Privacy Policy

Controller

Hendrik Wels
Wrangelstraße 99, 20253 Hamburg, Germany
Email: hendrik.wels1@gmail.com

Scope

This notice covers: (i) the public landing page, (ii) the Cal.com scheduling flow, (iii) the MVP web app (login via AWS Cognito), (iv) file uploads and AI processing (OpenAI API), and (v) support contact.

1. Data we process

  • Technical data: IP address, timestamps, HTTP headers, user-agent, referrer, and request metadata generated by our hosting/CDN and application logs (AWS ALB/CloudFront/CloudWatch).
  • Account data: name, email address, user ID and authentication tokens (AWS Cognito).
  • Scheduling data: name, email address and appointment details used to book a call via the Cal.com widget.
  • Product telemetry: pseudonymous event logs tied to your Cognito user_id (no IP is stored in the events table).
  • Uploads & transformations: CSV files and selected columns you choose to process via the OpenAI API to generate outputs you request.
  • Analytics (if consented in EEA/UK): pseudonymous events/IDs from Google Analytics 4 (GA4).

2. Purposes & legal bases

| Purpose | Data | Legal basis | Notes |
| --- | --- | --- | --- |
| Provide and secure the site/app | Technical, account | Art. 6(1)(b) GDPR for logged-in users; Art. 6(1)(f) GDPR for security | Strictly necessary storage only |
| Authentication & onboarding | Account | Art. 6(1)(b) GDPR | AWS Cognito |
| Scheduling calls | Scheduling data | Art. 6(1)(b) GDPR | Cal.com; auto-embed only after consent or on explicit click |
| Product telemetry | user_id events | Art. 6(1)(f) GDPR | TTL 180 days |
| Analytics | GA4 | Art. 6(1)(a) GDPR (consent) in EEA/UK; Art. 6(1)(f) GDPR (legitimate interests) elsewhere where permitted | GA4 loads only after consent in EEA/UK |
| Visitor identification & outreach attribution (Apollo.io) | Page interactions, technical identifiers, company-level enrichment | Art. 6(1)(a) GDPR (consent) in EEA/UK; Art. 6(1)(f) GDPR (legitimate interests) elsewhere where permitted | Loads only after marketing consent in EEA/UK; used to understand which companies visited and if outreach converted. Info: knowledge.apollo.io. |
| File processing (AI) | Uploads/selected columns | Art. 6(1)(b) GDPR | We process only what you send to fulfill your request |
| Compliance/defense | Relevant data | Art. 6(1)(c)/(f) GDPR | Statutory retention where required |

3. Regional consent behavior

  • EEA/UK: We display a consent banner (Cookiebot). Analytics (GA4) and Functional (Cal.com auto-embed) are off by default and activate only after your opt-in. You can still schedule via click-to-load without giving Functional consent.
  • Outside EEA/UK: We rely on legitimate interests for basic analytics where allowed by local law and keep Ads features off (no Google Signals, no Ads Personalization). You can change choices anytime via Cookie settings.

4. Processors and international transfers

We use service providers who process data on our behalf:

  • Amazon Web Services (AWS) — hosting, databases, logs, and email triggers; primary region: us-east-1 (N. Virginia, USA). Transfers rely on the EU-U.S. Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs).
  • Cal.com — scheduling widget. EU hosting options are available; otherwise, transfers rely on DPF/SCCs.
  • OpenAI — API for transformations. Business/API data is not used for model training by default; a DPA is available; transfers rely on SCCs/DPF as applicable.
  • Google Analytics (GA4) — analytics processor; runs only after consent in EEA/UK; Consent Mode v2 is used.
  • Apollo.io — website visitor identification and outreach attribution. Apollo acts as our processor under a DPA; international transfers rely on SCCs and/or the EU-U.S. Data Privacy Framework. Loads only after marketing consent in the EEA/UK. Website: apollo.io | Phone: +1. Learn more: knowledge.apollo.io.

We maintain an up-to-date list of sub-processors in this section and will notify users where required before materially changing processors.

5. Cookies & similar technologies

  • Essential (always on) — required for core functionality, security, login (Cognito), and remembering your consent choices.
  • Functional (opt-in or click-to-load) — enables the Cal.com scheduling widget.
  • Analytics (opt-in in EEA/UK) — Google Analytics 4 to understand usage.
  • Marketing (opt-in in EEA/UK) — Apollo.io visitor tracking identifies visiting companies and measures cold outreach effectiveness; activates only after consent.

You can change your choices at any time via Cookie settings in the footer.

6. OpenAI API (uploads & transformations)

  • What we send: Only the columns/content you select in the UI to generate the requested outputs.
  • Personal data (PII): We do not require personal data. The interface warns against uploading PII and includes a confirmation checkbox. If you nevertheless submit PII, we process it only to perform the requested transformation.
  • Use limitation: We use your data only to perform your request. OpenAI’s API does not use your business data for training by default.
  • Retention: Your source files remain in your workspace until you delete them; generated outputs stay with your project until deletion; API request logs are kept per §7.

7. Retention

  • Server & security logs (CloudWatch/ALB): up to 90 days (or per your AWS account configuration).
  • Product telemetry (DynamoDB events): 180 days (TTL).
  • User files (S3) & jobs: retained until you delete in the UI or request deletion.
  • GA4: per your GA4 retention setting (e.g., 14 months) and only with consent in EEA/UK.
  • Scheduling data (Cal.com): retained per operational needs or deletion request.

8. Your rights (EU/EEA/UK)

You may request access, rectification, erasure, restriction, and portability, and you may object to processing. Where processing is based on consent, you may withdraw it at any time with effect for the future. You also have the right to lodge a complaint with a supervisory authority. In Germany, the competent authority is typically HmbBfDI (Hamburg).

9. Security

We use HTTPS/TLS, encryption at rest, least-privilege IAM, and audit logging. Access to personal data is restricted to authorized personnel with a need to know.

10. Contact

For privacy requests, contact hendrik.wels1@gmail.com.

Changes to this Policy

We may update this notice. The latest version is published on this page with the effective date.