Table of Contents
1 · Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Helmut Balzersen
Große Howe 7
33607 Bielefeld, Germany
E-Mail: [email protected]
2 · Principles of Data Processing
We process personal data only where permitted by law or covered by consent. The legal bases are in particular:
- Art. 6(1)(b) GDPR – Performance of a contract (providing the tool after purchase)
- Art. 6(1)(f) GDPR – Legitimate interests (operation & security of the platform)
- Art. 6(1)(c) GDPR – Legal obligations (tax, accounting)
3 · Hosting & Server Logs
When you visit the site the web server automatically stores the following data in server log files:
| Data category | Purpose | Retention |
|---|---|---|
| IP address (truncated) | Security, troubleshooting | 7 days |
| Date & time of access | Error analysis | 7 days |
| URL accessed | Error analysis | 7 days |
| Browser type & OS | Compatibility | 7 days |
| HTTP status code | Error analysis | 7 days |
Important: Users' API keys are never stored in any server log. They are used solely to forward requests to Anthropic and are not persisted afterwards.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating and securing the platform).
4 · School Data in the Database
Purchasers of the AI Assistant can store the following data in a school profile, which is saved on our server in a MySQL database:
| Field | Example | Purpose |
|---|---|---|
| School name | "Surf & Kite School" | Personalising AI replies |
| Prices | "Beginner: €60/day" | AI replies to booking enquiries |
| Info | "Meeting point: South Beach" | AI replies about location etc. |
| Licence code | "KS-7X9M2" | Linking data to the user |
| Last updated | Timestamp | Technical administration |
Data is deleted on request at any time – an e-mail is sufficient. Legal basis: Art. 6(1)(b) GDPR.
5 · API Key & AI Processing
To use the AI features, users enter their own Anthropic API key. This key is:
- stored exclusively in the user's browser (localStorage)
- transmitted temporarily to our server with each AI request
- forwarded from our server to the Anthropic API
- not stored in our database
- not recorded in server logs
6 · Payment Processing (Digistore24)
Purchases are processed via Digistore24 GmbH (St.-Martin-Str. 78, 81541 Munich, Germany). Digistore24 acts as the contracting party and is independently responsible for payment processing. We only receive the e-mail address needed to deliver the product (licence code). Payment data is processed exclusively by Digistore24.
Digistore24 privacy policy: digistore24.com/en/privacy
7 · Anthropic as Data Processor
To generate AI replies, text inputs (customer enquiries, school profile data) are transmitted to the API of Anthropic, PBC (548 Market Street, Suite 98777, San Francisco, CA 94104, USA).
Anthropic processes this data as a data processor under a Data Processing Agreement (DPA). As Anthropic is based in the USA, data is transferred to a third country. The basis for this is the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
Further information: anthropic.com/privacy
8 · localStorage in the Browser
The tool stores the following data locally in the user's browser via localStorage:
| Key | Content | Purpose |
|---|---|---|
| kiCode | Licence code (e.g. KS-7X9M2) | Automatic login on next visit |
| kiApiKey | User's Anthropic API key | No need to re-enter the key |
localStorage data never leaves the user's browser and is not transmitted to us. It can be deleted at any time via browser settings. localStorage is not a cookie and therefore does not require a cookie consent banner.
9 · Cookies & Tracking
We do not use tracking cookies. For anonymous usage statistics we use Matomo Analytics – self-hosted on our own server, with no transfer of personal data to third parties. No cookie banner is required.
Matomo Analytics is operated on our own server (matomo.derkiassistent.de). Only anonymised access data is collected (pages visited, approximate country of origin, device type). IP addresses are anonymised before storage. There is no cross-session tracking and no personal data is transmitted to third parties. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in anonymous usage analysis). More info: matomo.org/privacy
10 · Your Rights
Under the GDPR you have the following rights:
| Right | Legal basis | What this means |
|---|---|---|
| Access | Art. 15 GDPR | You can find out at any time what data we hold about you. |
| Rectification | Art. 16 GDPR | Incorrect data will be corrected on request. |
| Erasure | Art. 17 GDPR | You can request deletion of your data – we delete your school profile immediately on request. |
| Restriction | Art. 18 GDPR | Processing can be restricted under certain circumstances. |
| Objection | Art. 21 GDPR | You can object to processing based on legitimate interests. |
| Portability | Art. 20 GDPR | Your data can be provided in a machine-readable format. |
| Complaint | Art. 77 GDPR | You can lodge a complaint with a supervisory authority. |
To exercise your rights contact us at: [email protected]
Competent supervisory authority (Germany): Federal Commissioner for Data Protection and Freedom of Information (BfDI)
11 · Changes to this Policy
We reserve the right to update this privacy policy when legal requirements change or new processing activities are added.