1 · Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Helmut Balzersen
Große Howe 7
33607 Bielefeld, Germany
E-Mail: [email protected]
2 · Principles of Data Processing
We process personal data only where permitted by law or covered by consent. The legal bases are in particular:
- Art. 6(1)(b) GDPR – Performance of a contract (providing the tool after purchase)
- Art. 6(1)(f) GDPR – Legitimate interests (operation & security of the platform)
- Art. 6(1)(c) GDPR – Legal obligations (tax, accounting)
3 · Hosting & Server Logs
When you visit the site, the web server automatically stores the following data in server log files:
| Data category | Purpose | Retention |
|---|---|---|
| IP address (truncated) | Security, troubleshooting | 7 days |
| Date & time of access | Error analysis | 7 days |
| URL accessed | Error analysis | 7 days |
| Browser type & OS | Compatibility | 7 days |
| HTTP status code | Error analysis | 7 days |
Important: Users' API keys are never stored in any server log. They are used solely to forward requests to Anthropic and are not persisted afterwards.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating and securing the platform).
4 · School Data in the Database
Purchasers of the AI Assistant can store the following data in a school profile, which is saved on our server in a MySQL database:
| Field | Example | Purpose |
|---|---|---|
| School name | "Surf & Kite School" | Personalising AI replies |
| Prices | "Beginner: €60/day" | AI replies to booking enquiries |
| Info | "Meeting point: South Beach" | AI replies about location etc. |
| Licence code | "KS-7X9M2" | Linking data to the user |
| Last updated | Timestamp | Technical administration |
Data is deleted on request at any time – an e-mail is sufficient. Legal basis: Art. 6(1)(b) GDPR.
5 · API Key & AI Processing
To use the AI features, users enter their own Anthropic API key. This key is:
- stored exclusively in the user's browser (localStorage)
- transmitted temporarily to our server with each AI request
- forwarded from our server to the Anthropic API
- not stored in our database
- not recorded in server logs
6 · Payment Processing (Digistore24)
Purchases are processed via Digistore24 GmbH (St.-Martin-Str. 78, 81541 Munich, Germany). Digistore24 acts as the contracting party and is independently responsible for payment processing. We only receive the e-mail address needed to deliver the product (licence code). Payment data is processed exclusively by Digistore24.
Digistore24 privacy policy: digistore24.com/en/privacy
7 · Anthropic as Data Processor
To generate AI replies, text inputs (customer enquiries, school profile data) are transmitted to the API of Anthropic, PBC (548 Market Street, Suite 98777, San Francisco, CA 94104, USA).
Anthropic processes this data as a data processor under a Data Processing Agreement (DPA). As Anthropic is based in the USA, data is transferred to a third country. The basis for this is the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
Further information: anthropic.com/privacy
8 · localStorage in the Browser
The tool stores the following data locally in the user's browser via localStorage:
| Key | Content | Purpose |
|---|---|---|
| kiCode | Licence code (e.g. KS-7X9M2) | Automatic login on next visit |
| kiApiKey | User's Anthropic API key | No need to re-enter the key |
localStorage data never leaves the user's browser and is not transmitted to us. It can be deleted at any time via browser settings. localStorage is not a cookie and therefore does not require a cookie consent banner.
9 · Cookies & Tracking
We do not use tracking cookies and do not use any analytics or advertising services (no Google Analytics, no Facebook Pixel or similar). No cookie banner is required.
10 · Your Rights
Under the GDPR you have the following rights:
| Right | Legal basis | What this means |
|---|---|---|
| Access | Art. 15 GDPR | You can find out at any time what data we hold about you. |
| Rectification | Art. 16 GDPR | Incorrect data will be corrected on request. |
| Erasure | Art. 17 GDPR | You can request deletion of your data – we delete your school profile immediately on request. |
| Restriction | Art. 18 GDPR | Processing can be restricted under certain circumstances. |
| Objection | Art. 21 GDPR | You can object to processing based on legitimate interests. |
| Portability | Art. 20 GDPR | Your data can be provided in a machine-readable format. |
| Complaint | Art. 77 GDPR | You can lodge a complaint with a supervisory authority. |
To exercise your rights, contact us at: [email protected]
Competent supervisory authority (Germany): Federal Commissioner for Data Protection and Freedom of Information (BfDI)
12 · Google Analytics
This website uses Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").
Google Analytics uses cookies and similar technologies to analyse how the website is used. The information generated about your use of this website is generally transmitted to a Google server in the USA and stored there.
What is collected: Pages visited, time spent, approximate location (country/region), device and browser used, traffic source. No personal data such as name or e-mail address is collected.
IP anonymisation: We use Google Analytics with IP anonymisation (IP masking) enabled. Your IP address is truncated before being transmitted to Google.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in analysing and improving our service).
Third-country transfer: As Google is based in the USA, data is transferred to a third country on the basis of the EU Standard Contractual Clauses (SCCs).
Opt-out: You can prevent data collection by Google Analytics by installing the browser add-on: tools.google.com/dlpage/gaoptout
Google privacy policy: policies.google.com/privacy
11 · Changes to this Policy
We reserve the right to update this privacy policy when legal requirements change or new processing activities are added.