Privacy Policy

Controller

Hendrik Wels
Wrangelstraße 99, 20253 Hamburg, Germany
Email: hendrik.wels1@gmail.com

Scope

This notice covers: (i) the public landing page, (ii) the Cal.com scheduling flow, (iii) the MVP web app (login via AWS Cognito), (iv) file uploads and AI processing (OpenAI API), and (v) support contact.

1. Data we process

  • Technical data: IP address, timestamps, HTTP headers, user-agent, referrer, and request metadata generated by our hosting/CDN and application logs (AWS ALB/CloudFront/CloudWatch).
  • Account data: name, email address, user ID and authentication tokens (AWS Cognito).
  • Scheduling data: name, email address and appointment details used to book a call via the Cal.com widget.
  • Product telemetry: pseudonymous event logs tied to your Cognito user_id (no IP is stored in the events table).
  • Uploads & transformations: CSV files and selected columns you choose to process via the OpenAI API to generate outputs you request.

2. Purposes & legal bases

| Purpose | Data | Legal basis | Notes |
|---|---|---|---|
| Provide and secure the site/app | Technical, account | Art. 6(1)(b) GDPR for logged-in users; Art. 6(1)(f) GDPR for security | Strictly necessary storage only |
| Authentication & onboarding | Account | Art. 6(1)(b) GDPR | AWS Cognito |
| Scheduling calls | Scheduling data | Art. 6(1)(b) GDPR | Cal.com; widget loaded on page visit |
| Product telemetry | user_id events | Art. 6(1)(f) GDPR | TTL 180 days |
| File processing (AI) | Uploads/selected columns | Art. 6(1)(b) GDPR | We process only what you send to fulfill your request |
| Compliance/defense | Relevant data | Art. 6(1)(c)/(f) GDPR | Statutory retention where required |

3. Processors and international transfers

We use service providers who process data on our behalf:

  • Amazon Web Services (AWS) — hosting, databases, logs, and email triggers; primary region: us-east-1 (N. Virginia, USA). Transfers rely on the EU-U.S. Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs).
  • Cal.com — scheduling widget. EU hosting options are available; otherwise, transfers rely on DPF/SCCs.
  • OpenAI — API for transformations. Business/API data is not used for model training by default; a DPA is available; transfers rely on SCCs/DPF as applicable.

We maintain an up-to-date list of sub-processors in this section and will notify users where required before materially changing processors.

4. Cookies & similar technologies

We use only essential cookies required for core functionality, security, and login (Cognito session tokens). We do not use analytics or marketing cookies.

  • Essential (always on) — required for authentication, session management, and security. These cannot be disabled as they are necessary for the site to function.

5. OpenAI API (uploads & transformations)

  • What we send: Only the columns/content you select in the UI to generate the requested outputs.
  • Personal data (PII): We do not require personal data. The interface warns against uploading PII and includes a confirmation checkbox. If you nevertheless submit PII, we process it only to perform the requested transformation.
  • Use limitation: We use your data only to perform your request. OpenAI's API does not use your business data for training by default.
  • Retention: Your source files remain in your workspace until you delete them; generated outputs stay with your project until deletion; API request logs are kept per §6.

6. Retention

  • Server & security logs (CloudWatch/ALB): up to 90 days (or per your AWS account configuration).
  • Product telemetry (DynamoDB events): 180 days (TTL).
  • User files (S3) & jobs: retained until you delete in the UI or request deletion.
  • Scheduling data (Cal.com): retained per operational needs or deletion request.

7. Your rights (EU/EEA/UK)

You may request access, rectification, erasure, restriction, and portability, and you may object to processing. Where processing is based on consent, you may withdraw it at any time with effect for the future. You also have the right to lodge a complaint with a supervisory authority. In Germany, the competent authority is typically HmbBfDI (Hamburg).

8. Security

We use HTTPS/TLS, encryption at rest, least-privilege IAM, and audit logging. Access to personal data is restricted to authorized personnel with a need to know.

9. Contact

For privacy requests, contact hendrik.wels1@gmail.com.

Changes to this Policy

We may update this notice. The latest version is published on this page with the effective date.