Privacy Policy

1. Data Controller

Palveron A. Podzus
Zülpicher Str. 393
50935 Cologne, Germany
Email: [email protected]

2. Overview

We process personal data only to the extent necessary to provide our platform and services. Processing is based on the General Data Protection Regulation (GDPR) and the German Telecommunications-Digital-Services-Data-Protection Act (TDDDG).

3. Types of Data Processed

Account data: Name, email address, company (upon registration)

Usage data: Governance requests (traces), agent metadata, policy configurations

Content data: Prompts and AI responses processed through the gateway

Log data: IP address, browser type, access times, referrer URL

Contact data: Email address for waitlist registration or contact form

4. Legal Bases

Art. 6(1)(b) GDPR — Processing for contract performance (platform provision, authentication, governance processing)

Art. 6(1)(f) GDPR — Legitimate interest (security, abuse prevention, logging)

Art. 6(1)(a) GDPR — Consent (waitlist registration, contact form)

§ 25(2) No. 2 TDDDG — Technically necessary cookies without consent

5. Hosting and Content Delivery

This website is hosted on servers operated by Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany). Hetzner processes log data (IP address, access time) under the hosting agreement. All data remains in Germany.

We use Cloudflare, Inc. (101 Townsend St, San Francisco, CA, USA) as CDN and DNS provider. Cloudflare processes technical connection data (IP address) for DDoS protection and TLS termination. Processing is based on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

6. Web Fonts

This website uses the fonts Instrument Sans, Inter, and JetBrains Mono. All fonts are served locally from our own servers. No connection to Google or other external font services is established. Your IP address is not transmitted to third parties for font loading purposes.

7. Authentication (Kinde)

We use Kinde Technologies Pty Ltd(Australia) for user authentication and account management. Upon registration and login, your name, email address, and authentication data are transmitted to Kinde. Kinde sets session cookies to maintain your login session. The legal basis is Art. 6(1)(b) GDPR (contract performance). Transfer to Australia is based on the EU Commission's adequacy decision.

8. Database (Supabase)

Our application data is stored with Supabase Inc. (USA) on PostgreSQL servers in the EU (Frankfurt, AWS eu-central-1). Supabase does not have access to the content of your data. Processing is based on a data processing agreement and Standard Contractual Clauses (SCCs).

9. Transactional Email (Resend)

We use Resend Inc.(USA, operated in EU region eu-west-1) for sending system emails (waitlist confirmations, contact inquiries). The recipient's email address is transmitted. The legal basis is Art. 6(1)(b) GDPR. Click tracking is disabled.

10. Blockchain Attestation (Flare Network)

At the customer's discretion, governance evidence can be cryptographically anchored on the Flare Network. Only SHA-256 hash values are written to the blockchain — no personal data, no prompts, no plaintext. The hashes cannot be traced back to individuals. The legal basis is Art. 6(1)(b) GDPR (contract performance).

11. Contact Form and Waitlist

When you use our contact form or waitlist registration, your information (name, email, company if applicable, message) is processed for handling the request. The legal basis is Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time with effect for the future by emailing [email protected].

12. Cookies and Local Storage

We exclusively use technically necessary cookies and local storage. Consent is not required for these pursuant to § 25(2) No. 2 TDDDG.

Session cookies (Kinde): To maintain your login session. Deleted when you close the browser.

Language preference: Stores your preferred language (DE/EN) for correct UI display.

Display preference: Stores your preferred display mode (light/dark).

Pre-launch banner: Stores whether you have dismissed the launch banner.

We do not use analytics cookies, tracking cookies, or marketing cookies. No tracking of your browsing behavior takes place. For more details, see our Cookie Policy.

13. Sub-Processors

14. Data Transfers to Third Countries

Where we transfer data to service providers outside the EU/EEA (in particular Cloudflare, Supabase, Resend), this is based on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. For Australia (Kinde), an EU Commission adequacy decision is in place.

15. Retention Periods

Personal data is deleted once the purpose of storage ceases. For contractual data, statutory retention periods apply (6 or 10 years pursuant to German HGB/AO). Governance traces are stored according to the retention period configured by the customer. Waitlist data is deleted after completion of the pre-launch phase.

16. Your Rights

You have the right to:

Access (Art. 15 GDPR) — information about your personal data

Rectification (Art. 16 GDPR) — of inaccurate data

Erasure (Art. 17 GDPR) — unless statutory retention obligations apply

Restriction (Art. 18 GDPR) — of processing

Data portability (Art. 20 GDPR) — in a machine-readable format

Objection (Art. 21 GDPR) — to processing based on legitimate interests

Withdrawal (Art. 7(3) GDPR) — of consent at any time with effect for the future

To exercise your rights, please contact [email protected].

17. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for us is:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia
Postfach 20 04 44, 40102 Düsseldorf, Germany
www.ldi.nrw.de

18. Changes

We reserve the right to update this privacy policy to reflect changes in legal requirements or our services. The current version is always available on this page.