This page is provisional. Some legally-required information is still being added.

Privacy Policy

This policy explains how [TBD: legal.legalName] ("we", "our", "us") processes personal data under Regulation (EU) 2016/679 (GDPR) and applicable national law.

1. Controller

The controller responsible for processing your personal data is:

[TBD: legal.legalName]
[TBD: legal.primaryAddress]
Email: [TBD: legal.contactEmail]
Phone: [TBD: legal.contactPhone]

2. Data Protection Officer

You can reach our Data Protection Officer at: [TBD: legal.dpoEmail]

3. Categories of personal data we process

We process the following categories of data when you interact with our service:

  • Identification and contact data you provide (name, email, phone, address)
  • Account and authentication data
  • Usage and device data (IP address, user agent, page views, timestamps)
  • Communication content (messages you exchange with us or our AI assistant)
  • Transaction data when you make a purchase
  • Marketing preferences and consent records

4. Purposes and legal basis

Purpose Legal basis (Art. 6 GDPR)
Provide the requested service / contract Art. 6(1)(b) — contract
Account security and fraud prevention Art. 6(1)(f) — legitimate interests
Legal and regulatory obligations Art. 6(1)(c) — legal obligation
Analytics, marketing, advertising Art. 6(1)(a) — consent (revocable)

5. Recipients and processors

We share data with carefully selected processors who act on our behalf and under contract (Art. 28 GDPR). The current list is published at /legal/subprocessors.

Active processors include: Neon, Cloudflare, Stripe, Resend, Anthropic, OpenAI, Twilio, NATS Synadia, Sentry, Google Cloud (Places API)

6. International transfers

Where a processor is established outside the EU/EEA, we rely on:

  • An adequacy decision (Art. 45 GDPR), or
  • Standard Contractual Clauses (Art. 46(2)(c)), or
  • The EU–US Data Privacy Framework where applicable.

7. Retention

We retain personal data only as long as necessary for the purposes listed above and to meet legal retention obligations (typically 6–10 years for accounting records under HGB / AO).

8. Your rights

Under Articles 15–22 GDPR you have the right to:

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure / "to be forgotten" (Art. 17)
  • Restriction (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)
  • Withdraw consent at any time (Art. 7(3)) — without affecting prior lawful processing
  • Lodge a complaint with a supervisory authority (Art. 77)

To exercise any right, submit a request at /legal/dsr or email us at [TBD: legal.contactEmail]. We respond within one month (Art. 12(3)).

9. Automated decision-making

We do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects (Art. 22 GDPR).

10. Cookies and similar technologies

Details about the cookies and tracking technologies we use, and how to manage your consent, are at /legal/cookies.

11. Changes to this policy

We update this policy when our processing changes or the law changes. The version and content hash at the bottom of the page identify the version you are viewing; previous versions are available on request.