
Privacy Policy

Updated: June 15, 2026

1. Data Controller

The data controller under the General Data Protection Regulation (GDPR) is:

- Audinero AI UG (haftungsbeschränkt), registered office in Hamburg, Germany

- Service address: [to be added promptly upon formation]

- Managing Directors: Anil Colak, Jannik Wienecke

- Commercial register: [HRB number to be added promptly upon registration]

- VAT ID: [to be added promptly upon issuance]

- Phone: [to be added promptly upon formation]

- Email: hello@audinero.de

- Security contact: security@audinero.de

- Website: www.audinero.de

2. Data Protection Officer

Audinero AI UG (haftungsbeschränkt) is currently not required to appoint a Data Protection Officer under § 38 BDSG, as the statutory thresholds have not been reached. For data protection inquiries and to exercise your data subject rights, please contact:

- Data Protection Contact: Anil Colak

- Email: hello@audinero.de

A Data Protection Officer will be appointed promptly upon reaching the statutory thresholds under § 38 BDSG.

3. Data We Collect and Why

3.1 Account Registration Data (Legal Basis: Contract Performance - GDPR Art. 6(1)(b))

When you register for Audinero, we collect:

- First and last name

- Email address

- Organization name and size

- Industry and jurisdiction

- Job title

- Timezone

- Company contact details

Authentication (including password management) is handled by the Convex Auth SDK. Audinero does not directly store passwords or password hashes. The minimum password length is 8 characters.

This data is necessary to provide our services and communicate with you.

3.2 Uploaded Compliance Documents (Legal Basis: Contract Performance — GDPR Art. 6(1)(b))

When you upload compliance documents, policies, or other files:

- We store them on Convex servers in the EU (Ireland). Encryption at rest is provided by Convex infrastructure. AES-256-GCM is applied at the application level exclusively for encrypting AI provider API keys.

- These files remain under your full control

- You can view, modify, or delete them at any time

3.3 AI Processing via OpenAI API (Legal Basis: Contract Performance — GDPR Art. 6(1)(b))

Our platform uses the OpenAI API (models: gpt-4.1-nano for text analysis, gpt-4.1-mini for standards analysis, gpt-4o for image and document analysis) to analyze your documents with the AI Assistant "Nero-Ki":

- Your documents are transmitted to the OpenAI API for analysis against compliance frameworks (ISO 27001, ISO 9001, ISO 14001, SOC 2, GDPR, TISAX, NIS2)

- When analyzing images or scanned documents, these are transmitted to OpenAI via the gpt-4o model

- AI processing takes place exclusively in the eu-central-1 region (Frankfurt)

- OpenAI processes data under the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs pursuant to Commission Implementing Decision (EU) 2021/914)

- All data is encrypted in transit via TLS

- Your data is NEVER used for AI model training by OpenAI (API opt-out)

- BYOM (Bring Your Own Model): The BYOM feature is available exclusively for Unlimited and Enterprise tier customers.

Supported providers: Ollama, vLLM, LM Studio, LocalAI, and any OpenAI-compatible endpoint.

3.4 Payment Data (Legal Basis: Contract Performance — GDPR Art. 6(1)(b))

Payments are processed entirely by Polar (Polar, USA). Audinero does not process or store credit card data, IBAN, or any other payment information directly:

- Polar handles all payment processing as an independent payment service provider

- Audinero stores only the Polar customer ID, email address, and subscription status

- Invoicing and payment processing are handled exclusively by Polar

3.5 Website Analytics and Cookies (Legal Basis: Consent — GDPR Art. 6(1)(a))

Our services consist of two domains:

Marketing Website (www.audinero.de):

- Anonymized, cookieless usage statistics

- Optional website usage analysis — only with your explicit consent via the cookie banner

Application (app.audinero.de):

- Authentication cookies: Via the Convex Auth SDK for session management (technically necessary, § 25(2) TDDDG/TTDSG)

- Sentry error monitoring and session replay (consent required): Collects error reports, IP addresses, user identifiers, and browser information. Session replay content is captured masked.

- Performance metrics (consent required): Web Vitals tracking (LCP, INP, CLS) with userId and sessionId context

Sentry and performance metrics are only activated after your explicit consent. Legal basis: GDPR Art. 6(1)(a) in conjunction with § 25(1) TDDDG/TTDSG.

For full details, see our separate Cookie Policy.

3.6 AI Credit Usage and Token Consumption (Legal Basis: Contract Performance — GDPR Art. 6(1)(b))

As part of platform usage, we collect data on AI credit consumption and token usage per workspace. This data is used for billing and fair-use monitoring.

3.7 Performance Monitoring Data (Legal Basis: Consent — GDPR Art. 6(1)(a))

When performance monitoring is enabled, we collect technical identifiers (userId, sessionId, correlationId) for diagnosing performance issues. This data is collected only with your consent.

4. Data Retention

We retain your personal data only as long as necessary. Retention periods differ by data category:

| Data Category | Retention Period | Legal Basis / Criteria |
|---|---|---|
| Registration and account data | During contract term + 7 business days after account deletion | GDPR Art. 6(1)(b); deletion after contract end |
| Uploaded compliance documents | During contract term; deletable at any time; after account deletion: 7 business days | GDPR Art. 6(1)(b) |
| Audit data and findings | During contract term; after account deletion: 7 business days | GDPR Art. 6(1)(b) |
| AI credit usage / token consumption | During contract term; after account deletion: 7 business days | GDPR Art. 6(1)(b) |
| Invoice data (at Polar) | 10 years (statutory retention obligation, German tax law) | GDPR Art. 6(1)(c); § 147 AO, § 257 HGB |
| Sentry error reports | 90 days (Sentry default) | GDPR Art. 6(1)(a) (consent) |
| Performance monitoring data | Session duration | GDPR Art. 6(1)(a) (consent) |
| Session cookies (Convex Auth) | End of session | § 25(2) TDDDG/TTDSG (technically necessary) |

Deletion of your personal data after account deletion is completed within 7 business days. This includes: account data, uploaded documents, audit findings, extracted document content, and AI analysis results.

5. Your Rights

Under GDPR, you have the following rights:

- Access: Request what data we hold about you (Art. 15 GDPR)

- Rectification: Correct inaccurate data (Art. 16 GDPR)

- Erasure: Request deletion of your data (Art. 17 GDPR). Deletion is completed within 7 business days.

- Restrict Processing: Limit how we use your data (Art. 18 GDPR)

- Data Portability: Receive your data in structured format (Art. 20 GDPR)

- Object: Oppose processing based on legitimate interest (Art. 21 GDPR)

- Withdraw Consent (Art. 7(3) GDPR): Where processing is based on your consent (e.g., Sentry, performance monitoring), you have the right to withdraw your consent at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. You can withdraw your consent via: (a) cookie settings on www.audinero.de, (b) the consent mechanism in app.audinero.de, or (c) by email to hello@audinero.de.

- Not Be Subject to Automated Decisions: See AI Processing section (Art. 22 GDPR)

To exercise your rights, email: hello@audinero.de. We will process your request within 30 days.

6. Requirement to Provide Data (GDPR Art. 13(2)(e))

The provision of the following data is contractually required to use the Audinero platform:

- Name and email address (for registration and authentication)

- Organization name (for workspace setup)

Without this data, a user account cannot be created and the service cannot be provided.

The provision of the following data is voluntary:

- Job title, industry, jurisdiction, timezone (for an improved user experience)

- Consent for analytics cookies and performance monitoring (for product improvement and error resolution)

There is no statutory obligation to provide data. However, failure to provide the contractually required data means the service cannot be used.

7. International Data Transfers (GDPR Chapter V, Art. 44–49)

As we use US-based service providers, data transfers to the USA and other third countries occur. Each sub-processor has a specific transfer mechanism:

| Sub-Processor | Location | Processing Purpose | Transfer Mechanism |
|---|---|---|---|
| Convex, Inc. | USA (servers EU/Ireland) | Backend infrastructure, database, all application data | EU-US Data Privacy Framework (DPF) + SCCs (2021/914) |
| OpenAI, L.P. | USA (processing in eu-central-1 region, Frankfurt) | AI document analysis | DPF + SCCs (2021/914) |
| Polar | USA | Payment processing | DPF + SCCs (2021/914) |
| Resend, Inc. | USA | Transactional emails | DPF + SCCs (2021/914) |
| Sentry / Functional Software, Inc. | USA | Error monitoring, session replay (text masked) | DPF + SCCs (2021/914) |
| Tavily, Inc. | USA | Web research for checklists | DPF + SCCs (2021/914); no direct PII processing, but search queries may indirectly contain personal data from compliance documents |

Supplementary measures per EDPB Recommendation 01/2020:

- TLS encryption for all data transfers

- AES-256-GCM encryption for API keys at application level

- Pseudonymization where possible (e.g., internal IDs instead of plain names)

- Contractual commitments by sub-processors to GDPR compliance

All Standard Contractual Clauses are based on Commission Implementing Decision (EU) 2021/914.

8. AI and Automated Decision-Making (GDPR Art. 13(2)(f), Art. 22)

Our AI Assistant "Nero-Ki" processes your documents for compliance analysis. Below we disclose the logic, significance, and consequences of this processing:

Processing logic: The text of your uploaded documents is transmitted to OpenAI models (eu-central-1 region, Frankfurt), which analyze the content against selected compliance frameworks (e.g., ISO 27001, SOC 2, GDPR). Results are stored as findings with severity ratings (Critical, High, Medium, Low) in your workspace.

Significance and consequences:

- A Data Protection Impact Assessment (DPIA) has been conducted

- No automated decisions within the meaning of Art. 22 GDPR: AI analyses are recommendations and decision aids, not legally binding assessments

- You have the right to request manual review of AI results by qualified personnel at any time

- AI results are stored exclusively in your workspace and are not accessible to other customers

- Model training: Your data is NEVER used for training or improving AI models

9. Security Measures (GDPR Art. 32)

We protect your data with:

- Encryption at rest: Infrastructure encryption by Convex. AES-256-GCM at application level exclusively for AI provider API keys.

- Encryption in transit: TLS encryption provided by infrastructure providers

- Infrastructure: Convex Cloud (EU/Ireland)

- Access controls: Role-based access control (RBAC) within the platform

- Error and performance monitoring: Sentry-based monitoring of application errors and performance metrics (consent required only)

- Planned security reviews: Regular review of security measures and infrastructure, with the goal of introducing formal penetration testing

- Rate limiting: Protection against automated attacks on authentication endpoints

Please direct security-related notices and reports to security@audinero.de.

10. Data Processing on Behalf of the Customer (GDPR Art. 28)

Where Audinero AI processes personal data on behalf of the customer, this is done on the basis of a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR. The DPA is concluded automatically upon acceptance of the Terms during registration and governs in particular:

- Subject matter and duration of processing

- Compliance with instructions and obligations of the processor

- Approved sub-processors (see table in Section 7)

- Technical and organizational measures (TOMs) pursuant to Art. 32 GDPR

- Deletion and return of data after contract end (within 7 business days)

- Third-country transfers under the EU-US and, where applicable, the Swiss-US Data Privacy Framework plus SCCs; the Swiss revised Data Protection Act (revDSG) applies as an additional legal basis alongside the GDPR where Swiss data subjects are concerned

The full DPA is available as a separate document and can be requested at hello@audinero.de.

11. Contact & Complaints

For privacy questions:

- Email: hello@audinero.de

- Contact form: https://www.audinero.de/kontakt

The competent supervisory authority for Audinero AI UG (haftungsbeschränkt) is:

- The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI)

- Ludwig-Erhard-Str. 22, 20459 Hamburg, Germany

- Phone: +49 40 428 54 4040

- Email: mailbox@datenschutz.hamburg.de

- Web: https://datenschutz-hamburg.de

You also have the right to lodge a complaint with the supervisory authority in your member state of residence.

12. Additional Information for Users / Data Subjects in Austria

Where our service concerns users or data subjects in Austria, the following additional information applies:

- The disclosure and information obligations under § 5 ECG and § 25 MedienG apply.

- In addition to the GDPR, the Austrian Data Protection Act (DSG) applies.

- The competent supervisory authority in Austria is the Austrian Data Protection Authority (Datenschutzbehörde, DSB).

- For the use of cookies and comparable technologies, § 165 TKG 2021 (consent requirement) applies in addition.

13. Additional Information for Users / Data Subjects in Switzerland

Where data of persons in Switzerland is processed, the following additional information applies:

- The revised Swiss Federal Act on Data Protection (revDSG, in force since 01 September 2023) applies.

- The competent supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC / EDÖB).

- Data transfers to the USA are based on the Swiss-US Data Privacy Framework and, in addition, the Standard Contractual Clauses (SCCs).

- Note: A representative in Switzerland may be required under Art. 14 revDSG.

14. Policy Changes

We may update this Privacy Policy to reflect changes in legal requirements, new services, or technical developments. The current version is always available on our website. Registered users will be notified by email of material changes.

Ready for smarter compliance?

Still tracking compliance in spreadsheets? Start your 14-day trial. No credit card, no onboarding calls. Clarity from day one.