Privacy Policy Agents

202-12-12

Introduction

With the following privacy policy, we inform you how we process your personal data in accordance with the European General Data Protection Regulation (GDPR). This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our web app.

1. Controller

The independent controller within the meaning of the GDPR for the processing of personal data in connection with the CyberComply service is:

Michael Wetz Cyber Services
Fahrgasse 84
60311 Frankfurt
Germany

Email: contact@cybercomply.ai

If you have any questions about this privacy policy or about data protection in general, you can contact us at any time using the contact details above.

2. Definitions

This privacy policy is based on the terms of the GDPR. For clarity, we explain some key terms here:

  • Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, e.g. by name, identification number, location data, online identifier or one or more factors specific to the identity of that natural person.

  • Data subject means any identified or identifiable natural person whose personal data is processed by the controller.

  • Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment, restriction, erasure or destruction.

  • Recipient means a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not.

  • Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

3. Data Processing When Visiting Our Website / Web App

3.1 Server Log Files (Technical Data)

If you use our website or web app for purely informational purposes, without otherwise transmitting data to us (e.g. by registering or logging in), we collect technically necessary data in server log files; this data is transmitted automatically by your browser to our servers or to the servers of our hosting providers. This includes in particular:

  • Date and time of access

  • IP address

  • Hostname of the accessing device

  • Visited pages or endpoints (URLs)

  • Referrer URL (previously visited page, if transmitted)

  • Amount of data transferred

  • Information about browser type and version

  • Operating system and device information

  • Access status (e.g. successful request, error codes)

The temporary storage of this data is necessary to technically display the website to you and to ensure the security and stability of our systems (e.g. to detect misuse or attacks).

Legal basis:
Art. 6 para. 1 sentence 1 lit. f GDPR (legitimate interest in providing a secure, stable and technically functioning website).

Storage period:
The data is deleted or anonymized as soon as it is no longer required to achieve the purpose for which it was collected. Log files are usually deleted or anonymized after a short period, unless further storage is necessary for evidence purposes (e.g. in the event of security incidents).

3.2 Hosting and Technical Infrastructure

To operate our website and web app, we use professional hosting and infrastructure providers (e.g. for frontend hosting, application servers and databases). Where possible, we select data center regions within the European Economic Area (EEA).

These providers act as processors on our behalf. Appropriate data processing agreements (Art. 28 GDPR) are concluded with them.

Legal basis:
Art. 6 para. 1 sentence 1 lit. f GDPR (legitimate interest in using professional, secure and scalable infrastructure to provide our services).

4. Registration and User Account

To use CyberComply (e.g. the Policy Agent and policy generation packages), you need to create a user account.

4.1 Data Processed During Registration

During registration with email and password, we process the following personal data:

  • Email address

  • Password (stored only as a cryptographic hash, not in plain text)

  • User ID (internal identifier)

We do not request further personal data such as your name by default.

The purpose of processing is to create and manage your user account, authenticate you and provide the CyberComply service.

Legal basis:
Art. 6 para. 1 sentence 1 lit. b GDPR (performance of a contract or steps prior to entering into a contract).

Storage period:
We delete your personal data as soon as it is no longer required for the purposes for which it was collected and no legal retention obligations apply. In relation to your account, this is generally the case when you delete your account via the account settings or request deletion, unless statutory retention periods (e.g. for invoices) prevent immediate deletion.

5. Log-in via Google (Single Sign-On)

We offer the option to log in to CyberComply using your Google account (Google Single Sign-On).

If you choose to log in via Google, we receive from Google the data necessary for authentication, typically:

  • Email address

  • Basic profile information (e.g. name) if you allow this in your Google account settings

  • A unique Google user identifier

We use this information to verify your identity and to link your Google account to your CyberComply user account. We do not store your Google password and do not gain access to your Google account beyond the information provided during the login process.

Legal basis:
Art. 6 para. 1 sentence 1 lit. a GDPR (your consent via the Google login flow), and alternatively Art. 6 para. 1 sentence 1 lit. b GDPR (performance of a contract, as login is necessary to use the service).

Note on Google’s data processing:
Data protection in connection with Google Single Sign-On is additionally subject to Google’s own privacy policies. We have no influence on how Google processes your data independent of our service. Please consult Google’s privacy policy for further details.

6. Use of CyberComply (Policy Agent and Policy Generation)

CyberComply allows you to use a Policy Agent and to purchase packages for generating security and compliance policies (e.g. security and compliance policies and internal guidelines).

6.1 Data You Enter into CyberComply

When you use the service, we process the data you actively provide, for example:

  • Information about your organization (e.g. company name, departments)

  • Information about processes, systems and controls relevant for security & compliance

  • Text inputs and configurations used for creating policies

  • Policy drafts and final policies generated via the service

Depending on what you enter, this content may contain personal data, especially if you mention names, roles or other information about individuals. Please ensure that you only enter personal data that is necessary for the generation of your policies.

We process this data to:

  • Provide and operate the CyberComply service and Policy Agent

  • Generate security and compliance policies according to your inputs and settings

  • Store policy drafts and results in your account

  • Provide support and troubleshooting where necessary

Legal basis:
Art. 6 para. 1 sentence 1 lit. b GDPR (performance of the contract for the use of CyberComply).

6.2 Technical Usage Data

In addition to the content you enter, we process technical usage data when you use the web app, for example:

  • Anonymized or truncated IP address

  • Browser type and version

  • Operating system and device type

  • Date and time of access

  • Used functions (e.g. calls to the Policy Agent, purchasing a package)

This data is used to operate and secure our service, prevent misuse and ensure availability and performance.

Legal basis:
Art. 6 para. 1 sentence 1 lit. f GDPR (legitimate interest in secure and reliable operation of the service).

6.3 Use of Workflow Automation and External AI Services (Without Personal Data)

For certain internal processes, we use a workflow automation service and connect it to external AI services (e.g. for generating policy content and improving outputs). We design these workflows in such a way that:

  • No user email addresses or login credentials are processed in the workflow.

  • We restrict the content sent to external AI services to non-personal information (e.g. generic policy content, technical descriptions that do not relate to identified or identifiable individuals), as far as this is technically and contractually feasible.

  • We configure external AI services so that the data provided via our service is not used by those providers to train or improve their models for their own purposes.

Where, in exceptional situations, personal data could be contained in the content you submit (e.g. because you enter names or other identifiers into free text fields), this processing is based on the same legal basis as the use of CyberComply itself.

Legal basis:
Art. 6 para. 1 sentence 1 lit. b GDPR (performance of the contract) and Art. 28 GDPR (use of processors), in combination with our legitimate interest (Art. 6 para. 1 sentence 1 lit. f GDPR) in providing a high-quality and efficient service.

6.4 No Use of Data for Model Training

Data that you submit via CyberComply is not used by us to train our own machine learning models in a way that would identify you as an individual, and is not provided to external AI providers for their own training purposes beyond the processing necessary to fulfill your specific request.

External AI providers used in this context are contractually obligated or technologically configured so that data transmitted via our workflows is not used to train their models for their own independent purposes, to the extent that this lies within our sphere of influence and configuration options.

7. Payment Processing

To process payments for CyberComply (e.g. for policy generation packages), we use an external payment service provider.

When you make a purchase, the following categories of personal data are typically processed:

  • Billing information (e.g. email address and – where required – billing address and tax-relevant data)

  • Payment information (e.g. card type, masked card number, expiry date – we do not store full card details ourselves)

  • Transaction data (e.g. amount, currency, date and time, transaction ID, status)

The payment service provider processes your payment data under its own responsibility in accordance with its own terms and privacy policies. We receive only the information necessary to associate the payment with your account and to comply with tax and accounting obligations (e.g. invoice data).

Legal basis:

  • Art. 6 para. 1 sentence 1 lit. b GDPR (performance of a contract – processing your payment), and

  • Art. 6 para. 1 sentence 1 lit. c GDPR (compliance with legal obligations, e.g. commercial and tax law retention of invoices).

7.1 International Data Transfers by the Payment Service Provider

Depending on the provider and configuration, the payment service provider may process data in countries outside the EEA (in particular the USA). In such cases, appropriate safeguards are implemented in accordance with Chapter V GDPR (e.g. adequacy decisions such as the EU–U.S. Data Privacy Framework or Standard Contractual Clauses).

You can find details in the respective privacy policy of the payment service provider.

8. Email Communication (Transactional Emails)

We use an email service provider to send transactional emails, such as:

  • Registration / login emails

  • Email verification links

  • Password reset emails

  • Important service and security notifications (e.g. changes to login, critical updates)

For this purpose, we process in particular:

  • Your email address

  • Technical metadata related to email delivery (e.g. time of sending, delivery status, bounce information)

We do not use the email service provider to send marketing newsletters at this time.

Legal basis:
Art. 6 para. 1 sentence 1 lit. b GDPR (performance of a contract – communication necessary to use the service).

8.1 International Data Transfers by the Email Service Provider

Depending on the provider and configuration, the email service provider may process data in countries outside the EEA (in particular the USA). In such cases, appropriate safeguards are implemented in accordance with Chapter V GDPR (e.g. adequacy decisions such as the EU–U.S. Data Privacy Framework or Standard Contractual Clauses).

You can find details in the respective privacy policy of the email service provider.

9. Workflow Automation Service

We use a workflow automation service to automate internal processes related to CyberComply, for example:

  • Triggering transactional emails

  • Processing internal events in our system

  • Synchronizing data between internal services

In this context, the workflow automation service may process the following types of data as a processor:

  • Internal user identifiers (e.g. user ID)

  • Technical event data (e.g. “user registered”, “package purchased”)

  • Non-personal content used for policy generation workflows (e.g. anonymized or generic text blocks)

We design workflows in such a way that user email addresses are not processed in the automation workflows used for AI integration, and personal data is avoided as far as technically possible and compatible with the service.

Legal basis:
Art. 6 para. 1 sentence 1 lit. f GDPR (legitimate interest in efficient internal automation and error reduction) and Art. 28 GDPR (processor relationship).

10. Use of Cookies

10.1 General Information

We use cookies only to the extent that they are technically necessary for the operation of our web app (e.g. for maintaining login sessions). Cookies are small text files that are stored on your device by your browser.

We do not use:

  • Analytics cookies (e.g. web analytics tools)

  • Marketing or tracking cookies

  • Third-party tracking tools for advertising purposes

Accordingly, we do not display a cookie banner, as we only use cookies that are strictly necessary for providing our service.

10.2 Necessary Cookies

We use technically necessary cookies, for example:

  • Session cookies: to keep you logged in during a session

  • Security-related cookies: to protect against misuse and unauthorized access

These cookies are required to provide our contractual services (e.g. login, secure access to the dashboard).

Legal basis:

  • Art. 6 para. 1 sentence 1 lit. b GDPR (performance of a contract for users of the web app), and

  • Art. 6 para. 1 sentence 1 lit. f GDPR (legitimate interest in the technical and secure operation of the website).

Storage period:
Session cookies are deleted when you log out or close your browser. Some necessary cookies may remain stored for a limited period in order to save your preferences or security settings, but not longer than necessary.

11. Recipients and Categories of Recipients

In the course of our data processing, personal data may be transmitted to or accessed by the following categories of recipients:

  • Hosting and infrastructure providers (e.g. for servers and databases)

  • Payment service providers

  • Email service providers

  • Workflow automation services

  • External AI service providers (for policy generation, as far as configured without personal data)

  • IT service providers (maintenance, support, security)

  • Tax advisors and accountants (for fulfilling accounting and tax obligations)

  • Public authorities and courts, if required by law or necessary for legal claims

In such cases, we observe the legal requirements and conclude appropriate contracts (particularly data processing agreements under Art. 28 GDPR) with service providers who process personal data on our behalf.

12. International Data Transfers

In some cases, personal data may be transferred to recipients in countries outside the European Economic Area (EEA), in particular to third countries such as the USA. This may apply, for example, to:

  • Payment processing

  • Email delivery

  • Certain infrastructure, automation or AI services

For such transfers, we ensure an appropriate level of data protection in accordance with Chapter V GDPR, in particular through:

  • Transfers to companies in third countries for which an adequacy decision exists (e.g. under the EU–U.S. Data Privacy Framework), and/or

  • The conclusion of Standard Contractual Clauses (SCCs) issued by the European Commission, supplemented where necessary by additional technical and organizational measures.

You can obtain further information and copies of the relevant safeguards from us using the contact details provided above.

13. Storage Period and Deletion of Data

We process and store personal data only for as long as necessary to achieve the purposes described in this privacy policy, or:

  • for as long as we are obligated to do so by statutory retention periods (e.g. commercial or tax law retention requirements for invoices), or

  • as long as we have a legitimate interest in further storage and your interests do not override this.

If the respective purpose no longer applies or a retention period expires, the personal data will be deleted or anonymized in accordance with the statutory provisions.

In particular:

  • User account data: stored for the duration of the contract; deleted or anonymized after account deletion, unless legal retention periods apply.

  • Payment data / invoices: stored for the legally required retention periods under commercial and tax law.

  • Log files and technical data: stored only as long as necessary for security and troubleshooting, then deleted or anonymized.

14. Your Rights as a Data Subject

As a data subject, you have the following rights under the GDPR (Articles 15–21 GDPR). To exercise any of these rights, you can contact us at any time using the contact details above.

14.1 Right to Object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6 para. 1 sentence 1 lit. e or lit. f GDPR, including profiling based on those provisions.

Where personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, including profiling related to such direct marketing.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is necessary for the establishment, exercise or defense of legal claims.

14.2 Right of Access

You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and certain additional information in accordance with Art. 15 GDPR.

14.3 Right to Rectification

You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you and the completion of incomplete personal data (Art. 16 GDPR).

14.4 Right to Erasure (“Right to be Forgotten”)

You have the right to obtain the erasure of personal data concerning you without undue delay where one of the grounds listed in Art. 17 GDPR applies and where processing is not necessary, for example, to comply with legal obligations or for the establishment, exercise or defense of legal claims.

14.5 Right to Restriction of Processing

You have the right to obtain restriction of processing where one of the conditions of Art. 18 GDPR is met, e.g. if you contest the accuracy of the personal data or have objected to processing.

14.6 Right to Data Portability

You have the right to receive the personal data concerning you which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit that data to another controller where the conditions of Art. 20 GDPR are met.

14.7 Right to Withdraw Consent

Where processing is based on your consent (Art. 6 para. 1 sentence 1 lit. a GDPR), you have the right to withdraw your consent at any time with effect for the future. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

14.8 Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

15. Changes and Updates to this Privacy Policy

We will update this privacy policy if changes in our data processing activities or legal requirements make this necessary. We will inform you if the changes require an action on your part (e.g. renewed consent) or individual notification.

The current version of this privacy policy is always available within the CyberComply web app and on our website.