Data Protection Information

Below we inform you in accordance with the General Data Protection Regulation (GDPR) and other data protection regulations. In particular, we inform you about which personal data we collect and for which purposes when you use our website and communicate with us electronically, how we use it, to whom we disclose it and what rights you have with regard to your personal data.

Data Processing in Detail

Below you will find the legal information about data categories, purposes, obligation to provide data, legal bases, deletion periods, recipients, third country transfer as well as revocation and objection rights per processing activity including advertising for own similar goods and services (direct marketing).

Visiting the Website

Data Categories: When visiting the platform, we process personal data or device data that is automatically transmitted from your device to our servers: browser type / browser version, operating system used, language and version of browser software, IP address, date and time of server request, access status/HTTP status code, referrer URL (previously visited website).

Purposes: The processing of this data is necessary to establish a connection to our servers, to correctly deliver the content of the website, to ensure the functionality and security of the website, and to detect and prevent misuse (e.g. attacks on IT security).

Storage Period: The data is only processed briefly and stored in server log files. Personal data is not stored permanently. Log data is regularly deleted or anonymized.

Recipients: Your data is processed on our behalf (hosting) by Scalingo (Scalingo SAS, 13, rue Jacques Peirotes, 67000 Strasbourg, France). Scalingo hosts your data at Outscale (1, rue Royale – 319 Bureaux de la Colline 92210 Saint-Cloud, France).

Legal Basis: The processing of the data is based on Art. 6 para. 1 lit. f GDPR (legitimate interest in the secure and functional provision of the website) and § 25 para. 2 TDDDG.

Registration, Receipt of Notifications and Direct Marketing

Data Categories: The following personal data is required for registration to use our services: first name, last name, email, username, password, consent to the terms of use (date, time). Furthermore, a cookie for your authentication (name: authData) and for the selected language (name: i18nextLng) is stored on your device.

Purposes: This data is required to confirm your registration, create a user account, conclude a usage agreement with you, authenticate you on future logins and keep you logged in, send you contractual information and system-relevant notifications (e.g. security-related notices, account or organization information).

We also use the data to send you direct marketing, provided you have not objected to the use of your data for this purpose. You may object to the use of your data for direct marketing at any time. Please refer to the information on your right to object at the end of this data protection information. Please direct your objection to the contact details mentioned above.

The provision of your data is required for the conclusion and performance of a contract for paid services. Without the required data, we cannot provide our services.

Storage Period: This data will be deleted if a user account is not confirmed within the specified period after registration. Otherwise, it will be stored for the duration of the contractual relationship. Thereafter, the data will be stored exclusively for the duration of statutory retention periods (regularly 10 years) and then deleted. The cookies have no storage duration. You can delete them in your browser's local storage at any time. Your data will no longer be used for direct marketing once you have objected to the use of your data for this purpose.

Recipients: Your data is processed on our behalf (hosting) by Scalingo (Scalingo SAS, 13, rue Jacques Peirotes, 67000 Strasbourg, France). Scalingo hosts your data at Outscale (1, rue Royale – 319 Bureaux de la Colline 92210 Saint-Cloud, France). For sending notifications and direct marketing, we use Hetzner (Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen) and Brevo (Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin). Brevo uses the services of OVH, Google Cloud and Cloudflare for data processing. Additional recipients may include: tax authorities, lawyers, tax advisors, auditors, collection agencies, judicial authorities.

Legal Basis: The processing of data for the purposes of registration, contract conclusion, creation of a user account, subsequent authentication and for sending contractual and system-relevant notifications is based on Art. 6 para. 1 lit. b GDPR (pre-contractual measures and contract performance) in conjunction with § 25 para. 2 TDDDG. The processing of data for sending direct marketing is based on Art. 6 para. 1 lit. f GDPR (legitimate interest in sending advertising for own similar goods or services within the meaning of § 7 para. 3 UWG).

Using the Platform: Organizations, Email Assistants and Knowledge Base

Data Categories: The following data is required to create an organization: organization name, industry, email address, optionally phone, contact person, address and additional information. The following data is required to configure an email assistant: assistant name, description, email connection data (IMAP/SMTP credentials or OAuth credentials for Gmail/Microsoft). The following data is required to use the knowledge base: FAQ entries (questions and answers), instructions for the assistant.

Purposes: This data is required to provide you with the functions of the platform, in particular to manage organizations, configure and operate email assistants, create automatic reply drafts, provide knowledge for the assistant, and send notifications to you.

Storage Period: This data will be deleted when the organization or assistant is deleted, and generally when the purpose for which the data was collected ceases to exist and processing for other legitimate purposes is not required.

Recipients: Your data is processed on our behalf by futureprojects GmbH, which uses the following service providers for data processing: Scalingo (hosting) and Brevo (email delivery). Your email connection data (passwords, access tokens) is stored exclusively with AES-256 encryption. Organization members may have access to organization and assistant data depending on their role.

Legal Basis: The processing of data on the platform is based on Art. 6 para. 1 lit. b GDPR (contract performance) for the fulfillment of the above-mentioned purposes.

AI-Powered Data Processing

Data Categories: Depending on the assistant used, different data is processed by AI models, e.g. email content, conversation histories, texts for data extraction, or other content provided by the customer. Additionally, assistant instructions and FAQ entries configured by you are processed. Furthermore, technical usage statistics are collected (e.g. AI model used, token consumption, processing duration, success status).

Purposes: The processing serves to provide the AI assistant features of the platform, in particular the creation of drafts, conducting interviews, extraction of structured data, and other assistant-specific tasks. No automated decision with legal effect takes place. The usage statistics are used for billing, quality assurance and technical optimization of the service.

Storage Period: Content that is only transmitted to the AI model for one-time processing (e.g. email content, texts for data extraction) is only processed in memory and not stored permanently. Usage statistics without content data are retained for billing and analysis purposes. Error logs may be stored temporarily if required for technical diagnostics.

Recipients:

For AI processing, data is transmitted to the following service provider:

Microsoft Corporation (Azure AI Foundry), One Microsoft Way, Redmond, WA 98052, USA (Privacy Policy).

Processing takes place primarily in data centers within the European Union. Access from third countries cannot be completely excluded due to legal obligations of the provider (e.g. US Cloud Act). Appropriate safeguards exist pursuant to Art. 46 GDPR.

Customer data is not used for the training of AI models.

Legal Basis: The processing is based on Art. 6 para. 1 lit. b GDPR (contract performance – provision of AI assistant services).

futureprojects GmbH also uses the platform and its AI assistants itself, e.g. for conducting interviews with prospective customers or for processing its own business correspondence. In this case, futureprojects GmbH is itself the controller within the meaning of Art. 4 para. 7 GDPR. The processing is based on Art. 6 para. 1 lit. b GDPR (pre-contractual measures and contract performance) or Art. 6 para. 1 lit. f GDPR (legitimate interest in the efficient processing of inquiries and business transactions).

Storage of AI Results

Data Categories: Certain assistants produce results that are stored permanently. These include in particular: complete conversation histories between user and AI assistant, analyses and summaries created by the assistant, as well as structured data extracted therefrom. Which data is specifically stored depends on the respective assistant and its configuration.

Purposes: The permanent storage serves to make the results of the AI assistants retrievable and usable for the customer, e.g. for follow-up, evaluation or further processing.

Storage Period: The results are stored until they are deleted by the customer or an authorized user, the associated assistant or organization is deleted, or the purpose of storage ceases to exist.

Recipients: The data is stored on our servers. The servers are operated by Scalingo (Scalingo SAS, 13, rue Jacques Peirotes, 67000 Strasbourg, France). The stored results are available to the customer as the controller within the meaning of data protection law. The customer is responsible for compliance with data protection regulations regarding the personal data contained in the results.

Legal Basis: The processing is based on Art. 6 para. 1 lit. b GDPR (contract performance – provision and use of assistant results within the contractual relationship).

Insofar as futureprojects GmbH uses the platform itself (see above), it is itself responsible for the personal data contained in the results. The storage and deletion of this data is governed by the principles set out in this data protection information.

Contact

Data Categories: For contacting us (e.g. if you are interested in our services), the following personal data is required: email, name, first name, content of the message, subject if applicable, username (optional) and time of contact (automatically collected).

Purposes: This data is required to receive and process your inquiry.

Storage Period: Your data will be processed for the duration of contract negotiations or for the duration of a contractual relationship if your inquiry leads to a contract with us. Otherwise, we will delete your data once processing is no longer necessary to handle and respond to your inquiry, or store it in a restricted and separate manner for the duration of legally mandatory retention periods, which may be up to 10 years.

Recipients: Your data is processed on our behalf (email hosting) by Hetzner (Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen). Additional recipients may include: tax authorities, lawyers, tax advisors, auditors, collection agencies, judicial authorities.

Legal Basis: The processing of data is based on Art. 6 para. 1 lit. b GDPR (pre-contractual measures) or Art. 6 para. 1 lit. f GDPR (legitimate interest in providing a means of contact and responding to inquiries).

Logging Platform Activities

Data Categories: The following data is stored: username of the executing or requested user if available, IP address of website visitor, identifier of the executed action, timestamp, user action (e.g. login successful/failed, password reset requested, confirmation of a request failed (email change, password reset, account confirmation), organization created, assistant created/configured).

Purposes: This data is required to ensure security on the platform, such as detecting problems, blocking usernames or IP addresses after too many failed attempts (brute force attack), blocking IP addresses after too many actions (spam protection), as well as for statistics.

Storage Period: This data is anonymized once a day: removal of all IP addresses from entries older than 24 hours (resulting in a maximum age of IP addresses of 48 hours). Removal of all usernames from entries older than 7 days. Further use may occur in the case of asserting or defending legal claims or for the purpose of blocking certain users or IP addresses.

Recipients: Your data is processed on our behalf by futureprojects GmbH, which uses the following service providers for data processing: Scalingo (hosting).

Legal Basis: The processing of the data is based on Art. 6 para. 1 lit. f GDPR (legitimate interest in the security and functionality of the platform) for the fulfillment of the above-mentioned purposes.

Payment Processing

Data Categories: Name, billing address, email address, payment information (e.g. credit card data, IBAN), transaction data (e.g. amount, date, payment status), technical data (e.g. IP address, device information, fraud prevention data).

Purposes: Processing of payments, execution and management of contracts for paid services, fraud prevention and security measures, accounting and tax documentation.

The provision of your data is required for the conclusion and performance of a contract for paid services. Without the required payment data, a payment via Adyen cannot be processed.

Legal Basis: Art. 6 para. 1 lit. b GDPR (processing for contract performance), Art. 6 para. 1 lit. c GDPR (fulfillment of legal obligations, e.g. tax retention requirements), Art. 6 para. 1 lit. f GDPR (legitimate interest in secure and efficient payment processing and fraud prevention).

Storage Period: Payment data will be stored for the duration of the contractual relationship. Thereafter, it will be stored exclusively for the duration of statutory retention periods (regularly 10 years) and then deleted.

Recipients: Adyen N.V., Simon Carmiggeltstraat 6-50, 1011 DJ Amsterdam, Netherlands. Adyen may also share data with affiliated companies. Adyen also uses service providers for data processing. A complete list of service providers used by Adyen can be found at https://www.adyen.com/legal/list-sub-processors. Additional recipients may include: tax authorities, lawyers, tax advisors, auditors, collection agencies, judicial authorities.

A transfer of personal data to countries outside the European Union may take place if Adyen uses service providers or affiliated companies for this purpose. Insofar as data is transferred to third countries, this is done on the basis of appropriate safeguards pursuant to Art. 44 ff. GDPR.

Error Analysis

Data Categories: The following data is collected: browser type/browser version, operating system/version used, device type, IP address, date and time of server request, URL, error message including stack trace.

Purposes: This data is required to detect, analyze and fix errors as well as to ensure the stability and functionality of the platform.

Storage Period: Error data is stored server-side in log files. Automatic deletion does not occur at fixed intervals. The data is deleted once it is no longer needed for error analysis. The data may contain personal data, particularly if it is part of error messages or stack traces.

Recipients: The data is processed exclusively on our own servers. No transfer to external service providers or to third countries takes place. The servers are operated by Scalingo (Scalingo SAS, 13, rue Jacques Peirotes, 67000 Strasbourg, France).

Legal Basis: The processing of the data is based on Art. 6 para. 1 lit. f GDPR (legitimate interest in the stability and functionality of the platform) and § 25 para. 2 TDDDG for the fulfillment of the above-mentioned purposes.

Embedded Videos

Data Categories: Videos from the provider Videolyser (videolyser.de) are embedded on our website. When loading the page, a connection to Videolyser's servers is established. The following data is transmitted: IP address, browser type / browser version, operating system used, referrer URL, date and time of access.

Purposes: The embedding serves to provide a clear presentation of our platform and its features for prospects and users.

Storage Period: The data is processed by Videolyser in accordance with their privacy policy. We do not store any personal data in connection with the video embedding.

Recipients: When loading the video, your data is transmitted to Videolyser (videolyser.de). Videolyser is a German provider; data processing takes place within the EU.

Legal Basis: The processing of the data is based on Art. 6 para. 1 lit. f GDPR (legitimate interest in an appealing presentation of our platform).

Sending Information and Notifications

Data Categories: We process your email address and, if applicable, your name.

Purposes: The processing is carried out to send system-relevant notifications as part of using the platform (e.g. security-related notices, account or organization information). Optional newsletters and informational emails serve to inform about new features or offers.

Storage Period: The data will be deleted when your user account is deleted or when you have unsubscribed from optional newsletters.

Recipients: Your data is processed on our behalf by futureprojects GmbH. Service providers used are Scalingo (hosting), Hetzner (email hosting) and Brevo (email delivery).

Legal Basis: System-relevant notifications are based on Art. 6 para. 1 lit. b GDPR (contract performance). The sending of optional newsletters is based on Art. 6 para. 1 lit. f GDPR (legitimate interest in informing users) or - if required - on the basis of consent. You can object to the sending of optional newsletters at any time.

Your Rights

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller. You can inform us about exercising your rights using the contact details contained in the legal notice.

Right of Access

You can request confirmation from the controller as to whether personal data concerning you is being processed by us.

If such processing is taking place, you can request the following information from the controller:

  1. the purposes for which the personal data are processed;
  2. the categories of personal data being processed;
  3. the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
  4. the planned duration of storage of the personal data concerning you or, if specific information is not possible, criteria for determining the storage period;
  5. the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
  6. the existence of a right to lodge a complaint with a supervisory authority;
  7. all available information about the origin of the data if the personal data are not collected from the data subject;
  8. the existence of automated decision-making including profiling pursuant to Art. 22 para. 1 and 4 GDPR and - at least in these cases - meaningful information about the logic involved as well as the scope and intended effects of such processing for the data subject.

You have the right to request information about whether the personal data concerning you are transferred to a third country or to an international organization. In this context, you can request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

Right to Rectification

You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you are inaccurate or incomplete. The controller must carry out the rectification without delay.

Right to Restriction of Processing

Under the following conditions, you may request the restriction of the processing of personal data concerning you:

  1. if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  3. the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims, or
  4. if you have objected to processing pursuant to Art. 21 para. 1 GDPR and it is not yet clear whether the legitimate grounds of the controller override your grounds.

Where the processing of personal data concerning you has been restricted, such data may, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If processing has been restricted according to the above conditions, you will be informed by the controller before the restriction is lifted.

Right to Erasure

a) Obligation to erase
You may request the controller to erase personal data concerning you without delay and the controller is obliged to erase such data without delay where one of the following grounds applies:

  1. The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  2. You withdraw consent on which the processing is based according to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR, and where there is no other legal ground for the processing.
  3. You object to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 para. 2 GDPR.
  4. The personal data concerning you have been unlawfully processed.
  5. The erasure of the personal data concerning you is necessary for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  6. The personal data concerning you have been collected in relation to the offer of information society services referred to in Art. 8 para. 1 GDPR.

b) Information to third parties
Where the controller has made the personal data concerning you public and is obliged pursuant to Art. 17 para. 1 GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

c) Exceptions
The right to erasure does not apply to the extent that processing is necessary

  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the area of public health in accordance with Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para. 1 GDPR in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
  5. for the establishment, exercise or defense of legal claims.

Right to Notification

If you have asserted the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obliged to communicate this rectification or erasure of the data or restriction of processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort. You have the right vis-à-vis the controller to be informed about these recipients.

Right to Data Portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. In addition, you have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where

  1. the processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and
  2. the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another controller, where technically feasible. Freedoms and rights of other persons must not be adversely affected thereby. The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to Object

You have the right to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you which is based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on those provisions. The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a European data protection supervisory authority. An overview of all German supervisory authorities for data protection can be found here.