Privacy Policy

Status: June 1, 2025

1. Responsible Party

SelectCode GmbH
Oskar-vonMiller-Straße 11
82008 Unterhaching
Germany

Contact:
Email: datenschutz@meingpt.com
Telephone: +49 89 54198646
Website: https://meingpt.com

Management: Florian Baader, Reiner Conrad

Data Protection Officer:
heyData GmbH
Schützenstr. 5
10117 Berlin
Email: datenschutz@heydata.eu

Competent Supervisory Authority:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach

2. Overview of Processing

This privacy policy informs you about the nature, scope and purpose of the processing of personal data when using our B2B AI platform meinGPT.

Important note for corporate customers: As an administrator, you are responsible for ensuring that data is used in accordance with data protection regulations within your organisation, particularly when processing employee data. A data protection impact assessment (DPIA) may be required.

Types of Data Processed

Inventory data (names, company addresses, commercial register data)
Contact details (business email, telephone numbers)
Content data (AI chat entries, uploaded documents, API requests)
Usage data (access times, function usage, API calls)
Meta/communication data (IP addresses, browser information)
Contract data (subject matter of the contract, term, licence model)
Payment data (billing address, payment history via Stripe)
Employee metadata (aggregated usage statistics, never content)
Newsletter/webinar data (registrations, participation lists)

Data Subjects

Administrators and main contact persons of customer companies
End users (employees of our business customers)
API users and developers
Newsletter subscribers
Webinar participants
Website visitors

3. Legal Bases

The processing of personal data is based on the following legal bases:

Art. 6(1)(b) GDPR: Contract performance and pre-contractual enquiries
Art. 6(1)(f) GDPR: Legitimate interests (e.g. IT security, fraud prevention)
Art. 6(1)(a) GDPR: Consent (for optional functions)
Art. 6(1)(c) GDPR: Legal obligations

4. Purposes of Data Processing

4.1 Provision of the meinGPT Platform

Processed data:

Registration data (name, email, company)
Login data
Chat histories and AI interactions
Uploaded files and documents

Purpose:

Provision of AI services
Storage of chat histories
Document processing
Workflow automation

Legal basis: Art. 6(1)(b) GDPR (performance of a contract)

Storage period:

Chat histories: 12 months after last activity
Uploaded documents: 12 months after upload
Automatic deletion after expiry

4.2 User Management and Authentication

Processed data:

Email address
Password (encrypted)
IP address upon login
Session data

Purpose:

Secure authentication
Management of access rights
Multi-factor authentication

Legal basis: Art. 6(1)(b) GDPR

Storage period:

During the contract period
30 days after the end of the contract (waiting period)
After that, complete deletion

4.3 Billing and Payment Processing

Processed data:

Company data and billing address
Contact person for invoices
Payment history
Credit consumption and usage volume
Transaction data via Stripe

Purpose:

Billing for services used
Accounting and tax returns
Credit checks for large customers
Fraud prevention

Legal basis:

Art. 6(1)(b) GDPR (performance of a contract)
Art. 6(1)(c) GDPR (legal obligation)
Art. 6(1)(f) GDPR (legitimate interests for fraud prevention)

Storage period: 10 years in accordance with § 147 AO and § 257 HGB

4.4 Employee Usage Analyses (B2B)

⚠️ ATTENTION Data protection risk: The processing of employee usage data is highly sensitive in terms of data protection law. Administrators must establish their own legal basis (e.g. works agreement) before activating these functions.

Processed data:

Aggregated usage statistics (number of chats, token consumption)
Workflow usage per department
NO chat content or individual evaluations
Anonymised performance indicators

Purpose:

Licence management for corporate customers
Departmental usage overview
ROI analyses for AI use

Legal basis:

Art. 6(1)(b) GDPR (contract fulfilment with companies)
Art. 88 GDPR in conjunction with § 26 BDSG (employee data protection – responsibility of the customer)

Storage period:

Maximum 6 months
Automatic deletion of older data
Only aggregated data, no individual evaluations

Data protection guarantees:

No individual evaluations possible
Minimum group size of 5 persons
Opt-out option for companies
Privacy by default: Function is deactivated by default

5. Recipients and Categories of Recipients

5.1 AI Model Providers

Depending on the selected data protection level, your data will be transferred to the following categories of providers:

Level 1 - EU Only:

Exclusively EU providers (e.g. Mistral AI, Aleph Alpha)
No data transfer outside the EU

Level 2 - EU Hosting:

Providers with servers in the EU
Including EU subsidiaries of US corporations (e.g. Microsoft Azure)

Level 3 - Worldwide with DPF:

Additionally, US providers with Data Privacy Framework certification
OpenAI, Anthropic, Google, Microsoft Azure

Level 4 - Worldwide + PII Filter:

All providers with automatic filtering of personal data

You can find the specific list of providers for your selected level in your data processing agreement (DPA).

5.2 Infrastructure Service Provider

Hetzner Online GmbH (hosting, Germany)

Purpose: Server hosting, databases, storage
Legal basis: Art. 6(1)(b) GDPR
Server location: Germany (Nuremberg, Falkenstein)
ISO 27001 certified

5.3 Other Service Providers

DPO note: Current data processing agreements must be in place for all of the following service providers. DPF certification must be checked for US providers.

Payment Processing

Stripe (USA/Ireland)

Purpose: Payment processing, invoicing
Legal basis: Art. 6(1)(b) GDPR
Third country transfer: ✅ EU branch (Stripe Technology Europe Ltd., Dublin)
Protective measures: EU data processing possible, DPF certified

Support & Helpdesk

ProductLane GmbH (Germany) ✅

Purpose: Customer service, support tickets
Legal basis: Art. 6(1)(b) GDPR
Headquarters: Munich, Germany
EU data processing: Guaranteed

Marketing & Communication

Loops (USA)

Purpose: Newsletter distribution, marketing emails
Legal basis: Art. 6(1)(a) GDPR (consent)
Double opt-in: Implemented
Third country transfer: Standard contractual clauses + additional protective measures

Forms & Surveys

Tally (Belgium) ✅

Purpose: Forms, surveys, registrations
Legal basis: Art. 6(1)(f) GDPR
EU data processing guaranteed

Webinars & Online Events

Microsoft Teams (USA/EU)

Purpose: Webinar delivery
Legal basis: Art. 6(1)(a) GDPR (Consent)
Special feature: EU data centre available, but participant data may be processed in the USA

Integrations

Google Workspace (USA/EU)
Microsoft 365 (USA/EU)

Purpose: Optional integrations that can be activated by customers
Legal basis: Art. 6(1)(b) GDPR
Note: Customers must have their own DPAs with these providers

6. Third Country Transfers

When using AI models outside the EU (Levels 3 and 4), data transfers to third countries are based on the following safeguards:

EU-US Data Privacy Framework (for US providers)
Standard contractual clauses of the European Commission
Your explicit consent at Level 4

Despite protective measures, there is a residual risk with third country transfers, as the legal situation in third countries may differ from EU standards.

7. No Use for AI Training

Important guarantee: Your data will not be used by us or our processors for training AI models. This is contractually agreed with all providers.

8. Your Rights as a Data Subject

You have the following rights:

You can request information about your personal data processed by us.

You can request the rectification of inaccurate data or the completion of incomplete data.

You can request the erasure of your personal data ("right to be forgotten").

You can request the restriction of the processing of your data.

You have the right to receive your data in a structured, machine-readable format.

You may object to the processing of your data.

You may withdraw your consent at any time with effect for the future.

8.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority.

How to exercise your rights:

Self-service portal: https://app.meingpt.com/settings/privacy
Alternatively: Email: datenschutz@heydata.eu
Processing time: maximum 1 month

9. Cookies and Tracking

We only use technically necessary cookies:

Session cookies: To maintain your login

Duration: Until you close your browser
Purpose: Authentication

Preference cookies: For your settings (language, theme)

Duration: 12 months
Purpose: User experience

No tracking cookies: We do not use any analysis or marketing cookies.

10. Storage Periods at a Glance

Administrator-Controlled Retention (B2B)

Full control for your organisation: As a B2B platform, we enable your administrators to set retention periods themselves in accordance with your company policies, compliance requirements and business needs.

Available Retention Options

Data Type	Admin Options	Default (if not configured)	Notes
Business Data
Chat histories & AI interactions	30 days to unlimited	12 months	Admin selectable by category
Uploaded documents	30 days to unlimited	12 months	Separate setting possible
Workflow data	30 days to unlimited	12 months	Dependent on business processes
Technical Data
API logs	7-90 days	30 days	For debugging & billing
Security logs (IP addresses)	7-180 days	90 days	Observe compliance requirements
Not Configurable
Invoice data	10 years (legal)	-	§ 147 AO, § 257 HGB
Contract data	6 years after end	-	limitation periods
Account basic data	Contract term + 30 days	-	recovery period

How Admin Control Works

Global policies: Company-wide default settings
Category-based: Different retention periods for different data types
Department-specific: Optional different policies per department
Compliance dashboard:
- Overview of all retention settings
- Warnings for unusually long retention periods
- Audit log of all changes

Legal Responsibility

Important for administrators: As an organisation, you are responsible for:

Compliance with applicable data protection laws
Setting appropriate retention periods
Informing your employees about retention policies
Regularly reviewing the necessity (especially for "unlimited")

Our shared responsibility model:

Your organisation (controller): Determines the purposes and duration of data processing
meinGPT (processor): Provides secure infrastructure and compliance tools
Legal basis: Art. 28 GDPR – We act exclusively on your instructions

Recommendations by Industry

Industry	Recommended Chat Retention	Justification
Financial services	5–7 years	Regulatory requirements (MiFID II, etc.)
Healthcare	3–10 years	Patient documentation, MDR
Public sector	2-5 years	Archiving obligations
Tech/software	6-18 months	Project cycles, support
Consulting	2-5 years	Project documentation

Additional Features

✅ Legal hold: Exclude data from deletion for legal proceedings
✅ Selective retention: Keep individual important chats/documents for longer
✅ Auto-archiving: Move older data to more cost-effective storage
✅ Deletion notifications: Optional 30 days before automatic deletion
✅ Data export: Complete export of your data at any time

Note: Employees can request the deletion of their personal data at any time, provided that there are no legal retention obligations or legitimate business interests that prevent this.