Authoritative version is German. This English translation is for convenience only.

Privacy Policy

Hebepunkt — applicable to wovenkeep.com, app.wovenkeep.com and gutachten.osinova.de
As of: 30.04.2026 — Draft, please have reviewed by legal counsel before publication

1. Data Controller

Adrian Bätz – Hebepunkt
Einzelunternehmen (sole proprietorship)
Owner: Adrian Bätz
Elbinger Str. 9, 91207 Lauf a.d. Pegnitz
Email: info@wovenkeep.com

2. Overview of Processing

We process personal data only to the extent necessary for providing our services or where you have given consent.

3. Legal Basis

We process data on the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR) — Registration, use of SaaS services, billing
  • Legitimate interests (Art. 6(1)(f) GDPR) — Security, abuse prevention, debugging
  • Consent (Art. 6(1)(a) GDPR) — Analytics cookies, optional features
  • Legal obligation (Art. 6(1)(c) GDPR) — Invoices, tax records

4. Data Collected

4.1 Registration and Customer Account

  • Email address, name, password (hashed with bcrypt)
  • Optional: Address, phone, country, language
  • Legal basis: Contract performance
  • Retention: Until account deletion, then 10 years for billing data (Section 147 AO)

4.2 Usage Data

  • IP address (anonymized after 24h), timestamp, pages visited
  • Device type, browser type (no fingerprinting)
  • Legal basis: Legitimate interest (security, debugging)
  • Retention: 30 days

4.3 Payment Data

  • Payment data is processed directly by Stripe Inc.
  • We store: Stripe customer ID, billing history, payment status
  • We do NOT store: credit card numbers, bank details
  • Legal basis: Contract performance

4.4 Content Data (Wovenkeep)

  • Campaigns, NPCs, scenes, media — content created by the customer
  • Processing exclusively for service provision
  • No access by the Provider except for support purposes with consent
  • Legal basis: Contract performance, DPA (Art. 28 GDPR) where applicable

4.5 Content Data (Gutachter)

  • Appraisal texts, photos of machines, PDF documents
  • May contain personal data of third parties (clients)
  • Legal basis: Contract performance, DPA

4.6 Telemetry (anonymized)

  • Anonymized usage statistics (no personal reference)
  • IP addresses are truncated before storage
  • Session IDs are hashed (not traceable)
  • No disclosure to third parties
  • Legal basis: Legitimate interest

5. Recipients and Third-Country Transfers

5.1 Processors

| Provider        | Purpose                               | Location    | Guarantee                              |
|-----------------|---------------------------------------|-------------|----------------------------------------|
| IONOS SE        | Hosting, servers                      | Germany     | DPA, German data centers               |
| Stripe Inc.     | Payment processing                    | USA         | DPA, EU SCCs, DPF                      |
| Anthropic PBC   | AI features (optional)                | USA         | DPA, EU SCCs                           |
| Mistral AI SAS  | AI features (fallback)                | France (EU) | DPA, processing within the EU, EU SCCs |
| Groq, Inc.      | Speech transcription (speech-to-text) | USA         | DPA, EU SCCs                           |
| Google LLC      | AI image generation (character portraits) | USA     | DPA, EU SCCs                           |
| Mailbox.org     | Email delivery                        | Germany     | DPA, German servers                    |

AI providers and your own AI access (BYOK)

For AI features we use one of the providers listed above depending on the function; if the primary provider is unavailable, a fallback provider named in the list (e.g. Mistral AI, EU) may be used instead. If you as a customer provide your own AI access (your own API key or your own endpoint, "Bring Your Own AI"), your AI requests are transmitted exclusively to the provider you have chosen; for that provider you are then the controller, and the above list does not apply in that respect.

5.2 Third-Country Transfers

For transfers to the USA (Stripe, Anthropic, Groq, Google) we rely on:

  • EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR
  • Additional technical measures (encryption, pseudonymization)

6. Cookies and Tracking

6.1 Essential Cookies

  • Session cookie (authentication) — mandatory
  • Language preference — mandatory
  • Legal basis: Legitimate interest, no consent required

6.2 Analytics Cookies

  • Only with express consent (opt-in via cookie banner)
  • Anonymized usage analysis for product improvement
  • No Google Analytics, no disclosure to ad networks
  • Legal basis: Consent (Art. 6(1)(a) GDPR)
  • Revocation possible at any time via cookie settings

7. Data Subject Rights

You have the following rights:

  • Access (Art. 15 GDPR) — What data we store about you
  • Rectification (Art. 16 GDPR) — Correction of inaccurate data
  • Erasure (Art. 17 GDPR) — Deletion of your data ("right to be forgotten")
  • Restriction (Art. 18 GDPR) — Restriction of processing
  • Data portability (Art. 20 GDPR) — Export of your data in a machine-readable format
  • Objection (Art. 21 GDPR) — Objection to processing based on legitimate interests
  • Withdrawal of consent (Art. 7(3) GDPR) — At any time without giving reasons

To exercise your rights, contact: info@wovenkeep.com

Data export and account deletion are also available directly in the customer area (self-service).

8. Right to Complain

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

Competent supervisory authority: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 27, 91522 Ansbach, Germany

9. Data Security

We implement technical and organizational measures:

  • TLS encryption (HTTPS) for all connections
  • Password hashing with bcrypt (not reversible)
  • Regular backups (encrypted with Restic)
  • Access control (role-based, two-factor authentication)
  • Servers in Germany (IONOS data centers)

10. Changes

We reserve the right to adapt this privacy policy. The current version is always available at the respective product URL.

Placeholders that must be added before publication:

  • Company name + legal form + address
  • Data protection contact address
  • Competent supervisory authority
  • URL of the privacy policy