src/config/legal.ts and still contain bracketed placeholders. This page is not legally binding until those are filled in and the text is reviewed by a German/EU lawyer. Last template revision: [YYYY-MM-DD].Last updated: [YYYY-MM-DD]
1. Data controller
The controller responsible for processing your personal data within the meaning of Art. 4(7) GDPR is:
[LEGAL_ENTITY_NAME] ([ENTITY_TYPE])
[ADDRESS_LINE1]
[POSTAL_CODE] [CITY], Germany
Email: [CONTACT_EMAIL]
2. What we store
- Account. Email, name, password hash, role, email-verification status, last-login timestamp.
- Organization. Workspace name, slug, membership list with role assignments.
- Subscription. Plan, status, trial / period end dates, payment-provider identifiers (when a paid provider is connected).
- Scan results. Score history per domain you audit, including the full audit report payload (robots.txt, llms.txt, bot-access matrix, structured-data findings).
- Alert rules & events. Rules you configure and the events they emit.
- Server logs. IP address, timestamp, and request metadata for security and abuse prevention.
3. Legal bases (Art. 6 GDPR)
- Art. 6(1)(b) — performance of a contract: account data, subscription data, scan results you request.
- Art. 6(1)(c) — legal obligation: retention of invoices and tax records.
- Art. 6(1)(f) — legitimate interest: security logging, abuse prevention, product analytics in aggregated form.
- Art. 6(1)(a) — consent: marketing emails and any optional analytics; you can withdraw consent at any time.
4. Processors
We use the following sub-processors. Each is governed by a data processing agreement (Auftragsverarbeitungsvertrag) under Art. 28 GDPR:
[PROCESSORS — list hosting, email, payment, analytics processors]
5. Retention
Account data is retained for the duration of your subscription and deleted on account closure, subject to legal retention obligations (typically 10 years for invoices under HGB / AO).
Per-domain score history is retained according to your plan'sscore_history_monthslimit (up to 24 months on the top plan). Older rows remain in the database but are hidden until you upgrade; they are permanently purged on account closure.
6. Your rights
Under Articles 15–22 GDPR you have the right to:
- access the personal data we hold about you;
- rectify inaccurate data;
- erase your data (“right to be forgotten”);
- restrict or object to processing;
- data portability;
- lodge a complaint with a supervisory authority — in Germany this is the data protection authority of your federal state (Land).
Send requests to [CONTACT_EMAIL]. We respond within one month per Art. 12(3) GDPR.
7. International transfers
Where a sub-processor is located outside the EU/EEA, transfers rely on Standard Contractual Clauses (Art. 46 GDPR) or another approved transfer mechanism. The current list is in section 4 above.
8. Changes
We update this policy as the Service evolves. Material changes will be announced via email or in-app. The current version date is shown at the top of this page.