How Berserk ApS handles personal data when you visit bzrk.dev, contact us, or interact with our public-facing services. This page is the visitor-facing privacy notice; for the procurement-shaped GDPR posture see GDPR Compliance, and for processing of customer telemetry under support engagements see the DPA Template.
Controller: Berserk ApS, Denmark.
Contact: hello@bzrk.dev.
| Source | Personal data | Purpose / lawful basis (GDPR Art. 6) | Retention |
|---|---|---|---|
hello@bzrk.dev inbox | Email address, name (if provided), free-text message. | Responding to your enquiry — legitimate interest (Art. 6(1)(f)). | 12 months unless the thread relates to an open engagement or unresolved issue. |
security@bzrk.dev inbox | Email address, name (if provided), vulnerability report contents. | Triage and remediation — legitimate interest in operating a CVD process. | Until the report is closed plus the CVE-related window required for advisory follow-up. |
| CRM (sales contacts) | Name, work email, employer, conversation notes. | Sales pipeline management — legitimate interest (Art. 6(1)(f)), with opt-out at every contact. | Until objection or 3 years inactive, whichever is sooner. |
| Server logs (bzrk.dev edge / origin) | IP address, user-agent, request URL, timestamp. | Operating the site, diagnosing failures, abuse handling — legitimate interest. | 90 days, then deleted. |
| Newsletter / waitlist (if you sign up) | Email address. | Sending the content you asked for — consent (Art. 6(1)(a)). | Until you unsubscribe. |
| Job applications | Name, contact details, CV, application correspondence. | Evaluating your application — pre-contractual measures at your request (Art. 6(1)(b)). | 12 months after the role closes; longer only with your consent. |
We do not collect special categories of personal data (Art. 9). We do not sell personal data to third parties. We do not engage in automated decision-making with legal or similarly significant effects on you (Art. 22).
The bzrk.dev website does not set tracking cookies, and does not use analytics, fingerprinting, or third-party advertising trackers. The only first-party storage we use is whatever your browser may set for standard session continuity on interactive sub-pages. If we ever add analytics, we will update this page first and disclose the tool, the data category, and the retention.
Personal data above is accessible to Berserk ApS personnel on a need-to-know basis. The third parties that host the corresponding system are also recipients in the GDPR sense; they are corporate vendors of Berserk ApS, not customer-data sub-processors under Art. 28, and so are not on /legal/sub-processors/.
| System | Recipient | Location |
|---|---|---|
hello@ / security@ / sales mail | Proton AG | Switzerland (adequacy decision) |
| Server logs for bzrk.dev | Hetzner Online GmbH | Germany (EU) |
| CRM (sales contact records) | None — held in Berserk-controlled markdown stored on our git provider (GitHub, Inc. — USA, SCCs). | USA (SCCs) |
| Job applications | Proton AG (mail attachments) and Berserk-controlled local copies | Switzerland (adequacy decision) |
| Newsletter / waitlist (when active) | The provider listed in this section at the time the newsletter is active. | (declared at activation) |
All recipients are bound by their own GDPR-aligned data-processing
terms. The internal supplier register, which lists every corporate
vendor with location and personal-data category, is available to
enterprise customers under NDA on request to security@bzrk.dev.
For the CRM in particular: most contacts are obtained directly from the data subject (Art. 13 applies). A subset may be obtained from publicly available professional sources — public LinkedIn profiles, public conference speaker lists, public GitHub profiles, public company About / Team pages, or introductions through a mutual contact (Art. 14 applies). The categories of personal data and the purposes are the same in either case; we do not buy CRM lists from data brokers.
Berserk ApS operates from Denmark and uses a mix of EU/EEA-located infrastructure (Hetzner Germany), adequacy-covered providers (Proton in Switzerland — Commission adequacy decision under Art. 45), and SCC-covered providers in third countries (notably GitHub for source-controlled CRM and code; SCCs apply). We do not transfer your personal data outside the EU/EEA + adequacy set without the appropriate transfer mechanism.
You can exercise the following rights under GDPR Articles 15–22:
To exercise a right, email hello@bzrk.dev with subject
GDPR request and tell us what you want done. Response SLA: 30
days from receipt.
You also have the right to lodge a complaint with a supervisory
authority. Berserk ApS's competent authority is Datatilsynet
(Danish Data Protection Agency, dt@datatilsynet.dk); you may also
complain to the supervisory authority of your habitual residence.
We update this notice whenever the underlying processing changes (new tool, new vendor, new purpose, new retention). Material changes are flagged with a "What changed" line at the top of this page for 30 days after the change takes effect.
hello@bzrk.devsecurity@bzrk.dev2026-05-04.