Privacy policy
As of: 6 July 2026.
This privacy policy informs you pursuant to Art. 13 and 14 GDPR about the processing of personal data in connection with the KomplAI service (komplai.de / komplai.eu; app app.komplai.de) — an AI-supported compliance analysis (EU AI Act, DORA, GDPR) including document generators (transparency documentation, FRIA under Art. 27 AI Act, DPIA under Art. 35 GDPR).
KomplAI is aimed exclusively at entrepreneurs within the meaning of § 14 German Civil Code (BGB) (B2B only). There is no consumer right of withdrawal.
1. Controller
The controller within the meaning of the GDPR is:
Tippel — Lukas Friedrich (sole proprietorship)
Kampweg 4
34369 Hofgeismar
Germany
Email: info@tippel.ai
Phone: +49 178 5879849
Web: www.tippel.ai
2. Data protection officer
We have not appointed a data protection officer. As a sole proprietorship, the conditions for a mandatory appointment under Art. 37 GDPR or § 38 BDSG are regularly not met. Please direct data protection enquiries to info@tippel.ai.
3. Roles: controller and processor
For data protection purposes, a distinction must be made:
- Account and usage data: For the data collected for registration, account, billing and operation of the service, Tippel is the controller within the meaning of Art. 4(7) GDPR.
- Analysis content: For the material you upload and its contents (which may contain personal data), Tippel acts solely as a processor under Art. 28 GDPR on the basis of a data processing agreement (DPA). The customer remains the controller for this content; the customer determines the purposes and means and ensures the legal basis for the uploaded data.
Please do not upload third-party personal data without your own legal basis. Unless stated otherwise, the following processing descriptions concern processing for which Tippel is the controller.
4. Processing activities in detail
4.1 Registration and account
| Item | Details |
|---|---|
| Purpose | Creation and management of the user account, authentication, contract performance. |
| Legal basis | Art. 6(1)(b) GDPR (contract / pre-contractual measures). |
| Data categories | Name, email address, password (stored only as a bcrypt hash); session token in the database; CSRF token; login lock after failed attempts. |
| Recipients / processors | IONOS SE, Montabaur (hosting, database, email; data centres in Germany). |
| Storage period | Until the account is deleted; thereafter erasure unless statutory retention obligations apply. |
A strictly necessary cookie (“komplai_session”) is set for session management (§ 25(2) TDDDG). See section 5.
4.2 Analysis content (processing on behalf)
| Item | Details |
|---|---|
| Purpose | Performance of the ordered compliance analysis and generation of results/documents. |
| Legal basis | Vis-à-vis the customer, Art. 6(1)(b) GDPR (contract). For the content, Tippel acts as a processor under Art. 28 GDPR (DPA); the customer is responsible for the legal basis of the personal data contained therein. |
| Data categories | Uploaded documents (PDF/TXT/MD) and source code/ZIP repositories and their contents; generated analysis results. |
| Recipients / processors | IONOS SE, Montabaur (storage of files and results, DE); OpenRouter Inc. (USA, API gateway); model provider — currently Anthropic (USA, via OpenRouter). |
| Third country | Transfer to the USA to OpenRouter and the model provider (see section 7). |
| Storage period | Uploaded files and results are stored on the server (IONOS, DE), associated with the account, until deleted by the user or until the account is deleted. |
Content is transmitted for analysis to the API of OpenRouter Inc. (USA) and the
chosen model provider. Provider routing uses the setting
data_collection: deny: no storage of the content by the provider, no use
for training. Results and uploaded files are stored on the server (IONOS, Germany),
associated with the account.
4.3 Payments (Stripe)
| Item | Details |
|---|---|
| Purpose | Processing of payments for credits and subscriptions. |
| Legal basis | Art. 6(1)(b) GDPR (contract). |
| Data categories | Payment and billing data. Full payment data (e.g. card details) is held exclusively by Stripe; we do not receive it. Prices are net plus statutory VAT. |
| Recipients / processors | Stripe Payments Europe, Ltd., Dublin, Ireland. |
| Storage period | Payment and invoice records are retained in line with commercial and tax retention periods: 8 years (§ 147(3) AO, § 257(4) HGB; shortened from 10 to 8 years on 1 January 2025). |
On the credit model: 1 analysis = 1 credit; a verification pass costs +1 credit; on registration you receive 1 free credit; purchased credits do not expire; subscription credits apply per billing month; the subscription can be cancelled monthly; a failed analysis triggers an automatic credit refund.
4.4 Server logs
| Item | Details |
|---|---|
| Purpose | Ensuring operational security, stability and abuse prevention. |
| Legal basis | Art. 6(1)(f) GDPR (legitimate interest). |
| Data categories | IP address, time of access, URL requested. |
| Recipients / processors | IONOS SE, Montabaur (DE). |
| Storage period | Short-term; [to be added: specific retention period for server logs]. |
Balancing of interests (Art. 6(1)(f) GDPR): Our legitimate interest lies in the secure and stable operation of the service and in detecting and preventing attacks and abuse. Processing is limited to the technical data required for this and takes place only briefly; no aggregation with other data sets for analytics purposes occurs. There are therefore no overriding interests of data subjects apparent.
4.5 Email dispatch (verification / password reset)
| Item | Details |
|---|---|
| Purpose | Sending emails for address verification and password reset. |
| Legal basis | Art. 6(1)(b) GDPR (contract / pre-contractual measures). |
| Data categories | Email address, verification/reset token, timestamp. |
| Recipients / processors | IONOS SE, Montabaur (email dispatch, DE). |
| Storage period | Tokens only for the duration of their validity; otherwise within the account data. |
4.6 Web analytics with Google Analytics 4
| Item | Details |
|---|---|
| Purpose | Pseudonymous reach and usage analysis of the website (which pages are accessed, device/browser class, approximate region) in order to improve the site. No cross-site advertising takes place. |
| Legal basis | Consent, Art. 6(1)(a) GDPR; for the storing of information on, or access to information already stored on, your device, § 25(1) TDDDG. Processing takes place only after you have actively consented in the cookie banner. Consent is voluntary and can be withdrawn at any time with effect for the future. |
| Data categories | Pseudonymous usage and device data (pages accessed, referrer, timestamp, device/browser class, approximate region), pseudonymous identifiers. |
| Recipients / processors | Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor on the basis of the Google Data Processing Terms); onward transfer to Google LLC, USA. |
| Third country | USA — Google LLC is certified under the EU-US Data Privacy Framework; Standard Contractual Clauses are used in addition. IP addresses are not logged or stored in GA4 (GA4 does not collect IP addresses as part of the report); the IP address is used only to derive an approximate location and is not stored. |
| Cookies | “_ga” and “_ga_5BG9HQ1619” (lifetime up to 2 years each). |
| Storage period | Cookies up to 2 years; data collected at user and event level is deleted in accordance with the GA4 retention setting (2 or a maximum of 14 months). |
| Withdrawal | Via the “Cookie settings” link in the page footer or by re-opening the cookie banner; effect for the future. |
Google Analytics 4 is only loaded, and analytics cookies are only set, after you have consented in the cookie banner. Without consent, no web analytics takes place and no analytics cookies are set. You can withdraw a consent you have given at any time via the “Cookie settings” link in the page footer, with effect for the future.
5. Cookies and local technologies
We distinguish between strictly necessary technologies, which are permitted without consent, and analytics cookies requiring consent:
Strictly necessary technologies (permitted without consent under § 25(2) TDDDG):
- Session cookie (“komplai_session”) — for session management/login (Art. 6(1)(f) GDPR / § 25(2) TDDDG);
- CSRF token — to protect against cross-site request forgery;
- Language setting — to store the selected language;
- Consent decision — the choice you make in the cookie banner is stored locally in your browser (localStorage key “komplai_consent”) so that we can honour your selection on your next visit. This storage is strictly necessary and therefore does not require consent.
These technologies are strictly necessary to provide the service you have expressly requested or to give effect to your selection; their storage is permitted without consent under § 25(2) TDDDG.
Analytics cookies requiring consent (§ 25(1) TDDDG, Art. 6(1)(a) GDPR):
- Analytics cookies (“_ga”, “_ga_5BG9HQ1619”; Google Analytics 4) — are set only after your consent in the cookie banner (opt-in). Without consent, no analytics cookies are set and Google Analytics is not loaded. For details of this processing, see section 4.6.
You can withdraw your consent at any time via the “Cookie settings” link in the page footer, with effect for the future. We do not use any advertising or marketing cookies.
6. Recipients and processors
We use carefully selected service providers as processors under Art. 28 GDPR; data processing agreements are in place with them. The current sub-processor list comprises:
| Provider | Location | Function |
|---|---|---|
| IONOS SE | Montabaur, DE | Hosting, database, email dispatch |
| OpenRouter Inc. | USA | API gateway for the AI analysis |
| Anthropic | USA | Model provider (via OpenRouter) |
| Stripe Payments Europe, Ltd. | Dublin, Ireland | Payment processing |
| Google Ireland Limited | Dublin, IE | Web analytics (Google Analytics 4), with consent only |
We provide a current version of the sub-processor list and information on the existing DPAs on request at info@tippel.ai.
7. Transfer to third countries (USA)
During analysis, content is transferred to OpenRouter Inc. (USA) and the model
provider (currently Anthropic, USA). For this transfer to the USA we rely on the
EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) as appropriate
safeguards. As a supplementary measure, provider routing is operated with
data_collection: deny (no storage, no training at the provider). Whether a
provider is additionally certified under the EU-US Data Privacy Framework is
[to be checked whether provider is certified]. We provide a copy of the
appropriate safeguards on request at info@tippel.ai.
For the web analytics with Google Analytics 4 (see section 4.6), data is transferred to Google LLC (USA). Google LLC is certified under the EU-US Data Privacy Framework; in addition, the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) are used. This transfer takes place only with your consent.
8. Storage periods at a glance
- Account data: until the account is deleted, subject to statutory retention obligations thereafter.
- Analysis results and uploaded files: until deleted by the user or until the account is deleted.
- Server logs: short-term; [to be added: specific retention period].
- Payment and invoice records: 8 years (§ 147(3) AO, § 257(4) HGB; shortened from 10 to 8 years on 1 January 2025).
9. Obligation to provide data
Providing account and payment data is required for the conclusion of the contract and use of the service (Art. 13(2)(e) GDPR). Without this data we cannot create the account or provide the service. Providing analysis content is at your discretion; without it, no analysis can be carried out.
10. No automated decision-making concerning users
There is no automated decision-making, including profiling, within the meaning of Art. 22 GDPR concerning you. The tool evaluates the material you upload and produces analysis results; it does not make any legally significant automated decisions about you as a person.
11. Your rights
Subject to the statutory requirements, you have the following rights:
- access (Art. 15 GDPR),
- rectification (Art. 16 GDPR),
- erasure (Art. 17 GDPR),
- restriction of processing (Art. 18 GDPR),
- data portability (Art. 20 GDPR),
- objection (Art. 21 GDPR) to processing based on Art. 6(1)(f) GDPR, on grounds relating to your particular situation.
To exercise your rights, contact info@tippel.ai. Where your rights concern analysis content for which we act as processor, please address them to the relevant controlling customer; we support the controller in this respect within the scope of Art. 28 GDPR.
12. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
Wiesbaden, Germany
13. Data security
We take appropriate technical and organisational measures (TOMs) under Art. 32 GDPR to ensure a level of protection appropriate to the risk (including storage of passwords as a bcrypt hash, CSRF protection, login lock after failed attempts, encryption of data transmission). Further information on the TOMs is available on request.
14. Currency and changes
We adapt this privacy policy as soon as changes to the processing or the legal situation require. The version published on this page from time to time applies.
The German version is authoritative.