Last updated: June 2, 2026
This Privacy Policy explains how I, Md Shahabub Alam, collect, use, and protect your personal information when you visit my portfolio website (https://msanabid.vercel.app) or interact with the following social media presences operated under the same business registration (Gewerbe):
I am committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
The data controller (Art. 4(7) GDPR) responsible for processing your personal data across this website and for the management of the social media presences listed in section 1 is:
Md Shahabub AlamI act in the capacity of a registered sole-trader business (Gewerbe) and as a small-business operator under § 19 UStG (Kleinunternehmerregelung). The full postal address and other statutory provider information are published in the Impressum, which forms part of this Privacy Policy by reference.
When you use the contact form on this website, the following information may be processed:
Purpose: The purpose of processing your personal data through the contact form is to answer your inquiries. When you submit a message through the contact form, I process your data solely to respond to your inquiry and provide you with the information or assistance you have requested.
Legal basis: Legitimate interest (Article 6(1)(f) GDPR). Processing your personal data is necessary for my legitimate interest in answering inquiries. When you contact me through the contact form, you initiate the communication and have a reasonable expectation that I will process your data to answer your inquiry. I have conducted a balancing test and determined that my legitimate interest in answering inquiries does not override your fundamental rights and freedoms, as the processing is limited to what is necessary to answer your inquiry and you can object to the processing at any time.
Retention: Your data will be stored until you request deletion or the purpose for storage no longer applies. Contact form submissions are retained for a maximum of 12 months after the last communication, after which they are automatically deleted unless you request earlier deletion or there is a legal obligation to retain the data (e.g., for tax or legal purposes).
Right to object: You have the right to object to the processing of your personal data based on legitimate interest at any time. If you object, I will no longer process your personal data unless I can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
Rate limiting: To prevent spam and abuse, your IP address is briefly processed in server memory and stored as a cryptographic hash (SHA-256, pseudonymized) for the duration of the rate-limiting window (1 hour for the contact form). The hash is automatically discarded once the window expires. Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in protecting the service from abuse.
This website includes an interactive chatbot that allows you to ask questions about my portfolio, including projects, experience, skills, publications, and certifications. When you use the chatbot, the following information is processed:
Purpose: The purpose of processing your chat messages is to provide you with relevant information about my portfolio and answer your questions. The chatbot uses artificial intelligence to understand your queries and generate responses based on my portfolio data.
Legal basis: Legitimate interest (Article 6(1)(f) GDPR). Processing your chat messages is necessary for my legitimate interest in providing an interactive way for visitors to learn about my portfolio. When you use the chatbot, you initiate the interaction and have a reasonable expectation that your messages will be processed to generate responses. I have conducted a balancing test and determined that my legitimate interest in providing this interactive service does not override your fundamental rights and freedoms, as the processing is limited to what is necessary to answer your questions, conversations are not stored permanently, and you can stop using the chatbot at any time.
Data storage: Your chat conversations are not persisted on my servers. Chat messages are processed in real-time to generate responses and the message content itself is not written to any persistent application log by me. Minimal error metadata (such as HTTP status codes and error categories — without your message content) may be captured by the hosting provider's standard server logs for debugging purposes (see section 4.2). To find relevant portfolio content, your message is matched against a knowledge base on my server using keyword search (no third-party embedding service). To generate the reply text, your message and retrieved context are sent to Groq, as described in section 4.3 below. Groq acts as a data processor and may temporarily process your data according to its privacy policy and Data Processing Addendum. I do not retain copies of your conversations on my servers.
Retention: Chat messages are not retained on my servers after the response is generated. The chat history shown in the chat window is kept only in your browser's memory for the duration of the session and is cleared when you close the chat or refresh the page. Groq may retain logs for security and troubleshooting purposes for up to 30 days, as specified in its privacy policy (see section 4.3).
Rate limiting: To prevent abuse of the chatbot, your IP address is briefly processed in server memory and stored as a cryptographic hash (SHA-256, pseudonymized) for the duration of the rate-limiting window (1 minute, max. 15 messages per IP). The hash is automatically discarded once the window expires. Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in protecting the service from abuse.
Right to object: You have the right to object to the processing of your chat messages. If you object, you can simply stop using the chatbot. You are not required to use the chatbot to access information on this website, as all portfolio information is also available through the regular website pages.
Please do not submit sensitive personal data (e.g. health, financial details, or other special categories of data under Article 9 GDPR) in the chat. The chatbot is intended only for general questions about my portfolio.
In addition to this website, I operate two public social media presences under the same Gewerbe (see section 2). They serve to share instructional, technical, and data-science content and to interact with viewers and followers.
On each platform, the platform operator (Google or Meta) is the primary responsible party for collection and processing of user data, cookies, and cross-border transfers. As the channel / profile administrator, I receive only aggregated, anonymized analytics from the platform and process limited public interaction data (e.g. usernames of commenters / followers). For YouTube and (where applicable) Facebook insights, the platform may treat the channel/page administrator and itself as joint controllers (Art. 26 GDPR) under the principles of the ECJ's "Wirtschaftsakademie" ruling (C-210/16). In that case, the platform acts as the lead controller and provides the corresponding joint-controller arrangement.
Channel: youtube.com/@NabidInMotion. Platform operator (and primary controller): Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. See Google's Privacy Policy.
Data processing by me (YouTube Analytics & monetization): I use the built-in YouTube Analytics dashboard, which provides aggregated statistical reports (general demographics, view metrics, geographic data, engagement). I cannot trace these aggregated statistics back to identifiable individuals. As a YouTube Partner Program participant, I receive monetization payouts from Google; the underlying viewer/ad data is processed by Google, not by me.
Direct interaction: If you leave a public comment, like a video, or subscribe, your platform username and public interactions are visible to me and to other users. I process this only to interact with the community.
Profile: facebook.com/shahabubnabid. Platform operator (and primary controller): Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. See Meta's Privacy Policy.
Data processing by me: I receive aggregated, anonymized insights from Meta about the reach and engagement of my public posts/videos and (where applicable) monetization data via Facebook's Content Monetization / In-Stream Ads programs. I cannot identify individual users from these aggregated insights. The underlying viewer/ad data (cookies, device identifiers, IP addresses) is collected and processed by Meta, not by me.
Direct interaction: If you send me a friend request, follow my public posts, comment, react, or message me, your platform username and public interactions are visible to me. I process this only to interact with you and to operate the profile.
Legal basis (both platforms): Legitimate interest (Art. 6(1)(f) GDPR) in operating my professional social-media presence and interacting with my audience. Where joint controllership with the platform applies, the platform also relies on its own legal bases for its share of the processing.
Right to object: You can object to my processing at any time (see contact in section 12). To exercise rights regarding data processed by the platforms themselves (cookies, tracking, account data, advertising profiles), use the privacy controls and settings within your Google or Meta account, or contact those companies directly.
I use Resend to process and send emails from the contact form mentioned in 3.1. When you submit the contact form, Resend processes your email address and message content to deliver the email to me. Resend acts as a data processor (Article 4(8) GDPR) on my behalf for this purpose. Resend is a service provided by a company based in the United States. Your data is transferred to and processed in the United States. Resend has implemented appropriate safeguards to protect your data, including:
Please refer to Resend's Privacy Policy for more information.
This website is hosted on Vercel Inc. (Hobby / free tier) by a company based in the United States. I use Vercel's hosting service to deploy and deliver this website. Under Vercel's terms, their Data Processing Addendum (Art. 28 GDPR processor agreement) applies only to customers on Pro or Enterprise plans. On the Hobby plan I do not have a separate Art. 28 DPA with Vercel.
To the extent that hosting-related technical data (e.g. server logs, IP addresses) is processed, Vercel may act as an independent controller for such "Service-Generated Data" and processes it under its own Privacy Policy, not as my processor under a DPA. I instruct Vercel only insofar as I choose to deploy this site on their platform; I do not control their internal logging systems.
When you visit this website, certain technical information is automatically collected by the hosting provider (Vercel) in server logs. This includes:
Purpose: This data is collected automatically for technical reasons necessary for the operation and security of the website, including:
Legal basis: Legitimate interest (Article 6(1)(f) GDPR). The collection of this technical data is necessary for the legitimate interest of ensuring the security, stability, and proper functioning of the website. This processing is essential for the website to operate and cannot be avoided. I have conducted a balancing test and determined that my legitimate interest in maintaining website security and functionality does not override your fundamental rights and freedoms, as the data collection is limited to what is technically necessary and the data is not used for profiling or marketing purposes.
Retention: Server logs are typically retained for a limited period (usually 30-90 days) by the hosting provider for security and technical purposes, after which they are automatically deleted. I do not have direct access to or control over these logs.
IP Address Anonymization: While I cannot directly control Vercel's server logs, I do not use any analytics services that would process IP addresses for tracking or profiling purposes. The IP addresses collected in server logs are used solely for technical and security purposes.
Right to object: You have the right to object to the processing of your IP address. However, please note that the collection of IP addresses in server logs is technically necessary for the website to function. If you object, you may not be able to access this website, as IP addresses are required for the technical delivery of web content.
Your data, including IP addresses, may be transferred to and processed in the United States and other countries outside the European Economic Area (EEA). Vercel participates in the EU-U.S. Data Privacy Framework (EU-U.S. DPF) for certain transfers; see their privacy policy for details. Because I am on the Hobby plan, I rely on Vercel's published privacy and security measures as an independent controller, not on a processor DPA between us.
In its judgment of 16 July 2020 (C-311/18, Schrems II), the European Court of Justice confirmed that data transferred to third countries may be subject to access by local authorities. Further information on Vercel's data handling can be found in their Privacy Policy. I do not have direct access to or control over Vercel's server logs.
I use Groq to provide AI-powered responses in the portfolio chatbot mentioned in section 3.2. When you use the chatbot, your chat messages are sent to Groq to generate AI responses. Groq acts as a data processor (Article 4(8) GDPR) on my behalf for this purpose. Groq is a service provided by a company based in the United States. Your data is transferred to and processed in the United States.
Groq has implemented appropriate safeguards to protect your data, including:
Groq processes your chat messages solely to generate responses and does not use your data for its own purposes beyond providing the service. According to Groq's privacy policy, customer data processed through their Cloud Services (including APIs) is governed by the Groq Services Agreement and Data Processing Addendum.
Please refer to Groq's Privacy Policy and Groq's Legal Documentation for more information. The Data Processing Addendum is available through the Groq console.
The "About" section of this website loads an external image (GitHub contribution graph) from a third-party service (github-readme-activity-graph.vercel.app) to display my public GitHub activity. When you view that section, your browser may send a request to that service; the service may receive your IP address and may use cookies or similar technologies in accordance with its own privacy policy. I do not control this third party. The purpose of embedding this content is to present my public development activity. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). The request to github-readme-activity-graph.vercel.app is triggered automatically by your browser when the image component is rendered on the page. If you prefer to avoid this, you can use a browser, browser extension, or content blocker that prevents requests to that domain.
Under Article 28 GDPR, I must have a Data Processing Agreement (DPA) with each service provider that processes personal data on my behalf as a processor. Where a provider acts as an independent controller (e.g. Vercel Hobby hosting logs), a processor DPA is not applicable; instead, their own privacy policy governs that processing (see section 4.2).
The following providers process personal data on my behalf under DPAs (or equivalent addenda incorporated into their terms):
Not covered by a processor DPA on my current plans:
Where DPAs apply, they include appropriate safeguards for transfers outside the European Economic Area (e.g. Standard Contractual Clauses or participation in the EU-U.S. Data Privacy Framework), as described in each provider's documentation.
Under GDPR, you have the following rights:
To exercise these rights, please contact me at msa.nabid.cse@gmail.com.
I implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the Internet is 100% secure.
This website uses localStorage (a browser storage mechanism) to store essential technical preferences. No cookies are used.
The website stores your theme preference (light/dark mode) in your browser's localStorage. This is necessary for the website to remember your display preference and provide a consistent user experience.
Data stored: Theme preference (e.g., "light", "dark", or "system")
Purpose: To remember your display preference so the website appears in your preferred theme on subsequent visits.
Legal basis: Legitimate interest (Article 6(1)(f) GDPR). Storing your theme preference is necessary for my legitimate interest in providing a user-friendly website experience. This processing is minimal, does not involve personal data beyond a technical preference, and enhances your user experience.
Retention: Your theme preference is stored indefinitely in your browser until you clear your browser data or change the preference. You can delete this data at any time by clearing your browser's localStorage.
No consent required: Under GDPR, this type of storage for essential technical purposes does not require consent, as it is strictly necessary for the service you have requested (displaying the website in your preferred theme).
The hosting provider (Vercel) does not set any cookies on your device in connection with this website. Technically necessary processing (such as server-side logging) takes place without placing cookies on your browser.
This website is a Progressive Web App (PWA) and registers a service worker (/sw.js) in your browser. The service worker uses your browser's Cache API to store a small set of static, non-personal assets (the homepage HTML and favicon images) so that the website loads faster and remains partially available when you are offline.
Data stored: Cached copies of static assets served by this website (HTML, images). No personal data, no cookies, no tracking identifiers.
Purpose: Performance and offline availability (PWA functionality).
Legal basis: Legitimate interest (Article 6(1)(f) GDPR) in providing a fast, reliable user experience. Because this storage is strictly necessary for the requested service (the PWA functionality the user accesses) and contains no personal data, no consent is required under § 25(2) TTDSG / Art. 5(3) ePrivacy Directive.
Retention: Cached assets remain in your browser until they are evicted by your browser, replaced by a newer version of the service worker, or you clear your browser data. You can remove the service worker and its cached data at any time via your browser's developer tools (Application tab → Service Workers / Cache Storage) or by clearing site data.
This website does not use tracking cookies, analytics cookies, or any other tracking technologies that require consent under GDPR. No personal data is collected for analytics, marketing, or profiling purposes.
You can manage or delete data stored in localStorage at any time through your browser settings:
Note: Clearing localStorage will reset your theme preference to the default setting.
I do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.
If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement.
The supervisory authority responsible for me is:
Die Berliner Beauftragte für Datenschutz und InformationsfreiheitI may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when the policy was last revised.
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact me:
Email: msa.nabid.cse@gmail.com