Privacy Policy
Draft
This policy is adapted from the Possehl Digital Services privacy template and the documented Wissenstifter architecture. Review and confirm the product-specific processing details with legal before publishing.
1. Controller
The data controller pursuant to the GDPR is:
Possehl Digital Services GmbH
Wilhelm-Schickard-Straße 9
76131 Karlsruhe, Germany
Managing Directors: Dr. Thomas Rieger, Stephan Brauckmann
Phone: +49 721 619 00 590
www.possehl-digital.services
Data Protection Officer: Info@BullProtect.de
2. Purposes and Legal Bases of Processing
| Purpose | Description | Legal Basis |
|---|---|---|
| Technical delivery | Use of the website and application without storing personal data beyond what is technically required. | GDPR Art. 6(1)(f) |
| Diagnostics & misuse prevention | Storage of IP address & user agent for 30 days for security and debugging. | GDPR Art. 6(1)(f) |
| Account & authentication | Sign-in and tenant resolution via our identity provider to give you access to your organization's workspace. | GDPR Art. 6(1)(b) |
| Use of the service | Forwarding of interview text, uploaded files and audio to our AI processors to generate transcripts, summaries and knowledge documents. | GDPR Art. 6(1)(b) |
| IP-based rate limiting | Temporary processing of IP addresses to prevent excessive or abusive requests and ensure availability. | GDPR Art. 6(1)(f) |
3. Technologies Used
We use a strictly necessary session cookie for authentication and browser LocalStorage for preferences. We do not use tracking or advertising cookies.
| Key | Purpose | Transmitted | Legal Basis |
|---|---|---|---|
| session | Keeps you signed in to your tenant workspace | yes | GDPR Art. 6(1)(b) |
| theme preference | Stores your light/dark mode preference | no | GDPR Art. 6(1)(f) |
| tenant | Remembers your last tenant so you can sign in faster | no | GDPR Art. 6(1)(f) |
4. Recipients & Processors
- Hosting (Microsoft Azure, EU regions): Infrastructure is hosted within EU regions (Germany, Sweden and France).
- Azure OpenAI Service (Microsoft, EU regions): Processes interview input and uploaded files under a data processing agreement in accordance with Art. 28 GDPR. All data is transmitted securely using encryption. Input data is not used to train foundation models.
- Google Vertex AI (EU regions): Used for selected AI processing under a data processing agreement in accordance with Art. 28 GDPR; input data is not used to train foundation models.
- Technical partner (with administrative access): Access is restricted to maintenance and support, contractually regulated under Art. 28 GDPR.
5. Retention Period
- IP address & user agent: Stored for 30 days for diagnostics and abuse prevention.
- IP address (for rate limiting): Temporarily processed and automatically deleted after a few minutes.
- Interview content and knowledge documents: Retained within your organization's workspace for as long as your organization maintains its account, and deleted in accordance with your contract or upon request.
- LocalStorage data: Remains in your browser until manually deleted.
6. No Disclosure & No Profiling
- No personal data is shared with third parties beyond the named processors.
- No profiling or automated decision-making as defined in Art. 22 GDPR is performed.
7. Your Rights
| Right | Description |
|---|---|
| Access | Information about your processed personal data |
| Rectification | Correction of inaccurate data |
| Erasure | Deletion of your data under certain conditions |
| Restriction | Restriction of processing |
| Data portability | Transfer of your data in a structured format |
| Objection | To processing based on legitimate interests |
| Withdrawal of consent | At any time, with effect for the future |
| Complaint | To a supervisory authority, e.g., in Baden-Württemberg (Germany) |
8. Supervisory Authority
State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Königstraße 10a
70173 Stuttgart, Germany
Phone: +49 (0)711 615541-0
www.baden-wuerttemberg.datenschutz.de
9. Technical and Organizational Measures (TOMs)
- TLS encryption for all connections (HTTPS)
- Server-side access protection (firewalls, network segmentation)
- IP-based rate limiting to safeguard availability
- Role-based access control for administrators
- Logging of access to infrastructure
- Data processing agreements with all service providers
- Regular system updates and security patches
- Tenant isolation so each organization's knowledge stays separate
10. AI Processing
Interview input, uploaded files and audio are processed by our AI providers (Azure OpenAI and Google Vertex AI) solely to deliver the service: generating transcripts, summaries and knowledge documents. Processing occurs exclusively within the EU. Your content is not used to train foundation models and remains within your organization's workspace.
11. Contact
For questions about this policy or to exercise your rights, contact support@wissenstifter.ai.
12. Changes to this Policy
This privacy policy may be amended, for example due to changes in legal requirements or technical processes. The latest version is always available on this page. Last updated: June 2026.