Privacy Policy

IsarTech Conversational AI Services (ITC)

Last updated: 26.10.24

This Privacy Policy describes how IsarTech Conversational AI Services ("ITC," "we," "us," or "our") collects, uses, processes, and protects personal data in connection with our website, management platform, and SaaS product offerings. We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Controller Information

The data controller responsible for the processing of your personal data is:

La Rosée IT Consulting
Holzerhof 1
85368 Wang
Germany
Email: [email protected]

If you have any questions or concerns regarding the processing of your personal data, please contact us at the address provided above.

2. Data Collection and Usage

2.1 Website Visitors

When you visit our website, we may collect the following data:

  • IP address (anonymized where technically feasible)
  • Browser type and version
  • Operating system
  • Referring URL and pages visited
  • Date and time of access
  • Cookies and similar tracking technologies (see our Cookie Policy)

This data is collected for the purpose of ensuring the security and functionality of our website, analyzing usage patterns, and improving our online presence.

2.2 Management Accounts

When you create a management account on our platform, we collect:

  • Full name and job title
  • Company name and business address
  • Email address and phone number
  • Account credentials (passwords are stored in hashed form)
  • Billing information and payment details
  • Usage data including login history, feature usage, and configuration settings

This data is necessary for account creation, service delivery, billing, customer support, and communication regarding your account and our services.

2.3 SaaS Product

Our Conversational Shopping Assistant processes the following data during operation:

  • Conversation logs (text-based interactions between end-users and the AI assistant)
  • Product catalog data provided by the Client
  • Session identifiers (anonymized, non-personally identifiable)
  • Usage analytics and performance metrics

The Service is designed to operate without collecting personally identifiable information from end-user customers. Conversation data is processed for the purpose of providing product recommendations and improving the quality of the AI responses.

3. Legal Basis for Processing

We process personal data on the following legal bases under the General Data Protection Regulation (GDPR):

  • Art. 6(1)(a) GDPR – Consent: Where you have given explicit consent for the processing of your personal data for specific purposes, such as receiving marketing communications or the use of non-essential cookies.
  • Art. 6(1)(b) GDPR – Performance of a Contract: Where the processing is necessary for the performance of a contract with you, including the provision of our Service, account management, and billing.
  • Art. 6(1)(c) GDPR – Legal Obligation: Where the processing is necessary for compliance with a legal obligation to which we are subject, such as tax and accounting requirements.
  • Art. 6(1)(f) GDPR – Legitimate Interests: Where the processing is necessary for the purposes of our legitimate interests, such as improving our Service, ensuring security, and preventing fraud, provided that such interests are not overridden by your fundamental rights and freedoms.

4. Data Sharing

We may share your personal data with the following categories of third parties, strictly on a need-to-know basis and in accordance with applicable data protection laws:

  • Squarespace: Our website hosting provider. Squarespace may process limited visitor data for the purpose of hosting and delivering our website content.
  • Zapier: Used for workflow automation. Zapier may process data submitted through forms on our website to facilitate automated responses and internal routing.
  • Google / GitHub: Authentication providers for our management platform. When you sign in using Google or GitHub, these providers may process your authentication credentials and basic profile information.
  • OpenAI: Our AI infrastructure provider. Conversation data may be processed by OpenAI's API for the purpose of generating AI responses. We have a Data Processing Agreement (DPA) in place with OpenAI that ensures appropriate data protection safeguards.

We do not sell your personal data to third parties. We require all third-party service providers to process personal data only on our instructions and in accordance with applicable data protection laws.

5. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. The following retention periods apply:

  • Account data: Retained for the duration of the contractual relationship and for up to 12 months after account termination, unless longer retention is required by law.
  • Conversation logs: Retained for up to 90 days for service improvement purposes, then anonymized or deleted.
  • Website analytics data: Retained for up to 26 months.
  • Billing and tax records: Retained for up to 10 years in accordance with German tax law (§ 147 AO, § 257 HGB).

Upon expiry of the applicable retention period, personal data is securely deleted or anonymized.

6. Data Subject Rights

Under the GDPR, you have the following rights with regard to your personal data. You may exercise these rights at any time by contacting us at [email protected]:

Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether personal data concerning you is being processed and, if so, to access such data and receive a copy thereof.

Right to Rectification (Art. 16 GDPR)

You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data.

Right to Erasure (Art. 17 GDPR)

You have the right to request the deletion of your personal data where the data is no longer necessary for the purposes for which it was collected, or where you withdraw your consent and no other legal basis for processing exists.

Right to Restriction (Art. 18 GDPR)

You have the right to request the restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when the processing is unlawful.

Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit such data to another controller without hindrance.

Right to Object (Art. 21 GDPR)

You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes. Upon objection, we will cease processing your data unless we demonstrate compelling legitimate grounds.

We will respond to your request within one (1) month of receipt. In complex cases, this period may be extended by up to two (2) additional months, in which case we will inform you of the extension and the reasons therefor.

7. Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, in accordance with Art. 32 GDPR. These measures include, but are not limited to:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms (including multi-factor authentication)
  • Regular backups and disaster recovery procedures
  • Employee training on data protection and security best practices
  • Monitoring and logging of system access and data processing activities

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Art. 33 GDPR.

Where the data breach is likely to result in a high risk to the rights and freedoms of the affected individuals, we will also notify the affected data subjects without undue delay, in accordance with Art. 34 GDPR. Such notification will describe the nature of the breach, the likely consequences, and the measures taken or proposed to address the breach.

9. Automated Decision-Making and Profiling

Our Service uses artificial intelligence to generate product recommendations based on conversational inputs. These recommendations are generated in real-time and are based on the product catalog provided by the Client, not on personal profiles of end-user customers.

We do not engage in automated decision-making that produces legal effects or similarly significantly affects individuals, as described in Art. 22 GDPR. The AI-generated recommendations are informational in nature and do not constitute binding offers or decisions.

If you believe that an automated decision has adversely affected you, you have the right to request human intervention, express your point of view, and contest the decision by contacting us at [email protected].

10. International Data Transfers

Some of our third-party service providers (including OpenAI) are located outside the European Economic Area (EEA). Where personal data is transferred to countries outside the EEA that have not been deemed to provide an adequate level of data protection by the European Commission, we ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements (DPAs) with all sub-processors
  • EU-U.S. Data Privacy Framework certification, where applicable
  • Supplementary measures such as encryption and access controls

You may request a copy of the applicable safeguards by contacting us at [email protected].

11. Supervisory Authority Contact Information

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR. The competent supervisory authority for our company is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany
Website: www.lda.bayern.de

12. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy at any time to reflect changes in our data processing practices, legal requirements, or business operations. Any material changes will be communicated to you through a prominent notice on our website or by direct communication to your registered email address.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data. The "Last updated" date at the top of this page indicates when this Privacy Policy was last revised.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us at:

IsarTech Conversational AI Services
Privacy Inquiries
Email: [email protected]

We will endeavor to respond to all inquiries within a reasonable timeframe and in any event within the timeframes required by applicable law.
