Privacy Policy

⚠️ Draft — subject to legal review and revision.

1. Controller

New Life Digital UG (haftungsbeschränkt)
Managing Director: Simon Maiwald
Julius-Hatry-Straße 1, MAFINEX Technologiezentrum
68163 Mannheim
Germany
Email: hello@newlifedigital.de

2. Data Collected and Purposes of Processing

Server Logs

When you access our website, the hosting provider automatically records technical access data (IP address, browser type and version, URL accessed, date and time of access, referrer URL). This data is used exclusively to ensure operational security and for error diagnosis.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the controller: operation and security of the website).
Retention period: 7 days, then automatically deleted.

Contact Form

If you contact us via the contact form or by email, we process your name, email address and the content of your message solely to handle your enquiry.

Legal basis: Art. 6(1)(b) GDPR (initiation or performance of a contract), or subsidiarily Art. 6(1)(f) GDPR.
Retention period: Until the enquiry has been fully processed, for a maximum of 6 months; statutory retention obligations remain unaffected.

Pageview Tracking (own system)

To analyse website usage, we collect anonymised page views via our own Supabase Edge Function. No cookies are set and no personal IDs are generated. The data only includes the time, page accessed and broadly anonymised region of origin; attribution to individual persons is not possible.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest: improvement of the service).
Retention period: 90 days, after which aggregated evaluation without raw data.
Disclosure to third parties: none.

Registration and User Account

Upon registration at get-ai-conform.com, we collect the company name, name and email address of the administrator, as well as the data of registered employees (first and last name, department if applicable). This data is processed for the purpose of providing the contractual service (training, certificate issuance, audit report).

Legal basis: Art. 6(1)(b) GDPR.
Retention period: For the duration of the contract; after contract termination, a 30-day retention period applies, after which the data is deleted (unless statutory retention obligations require otherwise).

3. Services Used and Data Processors

We engage the following service providers with whom we have concluded Data Processing Agreements (DPAs) pursuant to Art. 28 GDPR:

Supabase (Hosting, Database, Serverless Functions)

Provider: Supabase Inc., 1123 Broadway Suite 401, New York, NY 10010, USA.
Purpose: Platform operations, database hosting, server-side functions (tracking, email dispatch).
Location: EU region Frankfurt (eu-west-1) — data remains within the EU.
Legal basis for third-country transfer: EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) for administrative data (e.g. support tickets).
Privacy policy: supabase.com/privacy

Stripe (Payment Processing)

Provider: Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland (and Stripe Inc., USA for certain services).
Purpose: Processing of payments (Training credits and savings plans).
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Third-country transfer: For US processing: EU Standard Contractual Clauses and adequacy decision (EU-US Data Privacy Framework).
Privacy policy: stripe.com/en/privacy

Resend (Email Dispatch)

Provider: Resend Inc., 303 Twin Dolphin Drive, Suite 600, Redwood City, CA 94065, USA.
Purpose: Sending transactional emails (access codes, training invitations, certificates).
Legal basis: Art. 6(1)(b) GDPR.
Third-country transfer: EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).
Privacy policy: resend.com/legal/privacy-policy

Vercel (Website Hosting and Delivery)

Provider: Vercel Inc., 340 Pine Street, Suite 701, San Francisco, CA 94104, USA.
Purpose: Static hosting and CDN delivery of this website. During delivery, Vercel processes server log data (including IP address, browser type, accessed URL, date and time of access).
Location: USA (global CDN edge network).
Third-country transfer: EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) as appropriate safeguards for transfers to the USA.
Privacy policy: vercel.com/legal/privacy-policy

4. Legal Bases of Processing

We base data processing on the following legal grounds under the GDPR:

  • Art. 6(1)(a) GDPR — Consent of the data subject
  • Art. 6(1)(b) GDPR — Performance of a contract or pre-contractual measures
  • Art. 6(1)(c) GDPR — Compliance with a legal obligation
  • Art. 6(1)(f) GDPR — Protection of the legitimate interests of the controller

5. Retention Periods

Personal data is deleted or blocked as soon as the purpose for which it was stored no longer applies. Further storage only takes place if required by statutory retention obligations (e.g. tax retention obligations of up to 10 years).

6. Your Rights as a Data Subject

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7(3) GDPR) — without affecting the lawfulness of processing carried out prior to withdrawal

To exercise your rights, please contact: hello@newlifedigital.de

7. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority regarding our processing of your personal data. The competent supervisory authority for us is:

Der Landesbeauftragte für Datenschutz und Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart, Germany
www.lfdi.bwl.de

As of: July 2026