Privacy Policy

1. Data Controller

The data controller responsible for data processing on this website is:

Julius Sorgner
Hochstraße 8
35510 Butzbach
Email: julius.sorgner@gmail.com
Phone: +49 15255612505

2. Overview of Data Processing

2.1 Types of Data Processed

  • Identity Data (name, email address, username)
  • Contact Data (email address, phone number)
  • Content Data (proposals, project descriptions, AI chats)
  • Usage Data (access times, pages visited)
  • Technical Data (IP addresses, device information)
  • Transaction Data (contract details, payment information)
  • Signature Data (electronic signatures, timestamps)

2.2 Categories of Data Subjects

  • Users of our platform
  • Clients who receive proposals
  • Website visitors

2.3 Purposes of Processing

  • Provision of service and contract fulfillment
  • Creation and sending of proposals
  • Electronic signatures and contract conclusions
  • Payment processing
  • Customer communication
  • Security and fraud prevention
  • Compliance with legal obligations

3. Legal Basis

Processing of personal data is based on the following legal grounds:

  • Art. 6(1)(a) GDPR – Consent (e.g., for analytics cookies)
  • Art. 6(1)(b) GDPR – Contract performance (use of the service)
  • Art. 6(1)(c) GDPR – Legal obligation (retention requirements)
  • Art. 6(1)(f) GDPR – Legitimate interest (security, fraud prevention)

4. Data Collection During Website Visits

4.1 Server Log Files

When accessing our website, the following information is automatically collected:

  • IP address (anonymized after 7 days)
  • Date and time of request
  • Browser type and version
  • Operating system
  • Referrer URL (previously visited page)
  • Hostname of the accessing device

Legal Basis: Legitimate interest (Art. 6(1)(f) GDPR)
Retention Period: 7-30 days

4.2 Cookies and Consent

We use different types of cookies:

Necessary Cookies (without consent)

  • Session Cookie – Authentication and session management
  • CSRF Token – Protection against Cross-Site Request Forgery
  • Cookie Consent – Storage of your cookie preferences

Optional Cookies (with consent)

  • Analytics Cookies – Website usage statistics
  • Functional Cookies – Language settings, preferences

You can change your cookie settings at any time via the cookie banner or in your account settings. You can withdraw consent at /api/dsgvo/consent-withdraw.

5. Registration and User Account

5.1 Data Collected During Registration

  • Email address (required)
  • Name (required)
  • Username (optional)
  • Password (stored encrypted)
  • Two-factor authentication (optional)

5.2 Social Login

You can sign in using the following services:

Your name and email address are transmitted during this process.

Legal Basis: Contract performance (Art. 6(1)(b) GDPR)
Retention Period: Until account deletion

6. Proposal Creation and AI Usage

6.1 Processing of Proposal Data

When creating proposals, we process:

  • Project descriptions and requirements
  • Client data (name, company, contact details)
  • Prices and terms
  • Creation and modification timestamps

6.2 AI-Powered Text Generation

Our service uses Claude by Anthropic to assist with proposal creation:

  • Your inputs are transmitted to Anthropic for text generation
  • No personal client data is passed to the AI
  • Data is not used for training AI models
  • Anthropic processes data as a data processor

Data Processing Agreement: Concluded pursuant to Art. 28 GDPR
Anthropic Privacy Policy: anthropic.com/privacy

Legal Basis: Contract performance (Art. 6(1)(b) GDPR)

7. Electronic Signatures

7.1 Signature Processing

When clients electronically sign a proposal, we collect:

  • Signer's name
  • Signer's email address
  • Signature (drawn or typed)
  • Timestamp of signing
  • IP address (for evidence purposes)
  • Browser information (User-Agent)
  • Document hash at time of signature

7.2 Security Measures for Signatures

  • Signatures are stored encrypted with AES-256-GCM
  • Integrity verification through cryptographic hashes
  • Document hash to prove immutability

Legal Basis: Contract performance (Art. 6(1)(b) GDPR)
Retention Period: 10 years after contract conclusion (German Commercial Code §257)

8. File Uploads

8.1 Profile Pictures and Logos

When uploading images, they are:

  • Validated for file type and content (magic byte verification)
  • Automatically re-encoded to remove hidden data
  • Stored with server-side encryption (AES-256)
  • Placed in isolated tenant folders

Allowed File Types: JPEG, PNG, WebP, GIF
Maximum File Size: 5 MB

Legal Basis: Contract performance (Art. 6(1)(b) GDPR)

9. Payment Processing

9.1 Lemon Squeezy

Payments are processed through Lemon Squeezy, LLC. Your payment data is transmitted directly to Lemon Squeezy:

  • Name and billing address
  • Payment method information
  • Transaction data

Data Processing Agreement: Concluded pursuant to Art. 28 GDPR
Privacy Policy: lemonsqueezy.com/privacy
Location: USA (DPF certified)

Legal Basis: Contract performance (Art. 6(1)(b) GDPR)

10. Email Sending

We use external service providers for sending emails:

  • Transactional Emails (registration, password reset)
  • Proposal Notifications (sent, accepted, rejected)
  • Reminders (expiring proposals)

Provider Privacy Policy: [See Imprint for current provider]

Legal Basis: Contract performance (Art. 6(1)(b) GDPR)

11. Hosting and Infrastructure

11.1 Vercel (Hosting)

Our website is hosted by Vercel Inc.:

  • Server location: EU (Frankfurt)
  • DPF certified for data transfer to the USA
  • Data Processing Agreement concluded

Privacy Policy: vercel.com/legal/privacy-policy

11.2 Supabase (Database)

Our database is hosted by Supabase Inc.:

  • Server location: EU (Ireland)
  • Data Processing Agreement concluded
  • Data is stored encrypted

Privacy Policy: supabase.com/privacy

12. Your Rights

12.1 Overview of Your Rights

| Right | GDPR Article | Implementation |
|-------|--------------|----------------|
| Access | Art. 15 | /api/dsgvo/data-export |
| Rectification | Art. 16 | /api/dsgvo/data-rectify |
| Erasure | Art. 17 | /api/dsgvo/data-delete |
| Restriction | Art. 18 | Contact us |
| Data Portability | Art. 20 | /api/dsgvo/data-export |
| Objection | Art. 21 | Contact us |
| Withdrawal of Consent | Art. 7(3) | /api/dsgvo/consent-withdraw |

12.2 Automated Rights Exercise

You can exercise your rights independently through your user account:

Data Export:

POST /api/dsgvo/data-export

Exports all your personal data as a JSON file.

Account Deletion:

POST /api/dsgvo/data-delete
Body: { "confirmation": "DELETE_MY_ACCOUNT" }

Deletes your account and all associated data.

Consent Withdrawal:

POST /api/dsgvo/consent-withdraw
Body: { "consentTypes": ["analytics", "functional"] }

Withdraws consent for the listed optional cookie types.

12.3 Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority depends on your place of residence.

13. Data Security

We implement extensive technical and organizational measures:

13.1 Technical Measures

  • TLS 1.3 Encryption for all data transfers
  • AES-256-GCM Encryption for sensitive data (signatures)
  • Secure Password Storage with modern hash algorithms
  • Two-Factor Authentication optionally available
  • Rate Limiting for protection against brute-force attacks
  • CSRF Protection for all forms
  • Content Security Policy (CSP) against XSS attacks
  • Regular Security Updates

13.2 Organizational Measures

  • Access restrictions based on need-to-know principle
  • Regular employee training
  • Documented processes for data protection incidents

14. Retention Period and Deletion

| Data Category | Retention Period | Legal Basis |
|---------------|------------------|-------------|
| User Account | Until deletion | Contract performance |
| Proposals (unsigned) | Until deletion | Contract performance |
| Signed Contracts | 10 years | German Commercial Code §257 |
| E-Signatures | 10 years | German Commercial Code §257 |
| Server Logs | 7-30 days | Legitimate interest |
| Sessions | Automatic expiration | Contract performance |
| AI Chats | Until deletion | Contract performance |

15. Data Transfer to Third Countries

Some of our service providers are located outside the EU/EEA:

| Service | Country | Safeguard |
|---------|---------|-----------|
| Vercel | USA | EU-US Data Privacy Framework |
| Lemon Squeezy | USA | EU-US Data Privacy Framework |
| Anthropic | USA | Standard Contractual Clauses |

Transfers are made on the basis of adequacy decisions or Standard Contractual Clauses pursuant to Art. 46 GDPR.

16. Minors

Our service is intended for businesses and business customers. Persons under 16 years of age may not use our service.

17. Changes to This Privacy Policy

We reserve the right to adapt this privacy policy as necessary to comply with changed legal requirements or when changes to the service occur. The current version can always be found on this page.

Registered users will be notified by email of material changes.

18. Contact

For questions about data protection, please contact:

General Contact
Email: julius.sorgner@gmail.com

Last Updated: January 2026
Version: 2.0