Storsko

Privacy Policy

Storsko — Last updated: April 2026

1. Controller and Data Protection Officer

Controller pursuant to Art. 4 No. 7 GDPR:

Storsko

Alstertor 14

20095 Hamburg

Germany

Email: info@storsko.com

Phone: +49 (0) 40 1234 5678

Managing Director: Milan Kiele

Data Protection Officer (DPO):

Our Data Protection Officer can be reached at:

Email: dsb@storsko.com

Postal address: Storsko, Data Protection Officer, Alstertor 14, 20095 Hamburg

2. Collection and Processing of Personal Data

2.1 Personal data means any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR). This includes both direct identifiers (such as name, email address) and indirect identifiers (such as account ID, IP address, cookie identifiers).

2.2 We collect personal data in the following ways:

  • Directly from you: When registering, filling out forms, communicating with us, subscribing, or using the Services.
  • Automatically: Through your use of our Services, technical data such as IP address, access times, device information, browser type, and usage data are automatically captured.
  • From third parties: From AI third-party providers (e.g., OpenAI, Anthropic), integration partners (e.g., Jira, Slack, Microsoft 365), or payment service providers (e.g., Stripe).
  • From public sources: To the extent permitted by law, we may also process data from publicly available sources.

2.3 We only process personal data that is necessary for the stated purposes (data minimization, Art. 5(1)(c) GDPR).

3. Purposes and Legal Bases for Processing

3.1 We process your personal data for the following purposes and on the basis of the stated legal grounds:

a) Contract performance and services (Art. 6(1)(b) GDPR)

  • Provision and operation of the Storsko platform
  • Account management and authentication
  • Processing of payments and invoicing
  • Provision of customer support
  • Communication in the context of contract performance
  • Provision of AI agents and intelligence services

b) Legitimate interests (Art. 6(1)(f) GDPR)

  • Improvement and development of our Services
  • Operational security and abuse prevention
  • Advertising for our own similar products (right to object under Art. 21 GDPR)
  • Conducting statistics and analyses
  • Enforcement of legal claims

c) Consent (Art. 6(1)(a) GDPR)

  • Newsletter marketing and product updates
  • Personalized content and recommendations
  • Tracking and analytics cookies (with your consent)
  • Certain AI features requiring special consent

d) Legal obligations (Art. 6(1)(c) GDPR)

  • Tax and accounting retention obligations
  • Anti-money laundering (GWG)
  • Disclosure and cooperation obligations towards authorities
  • IT security and data protection impact assessment

3.2 Where we process special categories of personal data (Art. 9 GDPR), this is done on the basis of Art. 9(2)(a), (b), (c), (d), (f), and (g) GDPR, to the extent required for the provision of our services.

4. Categories of Processed Data

a) Account and identification data

  • First and last name
  • Email address
  • Password hash (never in plaintext)
  • Phone number (optional)
  • Company name and business affiliation
  • Position/job title
  • Profile picture (optional)

b) Billing and payment data

  • Billing address
  • Payment type and information (processed by Stripe, PCI-DSS compliant)
  • Bank details (SEPA direct debit)
  • VAT ID and company identification
  • Payment history and outstanding invoices

c) Workspace and usage data

  • Workspace name, slug, and configuration
  • Memberships and roles (Owner, Admin, Member)
  • AI agent configurations and workflows
  • Decision logs and audit trails
  • API usage data and limits
  • Integration settings

d) Technical access data

  • IP address
  • User agent and browser information
  • Device information (operating system, device type)
  • Access times and session duration
  • Login history and security events
  • Cookies and session tokens

e) Communication data

  • Email correspondence with support
  • Chat and message history
  • Feedback and survey responses
  • Newsletter interaction data (openings, clicks)

f) AI processing data (particularly sensitive)

  • Inputs to AI agents (prompts, files, instructions)
  • Outputs and results from AI agents
  • Context and conversation data
  • Any personal data contained in prompts

Note: This data is stored only as long as necessary for providing the respective AI service (see Section 8).

5. Cookies and Tracking Technologies

5.1 We use cookies and similar tracking technologies to provide our Services, improve user experience, and conduct marketing activities.

5.2 Cookie categories:

Necessary cookies (essential)

These cookies are essential for the basic functions of the website and Services. They enable authentication, session management, and security features, for example. Rejecting these cookies may result in the Services not functioning.

Legal basis: Art. 6(1)(b) and (f) GDPR

Functional cookies

These cookies store preferences such as language settings, theme selection, and timezone. They enable improved and personalized features.

Legal basis: Art. 6(1)(a) GDPR (consent)

Analytics and performance cookies

These cookies help us understand how visitors interact with our Services by collecting and reporting information anonymously. They help us improve our Services.

Legal basis: Art. 6(1)(a) GDPR (consent)

Marketing cookies

These cookies are used to personalize advertising messages and measure the effectiveness of marketing campaigns. They track browsing activities across websites.

Legal basis: Art. 6(1)(a) GDPR (consent)

5.3 You can change your cookie settings at any time in your browser or via our cookie consent banner. Please note that disabling cookies may limit the functionality of our Services.

5.4 Detailed information about the cookies used can be found in our Cookie Directory.

6. Disclosure of Data to Third Parties

6.1 We only disclose your personal data to third parties in the following cases:

a) Processors (Art. 28 GDPR)

We work with carefully selected processors who process personal data on our behalf and under our instructions:

  • Cloud infrastructure: Hetzner Online (hosting), Vercel Inc. (edge network)
  • Payment processing: Stripe Technology Europe Ltd. (payment services)
  • Email delivery: Amazon Web Services (SES), Postmark
  • AI services: OpenAI, Anthropic, Google (in the context of service provision)
  • Analytics: Vercel Analytics, Plausible Analytics
  • Support: Intercom, Zendesk
  • CRM and accounting: Internal CRM, accounting system

Data processing agreements (DPAs) pursuant to Art. 28 GDPR have been concluded with all processors, ensuring the protection of your data.

b) Independent controllers

  • Authorities and institutions: As required by law (e.g., tax authorities, courts, law enforcement)
  • Lawyers and debt collection: For the enforcement or defense of legal claims
  • Auditors: In the context of annual audits (if applicable)

c) Workspace members

Within a workspace, certain personal data (name, email, role) will be visible to all workspace members. This is required for team collaboration.

6.2 We do not sell your personal data to third parties and do not disclose it to third parties for advertising purposes.

6.3 A complete list of all sub-processors pursuant to Art. 28(2) GDPR can be requested by sending an email to privacy@storsko.com.

7. International Data Transfers

7.1 If personal data is transferred to countries outside the EU/EEA (third-country transfer), this occurs only under the conditions provided for in Chapter V GDPR.

7.2 The following third-country transfers take place:

  • USA (OpenAI, Anthropic, Google, Vercel, Stripe): Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, supplemented by technical and organizational measures.
  • USA (other US companies): Where no adequacy decision exists, on the basis of Standard Contractual Clauses.

7.3 For transfers to the USA, we rely on the EU Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) in its current version. We additionally implement technical protective measures (encryption, pseudonymization) and ensure that recipients provide adequate data protection guarantees.

7.4 A copy of the applicable Standard Contractual Clauses can be requested from us at: privacy@storsko.com

8. Retention Periods and Data Deletion

8.1 We store personal data only as long as necessary to achieve the processing purposes or as required by legal retention obligations.

8.2 Specific retention periods:

  • Account and profile data: For the duration of the contractual relationship and thereafter until deletion is complete (max. 90 days after contract end, unless legal retention obligations apply).
  • Payment data and invoices: 10 years pursuant to § 147 AO, § 257 HGB.
  • Communication data: 3 years after end of communication (statute of limitations).
  • Audit logs: 5 years for compliance and documentation purposes.
  • AI inputs and outputs: 30 days by default; faster deletion can be activated upon request.
  • Marketing data: Until consent is withdrawn or objection is made.
  • Session cookies: For the duration of the session (max. 24 hours).
  • Persistent cookies: Maximum 12 months or until consent is withdrawn.

8.3 After the retention periods expire, data is routinely and lawfully deleted or blocked. Data that remains necessary for other purposes (e.g., due to legal hold) remains stored in blocked form.

8.4 Further information on account deletion can be found in our Terms of Service, Section 12.

9. Your Rights (Data Subject Rights)

9.1 As a data subject, you have the following rights:

a) Right of access (Art. 15 GDPR)

You have the right to obtain confirmation from us as to whether personal data concerning you is being processed. If this is the case, you have the right to access this data and additional information (processing purposes, categories, recipients, retention period, etc.).

b) Right to rectification (Art. 16 GDPR)

You have the right to obtain the rectification of inaccurate or incomplete personal data concerning you without undue delay.

c) Right to erasure (Art. 17 GDPR)

You have the right to request the erasure of your personal data, provided no legal retention obligations or other legal grounds oppose deletion. Please note the restrictions in Section 8 and the Terms of Service Section 12.

d) Restriction of processing (Art. 18 GDPR)

You have the right to request the restriction of processing where the conditions of Art. 18(1) GDPR are met.

e) Right to data portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit this data to another controller. Further information can be found in the Terms of Service Section 13.

f) Right to object (Art. 21 GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to the processing of your data. We will then no longer process your data unless we can demonstrate compelling legitimate grounds that override your interests.

In particular, for processing for marketing purposes, you have an unrestricted right to object at any time (Art. 21(3) GDPR).

g) Withdrawal of consent (Art. 7(3) GDPR)

You may withdraw your consent at any time with effect for the future. The lawfulness of processing carried out before the withdrawal remains unaffected.

9.2 To exercise your rights, please send an email to privacy@storsko.com or a letter to our postal address. We will respond to your request within 30 days.

9.3 In case of reasonable doubts about your identity, we may request a copy of your identification document.

10. Automated Decision-Making and Profiling

10.1 We do not use automated decision-making that produces legal effects or similarly significantly affects you (Art. 22(1) GDPR).

10.2 Profiling (Art. 4 No. 4 GDPR) is used in the following areas:

  • Fraud and abuse detection: Automatic analysis of usage patterns to detect suspicious activities. This serves the security of our platform and the protection of all users.
  • Payment risk assessment: Assessment of payment default risk when selecting payment methods (especially SEPA direct debit).
  • Personalization: Adaptation of content and recommendations based on your preferences and use of the Services.

10.3 In all cases of profiling, you have the right to human intervention, to express your point of view, and to contest the decision (Art. 22(3) GDPR). Please contact privacy@storsko.com.

11. Children and Adolescents

11.1 The Storsko platform is exclusively aimed at persons who have reached the age of 18 and have full legal capacity.

11.2 We do not knowingly collect personal data from persons under 18. If we become aware that data from minors has been inadvertently collected, we will delete it without undue delay.

11.3 If you are a parent or guardian and become aware that your child has provided us with personal data without your consent, please contact us immediately at privacy@storsko.com.

12. Data Security

12.1 We implement appropriate technical and organizational measures (TOMs) pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk for personal data.

12.2 The implemented security measures include, but are not limited to:

  • Encryption: TLS 1.3 for all data transmissions; at-rest encryption for stored data (AES-256).
  • Access control: Role-based access control (RBAC), principle of least privilege, regular access reviews.
  • Network security: Firewall, DDoS protection, network segmentation, VPN for administrative access.
  • IT security measures: Regular penetration tests, vulnerability scans, security updates and patch management.
  • Backup strategy: Regular encrypted backups with tested restoration procedures.
  • Employee awareness: Regular data protection and security training for all employees.
  • Incident Response: Documented procedure for responding to data protection breaches (Art. 33, 34 GDPR).

12.3 Despite all security measures, no 100% guarantee can be given for the absolute security of data transmissions over the internet. We cannot fully guarantee the security of data you transmit to us electronically.

13. Data Protection for AI Services

13.1 The Storsko platform uses AI language models from third-party providers (particularly OpenAI, Anthropic, Google). The processing of your data by these providers occurs under their responsibility as independent controllers.

13.2 When using AI services, the following data is processed:

  • Your inputs (prompts, instructions, context information)
  • Outputs generated by the AI models
  • Metadata for billing and quality assurance

13.3 We have entered into contractual agreements with AI providers to ensure that:

  • Your data is not used for training purposes (except with explicit consent)
  • Adequate security measures are implemented
  • Applicable data protection laws are complied with

13.4 Important: You should not include personal data or confidential information in AI inputs that you are not willing to share with the respective AI provider. While we endeavor to protect this data, the ultimate responsibility for the content you send to AI systems lies with you.

13.5 Further information on data processing by AI providers can be found in their respective privacy policies:

13.6 You have the option to configure in your account settings that your AI inputs and outputs are not used for improving AI models. This setting can be changed at any time.

14. Third-Party Integrations

14.1 The Storsko platform enables integration with third-party services (e.g., Jira, Slack, Microsoft 365, n8n). When using these integrations, the data protection provisions of the respective providers also apply.

14.2 The following integrations are subject to separate terms:

  • OAuth authorization: When connecting with OAuth-enabled services, you will be asked to grant Storsko access to certain data. The data we access is limited to the minimum required for the integration.
  • API keys: API keys you provide for third-party providers are stored encrypted and used only for the specified integration.
  • Webhook data: When using webhooks, data is transmitted to the endpoints you specify. Please ensure that your endpoints are secure.

14.3 We assume no responsibility for the data protection practices of integrated third-party providers. We recommend that you read the privacy policies of the respective services.

15. Privacy Notices for Specific Processing Activities

a) Newsletter and marketing emails

We send newsletters and marketing emails only with your consent (Art. 6(1)(a) GDPR). You can withdraw this consent at any time. The withdrawal can be done by clicking the unsubscribe link in any email or by contacting us.

Data collected during newsletter delivery (openings, clicks) is stored for a maximum of 3 years after your last interaction.

b) Customer support

For support requests, we process the information you provide to handle your request. Support communication is stored for 3 years after the case is resolved.

c) Payment processing

Payments are processed via Stripe Technology Europe Ltd. Storsko only receives encrypted payment references. Complete payment data remains with Stripe. More information: Stripe Privacy Policy

d) Decision logging (Audit Trail)

The Storsko platform logs AI-powered decisions and actions as part of the Decision Log. These logs contain timestamps, triggering events, agent identification, and results. Storage is for 5 years according to Section 8.2 to fulfill compliance requirements.

16. Changes to this Privacy Policy

16.1 We reserve the right to update this Privacy Policy from time to time. Significant changes will be communicated to you by email at least 30 days before they take effect.

16.2 The current version is available at /privacy.

16.3 If changes may materially affect the processing of your data, we will additionally inform you of the most important changes and give you the opportunity to object or close your account.

17. Contact and Complaints

17.1 For questions about data protection or to exercise your data subject rights, please contact:

Email: privacy@storsko.com

Data Protection Officer: dsb@storsko.com

Postal address: Storsko, Privacy Team, Alstertor 14, 20095 Hamburg

17.2 You have the right to lodge a complaint with a data protection supervisory authority regarding our processing of your personal data. The supervisory authority responsible for us is:

The Hamburg Commissioner for Data Protection and Freedom of Information

Klosterwall 6 (Block C)

20095 Hamburg

Phone: +49 (0) 40 42854 4040

Email: mailbox@datenschutz.hamburg.de

Website: www.datenschutz.hamburg.de

17.3 You may also contact the supervisory authority of your country of residence or any supervisory authority in the EU.


© 2024–2026 Storsko. All rights reserved.

This Privacy Policy was prepared with the utmost care. It serves informational purposes and does not constitute legal advice.