Forem: James

Minimum Viable DSGVO Compliance for Startups

James — Wed, 13 May 2026 23:05:43 +0000

The 5-Minute DSGVO Compliance Checklist for Web Projects

DSGVO compliance isn't a legal essay. It's a set of technical and procedural decisions. Here's the checklist we use before any project launch.

Data Collection

[ ] List all data you collect (name, email, IP, cookies, analytics)
[ ] For each: why do you need it? (purpose limitation)
[ ] For each: how long do you keep it? (storage limitation)
[ ] Can you delete it on user request? (right to erasure)

Technical Measures

[ ] HTTPS everywhere (TLS 1.3)
[ ] No third-party trackers (Google Analytics, Facebook Pixel) without consent
[ ] Cookie banner for non-essential cookies (strict opt-in)
[ ] Server location in EU (or SCCs for non-EU)
[ ] Access logs stripped of PII or rotated after 30 days
[ ] Database encryption at rest

Documentation

[ ] Privacy policy (German + English, plain language)
[ ] Data processing agreement (if using third-party services)
[ ] Incident response plan (72-hour notification requirement)
[ ] User rights procedure (how to handle access/erasure requests)

Team

[ ] Data protection officer (required for > 10 employees processing personal data)
[ ] Employee training (annual, documented)
[ ] Access controls (role-based, minimal privilege)

Quick Wins

Replace Google Analytics with Plausible (€9/month, EU-hosted, no cookies).
Replace reCAPTCHA with hCaptcha or Friendly Captcha (better privacy posture).
Host in EU (Hetzner, OVH, Scaleway — all cheaper than AWS anyway).

The Honest Truth

Most DSGVO violations aren't malicious. They're careless:

Forgetting to add a privacy policy
Logging IPs indefinitely
Using US-hosted analytics without SCCs
Not documenting data flows

This checklist fixes the careless mistakes. The hard stuff (legitimate interest assessments, DPIAs) comes later — but only after the basics are solid.

Graham Miranda is the founder of Graham Miranda UG (Berlin, HRB 36794), building DSGVO-compliant automation and privacy tools.

Launching in Germany? Run This Checklist First

James — Wed, 13 May 2026 23:04:38 +0000

The 5-Minute DSGVO Compliance Checklist for Web Projects

DSGVO compliance isn't a legal essay. It's a set of technical and procedural decisions. Here's the checklist we use before any project launch.

Data Collection

[ ] List all data you collect (name, email, IP, cookies, analytics)
[ ] For each: why do you need it? (purpose limitation)
[ ] For each: how long do you keep it? (storage limitation)
[ ] Can you delete it on user request? (right to erasure)

Technical Measures

[ ] HTTPS everywhere (TLS 1.3)
[ ] No third-party trackers (Google Analytics, Facebook Pixel) without consent
[ ] Cookie banner for non-essential cookies (strict opt-in)
[ ] Server location in EU (or SCCs for non-EU)
[ ] Access logs stripped of PII or rotated after 30 days
[ ] Database encryption at rest

Documentation

[ ] Privacy policy (German + English, plain language)
[ ] Data processing agreement (if using third-party services)
[ ] Incident response plan (72-hour notification requirement)
[ ] User rights procedure (how to handle access/erasure requests)

Team

[ ] Data protection officer (required for > 10 employees processing personal data)
[ ] Employee training (annual, documented)
[ ] Access controls (role-based, minimal privilege)

Quick Wins

The Honest Truth

Most DSGVO violations aren't malicious. They're careless:

Forgetting to add a privacy policy
Logging IPs indefinitely
Using US-hosted analytics without SCCs
Not documenting data flows

This checklist fixes the careless mistakes. The hard stuff (legitimate interest assessments, DPIAs) comes later — but only after the basics are solid.

Graham Miranda is the founder of Graham Miranda UG (Berlin, HRB 36794), building DSGVO-compliant automation and privacy tools.

DSGVO Compliance in 5 Minutes: A Practical Checklist

James — Wed, 13 May 2026 23:03:32 +0000

The 5-Minute DSGVO Compliance Checklist for Web Projects

DSGVO compliance isn't a legal essay. It's a set of technical and procedural decisions. Here's the checklist we use before any project launch.

Data Collection

[ ] List all data you collect (name, email, IP, cookies, analytics)
[ ] For each: why do you need it? (purpose limitation)
[ ] For each: how long do you keep it? (storage limitation)
[ ] Can you delete it on user request? (right to erasure)

Technical Measures

[ ] HTTPS everywhere (TLS 1.3)
[ ] No third-party trackers (Google Analytics, Facebook Pixel) without consent
[ ] Cookie banner for non-essential cookies (strict opt-in)
[ ] Server location in EU (or SCCs for non-EU)
[ ] Access logs stripped of PII or rotated after 30 days
[ ] Database encryption at rest

Documentation

[ ] Privacy policy (German + English, plain language)
[ ] Data processing agreement (if using third-party services)
[ ] Incident response plan (72-hour notification requirement)
[ ] User rights procedure (how to handle access/erasure requests)

Team

[ ] Data protection officer (required for > 10 employees processing personal data)
[ ] Employee training (annual, documented)
[ ] Access controls (role-based, minimal privilege)

Quick Wins

The Honest Truth

Most DSGVO violations aren't malicious. They're careless:

Forgetting to add a privacy policy
Logging IPs indefinitely
Using US-hosted analytics without SCCs
Not documenting data flows

This checklist fixes the careless mistakes. The hard stuff (legitimate interest assessments, DPIAs) comes later — but only after the basics are solid.

Graham Miranda is the founder of Graham Miranda UG (Berlin, HRB 36794), building DSGVO-compliant automation and privacy tools.

Search Index Architecture for Privacy-First Engines

James — Wed, 13 May 2026 23:02:26 +0000

Elasticsearch vs. PostgreSQL Full-Text: Search Engine Indexing Deep Dive

Every search engine needs an index. The question is: which technology builds it?

PostgreSQL Full-Text Search

Built-in since PostgreSQL 8.3. Surprisingly capable.

Pros:

Zero additional infrastructure
ACID compliance (index stays consistent with data)
Good for < 1M documents
Supports German stemming, compound word handling
tsvector/tsquery is fast for simple needs

Cons:

No distributed search
Limited faceting and aggregation
Relevance scoring is basic
No built-in synonym support

Elasticsearch

The industry standard for search.

Pros:

Distributed by design (shards, replicas)
Advanced relevance scoring (BM25, custom functions)
Real-time indexing
Faceting, aggregation, geospatial
Plugin ecosystem (synonyms, analyzers)

Cons:

Additional infrastructure (cluster management)
Memory hungry (heap size tuning required)
Eventually consistent (not ACID)
Complex query DSL learning curve

What We Chose (and Why)

We use both:

PostgreSQL: Primary data store, user accounts, query logs (minimal), metadata
Elasticsearch: Search index only, rebuilt from PostgreSQL nightly

This hybrid gives us ACID for critical data and search performance for queries. If Elasticsearch fails, we can rebuild from PostgreSQL. If PostgreSQL is slow for search, Elasticsearch handles it.

German Language Challenges

German search is harder than English:

Compound words ("Datenschutzgrundverordnung")
Umlaut normalization (ä → ae or a?)
Case inflection
Dialect variations

Our solution: Custom Elasticsearch analyzer chain:

ICU tokenizer (handles compound words)
German stemmer (Snowball)
Umlaut normalizer (ä → a, ö → o, ü → u)
Synonym filter (DSGVO → Datenschutzgrundverordnung)

Graham Miranda builds search infrastructure at Graham Miranda UG (Berlin, HRB 36794).

Full-Text Search at Scale: Our Indexing Choice

James — Wed, 13 May 2026 23:01:21 +0000

Elasticsearch vs. PostgreSQL Full-Text: Search Engine Indexing Deep Dive

Every search engine needs an index. The question is: which technology builds it?

PostgreSQL Full-Text Search

Built-in since PostgreSQL 8.3. Surprisingly capable.

Pros:

Zero additional infrastructure
ACID compliance (index stays consistent with data)
Good for < 1M documents
Supports German stemming, compound word handling
tsvector/tsquery is fast for simple needs

Cons:

No distributed search
Limited faceting and aggregation
Relevance scoring is basic
No built-in synonym support

Elasticsearch

The industry standard for search.

Pros:

Distributed by design (shards, replicas)
Advanced relevance scoring (BM25, custom functions)
Real-time indexing
Faceting, aggregation, geospatial
Plugin ecosystem (synonyms, analyzers)

Cons:

Additional infrastructure (cluster management)
Memory hungry (heap size tuning required)
Eventually consistent (not ACID)
Complex query DSL learning curve

What We Chose (and Why)

We use both:

PostgreSQL: Primary data store, user accounts, query logs (minimal), metadata
Elasticsearch: Search index only, rebuilt from PostgreSQL nightly

This hybrid gives us ACID for critical data and search performance for queries. If Elasticsearch fails, we can rebuild from PostgreSQL. If PostgreSQL is slow for search, Elasticsearch handles it.

German Language Challenges

German search is harder than English:

Compound words ("Datenschutzgrundverordnung")
Umlaut normalization (ä → ae or a?)
Case inflection
Dialect variations

Our solution: Custom Elasticsearch analyzer chain:

ICU tokenizer (handles compound words)
German stemmer (Snowball)
Umlaut normalizer (ä → a, ö → o, ü → u)
Synonym filter (DSGVO → Datenschutzgrundverordnung)

Graham Miranda builds search infrastructure at Graham Miranda UG (Berlin, HRB 36794).

Building a Search Index: Elasticsearch vs. PostgreSQL

James — Wed, 13 May 2026 23:00:15 +0000

Elasticsearch vs. PostgreSQL Full-Text: Search Engine Indexing Deep Dive

Every search engine needs an index. The question is: which technology builds it?

PostgreSQL Full-Text Search

Built-in since PostgreSQL 8.3. Surprisingly capable.

Pros:

Zero additional infrastructure
ACID compliance (index stays consistent with data)
Good for < 1M documents
Supports German stemming, compound word handling
tsvector/tsquery is fast for simple needs

Cons:

No distributed search
Limited faceting and aggregation
Relevance scoring is basic
No built-in synonym support

Elasticsearch

The industry standard for search.

Pros:

Distributed by design (shards, replicas)
Advanced relevance scoring (BM25, custom functions)
Real-time indexing
Faceting, aggregation, geospatial
Plugin ecosystem (synonyms, analyzers)

Cons:

Additional infrastructure (cluster management)
Memory hungry (heap size tuning required)
Eventually consistent (not ACID)
Complex query DSL learning curve

What We Chose (and Why)

We use both:

PostgreSQL: Primary data store, user accounts, query logs (minimal), metadata
Elasticsearch: Search index only, rebuilt from PostgreSQL nightly

This hybrid gives us ACID for critical data and search performance for queries. If Elasticsearch fails, we can rebuild from PostgreSQL. If PostgreSQL is slow for search, Elasticsearch handles it.

German Language Challenges

German search is harder than English:

Compound words ("Datenschutzgrundverordnung")
Umlaut normalization (ä → ae or a?)
Case inflection
Dialect variations

Our solution: Custom Elasticsearch analyzer chain:

ICU tokenizer (handles compound words)
German stemmer (Snowball)
Umlaut normalizer (ä → a, ö → o, ü → u)
Synonym filter (DSGVO → Datenschutzgrundverordnung)

Graham Miranda builds search infrastructure at Graham Miranda UG (Berlin, HRB 36794).

The Berlin Tech Ecosystem: A Founder's Guide

James — Wed, 13 May 2026 22:59:10 +0000

Running a Tech Business in Berlin: Costs, Compliance, and Community

Berlin isn't the cheapest European city for startups. But it offers something rare: a combination of technical talent, regulatory clarity, and startup density that creates genuine competitive advantage.

Real Costs (2026)

Expense	Monthly Cost
Office (WeWork / similar)	€400-800/person
Developer salary (mid-level)	€4,500-6,500
Hetzner VPS (production)	€15-45
Legal/accounting (UG)	€300-500
Health insurance (public)	€350-450/person
Rent (1BR apartment)	€1,000-1,500

Total burn for 3-person team: ~€18,000-25,000/month.

Why a UG (Not GmbH)

The Unternehmergesellschaft (UG) is Germany's "mini-GmbH":

€1 minimum capital (vs. €25,000 for GmbH)
Same liability protection
Same legal standing
Must retain 25% of profits until €25,000 reached (then convert to GmbH)

For bootstrapped founders, the UG structure removes the capital barrier entirely.

Compliance Advantage

Berlin-based means:

DSGVO compliance by default (German data protection authority)
EU AI Act jurisdiction clear
German contract law (predictable, well-tested)
Tax treaties across EU and globally

For B2B clients, "Berlin-based" signals regulatory maturity that "Delaware-based" does not.

The Community

Berlin's tech scene is dense and collaborative:

Weekly meetups for every technology stack
Strong open-source culture
EU-funded research partnerships
Talent pool from TU Berlin, HU Berlin, and international graduates

The competition for talent is real. But so is the quality.

Graham Miranda is the founder of Graham Miranda UG (Berlin, HRB 36794).

Why We Incorporated in Berlin (Not Delaware)

James — Wed, 13 May 2026 22:58:04 +0000

Running a Tech Business in Berlin: Costs, Compliance, and Community

Real Costs (2026)

Expense	Monthly Cost
Office (WeWork / similar)	€400-800/person
Developer salary (mid-level)	€4,500-6,500
Hetzner VPS (production)	€15-45
Legal/accounting (UG)	€300-500
Health insurance (public)	€350-450/person
Rent (1BR apartment)	€1,000-1,500

Total burn for 3-person team: ~€18,000-25,000/month.

Why a UG (Not GmbH)

The Unternehmergesellschaft (UG) is Germany's "mini-GmbH":

€1 minimum capital (vs. €25,000 for GmbH)
Same liability protection
Same legal standing
Must retain 25% of profits until €25,000 reached (then convert to GmbH)

For bootstrapped founders, the UG structure removes the capital barrier entirely.

Compliance Advantage

Berlin-based means:

DSGVO compliance by default (German data protection authority)
EU AI Act jurisdiction clear
German contract law (predictable, well-tested)
Tax treaties across EU and globally

For B2B clients, "Berlin-based" signals regulatory maturity that "Delaware-based" does not.

The Community

Berlin's tech scene is dense and collaborative:

Weekly meetups for every technology stack
Strong open-source culture
EU-funded research partnerships
Talent pool from TU Berlin, HU Berlin, and international graduates

The competition for talent is real. But so is the quality.

Graham Miranda is the founder of Graham Miranda UG (Berlin, HRB 36794).

Berlin Startup Costs 2026: Real Numbers

James — Wed, 13 May 2026 22:56:59 +0000

Running a Tech Business in Berlin: Costs, Compliance, and Community

Real Costs (2026)

Expense	Monthly Cost
Office (WeWork / similar)	€400-800/person
Developer salary (mid-level)	€4,500-6,500
Hetzner VPS (production)	€15-45
Legal/accounting (UG)	€300-500
Health insurance (public)	€350-450/person
Rent (1BR apartment)	€1,000-1,500

Total burn for 3-person team: ~€18,000-25,000/month.

Why a UG (Not GmbH)

The Unternehmergesellschaft (UG) is Germany's "mini-GmbH":

€1 minimum capital (vs. €25,000 for GmbH)
Same liability protection
Same legal standing
Must retain 25% of profits until €25,000 reached (then convert to GmbH)

For bootstrapped founders, the UG structure removes the capital barrier entirely.

Compliance Advantage

Berlin-based means:

DSGVO compliance by default (German data protection authority)
EU AI Act jurisdiction clear
German contract law (predictable, well-tested)
Tax treaties across EU and globally

For B2B clients, "Berlin-based" signals regulatory maturity that "Delaware-based" does not.

The Community

Berlin's tech scene is dense and collaborative:

Weekly meetups for every technology stack
Strong open-source culture
EU-funded research partnerships
Talent pool from TU Berlin, HU Berlin, and international graduates

The competition for talent is real. But so is the quality.

Graham Miranda is the founder of Graham Miranda UG (Berlin, HRB 36794).

Building a Privacy Frontend with Next.js

James — Wed, 13 May 2026 22:55:53 +0000

Why We Chose Next.js Over React for Our Privacy Search Engine

Frontend frameworks seem interchangeable. For a privacy-focused product, the choice matters more than you'd think.

The Privacy Problem with SPAs

Traditional React SPAs:

Execute all logic in the browser
Make API calls directly to third parties
Expose the user's IP to every service
Require JavaScript (fingerprinting surface)

For asearchz.online, this was unacceptable. Every API call a user made would expose their IP to Bing, Brave, or other search sources.

Why Next.js (Server-Side Rendering)

With Next.js SSR:

The server makes API calls to search sources
User IP stays between user and our server only
Results are rendered server-side, sent as HTML
JavaScript is optional (works without it)

Performance Benefits

SSR is actually faster for search:

First contentful paint: 200-300ms
No hydration delay (content is already HTML)
No client-side state management complexity
CDN caching of rendered pages

Trade-offs

Next.js SSR has costs:

Server compute per request (higher than static)
Less interactive without client JS
Harder to implement real-time features

For a search engine, these trade-offs are minimal. Users want fast results, not real-time collaboration.

The Architecture

User → Cloudflare CDN → Next.js Server → FastAPI Backend → Search APIs

The user's browser never talks to Bing, Brave, or any search source. Our server does. The user's IP is known only to us — and we don't log it.

Graham Miranda builds privacy-first infrastructure at Graham Miranda UG (Berlin, HRB 36794).

Next.js vs. React: Privacy Implications

James — Wed, 13 May 2026 22:54:48 +0000

Why We Chose Next.js Over React for Our Privacy Search Engine

Frontend frameworks seem interchangeable. For a privacy-focused product, the choice matters more than you'd think.

The Privacy Problem with SPAs

Traditional React SPAs:

Execute all logic in the browser
Make API calls directly to third parties
Expose the user's IP to every service
Require JavaScript (fingerprinting surface)

For asearchz.online, this was unacceptable. Every API call a user made would expose their IP to Bing, Brave, or other search sources.

Why Next.js (Server-Side Rendering)

With Next.js SSR:

The server makes API calls to search sources
User IP stays between user and our server only
Results are rendered server-side, sent as HTML
JavaScript is optional (works without it)

Performance Benefits

SSR is actually faster for search:

First contentful paint: 200-300ms
No hydration delay (content is already HTML)
No client-side state management complexity
CDN caching of rendered pages

Trade-offs

Next.js SSR has costs:

Server compute per request (higher than static)
Less interactive without client JS
Harder to implement real-time features

For a search engine, these trade-offs are minimal. Users want fast results, not real-time collaboration.

The Architecture

User → Cloudflare CDN → Next.js Server → FastAPI Backend → Search APIs

The user's browser never talks to Bing, Brave, or any search source. Our server does. The user's IP is known only to us — and we don't log it.

Graham Miranda builds privacy-first infrastructure at Graham Miranda UG (Berlin, HRB 36794).

Server-Side Rendering for Privacy: Our Frontend Choice

James — Wed, 13 May 2026 22:53:42 +0000

Why We Chose Next.js Over React for Our Privacy Search Engine

Frontend frameworks seem interchangeable. For a privacy-focused product, the choice matters more than you'd think.

The Privacy Problem with SPAs

Traditional React SPAs:

Execute all logic in the browser
Make API calls directly to third parties
Expose the user's IP to every service
Require JavaScript (fingerprinting surface)

For asearchz.online, this was unacceptable. Every API call a user made would expose their IP to Bing, Brave, or other search sources.

Why Next.js (Server-Side Rendering)

With Next.js SSR:

The server makes API calls to search sources
User IP stays between user and our server only
Results are rendered server-side, sent as HTML
JavaScript is optional (works without it)

Performance Benefits

SSR is actually faster for search:

First contentful paint: 200-300ms
No hydration delay (content is already HTML)
No client-side state management complexity
CDN caching of rendered pages

Trade-offs

Next.js SSR has costs:

Server compute per request (higher than static)
Less interactive without client JS
Harder to implement real-time features

For a search engine, these trade-offs are minimal. Users want fast results, not real-time collaboration.

The Architecture

User → Cloudflare CDN → Next.js Server → FastAPI Backend → Search APIs

The user's browser never talks to Bing, Brave, or any search source. Our server does. The user's IP is known only to us — and we don't log it.

Graham Miranda builds privacy-first infrastructure at Graham Miranda UG (Berlin, HRB 36794).