⚠ Test Instance — not production data
PRIVACY POLICY

Last updated: 9 March 2026

1. Data Controller

The controller responsible for data processing on this platform within the meaning of the General Data Protection Regulation (GDPR) is:

Stefan Hartmann

Sole proprietor, trading as “Hartie Labs”

Kipperweg 5
70569 Stuttgart
Germany

Email: info@ai-casefile.eu

2. Data Processing Principles

We process personal data exclusively in accordance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Processing occurs only where necessary for contract performance (Art. 6(1)(b) GDPR), based on legitimate interests (Art. 6(1)(f) GDPR), or with your consent (Art. 6(1)(a) GDPR).

Privacy by Design & Privacy by Default

We collect only the data strictly necessary to operate the platform. All data is stored in isolation per organization (multi-tenancy). We do not sell data to third parties.

3. Data Collected

3.1 Account Data

Upon registration, we collect: email address, full name, organization name, and password (stored in hashed form). This data is required to provide the Service (Art. 6(1)(b) GDPR).

3.2 AI Use Cases & Platform Data

Data entered by users about AI use cases includes: descriptions, risk assessments, review histories, approval statuses, impact assessments, and associated metadata. This data is stored and processed exclusively within your organization.

3.3 Usage Data & Activity Logs

We log activities (logins, changes, approvals) in an activity log to ensure traceability and compliance. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in platform security and integrity).

3.4 Payment Data

Payment data (credit card numbers, IBAN) is processed exclusively by Stripe, Inc. and never stored on our servers. We only receive a payment confirmation, the payment method type (last 4 digits), and the Stripe customer ID.

4. Third-Party Services & AI

4.1 OpenAI (AI Features)

We use OpenAI models (OpenAI, L.L.C., San Francisco, USA) for automatic classification of AI use cases, generation of risk assessments, and the AI assistant. Description data entered by users is transmitted to OpenAI. OpenAI retains API data for a maximum of 30 days for abuse detection and does not use it for model training.

Legal basis: Art. 6(1)(b) GDPR (contract performance). A Data Processing Addendum is in place.

4.2 Stripe (Payment Processing)

Payments are processed through Stripe, Inc. (San Francisco, USA). Stripe receives the data necessary for payment processing and is PCI DSS Level 1 certified. Legal basis: Art. 6(1)(b) GDPR.

4.3 Resend (Email Delivery)

Transactional emails (invitations, password resets, notifications) are sent via Resend, Inc. (USA). Email address and message content are transmitted. Legal basis: Art. 6(1)(b) GDPR.

4.4 PostHog (Web Analytics)

We use PostHog (PostHog, Inc., USA) to analyze usage of our platform. PostHog collects anonymized usage data such as page views, clicks, and feature usage. No personal profiles are created. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving the Service).

5. International Data Transfers

Some of our service providers (OpenAI, Stripe, Resend, PostHog) are based in the United States. Data transfers to the US are based on the following mechanisms:

  • EU-US Data Privacy Framework (DPF): Stripe and OpenAI are certified under the EU-US Data Privacy Framework, which has an adequacy decision from the EU Commission (Art. 45 GDPR).
  • Standard Contractual Clauses (SCCs): In addition, EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR are in place with all US service providers as an additional safeguard.

We regularly review whether the safeguards of our service providers meet the required level of data protection.

6. Hosting

This platform is operated on our own infrastructure (K3s cluster) hosted by Hetzner Online GmbH in Germany. All data is stored and processed exclusively in Germany. European data protection law applies.

Server Log Files

The web server automatically collects: browser type/version, operating system, referrer URL, hostname, time of access, and IP address. This data is not combined with other data sources and is deleted after 30 days. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the security and stability of the Service).

7. Cookies & Tracking

We use only technically necessary cookies for authentication (session cookie) and language preference. These cookies are required for the operation of the platform and cannot be disabled. Legal basis: Art. 6(1)(b) GDPR, § 25(2) TDDDG.

Cookie                  | Purpose             | Duration
------------------------|---------------------|------------------
next-auth.session-token | Authentication      | Session / 30 days
NEXT_LOCALE             | Language preference | 1 year

We do not use marketing cookies or third-party tracking cookies. Web analytics are performed via PostHog without the use of cookies (see Section 4.4).

8. Data Retention

Data Category                | Retention Period
-----------------------------|---------------------------------------------------------------
Account data                 | Until account deletion + 30-day grace period
AI use cases & platform data | Until deleted by user or account deletion
Activity logs                | 12 months, then automatically deleted
Server log files             | 30 days
Payment data (Stripe)        | Per commercial and tax retention requirements (up to 10 years)
Analytics data (PostHog)     | 12 months

After the respective retention period, data is automatically deleted or anonymized unless statutory retention obligations apply (in particular § 147 AO, § 257 HGB under German law).

9. Data Security

  • HTTPS/TLS encryption of all connections
  • Encryption of data at rest
  • Passwords are hashed with bcrypt — plaintext passwords are never stored
  • Role-based access control (RBAC) at the organization level
  • Multi-tenancy architecture: strict data isolation between organizations
  • Regular security updates and dependency monitoring
  • SOPS-encrypted secrets management in infrastructure

10. Your Rights Under GDPR

  • Access (Art. 15 GDPR) — Right to information about your stored data
  • Rectification (Art. 16 GDPR) — Right to correction of inaccurate data
  • Erasure (Art. 17 GDPR) — Right to deletion of your data (“right to be forgotten”)
  • Restriction (Art. 18 GDPR) — Right to restriction of processing
  • Data portability (Art. 20 GDPR) — Right to receive your data in a machine-readable format
  • Objection (Art. 21 GDPR) — Right to object to processing based on legitimate interests
  • Withdrawal of consent (Art. 7(3) GDPR) — Right to withdraw consent at any time with effect for the future

To exercise your rights, please contact: info@ai-casefile.eu — We will respond within 30 days.

11. Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority. The competent authority for us is:

State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI)

Lautenschlagerstraße 20
70173 Stuttgart
Germany

www.baden-wuerttemberg.datenschutz.de

12. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy to reflect changes in legislation or the Service. The current version is always available on this page. For material changes, we will notify registered users by email.

13. Contact

For privacy-related questions, contact us at:

This Privacy Policy complies with the requirements of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications Digital Services Data Protection Act (TDDDG).