Privacy Policy

1. Introduction

This Privacy Policy explains how modelAIz ("we", "our", or "us") collects, processes, and protects personal data when you use our AI-powered platform for business model development.

modelAIz is committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR) and applicable German data protection laws.

2. Data Controller

Responsible for data processing:

3. Categories of Personal Data We Process

We may process the following categories of personal data.

3.1 Account and Authentication Data

When you create an account or sign in:

• Email address
• Name (optional)
• Authentication identifiers
• Login metadata
• Session tokens
• Profile information from authentication providers

Purpose: Account management and authentication.

Legal basis: Art. 6(1)(b) GDPR – Contract performance.

3.2 User Profile Data

Users may voluntarily provide:

• Profile picture
• Company information
• Biography
• Language preferences
• Time zone
• Notification settings
• Contact information

Purpose: Personalization of the platform experience.

Legal basis: Art. 6(1)(b) GDPR.

3.3 Project and Business Data

modelAIz processes content created by users inside the platform, including:

• Business ideas
• Business model canvas data
• One-pager content
• Market research insights
• User journeys
• Story maps
• Feature descriptions
• AI-generated artefacts

Purpose: Providing the core functionality of the platform.

Legal basis: Art. 6(1)(b) GDPR.

3.4 AI Interaction Data

When interacting with AI features, we process:

• Prompts and user input
• AI responses
• Conversation history
• Token usage statistics
• AI model configuration

Purpose: Generating AI-assisted outputs, improving platform functionality, monitoring system usage.

Legal basis: Art. 6(1)(b) GDPR.

3.5 Technical and Usage Data

When accessing the platform, our systems automatically process:

• IP address
• Browser type and version
• Operating system
• Device information
• Accessed pages
• Timestamps
• Error logs
• Performance metrics

Purpose: System security, platform stability, troubleshooting, abuse prevention.

Legal basis: Art. 6(1)(f) GDPR – legitimate interest in secure operation.

4. Cookies and Consent

We use cookies and similar technologies. Non-essential cookies are only used after explicit user consent via our cookie consent banner.

Users can withdraw or change their consent at any time.

4.1 Essential Cookies

These cookies are required for platform functionality:

• Authentication sessions
• Security and CSRF protection
• Load balancing
• User preferences

Legal basis: Art. 6(1)(f) GDPR.

4.2 Analytics Cookies

Analytics cookies help us understand how users interact with our platform. They are activated only after consent.

Legal basis: Art. 6(1)(a) GDPR.

4.3 Marketing Cookies

Marketing cookies may be used to measure advertising performance.

Legal basis: Art. 6(1)(a) GDPR.

5. Third-Party Services and Data Processors

We work with carefully selected service providers. These providers process personal data on our behalf under Data Processing Agreements (Art. 28 GDPR).

6. Infrastructure and Hosting

Hetzner Cloud

Hosting infrastructure is provided by:

Servers are located in the European Union (Nuremberg data center).

Purpose: Hosting the application, database storage, infrastructure operations.

Legal basis: Art. 6(1)(b) GDPR.

7. Authentication Services

Auth0

Authentication and identity management are provided by Auth0.

Purpose: Secure login, identity verification, session management.

Data transfers outside the EEA rely on appropriate safeguards such as Standard Contractual Clauses.

8. Payment Processing

Stripe

Payments are processed via:

Stripe processes:

• Payment information
• Billing details
• Transaction metadata

modelAIz does not store credit card data.

Legal basis: Art. 6(1)(b) GDPR.

9. Analytics Services

Plausible Analytics (Self-Hosted)

We use Plausible Analytics, which is hosted on our own infrastructure. Plausible is a privacy-friendly analytics solution that does not use personal tracking identifiers.

Collected data may include:

• Anonymized IP address
• Device type
• Browser
• Visited pages
• Referrer

Plausible does not use tracking cookies.

Legal basis: Art. 6(1)(f) GDPR – legitimate interest in understanding platform usage.

10. Tag Management

Google Tag Manager

We use Google Tag Manager to manage scripts and integrations. Google Tag Manager itself does not set cookies but loads services such as analytics and marketing tools.

Legal basis: Art. 6(1)(a) GDPR when processing requires consent.

11. User Experience Analytics

Hotjar

We use Hotjar to better understand how users interact with our platform.

Hotjar may collect:

• Anonymized IP address
• Device type
• Browser data
• Interaction patterns
• Session recordings
• Heatmaps

Hotjar is only activated after user consent.

Legal basis: Art. 6(1)(a) GDPR.

12. Advertising Services

Google Ads

We use Google Ads to measure the effectiveness of advertising campaigns.

Data processing may include:

• Advertising identifiers
• Interaction with ads
• Website visit attribution

Google Ads tracking is only activated after consent.

Legal basis: Art. 6(1)(a) GDPR.

13. Email Communication

Mailjet

We use Mailjet for transactional emails.

Mailjet processes:

• Email addresses
• Email delivery metadata
• Communication logs

Purpose: Account verification, system notifications, service-related communication.

Legal basis: Art. 6(1)(b) GDPR.

14. AI Processing Services

modelAIz uses AI services to generate insights and structured outputs. These services may process user input to generate responses.

Providers may include:

• OpenAI
• Anthropic (Claude)
• Google (Gemini)
• Perplexity AI

Data transmitted may include:

• Prompts
• User input
• Generated outputs

AI providers process data solely for generating responses and not for unrelated purposes.

Users should avoid submitting personal data of third parties or confidential information.

Legal basis: Art. 6(1)(b) GDPR.

15. International Data Transfers

Some of our service providers are located outside the European Economic Area. Where this occurs, we ensure appropriate safeguards such as:

• Standard Contractual Clauses
• EU-US Data Privacy Framework
• Additional contractual safeguards

16. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

• Encryption in transit (TLS)
• Secure infrastructure
• Access control mechanisms
• Authentication and authorization systems
• Monitoring and logging
• Regular security updates

17. Data Retention

We retain personal data only as long as necessary. Typical retention periods include:

• Account data: Until account deletion or 3 years after last activity
• Project data: Until account deletion
• AI interaction data: Up to 24 months
• Technical logs: Up to 12 months
• Billing data: Up to 10 years (legal requirement)

18. Your Rights Under GDPR

You have the following rights:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)
• Right to withdraw consent (Art. 7 GDPR)

To exercise your rights, contact: privacy@modelaiz.com

19. Complaints

You have the right to lodge a complaint with a supervisory authority.

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in technology, legal requirements, or our services.

Users will be notified of significant changes via the platform or email.