Privacy Policy

1. Data Controller

The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) is:

2. General Information on Data Processing

We take the protection of your personal data very seriously.

Personal data is processed exclusively in accordance with applicable data protection laws, in particular the General Data Protection Regulation (GDPR).

We only process personal data to the extent necessary to provide our SaaS services or where legally required.

3. Website Access

When you access our website, the following data is automatically processed:

• IP address
• Date and time of access
• Browser type and version
• Operating system
• Referrer URL

This data is used solely for technical security and system monitoring purposes.

4. Registration and User Account

When creating a user account, we process:

• Name (optional)
• Email address
• Company name (optional)
• Selected server region (EU or USA)
• Subscription information
• Login credentials

During registration, users must select a server region (EU or US). This choice is permanent and cannot be changed after registration. The selected region determines where all account data, documents, and generated files are stored and processed.

Your email address serves as your primary account identifier (username) and is also used to send system emails, including:

• Password reset requests
• Account verification
• Important technical notifications (e.g. service changes, security alerts)

We do not send marketing or promotional emails. System emails are limited to communications necessary for the operation and security of your account.

Passwords are stored in encrypted form and are not accessible in plain text.

5. Document and Content Data

Our service enables users to upload, store, and process document data. This may include:

• Document content
• Structured template data
• Generated documents

5.1 Hosting and Processing

All document processing and storage is carried out exclusively via Google Cloud.

Users may choose between the following server regions:

• European Union
• United States of America

Each region operates fully isolated infrastructure, including separate databases, file storage, and document processing services. Data is processed exclusively within the selected region. No data is shared or replicated between regions, and no document data is shared with additional third-party service providers.

Google Cloud acts as a data processor pursuant to Art. 28 GDPR under a Data Processing Agreement.

6. Storage of Core Account Data

Core user account data is stored using Supabase, which acts as a technical database service provider. Each server region (EU and US) uses a separate, isolated database instance to ensure full data residency.

Security measures include:

• Secure database infrastructure
• Encrypted storage of sensitive data (e.g., passwords)
• Strict access control mechanisms

7. Google Analytics

Our landing page may use Google Analytics. Google Analytics is activated only upon your explicit consent via our cookie consent tool. You may withdraw your consent at any time.

Processed data may include:

• Anonymized IP address
• Device information
• Usage behavior
• Page visits

8. External Resources

Our website and application may load resources from external third-party services to ensure proper functionality and presentation. These may include:

• Fonts from external providers (e.g. Google Fonts)
• JavaScript libraries or frameworks from content delivery networks (CDNs)
• UI components or stylesheets from third-party sources

When such resources are loaded, your browser may transmit technical data (such as your IP address, browser type, and referring page) to the respective external servers. This occurs automatically as part of the HTTP request and is outside our direct control.

We aim to minimize the use of external resources and, where feasible, host them locally. However, certain dependencies may still require external loading for technical or licensing reasons.

No personal data beyond standard HTTP request data is shared with these providers through the loading of external resources.

9. Data Sharing

We do not sell, rent, or commercially distribute personal data.

Data is shared exclusively with:

• Google Cloud (hosting and document processing)
• Supabase (database infrastructure)
• OneSignal (transactional email delivery)
• Lemon Squeezy (payment processing and subscription management)

These providers act solely as data processors under contractual agreements.

When purchasing a subscription, your name, email address, and payment information are shared with Lemon Squeezy to process the transaction. Lemon Squeezy acts as the Merchant of Record and handles all payment processing, invoicing, and tax compliance. For details, see the Lemon Squeezy Privacy Policy.

10. International Data Transfers

If users select the USA region, personal data may be processed on servers located in the United States.

Data transfers outside the European Union are carried out in compliance with Art. 44 et seq. GDPR. Appropriate safeguards, such as Standard Contractual Clauses (SCCs), are implemented where required.

11. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

• SSL/TLS encryption for all communications
• Encrypted password storage
• Strict internal access controls
• Regional data isolation
• Secure cloud infrastructure

12. Data Retention

Personal data is stored:

• For the duration of an active user account
• As necessary to fulfill contractual obligations
• In accordance with statutory retention requirements

Upon account deletion, data will be deleted within reasonable timeframes unless legal obligations require further retention.

13. Your Rights Under GDPR

If you are located within the European Union, you have the following rights:

You may also withdraw consent at any time and have the right to lodge a complaint with a supervisory authority.

14. Contact

For privacy-related inquiries: