Last updated: 2026-02-08
The data controller for this website is:
Portalix UG (haftungsbeschränkt)
Thalkirchner Str. 103
81371 Munich, Germany
Email: datenschutz@trustee.eu
Phone: +49 179 2274171
When using our platform, the following data is collected:
Your data is processed based on your explicit consent (Art. 6(1)(a) GDPR) and for contract fulfillment (Art. 6(1)(b) GDPR).
Your data is used exclusively for the following purposes:
Your data will NOT be shared with or sold to third parties.
Your data will be stored as long as your account is active or until you withdraw your consent. After deletion of your account or upon your request, your data will be deleted immediately.
You have the right at any time to:
Contact for data protection inquiries:
Email: datenschutz@trustee.eu
We use the double opt-in procedure. This means:
This protects against misuse and ensures that only you can sign up yourself.
Our website is hosted in Germany/EU. All data is transmitted encrypted (SSL/TLS). We take technical and organizational measures to protect your data.
This website does not use tracking cookies. We only use technically necessary session cookies that are automatically deleted at the end of your visit.
Rate Limiting: To protect against abuse, we use rate limiting that temporarily stores hashed IP addresses in memory. These are not permanently stored and are used solely for protection against automated attacks (Art. 6(1)(f) GDPR - legitimate interest).
We use the following third-party providers to deliver our services:
To protect our forms from automated attacks (bots, spam), we use Cloudflare Turnstile, a service provided by Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA.
When using our registration forms, the following data is transmitted to Cloudflare:
Cloudflare is certified under the EU-US Data Privacy Framework. Data processing is based on our legitimate interest in protection against abuse (Art. 6(1)(f) GDPR).
Cloudflare's privacy policy: https://www.cloudflare.com/privacypolicy/
For sending emails (confirmations, login links) we use Mailgun Technologies, Inc., 112 E Pecan St #1135, San Antonio, TX 78205, USA.
We exclusively use Mailgun's EU infrastructure (data centers in the EU), so your data does not leave the EU.
Transmitted data:
Data processing is based on Art. 6(1)(b) GDPR (contract fulfillment) and Art. 6(1)(a) GDPR (consent).
Mailgun's privacy policy: https://www.mailgun.com/legal/privacy-policy/
For payment processing we use Stripe, Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA.
When you subscribe to a paid plan, the following data is transmitted to Stripe:
Stripe is certified under the EU-US Data Privacy Framework. Data processing is based on Art. 6(1)(b) GDPR (contract fulfillment).
Stripe's privacy policy: https://stripe.com/privacy
Our platform is hosted on servers provided by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany.
All data is stored exclusively in data centers in Germany. No data leaves the EU.
Hetzner's privacy policy: https://www.hetzner.com/legal/privacy-policy
If you use our AI-powered features (RoPA generation, DSAR response drafts, compliance analysis, etc.), the following services may be used:
OpenRouter (AI Processing): We use OpenRouter, Inc. as an API gateway for AI model access. When you use AI features, anonymized and PII-stripped data (organization metadata, compliance metrics) is transmitted for processing. No personal data of data subjects is sent to the AI.
PrivacyMask (PII Protection): Before any data is sent to an AI model, it is processed by our PrivacyMask service (operated by Portalix UG on EU infrastructure). PrivacyMask detects and replaces personal data (names, emails, addresses, IBANs, etc.) with anonymous tokens. After AI processing, the tokens are restored. This ensures that no personal data reaches external AI models.
AI features are optional and only activated when you explicitly use them. Data processing is based on Art. 6(1)(a) GDPR (consent through active use).
We use the following sub-processors to deliver our services:
| Sub-Processor | Purpose | Location | DPF Certified |
|---|---|---|---|
| Hetzner Online GmbH | Hosting & Infrastructure | Germany (EU) | n/a (EU) |
| Mailgun Technologies, Inc. | Email Delivery | EU Infrastructure | Yes |
| Stripe, Inc. | Payment Processing | USA (DPF) | Yes |
| Cloudflare, Inc. | Bot Protection (Turnstile) | USA (DPF) | Yes |
| OpenRouter, Inc. | AI Processing (optional) | USA | — |
| Portalix UG (PrivacyMask) | PII Masking for AI | Germany (EU) | n/a (EU) |
We have concluded data processing agreements (Art. 28 GDPR) with all sub-processors where required. For US-based providers, data transfers are based on the EU-US Data Privacy Framework or Standard Contractual Clauses (Art. 46 GDPR).
You can exercise the following rights directly in your account at any time:
For all other requests, please contact: datenschutz@trustee.eu
You have the right to lodge a complaint with a data protection supervisory authority about our processing of personal data.
Competent authority in Germany:
Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Graurheindorfer Str. 153, 53117 Bonn, Germany
Phone: +49 (0)228-997799-0
Email: poststelle@bfdi.bund.de
We reserve the right to adapt this privacy policy to comply with changed legal requirements or changes to our service. The current version can always be found on this page.