Datenschutzerklärung

Data Controller

What Data We Collect

Account & authentication: name, email, hashed password, company name, role/permissions, 2FA enrollment.

Technical & session: IP address, browser, OS and device type (phone, tablet, PC — Android/iOS), JWT session tokens, login timestamps.

Document & tenant data: uploaded files (PDF, DOCX, XLSX, PPTX, images), OCR-extracted text, folders/tags/metadata, search embeddings, team chat messages.

Billing: plan and billing cycle. Payment data is handled only by Stripe and never stored on our servers (§ 7).

Why We Collect Your Data

• Service provision: storage, search and management of your documents
• Authentication and security: identity, sessions, protection against unauthorized access
• Billing and subscription management via Stripe
• AI features: summarize, translate, analyze and compare documents (opt-in)
• Platform reliability and legal compliance

Legal Basis for Processing

• Art. 6(1)(b) — contract performance (account, access, billing)
• Art. 6(1)(f) — legitimate interest (security, fraud prevention, optimization)
• Art. 6(1)(a) — consent (optional AI features; withdrawable anytime)
• Art. 6(1)(c) — legal obligation (tax/accounting)

Data Storage and Location

All data is stored by Hetzner Online GmbH within the European Union (Germany / Finland), GDPR-compliant. Each company lives in its own dedicated database (database-per-tenant). Databases, object storage, caches and backups all stay in the EU.

AI Data Processing & Third-Country Transfers

Optional AI features may transmit document text to: OpenAI, Anthropic, Google (USA, under EU-US DPF / SCCs) or self-hosted Ollama (EU, no transfer). All run in API mode — your data is processed only for your request and is not used to train their models. The assistant works only on your own documents.

Third-Party Services

Stripe (payments) — stripe.com/privacy. We store only a reference ID, never full payment details.

Cloudflare (CDN/security) — cloudflare.com/privacypolicy.

Hetzner Online (hosting, EU) — hetzner.com/legal/privacy-policy.

Data Retention

• Account & document data: for the life of the account; deleted within 30 days of cancellation unless law requires retention
• Server/access logs: 30 days
• Encrypted backups: local 7 days, offsite (EU) 30 days
• Billing records: up to 10 years (German tax law)

Your Rights Under the GDPR

Access (Art. 15), rectification (16), erasure (17), restriction (18), portability (20), objection (21), withdrawal of consent (7(3)). Contact info@arti-it.de — we respond within 30 days.

Cookies

We use only strictly necessary session cookies (authentication, language preference). No tracking, analytics or advertising cookies — so no consent banner is required (GDPR recital 30, ePrivacy Directive).

Data Security

• TLS/HTTPS encryption in transit; encrypted EU backups
• Password hashing (bcrypt); two-factor authentication (2FA)
• Dedicated database per company — strict data isolation
• Antivirus (ClamAV) on every upload; container/firewall isolation
• SSH key-only server access; automated security updates

Data Breach Notification

We notify the supervisory authority within 72 hours (Art. 33) and affected users without undue delay where there is high risk (Art. 34).

Right to Lodge a Complaint

Contact for Data Protection Requests

Albert Milaqi — Arti-IT · Pinner Straße 11, 42579 Heiligenhaus, Germany · info@arti-it.de

Changes to This Policy

We may update this policy to reflect changes in practice or law. Material changes are notified by email or in-app. The “Last updated” date above reflects the latest revision.