Privacy Policy

for apertus.ai (Website and Platform)


§ 1 General Information and Controller

(1) General Information

This Privacy Policy applies to the website apertus.ai and the platform app.apertus.ai (hereinafter collectively referred to as the “Services”).

We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this Privacy Policy.

The use of our Services is generally possible without providing personal data. To the extent that personal data (such as name, address, or email addresses) is collected, this is always done on a voluntary basis. This data will not be disclosed to third parties without your express consent.

(2) Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Flynnt UG (haftungsbeschränkt)
Product: apertus.ai
Museumstraße 31
22765 Hamburg
Germany

Contact:
Email: privacy@apertus.ai
Web: https://apertus.ai

Managing Directors:
Lars Stelzer, Phil Stelzer

(3) Data Protection Officer

Due to our company size (fewer than 20 employees involved in data processing), we are not required to appoint a Data Protection Officer.

Contact for Data Protection Matters:
Lars Stelzer
Email: privacy@apertus.ai


§ 2 Data Collection on the Website (apertus.ai)

(1) Hosting and Content Delivery

Website Hosting:
Our website is hosted on Amazon Web Services (AWS) servers and delivered via the CloudFront Content Delivery Network (CDN).

Provider:
Amazon Web Services EMEA SARL
38 Avenue John F. Kennedy
L-1855 Luxembourg

Type of Processing:

  • Delivery of static content (HTML, CSS, JavaScript, images)
  • No storage of IP addresses in CloudFront logs
  • No creation of user profiles

Legal Basis:
Article 6(1)(f) GDPR (legitimate interest in the technical provision of the website)

Place of Processing:
European Union (primarily Frankfurt/Germany)

(2) Web Analytics (PostHog EU Cloud)

We use PostHog for website usage analysis to improve our offering. PostHog is exclusively operated in the EU cloud version.

Provider:
PostHog Inc.
EU Cloud Server: Frankfurt, Germany

Type of Processing:

  • Collection of anonymized usage statistics (page views, clicks, navigation)
  • No collection of personal data
  • No storage of IP addresses
  • No cookies set
  • No cross-site tracking

Legal Basis:
Article 6(1)(f) GDPR (legitimate interest in optimizing our website)

Retention Period:
Anonymized statistics are stored for a maximum of 90 days.

Right to Object:
You can block PostHog by installing a browser add-on or through your browser’s Do-Not-Track settings.

Further Information:
PostHog Privacy Policy: https://posthog.com/privacy

(3) Contact Form

When you contact us via our contact form, the data you enter will be used to process your inquiry.

Data Collected:

  • Name
  • Email address
  • Company (optional)
  • Message

Storage:
The contact form does not store data on our servers. The message is sent directly via email through AWS SES (Simple Email Service) to our support address.

Processing by AWS SES:
Amazon Web Services EMEA SARL (see above)

Legal Basis:
Article 6(1)(b) GDPR (pre-contractual measures) or Article 6(1)(f) GDPR (legitimate interest in responding to your inquiry)

Retention Period:
Your inquiry is stored in our email inbox until the inquiry is fully processed, but for a maximum of 12 months, unless statutory retention obligations apply.

(4) Meeting Booking (Microsoft 365 Booking)

For scheduling demo appointments and consultations, we use Microsoft 365 Booking.

Provider:
Microsoft Ireland Operations Limited
One Microsoft Place
South County Business Park
Leopardstown, Dublin 18
Ireland

Data Collected:

  • Name
  • Email address
  • Phone number (optional)
  • Desired appointment time

Legal Basis:
Article 6(1)(b) GDPR (performance of pre-contractual measures)

Data Processing Agreement:
A Data Processing Agreement (DPA) pursuant to Article 28 GDPR has been concluded with Microsoft as part of the Microsoft 365 Business license.

Place of Processing:
European Union (Microsoft data centers in Europe)

Retention Period:
Booking data is deleted 12 months after the scheduled appointment.

Further Information:
Microsoft Privacy Statement: https://privacy.microsoft.com/en-us/privacystatement


§ 3 Data Collection on the Platform (app.apertus.ai)

(1) Registration and User Account

Registration is required to use the apertus.ai Platform. The following data is collected:

Mandatory Information:

  • Email address
  • Password (stored encrypted)

Optional:

  • Company name
  • Contact person name
  • Phone number
  • Additional contact details

Legal Basis:
Article 6(1)(b) GDPR (contract performance)

Storage Location:
All customer data is stored exclusively on servers of Hetzner Online GmbH in Germany (data centers in Falkenstein and Nuremberg).

Retention Period:

  • As long as your account is active
  • After cancellation: 30 days (for possible download of your data)
  • Subsequently: Complete deletion of all data
  • Exception: Invoice data (10 years pursuant to German Commercial Code/Tax Code)

(2) Platform Usage

When using our Platform, we process the following data:

Usage Data:

  • Your inputs (prompts, queries to AI models)
  • Generated results (outputs)
  • Uploaded documents and content
  • Knowledge Hives / databases

Technical Data:

  • Session tokens (for authentication)
  • Usage timestamps
  • Error messages (for troubleshooting)

Important - No AI Model Training:
We never use your data for training AI models. Your inputs and results remain exclusively in your account and are not shared with other users or used to improve base models.

Legal Basis:
Article 6(1)(b) GDPR (contract performance)

Storage Location:
Germany (Hetzner Online GmbH)

(3) Email Communication (AWS SES)

For sending system emails (registration confirmation, password reset, security notices), we use AWS SES (Simple Email Service).

Provider:
Amazon Web Services EMEA SARL (see above)

Type of Processing:

  • Sending transactional emails
  • No storage of email content by AWS SES
  • Exclusively sending function

Legal Basis:
Article 6(1)(b) GDPR (contract performance) and Article 6(1)(f) GDPR (legitimate interest in communication with our users)

Place of Processing:
European Union (AWS Region Frankfurt)

(4) Payment Processing (Stripe)

For payment processing, we use the payment service provider Stripe.

Provider:
Stripe Payments Europe Ltd.
1 Grand Canal Street Lower
Grand Canal Dock
Dublin 2
Ireland

Type of Processing:

  • Processing of payment information (credit card, SEPA direct debit)
  • Payment data is stored exclusively with Stripe
  • We only receive an anonymized transaction confirmation

Data Collected:

  • Name
  • Email address
  • Billing address
  • Payment information (transmitted directly to Stripe)

Legal Basis:
Article 6(1)(b) GDPR (contract performance)

Data Processing Agreement:
A Data Processing Agreement (DPA) pursuant to Article 28 GDPR has been concluded with Stripe.

Place of Processing:
European Union (primarily Ireland)

Retention Period:
Invoice data is stored for 10 years (statutory retention obligation pursuant to § 147 German Tax Code, § 257 German Commercial Code).

Further Information:
Stripe Privacy Policy: https://stripe.com/privacy

(5) Server Logs

With each access to our Platform, the following technical data is recorded in server logs:

Data Collected:

  • Access timestamp
  • Requested URL
  • HTTP status code
  • User agent (browser/operating system)
  • Referrer URL
  • No IP addresses (disabled)

Purpose:
Troubleshooting, security monitoring, performance optimization

Legal Basis:
Article 6(1)(f) GDPR (legitimate interest in the security and stability of our services)

Retention Period:
Maximum 30 days, then automatic deletion


§ 4 No Cookies and No Tracking

(1) No Cookies

Our website and Platform do not use cookies for tracking or marketing purposes.

Technically Necessary Session Management:
Authentication in the Platform is done via session tokens stored in your browser’s Local Storage. These serve exclusively to keep you logged in during your session.

(2) No Marketing Tracking

We do not use marketing tracking tools such as:

  • Google Analytics
  • Facebook Pixel
  • LinkedIn Insight Tag
  • Google Ads Conversion Tracking

Our only analytics software is PostHog EU Cloud (see § 2(2)), which exclusively creates anonymized, aggregated statistics.


We process personal data based on the following legal bases:

Article 6(1)(b) GDPR (Contract Performance)

  • Registration and management of your account
  • Provision of Platform functions
  • Payment processing
  • Email communication

Article 6(1)(f) GDPR (Legitimate Interests)

  • Technical provision and security of services
  • Anonymized web analytics (PostHog)
  • Server logs for troubleshooting
  • Responding to inquiries

Article 6(1)(c) GDPR (Legal Obligation)

  • Retention of invoice data (10 years pursuant to German Commercial Code/Tax Code)

§ 6 Retention Periods

We store personal data only as long as necessary for the respective purposes:

After expiration of retention periods, data will be irrevocably deleted.


§ 7 Your Rights as a Data Subject

You have the following rights with respect to personal data concerning you:

(1) Right to Access (Article 15 GDPR)

You have the right to request information about your personal data processed by us.

(2) Right to Rectification (Article 16 GDPR)

You have the right to request the immediate rectification of inaccurate personal data, or the completion of incomplete personal data, stored by us.

(3) Right to Erasure (Article 17 GDPR)

You have the right to request the erasure of your personal data stored by us, unless statutory retention obligations or other legal obligations preclude deletion.

(4) Right to Restriction of Processing (Article 18 GDPR)

You have the right to request restriction of the processing of your personal data.

(5) Right to Data Portability (Article 20 GDPR)

You have the right to receive personal data concerning you in a structured, commonly used, and machine-readable format.

Export Function:
You can request a complete export of your data in structured format (JSON) at any time via privacy@apertus.ai. We will provide you with the export within 30 days.

(6) Right to Object (Article 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you.

(7) Right to Withdraw Consent (Article 7(3) GDPR)

If the processing of your data is based on consent, you have the right to withdraw this consent at any time.

(8) Exercise of Your Rights

To exercise your rights, please contact:

Email: privacy@apertus.ai
Mail: Flynnt UG (haftungsbeschränkt), Museumstraße 31, 22765 Hamburg, Germany


§ 8 Processors and Third-Party Providers

We engage the following service providers as processors:

(1) Hosting and Infrastructure

Hetzner Online GmbH (Primary Platform Hosting)
Industriestraße 25
91710 Gunzenhausen
Germany

Service: Provision of server infrastructure and hosting
Place of Processing: Germany (Falkenstein, Nuremberg)
DPA: Available pursuant to Article 28 GDPR
Certifications: ISO 27001, TÜV-certified data centers

OVH GmbH (Inference Infrastructure for AI Processing)
Hohenzollernring 72
50672 Cologne
Germany

Service: Computing power for AI model processing
Place of Processing: Germany (Frankfurt, Limburg), France (Roubaix, Gravelines)
DPA: Available pursuant to Article 28 GDPR
Certifications: ISO 27001, ISO 27017, ISO 27018

Amazon Web Services EMEA SARL (Website Hosting, CDN, Email Delivery)
38 Avenue John F. Kennedy
L-1855 Luxembourg

Service:

  • Marketing website hosting (AWS)
  • Content delivery (CloudFront)
  • Email delivery (SES)

Place of Processing: European Union (primarily Frankfurt/Germany)
DPA: AWS Customer Agreement contains data protection provisions pursuant to Article 28 GDPR
Certifications: ISO 27001, ISO 27017, ISO 27018, SOC 2

(2) Payment Service Provider

Stripe Payments Europe Ltd.
1 Grand Canal Street Lower
Grand Canal Dock
Dublin 2
Ireland

Service: Payment processing
Place of Processing: European Union (primarily Ireland)
DPA: Available pursuant to Article 28 GDPR
Certifications: PCI DSS Level 1

(3) Productivity and Communication Services

Microsoft Ireland Operations Limited (M365 Booking)
One Microsoft Place
South County Business Park
Leopardstown, Dublin 18
Ireland

Service: Meeting booking system
Place of Processing: European Union
DPA: Microsoft 365 Business license contains DPA pursuant to Article 28 GDPR
Certifications: ISO 27001, ISO 27018, SOC 2

PostHog Inc. (Web Analytics)
EU Cloud: Frankfurt, Germany

Service: Anonymized web analytics
Place of Processing: European Union (Frankfurt)
Special Note: No personal data is processed
Certifications: GDPR-compliant

(4) No Third Country Transfer

All our processors process data exclusively within the European Union or EEA. No transfer of personal data to third countries (outside EU/EEA) occurs.


§ 9 Data Security

(1) Technical and Organizational Measures

We implement technical and organizational measures to protect your data against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons:

Encryption:

  • TLS 1.3 for all data transmissions
  • AES-256 for data storage
  • Encrypted backups

Access Control:

  • Multi-factor authentication (MFA) for admin accounts
  • Role-based access control (RBAC)
  • Need-to-know principle for employee access

Availability:

  • Daily automated backups
  • 30-day backup retention
  • Redundant system architecture

(2) Incident Response

In the event of security incidents (e.g., data breach, unauthorized access), we will notify affected users without undue delay, and no later than 24 hours after becoming aware of the incident.


§ 10 Updates and Changes to the Privacy Policy

This Privacy Policy is currently valid, as of January 2, 2026.

Due to the development of our services or due to changed legal or regulatory requirements, it may become necessary to modify this Privacy Policy.

The current Privacy Policy can be accessed at any time on our website at https://apertus.ai/privacy.

Registered users will be informed by email of material changes.


§ 11 Complaint to Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority regarding our processing of your personal data.

Competent Supervisory Authority for Hamburg:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI)
Ludwig-Erhard-Straße 22
20459 Hamburg
Germany

Contact:
Phone: +49 40 428 54-4040
Email: mailbox@datenschutz.hamburg.de
Web: https://datenschutz-hamburg.de


§ 12 Contact

For questions about data protection or to exercise your rights, you can reach us at:

Data Protection Contact:
Email: privacy@apertus.ai

Postal Address:
Flynnt UG (haftungsbeschränkt)
Product: apertus.ai
Museumstraße 31
22765 Hamburg
Germany

Contact Person:
Lars Stelzer (Managing Director)


End of Privacy Policy

Flynnt UG (haftungsbeschränkt)
Effective Date: January 2, 2026
