KomplAI
EU AI Act Risk check Features Methodology Pricing Log in Try for free ENDE

General Terms and Conditions (GTC)

DRAFT — This is a legal draft and not legal advice. Have it reviewed by qualified advisors before go-live. This document makes no claim to legal completeness, bindingness or review.

As of: 6 July 2026.

1. Provider and scope

1.1 The provider of the KomplAI service (available via komplai.de / komplai.eu; application app.komplai.de) is:

Tippel — Lukas Friedrich (sole proprietorship)
Kampweg 4, 34369 Hofgeismar, Germany
Email: info@tippel.ai · Phone: +49 178 5879849 · Web: www.tippel.ai

1.2 These GTC apply to all contracts on the use of KomplAI between the provider and the customer.

1.3 The service is directed exclusively at entrepreneurs within the meaning of § 14 German Civil Code (BGB) as well as legal persons under public law and special funds under public law. There is no consumer right of withdrawal, as no contracts are concluded with consumers.

1.4 Only these GTC apply. Conflicting, deviating or supplementary general terms of the customer do not become part of the contract unless the provider has expressly consented to their application in text form. This also applies where the provider renders the service without reservation while aware of conflicting customer terms.

1.5 Order of precedence in the event of conflicts: individual agreements in text form take precedence, followed by any data processing agreement (DPA) for the matters governed therein, then these GTC, then the service description.

2. Subject matter and description of services

2.1 KomplAI is a Software-as-a-Service (SaaS) application for AI-assisted compliance analysis relating to selected regulatory frameworks (in particular the EU AI Act, DORA, GDPR) and document generators (including transparency documentation, FRIA under Art. 27 AI Act, DPIA under Art. 35 GDPR).

2.2 The customer may upload documents (PDF/TXT/MD) and source code/ZIP repositories. These are processed for analysis; results are provided and assigned to the account.

2.3 The results are model-based professional support results and do not constitute legal advice, a conformity assessment, or any official or governmental assessment. The analysis is performed using machine-learning methods (large language models); results may be incomplete, inaccurate or erroneous.

2.4 The provider gives no guarantee of success, completeness or correctness and in particular does not warrant that any assessed system, document or project meets regulatory requirements. The results replace neither review by qualified advisors (such as lawyers or data protection experts) nor official or conformity-assessment procedures.

2.5 The customer reviews all results on their own responsibility before any use and decides on their own responsibility about using them.

3. Registration and account

3.1 Use requires an account. Upon registration, name, email address and a password are collected. The password is stored solely as a bcrypt hash.

3.2 Login is handled via a database-backed session token and a technically necessary session cookie (“komplai_session”). CSRF tokens are used to protect against cross-site request forgery. After several failed attempts, login is temporarily blocked. No analytics, marketing or tracking cookies are used.

3.3 The customer shall keep their access credentials confidential, protect them from third-party access, and notify the provider without undue delay of any indication of misuse. The customer shall ensure that the data provided upon registration are accurate and up to date.

4. Right to use the software

4.1 For the term of the contract, the provider grants the customer a simple, non-exclusive, non-transferable and non-sublicensable right to use KomplAI over the internet within the contractually agreed scope.

4.2 There is no claim to delivery of source or object code. The customer may not, beyond contractual use, reproduce, modify, reverse-engineer or make the software available to third parties unless mandatory law permits.

5. Rights in inputs and results

5.1 The customer retains all rights in the content and data they upload (inputs). The provider acquires no rights therein beyond this contract.

5.2 The customer grants the provider the simple right, required for and limited to performance of the contract, to store and process the inputs and to transmit them for analysis to the processors/sub-processors used (Section 11). The provider does not use inputs for its own purposes, in particular not for training AI models.

5.3 Analysis results are provided to the customer for their own use within their business. To the extent the provider holds rights in generated results, it grants the customer the right of use required for contractual use.

6. Credits, prices, payment and subscription

6.1 Analyses are billed via credits: 1 analysis = 1 credit; an optional verification pass consumes +1 credit. Upon registration, 1 free credit is granted.

6.2 Purchased credits never expire. Credits provided under a subscription apply to the respective billing month.

6.3 All prices are net plus statutory VAT. The prices displayed at the time of ordering apply.

6.4 Payment processing is handled by Stripe Payments Europe, Ltd. (Dublin, Ireland). Full payment data are processed exclusively by Stripe. The payment provider’s terms additionally apply to payment processing.

6.5 Fees are due upon ordering or on the respective billing date. In the event of default, statutory provisions apply; the provider may charge default interest under § 288 BGB and suspend access until due amounts are settled.

6.6 There is no refund of fees already paid or credits already consumed where the service was duly rendered. If an analysis fails, the credit used is automatically refunded.

6.7 Subscriptions can be cancelled monthly. Without cancellation, the subscription renews automatically for a further billing month each time. Cancellation is possible in text form or via the function provided in the application.

7. Customer obligations and permitted use

7.1 The customer uploads only content they are entitled to have processed, stored and transmitted to the processors/sub-processors used (Section 11).

7.2 The customer uploads no unlawful, infringing content or content that violates statutory prohibitions.

7.3 The customer may include personal data in uploaded content only where a sound legal basis exists and the data subjects have been informed where required. The customer bears data protection responsibility for the content they upload (see Section 10).

7.4 The customer is responsible for the content of their uploads and for the use of their account and protects their credentials (Section 3.3). Abusive use or use endangering technical availability (e.g. automated bulk requests beyond the intended scope) is prohibited.

8. Data protection and data processing

8.1 The provider’s privacy policy applies in addition. The provider processes personal data in accordance with the GDPR and the German Federal Data Protection Act (BDSG).

8.2 Role differentiation:

  • For account and usage data (e.g. registration, billing and usage data), the provider is the controller within the meaning of Art. 4(7) GDPR.
  • For the content of the analysis — i.e. the documents uploaded by the customer, insofar as they contain personal data — the provider is the customer’s processor under Art. 28 GDPR; in this respect the customer is the controller.

8.3 For the processing under Section 8.2, the parties conclude a data processing agreement (DPA) under Art. 28 GDPR. The DPA forms part of the contract; it governs in particular the subject matter, duration, nature and purpose of processing, the categories of data subjects, and the technical and organisational measures. The sub-processors used are set out in Section 11.

8.4 The supervisory authority responsible for the provider is the Hessian Commissioner for Data Protection and Freedom of Information (HBDI), Wiesbaden. No data protection officer has been appointed; an obligation to appoint one under Art. 37 GDPR / § 38 BDSG is generally not applicable. Data protection requests should be directed to info@tippel.ai.

9. Availability and maintenance

9.1 The provider endeavours to achieve high availability but warrants no particular availability; there is no service level agreement (SLA). There is no claim to uninterrupted availability.

9.2 The provider may perform maintenance, security and update work and may temporarily restrict or interrupt the service for this purpose (maintenance windows). Where possible, planned maintenance is scheduled during low-usage periods and, where reasonable, announced in advance.

9.3 The availability of the AI models and third-party services used (Section 11) is outside the provider’s control; their failure or change may impair the service.

10. Warranty / defects

10.1 For the time-limited provision of the SaaS application, tenancy law (§§ 535 et seq. BGB) applies accordingly, unless otherwise provided below.

10.2 There is no defect where a result is substantively incorrect, incomplete or non-compliant, to the extent this results from the model-based nature of the analysis (Sections 2.3/2.4); no particular results are owed in this respect.

10.3 The customer reports identifiable defects without undue delay in text form. The provider remedies reproducible defects of the application within a reasonable period. The strict, fault-independent liability of the lessor for initial defects under § 536a(1) 1st alternative BGB is excluded; liability under Section 12 remains unaffected.

11. Sub-processors / third-party services

To provide the service, the provider uses the following processors/sub-processors:

Service providerLocationPurpose
IONOS SEMontabaur, GermanyHosting, database, email dispatch
OpenRouter Inc.USAAPI gateway for model queries
Anthropic (model provider, via OpenRouter)USAProvision of the AI model for analysis
Stripe Payments Europe, Ltd.Dublin, IrelandPayment processing

11.1 For analysis, uploaded content is transmitted to OpenRouter Inc. (USA) and the respective model provider (currently Anthropic, USA). Provider routing is set to “data_collection: deny” (no storage, no use for training at the model provider). Results and uploaded files are stored on the server (IONOS, Germany) and assigned to the account.

11.2 For transfers to the USA, EU Standard Contractual Clauses under Art. 46(2)(c) GDPR are relied upon; the routing “data_collection: deny” serves as a supplementary measure. Whether a US provider is additionally certified under the EU-US Data Privacy Framework is [to be verified: whether provider is certified] — no such certification is asserted here as fact.

11.3 Server logs (including IP address, time, requested URL) are processed briefly on the basis of Art. 6(1)(f) GDPR.

12. Liability

12.1 The provider is liable without limitation for intent and gross negligence and for culpable injury to life, body or health.

12.2 For ordinary negligence, the provider is liable only for breach of a material contractual obligation (cardinal obligation, i.e. an obligation whose fulfilment makes the proper performance of the contract possible in the first place and on whose observance the customer may regularly rely). In such cases, liability is limited to the foreseeable, contract-typical damage at the time of conclusion of the contract.

12.3 In all other respects, liability for ordinary negligence is excluded. To the extent legally permissible, liability for indirect damage, consequential damage and lost profits is excluded.

12.4 Where liability is limited under Section 12.2, it is capped at [Proposal: value of the order over the last 12 months — to be reviewed]. The limits of § 307 BGB (content review) must be observed.

12.5 Liability under the German Product Liability Act, as well as within the scope of guarantees assumed or fraudulently concealed defects, remains unaffected.

12.6 For loss of data, the provider is liable only to the extent that would have been necessary for restoration had the customer carried out proper and regular data backups. The customer is responsible for their own backups of the content they provide.

12.7 The above liability provisions also apply for the benefit of the provider’s legal representatives and vicarious agents.

13. Indemnification

If the customer breaches Section 7 (in particular through unlawful or infringing uploads or the inclusion of personal data without a legal basis), the customer shall indemnify the provider on first demand against all resulting third-party claims and reimburse the reasonable costs of legal defence incurred by the provider as a result. Further claims of the provider remain unaffected.

14. Confidentiality

14.1 The parties treat as confidential any information of the other party designated as confidential or recognisably confidential, and use it only to perform this contract.

14.2 Excluded is information that is or becomes publicly known without breach of confidentiality, was already known to the receiving party or was independently developed, or whose disclosure is required by law or authority. The obligation survives termination of the contract.

15. Force majeure

Events of force majeure (e.g. natural disasters, war, industrial action, official measures, large-scale failures of telecommunications or internet networks, failures of indispensable third-party services) that significantly impede or render impossible the performance of the service release the affected party from its obligation to perform for the duration and extent of the disruption. The parties inform each other without undue delay.

16. Term and termination

16.1 Without a separate subscription, the contract is concluded for an indefinite period and may be terminated by either party at any time in text form without notice period; unused purchased credits do not expire as a result (Section 6.2), unless deletion of the account is expressly requested.

16.2 For subscriptions, Section 6.7 applies.

16.3 The right to extraordinary termination for good cause remains unaffected. Good cause exists for the provider in particular in the event of a material breach by the customer of Section 7.

16.4 After the end of the contract, content assigned to the account is deleted in accordance with the privacy policy and any DPA, unless statutory retention obligations (in particular under the German Commercial Code / Fiscal Code, HGB/AO) apply. Specific deletion periods: [to be added: storage/deletion periods].

17. Amendment of the GTC

17.1 The provider may amend these GTC with effect for the future, provided the amendment is reasonable for the customer taking the provider’s interests into account (e.g. changes in the legal situation, case law, technical conditions or the range of services).

17.2 The provider announces amendments at least [to be confirmed: e.g. 30] days before they take effect in text form (e.g. by email). If the customer does not object within [to be confirmed: e.g. 30] days of receipt of the announcement in text form, the amended GTC are deemed accepted; this is pointed out separately in the announcement. If the customer objects in time, either party may terminate the contract as of the date the amendment takes effect; until then the previous GTC continue to apply.

18. Final provisions

18.1 The law of the Federal Republic of Germany applies, excluding the UN Convention on Contracts for the International Sale of Goods (CISG).

18.2 If the customer is a merchant, a legal person under public law or a special fund under public law, the exclusive place of jurisdiction for all disputes arising from or in connection with this contract is the provider’s registered seat (§ 38 ZPO). The provider is also entitled to sue at the customer’s general place of jurisdiction.

18.3 Declarations and notices under this contract require at least text form (§ 126b BGB) unless otherwise provided.

18.4 Should individual provisions of these GTC be or become invalid or unenforceable, the validity of the remaining provisions remains unaffected. The parties shall replace an invalid or unenforceable provision with a valid one that most closely approximates the economic purpose of the original provision.

The German version is authoritative.

KomplAI
AI compliance checks: EU AI Act · DORA · GDPR
A product by Tippel
Legal Imprint
Privacy
Terms
Cookie settings
Data processing DPA
Sub-processors
TOMs
All analyses are professional support results and do not constitute legal advice.
© 2026 Tippel — Lukas Friedrich