AiAuditBuddy

Information on the collection of personal data and contact details of the controller

1.1 We are pleased that you are using our application (hereinafter "app"). In the following, we will inform you about how we handle your personal data when you use our app. Personal data is all data with which you can be personally identified.

1.2 The controller in charge of data processing for this app, within the meaning of the General Data Protection Regulation (GDPR), is Sebastian Amann, AiAuditBuddy, Leopoldstraße 23, 80802 München, Deutschland, E-Mail: info@aiauditbuddy.com. The controller of personal data is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.

1.3 This app uses SSL or TLS encryption for security reasons and to protect the transmission of personal data and other confidential content (e.g. orders or inquiries to the controller). You can recognize an encrypted connection by the character string "https://" and the lock symbol in your browser line.

Log files when using our app

When you use our app, we collect the personal data described below to enable convenient use of the function. If you wish to use our app, we collect the following data, which is technically necessary for us to offer you the functions of our app and to ensure stability and security:

Date and time of the request
Time zone difference to Greenwich Mean Time (GMT)
Content of the request
Access status/ http status code
Amount of data sent in bytes
Source/reference from which you reached the page
Browser used
Language and version of the browser software
Operating system used and its interface
IP address used (if applicable: in anonymized form)

Processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in improving the stability and functionality of our app. The data will not be passed on or used in any other way. However, we reserve the right to check the aforementioned log files retrospectively if there are concrete indications of illegal use.

Use of single sign-on procedures

Google Sign-In

In our app, we provide a single sign-on function from the following provider Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland

In addition to the transmission of data to the above-mentioned provider location, data may also be transmitted to Google LLC, USA

If you have an account with the provider, you can use this account data to create a user account or to register on our website.

When you visit this page, a direct connection can be established between your browser and the provider's servers via this login function, even if you do not have an account with the provider or are not logged into one. The provider then receives the information that you have visited our site. The information collected in this way (possibly including your IP address) is transmitted directly from your browser to a server of the provider and stored there. However, the information is not used to identify you personally and is not passed on to third parties.

These data processing operations are carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in a user-friendly and interactive design of our online presence.

If you click on the login button to register with the provider on our website using your account data, the provider transmits the general and publicly accessible information stored in your account (user ID, name, address, email address, age and gender) to us exclusively on the basis of your express consent in accordance with Art. 6 para. 1 lit. a GDPR.

We store and use the data transmitted by the provider to set up a user account with the necessary data (title, first name, surname, address data, country, email address, date of birth), provided you have released this to the provider. Conversely, based on your consent, data (e.g. information about your surfing or purchasing behavior) may be transferred from us to your account with the provider.

You can revoke your consent to us at any time with effect for the future.

For data transfers to the USA, the provider has signed up to the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.

Further information on Google's data protection provisions can be found here: https://business.safety.google/intl/de/privacy/

We use cookies to make our app attractive and to enable the use of certain functions. These are small text files that are stored on your end device. Some of the cookies we use are deleted again after you close the app (so-called session cookies). Other cookies remain on your device and enable us to recognize you (persistent cookies). If cookies are set, they collect and process certain user information such as browser and location data as well as IP address values to an individual extent. Persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie.

In some cases, cookies are used to simplify the operation of the app by saving settings. If personal data is also processed by individual cookies used by us, the processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR for the execution of the contract, in accordance with Art. 6 para. 1 lit. a GDPR in the case of consent given or in accordance with Art. 6 para. 1 lit. f GDPR to safeguard our legitimate interests in the best possible functionality of the app and a customer-friendly and effective design of the app use.

You can configure the settings of your mobile operating system and the app according to your wishes and, for example, refuse to accept third-party cookies or all cookies. However, we would like to point out that in this case you may no longer be able to use all the functions of our mobile app.

Contacting us

Personal data is collected when you contact us (e.g. via contact form or email). Which data is collected when using a contact form can be seen from the respective contact form in the app. This data is stored and used exclusively for the purpose of responding to your request or for contacting you and the associated technical administration. The legal basis for the processing of this data is our legitimate interest in responding to your request in accordance with Art. 6 para. 1 lit. f GDPR. If your contact is aimed at concluding a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR. Your data will be deleted after final processing of your request. This is the case if it can be inferred from the circumstances that the matter in question has been conclusively clarified and provided that there are no statutory retention obligations to the contrary.

Data processing when opening a customer account

In accordance with Art. 6 para. 1 lit. b GDPR, personal data will continue to be collected and processed if you provide it to us for the execution of a contract or when opening a customer account. Which data is collected can be seen from the respective input forms. Deletion of your customer account is possible at any time and can be done by sending a message to the above-mentioned address of the controller. We store and use the data provided by you to process the contract. After completion of the contract or deletion of your customer account, your data will be blocked with regard to tax and commercial retention periods and deleted after expiry of these periods, unless you have expressly consented to further use of your data or we have reserved the right to further use of your data as permitted by law, about which we will inform you accordingly below.

Data processing for contract processing

7.1 In order to process contracts concluded via the app, we work together with the following service provider(s), who support us in whole or in part in the execution of concluded contracts. Certain personal data is transmitted to these service providers in accordance with the following information.

The personal data collected by us will be passed on to the transport company commissioned with the delivery as part of the contract processing, insofar as this is necessary for the delivery of the goods. We pass on your payment data to the commissioned credit institution within the scope of payment processing, insofar as this is necessary for payment processing. If payment service providers are used, we will inform you of this explicitly below. The legal basis for the transfer of data is Art. 6 para. 1 lit. b GDPR.

7.2 - Stripe

If you choose a payment method from the payment service provider Stripe, the payment will be processed via the payment service provider Stripe Payments Europe Ltd, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, to whom we will pass on the information you provided during the ordering process together with the information about your order (name, address, account number, bank code, credit card number if applicable, invoice amount, currency and transaction number) in accordance with Art. 6 para. 1 lit. b GDPR. Your data will only be passed on for the purpose of payment processing with the payment service provider Stripe Payments Europe Ltd. and only to the extent that it is necessary for this purpose. You can find more information on Stripe's data protection at the URL https://stripe.com/de/privacy#translation.

7.3 Amazon Web Services

We use the system of the following provider to host our app and display the page content: Amazon Web Services, Inc, 410 Terry Avenue North, Seattle, WA 98109, USA

All data collected on our website is processed on the provider's servers.

We have concluded an order processing contract with the provider, which ensures the protection of the data of our website visitors and prohibits unauthorized disclosure to third parties.

7.4 Azure OpenAI (Microsoft Ireland)

For the provision of text analysis functions and the creation of embeddings, we use the system of the following provider: Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland.

All data collected as part of these functions is processed on the provider's servers in the European Union.

We have concluded an order processing contract with the provider, which ensures the protection of our users' data and prohibits unauthorized disclosure to third parties.

As the processing takes place exclusively within the EU region, no personal data is transferred to third countries, in particular the USA.

7.5 Sentry

This app uses a service for the automatic transmission of error reports from the following provider: Functional Software Inc, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA

In the event of technical complications or functional impairments in connection with the operation of the website, the service sends automatic error reports to the provider, which contain information on the respective source of the error and its origin. Both server information and usage parameters such as the IP address, the browser used, time stamp and the URL accessed are transmitted.

Depending on the source of the error, error reports may also contain further personal customer data that we have collected and stored in the course of concluding contracts (in particular first name and surname, address, email address). This is always conceivable if the error occurs in connection with software-based processing of customer data.

If the information transmitted in this way also includes personal data, the processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in an efficient error cause analysis to improve the reliability and functionality of our website.

For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.

7.6 Use of the Claude API via AWS Bedrock (Anthropic / Amazon Web Services)

For AI-supported functions of our application, in particular for document analysis based on the Claude 3.5 Sonnet model, we use the system of the following provider: Amazon Web Services EMEA S.à r.l., 38 Avenue John F. Kennedy, L-1855 Luxembourg (infrastructure) and Anthropic PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA (model provider).

All data collected as part of these functions is processed exclusively in the data center provided by the provider in Frankfurt am Main, Germany (eu-central-1).

We have concluded order processing contracts with the providers that ensure the protection of our users' data and prohibit unauthorized disclosure to third parties.

Personal data is not transferred to third countries, as processing takes place entirely within the European Union. Should a transfer to a third country become necessary in individual cases, this will be carried out exclusively on the basis of the standard contractual clauses provided by the European Commission.

Further information can be found at https://aws.amazon.com/bedrock/ and https://www.anthropic.com/legal/privacy.

7.7 Langfuse Inc. for LLM tracing and usage analysis of AI functions, We use the service of Langfuse GmbH, Kollwitzstraße 75, 10435 Berlin, Germany, for tracing, analysis and optimization of our AI functions. This involves processing pseudonymized usage data such as prompt logs, technical metadata, performance indicators and error rates. The processing is based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in improving the stability, quality and transparency of our AI systems. An order processing contract has been concluded with the provider, which guarantees the protection of the processed data. Further information can be found at https://langfuse.com and in the Data Processing Addendum at https://langfuse.com/legal/dpa.

7.8 Resend

We use the system of the following provider to send our newsletter and other electronic notifications: Plus Five Five, Inc, 2261 Market Street #5039, San Francisco, CA 94114, USA.

All data collected during registration and dispatch - in particular e-mail addresses, any names provided for personal contact and technical log data from the registration and unsubscription process - are processed on the provider's servers. This also includes statistical evaluations to measure reach and conversion and to analyze interactions with our email content.

We have concluded an order processing contract with the provider, which ensures the protection of the data of our newsletter recipients and prohibits unauthorized disclosure to third parties.

For data transfers to the USA, the provider uses suitable guarantees within the meaning of the GDPR, in particular the standard contractual clauses provided by the European Commission. These guarantee an appropriate level of protection for the personal data transferred.

Further information about the provider can be found at https://resend.com/ and in the privacy policy at https://resend.com/legal/privacy-policy.

7.9 Flowise AI as a self-hosted chatbot framework on our own AWS infrastructure in Frankfurt for audit support,

7.10 SimpleLocalize Sp. z o.o. for translation management (DE/EN). We use the service of SimpleLocalize Sp. z o.o., ul. Żabiniec 46/73, 31-215 Kraków, Poland, for the management, maintenance and synchronization of our translations (German/English). We process text content from our user interface and translation strings to ensure consistent localization of our website. The processing is based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in the efficient international provision of our services. SimpleLocalize processes data exclusively within the EU; an order processing contract has been concluded. Further information can be found at https://simplelocalize.io and in the Data Processing Addendum at https://simplelocalize.io/data-processing-addendum/.

Registration in the app

You can register in our app by providing personal data. Which personal data is processed for registration is determined by the input mask used for registration. We use the so-called double opt-in procedure for registration, i.e. your registration is not complete until you have confirmed your registration by clicking on the link contained in a confirmation e-mail sent to you for this purpose. If you do not confirm your registration within 24 hours, your registration will be automatically deleted from our database. Providing the above data is mandatory. You can provide all other information voluntarily by using our portal.

If you use our app, we will store your data required to fulfill the contract, including any information on payment methods, until you finally delete your access. We also store the data you provide voluntarily for the duration of your use of the portal, unless you delete it beforehand. You can manage and change all information in the protected customer area. The legal basis is Art. 6 para. 1 lit. f GDPR.

In addition, we store all content published by you (e.g. public posts, pinboard entries, guestbook entries, etc.) in order to operate the app. We have a legitimate interest in providing the app with complete user-generated content. The legal basis for this is Art. 6 para. 1 lit. f GDPR. If you delete your account, your comments published in the forum in particular will remain visible to all readers, but your account will no longer be accessible. All other data will be deleted in this case.

Use of your data for direct advertising

9.1 Subscription to our e-mail newsletter

If you subscribe to our e-mail newsletter, we will send you regular information about our offers. The only mandatory information for sending the newsletter is your e-mail address. The provision of further data is voluntary and is used to address you personally. We use the so-called double opt-in procedure for sending the newsletter. This means that we will only send you an e-mail newsletter if you have expressly confirmed to us that you consent to receiving the newsletter. We will then send you a confirmation e-mail asking you to confirm that you wish to receive the newsletter in future by clicking on a corresponding link.

By activating the confirmation link, you give us your consent to the use of your personal data in accordance with Art. 6 para. 1 lit. a GDPR. When you register for the newsletter, we store your IP address entered by the Internet service provider (ISP) as well as the date and time of registration in order to be able to trace any possible misuse of your e-mail address at a later date. The data collected by us when you register for the newsletter will be used exclusively for the purpose of advertising by means of the newsletter. You can unsubscribe from the newsletter at any time via the link provided in the newsletter or by sending a message to the controller named at the beginning. Once you have unsubscribed, your email address will be deleted from our newsletter mailing list immediately, unless you have expressly consented to further use of your data or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration.

9.2 Sending the e-mail newsletter to existing customers

If you have provided us with your e-mail address when purchasing goods or services, we reserve the right to regularly send you offers for similar goods or services to those already purchased from our range by e-mail. In accordance with Section 7 (3) UWG, we do not need to obtain separate consent from you for this. In this respect, data processing is carried out solely on the basis of our legitimate interest in personalized direct advertising in accordance with Art. 6 para. 1 lit. f GDPR. If you have initially objected to the use of your email address for this purpose, we will not send you any emails.

You are entitled to object to the use of your email address for the aforementioned advertising purpose at any time with effect for the future by sending a message to the controller named at the beginning. You will only incur transmission costs for this in accordance with the basic rates. Upon receipt of your objection, the use of your e-mail address for advertising purposes will be discontinued immediately.

Rights of the data subject

10.1 The applicable data protection law grants you comprehensive data subject rights (rights of access and intervention) vis-à-vis the controller with regard to the processing of your personal data, about which we inform you below:

Right to information pursuant to Art. 15 GDPR: In particular, you have a right to information about your personal data processed by us, the processing purposes, the categories of personal data processed, the recipients or categories of recipients to whom your data has been or will be disclosed, the planned storage period or the criteria for determining the storage period, the existence of a right to rectification, erasure, restriction of processing, objection to processing, complaint to a supervisory authority, the origin of your data if it was not collected by us from you, the existence of automated decision-making including profiling and, if applicable, meaningful information on the logic involved and the scope and intended effects of such processing on you, as well as your right to be informed of the guarantees pursuant to Art. 46 GDPR if your data is transferred to third countries;
Right to rectification pursuant to Art. 16 GDPR: You have the right to obtain without undue delay the rectification of inaccurate data concerning you and/or the completion of incomplete data stored by us;
Right to erasure in accordance with Art. 17 GDPR: You have the right to request the erasure of your personal data if the requirements of Art. 17 para. 1 GDPR are met. However, this right does not apply in particular if the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;
Right to restriction of processing in accordance with Art. 18 GDPR: You have the right to request the restriction of the processing of your personal data as long as the accuracy of your data, which you dispute, is verified, if you refuse to delete your data due to inadmissible data processing and instead request the restriction of the processing of your data, if you need your data to assert, exercise or defend legal claims after we no longer need this data after the purpose has been achieved or if you have lodged an objection for reasons of your particular situation, as long as it is not yet clear whether our legitimate reasons prevail;
Right to information in accordance with Art. 19 GDPR: If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed about these recipients.
Right to data portability in accordance with Art. 20 GDPR: You have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transferred to another controller, insofar as this is technically feasible;
Right to withdraw consent given in accordance with Art. 7 para. 3 GDPR: You have the right to withdraw your consent to the processing of data at any time with effect for the future. In the event of revocation, we will delete the data concerned immediately, unless further processing can be based on a legal basis for processing without consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
Right to lodge a complaint pursuant to Art. 77 GDPR: If you consider that the processing of personal data relating to you infringes the GDPR, you have the right - without prejudice to any other administrative or judicial remedy - to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.

10.2 RIGHT TO OBJECT

IF WE PROCESS YOUR PERSONAL DATA AS PART OF A BALANCING OF INTERESTS ON THE BASIS OF OUR OVERRIDING LEGITIMATE INTEREST, YOU HAVE THE RIGHT TO OBJECT TO THIS PROCESSING AT ANY TIME WITH EFFECT FOR THE FUTURE ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION.

IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE DATA CONCERNED. HOWEVER, WE RESERVE THE RIGHT TO CONTINUE PROCESSING IF WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, FUNDAMENTAL RIGHTS AND FREEDOMS, OR IF THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENSE OF LEGAL CLAIMS.

IF YOUR PERSONAL DATA IS PROCESSED BY US FOR THE PURPOSE OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH MARKETING. YOU CAN EXERCISE YOUR RIGHT TO OBJECT AS DESCRIBED ABOVE.

IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE DATA CONCERNED FOR DIRECT MARKETING PURPOSES.

Duration of storage of personal data

The duration of the storage of personal data is determined by the respective legal basis, the purpose of processing and - if applicable - additionally by the respective statutory retention period (e.g. retention periods under commercial and tax law).

When processing personal data on the basis of express consent in accordance with Art. 6 para. 1 lit. a GDPR, the data concerned will be stored until you withdraw your consent.

If there are statutory retention periods for data that is processed within the scope of legal or similar obligations on the basis of Art. 6 para. 1 lit. b GDPR, this data will be routinely deleted after the retention periods have expired, provided that it is no longer required for contract fulfillment or contract initiation and/or we no longer have a legitimate interest in further storage.

When processing personal data on the basis of Art. 6 para. 1 lit. f GDPR, this data is stored until you exercise your right to object in accordance with Art. 21 para. 1 GDPR, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

When processing personal data for the purpose of direct marketing on the basis of Art. 6 para. 1 lit. f GDPR, this data will be stored until you exercise your right to object in accordance with Art. 21 para. 2 GDPR.

Unless otherwise stated in the other information in this statement on specific processing situations, stored personal data will be deleted when it is no longer necessary for the purposes for which it was collected or otherwise processed.

Copyright notice: This privacy policy was created by the specialist lawyers at IT-Recht Kanzlei and is protected by copyright(https://www.it-recht-kanzlei.de)

Status: 17.11.2025, 16:01:50

Privacy Policy