
Product Privacy Notice

AUVY Cortex — In-Product

AUVY GmbH · Am Haag 8 · 82166 Gräfelfing · HRB 311039 (AG Munich) · VAT ID DE461400892

Data protection: privacy@auvy.ai · Security: security@auvy.ai · General: contact@auvy.ai

Effective: 18 May 2026

Application to consumer customers (B2C): In contracts with consumers within the meaning of § 13 German Civil Code (BGB), no processor relationship exists. AUVY is controller within the meaning of Art. 4 No. 7 GDPR for all personal data processed in that context — including content the consumer brings into their personal workspace. The purposes, legal bases, retention periods, recipients and data subject rights described below apply accordingly; this Notice replaces the DPA as the sole basis of processing. Professional secret-holder data (§ 203 German Criminal Code) remains prohibited for consumer contracts (see § 6).

§ 1 Purpose of this Notice

This Privacy Notice informs you under Art. 13 and 14 GDPR about the processing of personal data by AUVY GmbH ("AUVY") when you use Cortex as an end user of your workspace.

This notice applies in addition to the General Terms and Conditions – AUVY Cortex and the DPA; in case of conflict, the individual contractual provisions prevail.

§ 2 Controller and Contact Details

The controller for the processing activities described in this notice is:

AUVY GmbH · Am Haag 8 · 82166 Gräfelfing · Germany

Represented by managing directors Achim Ströbel and Patrick Schröppel.

We have not currently appointed an external Data Protection Officer.

§ 3 Role Allocation in Detail

Data category | AUVY role | Legal basis
Workspace content, prompts, uploaded files, AI outputs ("Customer Data") | Processor for B2B workspaces; controller for B2C consumer workspaces | DPA (B2B) or this notice (B2C)
Account master data (name, email, workspace role) | Controller | this notice
Authentication, MFA factors, session tokens | Controller | this notice
Billing and contract data | Controller | this notice
Security, audit and diagnostic logs for platform operation | Controller | this notice
Telemetry on platform stability (pseudonymized) | Controller | this notice

The following sections describe exclusively processing activities in which AUVY is the controller. For processing of Customer Data, the DPA applies.

§ 4.1 Account Creation and Authentication

  • Data: name, email address, password hash, MFA factors (TOTP secret or WebAuthn key), workspace membership and role.

  • Purpose: service provision, access control, identity verification.

  • Legal basis: Art. 6 (1)(b) GDPR (contract performance) and (f) GDPR (legitimate interest in secure authentication).

§ 4.2 Workspace Administration

  • Data: workspace name, memberships, roles, settings, license assignments.

  • Purpose: configuration and administration of the customer workspace.

  • Legal basis: Art. 6 (1)(b) GDPR.

§ 4.3 AI Inference and Customer Data Processing

Substantive AI inference on Customer Data takes place under processor terms; insofar, the Customer is controller and AUVY is processor (see DPA).

For operational telemetry of the inference pipeline (latencies, model routing, errors), AUVY collects pseudonymized metadata as controller to ensure service operation (Art. 6 (1)(f) GDPR). Content itself is not part of this telemetry.

§ 4.4 Security and Audit Logs

  • Data: login events, authentication successes/failures, geo-IP, user agent, security-relevant actions (workspace settings, role changes, token creation).

  • Purpose: protection against unauthorized access, traceability, fulfillment of security obligations toward customers.

  • Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in security) in conjunction with Art. 32 GDPR.

§ 4.5 Billing and Contract Administration

  • Data: contractual party master data, invoice data, payment records, acceptance logs of GTC/AUP versions.

  • Purpose: invoicing, tax obligations, evidence of GTC inclusion.

  • Legal basis: Art. 6 (1)(b) GDPR (contract performance), (c) GDPR (statutory obligations, in particular § 14 UStG, §§ 147 AO, 257 HGB).

  • Payment processing: Stripe Payments Europe Ltd., Ireland.

§ 4.6 Support and Communication

  • Data: content of your inquiries, contact details, possibly workspace IDs for reproduction.

  • Purpose: processing of support requests.

  • Legal basis: Art. 6 (1)(b) and (f) GDPR.

§ 4.7 Product Improvement

  • Data: exclusively anonymized and aggregated usage statistics (e.g., number of active sessions, feature usage).

  • Purpose: stability and further development of the platform.

  • Legal basis: Art. 6 (1)(f) GDPR.

  • Important: Customer Data is not used for product improvement or training purposes (see § 5).

§ 4.8 Customer-Enabled Integrations (AUVY Connect)

When you enable third-party integrations through AUVY Connect, AUVY processes connection metadata, OAuth tokens, and tool request/response payloads needed to run the integration. The connected third-party service may process data under its own terms as an independent recipient.

  • Purpose: provide integrations you explicitly connect in the workspace.

  • Legal basis: Art. 6 (1)(b) GDPR (contract performance) and, where applicable, Art. 6 (1)(a) GDPR (consent during OAuth).

  • Recipients: the connected service and infrastructure required to operate Connect (see subprocessors register). AUVY does not resell a third-party integration marketplace; connections are operated through AUVY's own Connect layer.

§ 5 AI-Specific Processing

(1) No training on customer data. AUVY does not use Customer Data or AI outputs to train or fine-tune own or third-party AI models.

(2) Contractual assurances by model providers. AUVY uses AI models in particular via AWS Bedrock (EU Frankfurt) and Microsoft Azure OpenAI (EU Frankfurt and Sweden). The providers are contractually obliged not to use submitted content for model training.

(3) AI inference retention. Under their contractual commitments, the model providers retain inference content only briefly (typically a few hours) for abuse detection, or discard it immediately.

(4) Transparency under Art. 50 EU AI Act. AUVY notifies you in onboarding and the user interface that you are interacting with an AI system. Responsibility for any further labeling obligations toward the Customer's end customers lies with the Customer.

(5) High-risk AI. Cortex is by default not approved for high-risk use cases under Annex III of the AI Act; see AUP, § 6.

§ 6 Professional Secret-Holders and Special Data Categories

(1) Input of special categories of personal data within the meaning of Art. 9 GDPR by the Customer is permitted only if the Customer has a valid legal basis and AUVY has been informed in advance (see AUP § 7).

(2) Processing of professional secret-holder data within the meaning of § 203 of the German Criminal Code (in particular data of clients, patients or comparable entrustors of physicians, attorneys, tax advisors, notaries, psychotherapists) is permitted in Cortex only if the confidentiality clause in § 12 DPA has been bilaterally activated in text form — i.e., text-form confirmation by the Customer and text-form counter-confirmation by AUVY that the obligations of employees and sub-processors required under § 12(3) DPA are in place.

Until this bilateral activation has occurred, the input of professional secret-holder data is prohibited. There is no technical product feature for this; admissibility derives exclusively from the contractual activation. Because the prerequisites of the counter-confirmation are organizationally demanding, activation is in practice reserved for Enterprise Customers.

§ 7 Recipients and Sub-Processors

(1) For the operation of Cortex, AUVY engages the following sub-processors — both for Customer Data (in processor capacity) and for controller data (data processing in the strict sense under Art. 28 GDPR):

Provider | Purpose | Location
AWS EMEA SARL | Compute, storage, AI inference (Bedrock) | EU (Frankfurt)
Microsoft Ireland | AI inference (Azure OpenAI) | EU (Frankfurt, Sweden)
Supabase Inc. | Database, authentication | EU (Frankfurt)
Railway Corp. | Backend / API hosting | EU (Amsterdam)
Vercel Inc. | Frontend / edge hosting | EU (Frankfurt), global edge
PostHog Inc. | Product telemetry (pseudonymized) | EU
Stripe Payments Europe Ltd. | Payment processing, tax logic | EU (Ireland)
Resend Inc. | Transactional email (login, confirmations) | EU
Gladia SAS | Speech-to-text and audio transcription (voice features) | EU (France)

(2) The current list with update date is available at trust.auvy.ai/subprocessors. Changes are announced at least 30 days in advance; rights to object follow the DPA.

(3) Disclosure to authorities occurs only in case of mandatory legal obligation.

§ 8 Third-Country Transfers

Where personal data is transferred to third countries, AUVY relies on:

  • the EU-US Data Privacy Framework, where the respective provider is certified;

  • the EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914) under Module 2/3;

  • supplementary technical and organizational guarantees (encryption, access restrictions, EU region pinning where offered).

Copies of relevant safeguards are available via privacy@auvy.ai.

§ 9 Retention Periods

Data category | Retention
Account master data | as long as the user account exists; lock or deletion 30 days after termination of the workspace contract
Authentication tokens | only as long as the session is active; at most until the token's configured lifetime expires
Customer Data (workspace content) | as per DPA; export and deletion functions in product; final deletion 30 days after contract termination
Security / audit logs | typically 12 months; extended case by case where security-relevant
Telemetry / diagnostics | pseudonymized; up to 90 days person-relatable, then aggregated/anonymized
Contract and invoice data | 10 years (§§ 147 AO, 257 HGB)
GTC/AUP acceptance logs | 10 years as evidence of contract inclusion

§ 10 Security Measures

AUVY takes appropriate technical and organizational measures, in particular:

  • TLS 1.2+ in transit · AES-256 at rest;

  • MFA support, RBAC, logical tenant separation;

  • daily encrypted backups;

  • centralized audit logs;

  • documented incident response process including notification paths under Art. 33 GDPR and contractual obligations.

For the full TOMs, see DPA, Annex 3.

§ 11 Your Rights as a Data Subject

(1) Where AUVY is controller (see § 3), you have the following rights:

  • access (Art. 15 GDPR),

  • rectification (Art. 16 GDPR),

  • erasure (Art. 17 GDPR), insofar as no retention obligations preclude this,

  • restriction of processing (Art. 18 GDPR),

  • data portability (Art. 20 GDPR),

  • objection to processing based on legitimate interests (Art. 21 GDPR),

  • withdrawal of granted consent with effect for the future (Art. 7 (3) GDPR).

(2) Where AUVY is processor (Customer Data), please contact your workspace administrator or your company as the contractual party, which handles the request in its capacity as controller. AUVY supports the controller under Art. 28(3) GDPR.

(3) Requests directly to AUVY: privacy@auvy.ai. To protect against abuse, we may request additional identity verification.

§ 12 Right to Lodge a Complaint

Notwithstanding other legal remedies, you have the right to lodge a complaint with a data protection supervisory authority, in particular the authority competent at AUVY's seat:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Promenade 18 · 91522 Ansbach · lda.bayern.de

§ 13 Automated Decisions

AUVY does not make solely automated decisions with legal or similarly significant effect within the meaning of Art. 22 GDPR toward end users in the Cortex product. AI-generated outputs are non-binding suggestions; their use is the Customer's responsibility; see GTC § 14.

§ 14 Changes to this Notice

AUVY adapts this notice when legal frameworks or processing activities change. Material changes are announced at least 30 days in advance via email or in-product.

§ 15 Contact