Privacy Policy
Last updated: July 2026
This privacy policy explains how Johannes Hayer (“The AI Engineer”, jhayer.tech) processes personal data when you use this website, subscribe to the newsletter, create an account, or purchase courses and memberships.
1. Controller
The controller is Johannes Hayer, contact@jhayer.tech. A postal address is listed in the legal notice (Impressum).
For privacy questions, email the address above at any time.
2. Cookies and consent
We use cookies and similar technologies. Under Section 25 TDDDG (German Telecommunications Digital Services Data Protection Act), storing or accessing information on your device requires consent unless the technology is strictly necessary.
Strictly necessary cookies are set without separate consent — including your cookie choice (`mc_consent`), login sessions, and a pseudonymous visitor cookie (`mc_anon`) to protect the site from abuse, automated traffic, and bot attacks (rate limits, anomaly detection).
Analytics and marketing measurement run only if you explicitly accept in the cookie banner. Decline and accept are equally accessible. Without consent we do not use `mc_anon` for reach or marketing analytics.
You can change your choice anytime via “Cookie settings” in the footer.
| Name | Category | Purpose | Duration |
|---|---|---|---|
| mc_consent | Necessary | Stores your cookie choice (accept/decline). | 12 months |
| mc_anon | Necessary | Pseudonymous visitor ID to protect the site (abuse/bot mitigation, rate limits). Analytics use only with consent. | 24 months |
| better-auth.* (session) | Necessary | Keeps you logged in. | Session / short cache |
| _fbp / _fbc | Marketing (consent) | Meta conversion measurement; only if Meta Pixel is active and you consented. | per Meta |
Marketing cookies (_fbp/_fbc) are set only when Meta conversion tracking is enabled on this site and you have consented.
3. First-party analytics
With your consent we measure anonymous visitor usage (first-party analytics): page views, content consumed, acquisition source, and conversion steps.
When signed in we record usage events to operate and improve the platform (e.g. page views, course and membership context) under the service contract — independent of the cookie banner choice for marketing analytics.
For linked reporting we use the pseudonymous visitor cookie `mc_anon` (hashed) only where cookie consent applied during anonymous phases. Marketing (Meta) always requires consent.
4. Newsletter
When you subscribe, we process your email address and optionally language and signup context (e.g. blog article) to send you content from The AI Engineer.
Legal basis: consent (Art. 6(1)(a) GDPR). You can unsubscribe anytime via the link in any email or contact@jhayer.tech.
Delivery is via Resend (processor). We do not maintain a separate newsletter contacts table in our database.
5. Account and login
You may create an account for courses, membership, and your dashboard. We process account data, session cookies, and — under contract — usage events on the platform (progress, purchases, areas visited).
Legal basis: contract performance (Art. 6(1)(b) GDPR). Sign-in accepts the Terms of Service, which describe platform analytics for signed-in users.
OAuth providers (Google, GitHub) perform their own processing; their privacy policies apply in addition.
6. Courses, membership, and payments
Purchases and subscriptions are handled by Stripe. We store purchase and subscription state in our database; payment card data is processed by Stripe directly and not stored by us.
Legal basis: contract performance (Art. 6(1)(b) GDPR). Stripe is a processor.
7. Email automation
We send transactional and automated emails (e.g. welcome sequences, course reminders) based on your account, language, and progress. Email clicks are measured via opaque links—never with plaintext email in the URL.
Legal basis: consent (newsletter), contract (transactional mail), or legitimate interest in functional service emails where applicable.
8. Hosting and server logs
The site is hosted on Vercel. Connection data (IP address, timestamp, requested URL, user agent) is processed in server logs.
Legal basis: legitimate interest in secure, reliable operation (Art. 6(1)(f) GDPR). The database (PostgreSQL) runs on Neon.
9. Processors
We use service providers including: Vercel (hosting), Neon (database), Stripe (payments), Resend (email), Google/GitHub (login), Meta Platforms (conversion measurement, consent only), Anthropic (AI-assisted analysis of aggregated admin metrics).
We conclude Art. 28 GDPR data processing agreements where required.
10. International transfers
Some providers are located in the US or process data there. Transfers use appropriate safeguards (e.g. EU Standard Contractual Clauses or EU-US Data Privacy Framework certification) where applicable.
Meta tracking and AI analysis are used only with your consent and/or where contractually secured for the respective service.
11. Retention
We retain analytics and attribution data as long as needed for reporting and compliance, then aggregate or delete per internal retention rules.
Processed Stripe webhook snapshots are redacted per defined retention (currently up to 35 days for processed snapshots).
Newsletter data at Resend until unsubscribe. Account data until account deletion unless legal retention applies.
mc_consent cookie: 12 months. mc_anon cookie (security): 24 months.
12. Your rights
You have the right of access, rectification, erasure, restriction, portability, and to object to processing based on legitimate interests.
You may withdraw consent at any time with future effect (e.g. via cookie settings or newsletter unsubscribe).
13. Complaints
You may lodge a complaint with a supervisory authority, e.g. the authority responsible for your place of residence in the EU.
14. Changes
We update this policy when law, technology, or services change. The current version is always on this page.