everything is served over HTTPS. Form submissions and email are encrypted in transit. Backups are encrypted at rest. Access to client data is limited to the controller.

11. Changes to this policy

We will update this page if our processors or practices change, and note the new date at the top. Material changes that affect your rights will be announced by email to active clients.