diff --git a/src/pages/privacy.astro b/src/pages/privacy.astro
new file mode 100644
index 0000000..11bf235
--- /dev/null
+++ b/src/pages/privacy.astro
@@ -0,0 +1,100 @@
+---
+import BaseLayout from '../layouts/BaseLayout.astro';
+import SiteHeader from '../components/SiteHeader.astro';
+import SiteFooter from '../components/SiteFooter.astro';
+
+const operatorContact = '<TBD: controller contact email (same as imprint)>';
+const lastUpdated = '2026-04-24';
+---
+<BaseLayout
+  title="Privacy Policy — Cameleer"
+  description="Privacy policy for www.cameleer.io — what personal data we process (and don't), legal basis, and your rights under GDPR."
+>
+  <SiteHeader />
+  <main class="max-w-prose mx-auto px-6 py-16 md:py-24">
+    <h1 class="text-hero font-bold text-text mb-2">Privacy Policy</h1>
+    <p class="text-text-faint text-sm mb-10">Last updated: {lastUpdated}</p>
+
+    <section class="mb-10">
+      <h2 class="text-lg font-bold text-text mb-3">1. Overview</h2>
+      <p class="text-text-muted leading-relaxed">
+        This policy describes what personal data is processed when you visit <span class="font-mono text-accent">www.cameleer.io</span>. Our goal is to collect as little data as technically possible.
+        <strong class="text-text">We do not set cookies. We do not run analytics scripts. We have no forms on this site.</strong>
+        If and when that changes, this policy will be updated and the change noted in the "Last updated" date above.
+      </p>
+    </section>
+
+    <section class="mb-10">
+      <h2 class="text-lg font-bold text-text mb-3">2. Controller</h2>
+      <p class="text-text-muted leading-relaxed">
+        The data controller responsible for processing on this site is the operator listed in our
+        <a href="/imprint" class="text-accent hover:underline">imprint</a>.
+        Contact for privacy matters: <span class="font-mono text-accent">{operatorContact}</span>.
+      </p>
+    </section>
+
+    <section class="mb-10">
+      <h2 class="text-lg font-bold text-text mb-3">3. Server access logs</h2>
+      <p class="text-text-muted leading-relaxed mb-3">
+        When you access this site, our hosting provider (Hetzner Online GmbH, Germany) automatically records standard access log data in order to operate and secure the service:
+      </p>
+      <ul class="list-disc list-inside text-text-muted space-y-1 ml-2">
+        <li>IP address</li>
+        <li>Date and time of the request</li>
+        <li>HTTP method, requested path, and response status</li>
+        <li>User-agent string and referrer</li>
+      </ul>
+      <p class="text-text-muted leading-relaxed mt-3">
+        Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating and securing the service). Logs are retained for the duration applied by our hosting provider and are not combined with other data sources.
+      </p>
+    </section>
+
+    <section class="mb-10">
+      <h2 class="text-lg font-bold text-text mb-3">4. Content delivery via Cloudflare</h2>
+      <p class="text-text-muted leading-relaxed">
+        This site is delivered through Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA). Cloudflare inspects incoming traffic for security and performance purposes (DDoS protection, WAF, caching). Processing is governed by a Data Processing Agreement and the EU Standard Contractual Clauses.
+        Legal basis: Art. 6(1)(f) GDPR (legitimate interest in availability and security).
+      </p>
+    </section>
+
+    <section class="mb-10">
+      <h2 class="text-lg font-bold text-text mb-3">5. Cookies</h2>
+      <p class="text-text-muted leading-relaxed">
+        This site sets no cookies and uses no browser storage of any kind. No consent banner is required because no consent-requiring technology is in use.
+      </p>
+    </section>
+
+    <section class="mb-10">
+      <h2 class="text-lg font-bold text-text mb-3">6. External links</h2>
+      <p class="text-text-muted leading-relaxed">
+        Sign-in and sign-up links on this site navigate you to <span class="font-mono text-accent">auth.cameleer.io</span> (Logto identity service) and subsequently <span class="font-mono text-accent">platform.cameleer.io</span>. Those services have their own privacy policies, which apply from the moment you arrive there.
+      </p>
+    </section>
+
+    <section class="mb-10">
+      <h2 class="text-lg font-bold text-text mb-3">7. Your rights</h2>
+      <p class="text-text-muted leading-relaxed mb-3">
+        Under the GDPR, you have the right to:
+      </p>
+      <ul class="list-disc list-inside text-text-muted space-y-1 ml-2">
+        <li>request access to personal data we process about you (Art. 15)</li>
+        <li>request rectification of inaccurate data (Art. 16)</li>
+        <li>request erasure of your data (Art. 17)</li>
+        <li>request restriction of processing (Art. 18)</li>
+        <li>object to processing based on legitimate interest (Art. 21)</li>
+        <li>lodge a complaint with a supervisory authority (Art. 77)</li>
+      </ul>
+      <p class="text-text-muted leading-relaxed mt-3">
+        Contact us at <span class="font-mono text-accent">{operatorContact}</span> to exercise any of these rights.
+      </p>
+    </section>
+
+    <section>
+      <h2 class="text-lg font-bold text-text mb-3">8. Changes to this policy</h2>
+      <p class="text-text-muted leading-relaxed">
+        We may update this policy as our data processing changes (for example, if we later add analytics). The "Last updated" date at the top of this page reflects the most recent revision.
+      </p>
+    </section>
+  </main>
+  <SiteFooter />
+</BaseLayout>