Privacy Policy
Last updated: January 2026
1. Data Controller
The data controller responsible for data processing on this website is:
Carsten Wittmann
Otto-Schott-Str. 2
60438 Frankfurt am Main
Germany
Email: cw@qomplai.eu
Phone: +49 151 2262 8639
2. Your Rights as a Data Subject
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) – You can request information about your data we process.
- Right to rectification (Art. 16 GDPR) – You can request correction of inaccurate data.
- Right to erasure (Art. 17 GDPR) – You can request deletion of your data.
- Right to restriction (Art. 18 GDPR) – You can request restriction of processing.
- Right to data portability (Art. 20 GDPR) – You can request your data in a common format.
- Right to object (Art. 21 GDPR) – You can object to the processing of your data.
- Right to withdraw consent (Art. 7(3) GDPR) – You can withdraw consent at any time.
- Right to lodge a complaint (Art. 77 GDPR) – You have the right to lodge a complaint with a supervisory authority.
The competent supervisory authority is the Hessian Commissioner for Data Protection and Freedom of Information (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit).
3. Processing Activities in Detail
Below we provide transparent information about each processing activity with all relevant details.
3.1 Website Hosting
| Purpose | Technical operation and provision of the website |
|---|---|
| Categories of Data | IP address, browser type, operating system, referrer URL, access time, pages visited |
| Legal Basis | Art. 6(1)(f) GDPR (legitimate interest in secure and efficient website operation) |
| Recipients | Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (data processor) |
| Third Country Transfer | Primary processing in the EU. Google LLC (USA) as sub-processor, secured by the EU-US Data Privacy Framework. |
| Retention Period | Server logs are automatically deleted after 30 days. |
3.2 Session Cookies
| Purpose | Technical functionality of the website (login status, language settings, form data) |
|---|---|
| Categories of Data | Session ID (a randomly generated, pseudonymous token) |
| Legal Basis | Art. 6(1)(f) GDPR (technically necessary); no consent required under German law (TTDSG) |
| Recipients | No disclosure to third parties |
| Third Country Transfer | None |
| Retention Period | Until browser is closed (end of session) |
3.3 User Account (Registration and Login)
| Purpose | Creation and management of your user account, access to your compliance analyses, storage of your settings |
|---|---|
| Categories of Data | Email address, password (stored encrypted), optional: name, company name |
| Legal Basis | Art. 6(1)(b) GDPR (contract performance – provision of the service) |
| Recipients | No disclosure to third parties (storage at our hosting provider, see 3.1) |
| Third Country Transfer | No direct transfer; storage in the EU (see 3.1) |
| Retention Period | Until you delete your account. Invoice-related data is retained for 10 years (statutory retention requirement). |
3.4 Pilot Program Registration and Contact
| Purpose | Processing your inquiry, admission to the pilot program, communication regarding our services |
|---|---|
| Categories of Data | Email address (required), name of AI tool to be checked (required), name (optional), company name (optional) |
| Legal Basis | Art. 6(1)(b) GDPR (pre-contractual measures or contract performance) |
| Recipients | Internal; for email delivery: Brevo (Sendinblue SAS) (see 3.6) |
| Third Country Transfer | See Email Delivery (Section 3.6) |
| Retention Period | For the duration of the business relationship. Subsequently 10 years retention per statutory requirements. |
3.5 Compliance Analysis (Core Service)
| Purpose | AI-assisted analysis of your documents for compliance with GDPR, EU AI Act, and Data Act; creation of compliance reports |
|---|---|
| Categories of Data | Documents you upload (e.g., data processing agreements, privacy policies, technical and organizational measures), chat history with the system, analysis results |
| Legal Basis | Art. 6(1)(b) GDPR (contract performance) |
| Recipients | Google Ireland Limited (Gemini API for document analysis) – data processor; Anthropic PBC, USA (Claude API for verification) – data processor |
| Third Country Transfer | Google: Primary processing in the EU; sub-processors in the USA under the EU-US Data Privacy Framework. Anthropic: USA, secured by EU Commission Standard Contractual Clauses. |
| Retention Period | 12 months, so you can continue and update your analysis. You can request early deletion at any time. |
3.6 Email Delivery
| Purpose | Delivery of analysis reports, notifications, invoices, and service messages |
|---|---|
| Categories of Data | Email address, name, email content |
| Legal Basis | Art. 6(1)(b) GDPR (contract performance) |
| Recipients | Brevo (Sendinblue SAS), 106 Boulevard Haussmann, 75008 Paris, France (data processor for email delivery) |
| Third Country Transfer | None (Brevo is an EU-based provider headquartered in France) |
| Retention Period | At Brevo: per their retention policy. With us: see Sections 3.3 and 3.4. |
3.7 Payment Processing
| Purpose | Processing your payment, invoicing, fraud prevention |
|---|---|
| Categories of Data | Name, email address, billing address, payment information (credit card, PayPal, etc.) |
| Legal Basis | Art. 6(1)(b) GDPR (contract performance) |
| Recipients | Paddle.com Market Limited, 15 Briery Close, Great Oakley, Corby, Northamptonshire, NN18 8JG, United Kingdom |
| Third Country Transfer | United Kingdom (EU Commission adequacy decision). Potentially additional Paddle sub-processors. |
| Retention Period | At Paddle per their privacy policy. Invoice data with us: 10 years (statutory requirement). |
4. No Additional Processing
We do not use any additional services that process your personal data:
- No Google Analytics or other web analytics tools
- No social media plugins (Facebook, LinkedIn, etc.)
- No retargeting or advertising cookies
- No embedded YouTube videos or similar content
5. Summary of Third Country Transfers
Summary of all data transfers outside the EU:
| Recipient | Country | Safeguard |
|---|---|---|
| Google LLC | USA | EU-US Data Privacy Framework |
| Anthropic PBC | USA | EU Commission Standard Contractual Clauses |
| Brevo (Sendinblue SAS) | France (EU) | No transfer guarantee required (EU provider) |
| Paddle.com Market Ltd. | United Kingdom | EU Commission Adequacy Decision |
6. Data Security
We implement appropriate technical and organizational measures to protect your data:
- SSL/TLS encryption for all data transmissions
- Encrypted storage of sensitive data (passwords are hashed)
- Regular security updates
- Access restrictions and authentication
- Hosting in certified EU data centers
7. Changes to This Privacy Policy
We reserve the right to update this privacy policy to reflect changes in legal requirements or changes to our services. The current version is always available on this page.
8. Contact for Privacy Questions
For questions about data protection or to exercise your rights, please contact:
Email: cw@qomplai.eu
Subject: "Privacy Inquiry"