KomplAI
EU AI Act Risk check Features Methodology FAQ Pricing Log in Try for free ENDE

Privacy policy

DRAFT — this is a draft and not legal advice. Have it legally reviewed before go-live. No assurance is given that this document has been legally reviewed, is sufficient, or is binding.

As of: 6 July 2026.

This privacy policy informs you pursuant to Art. 13 and 14 GDPR about the processing of personal data in connection with the KomplAI service (komplai.de / komplai.eu; app app.komplai.de) — an AI-supported compliance analysis (EU AI Act, DORA, GDPR) including document generators (transparency documentation, FRIA under Art. 27 AI Act, DPIA under Art. 35 GDPR).

KomplAI is aimed exclusively at entrepreneurs within the meaning of § 14 German Civil Code (BGB) (B2B only). There is no consumer right of withdrawal.

1. Controller

The controller within the meaning of the GDPR is:

Tippel — Lukas Friedrich (sole proprietorship)
Kampweg 4
34369 Hofgeismar
Germany

Email: info@tippel.ai
Phone: +49 178 5879849
Web: www.tippel.ai

2. Data protection officer

We have not appointed a data protection officer. As a sole proprietorship, the conditions for a mandatory appointment under Art. 37 GDPR or § 38 BDSG are regularly not met. Please direct data protection enquiries to info@tippel.ai.

3. Roles: controller and processor

For data protection purposes, a distinction must be made:

  • Account and usage data: For the data collected for registration, account, billing and operation of the service, Tippel is the controller within the meaning of Art. 4(7) GDPR.
  • Analysis content: For the material you upload and its contents (which may contain personal data), Tippel acts solely as a processor under Art. 28 GDPR on the basis of a data processing agreement (DPA). The customer remains the controller for this content; the customer determines the purposes and means and ensures the legal basis for the uploaded data.

Please do not upload third-party personal data without your own legal basis. Unless stated otherwise, the following processing descriptions concern processing for which Tippel is the controller.

4. Processing activities in detail

4.1 Registration and account

ItemDetails
PurposeCreation and management of the user account, authentication, contract performance.
Legal basisArt. 6(1)(b) GDPR (contract / pre-contractual measures).
Data categoriesName, email address, password (stored only as a bcrypt hash); session token in the database; CSRF token; login lock after failed attempts.
Recipients / processorsIONOS SE, Montabaur (hosting, database, email; data centres in Germany).
Storage periodUntil the account is deleted; thereafter erasure unless statutory retention obligations apply.

A strictly necessary cookie (“komplai_session”) is set for session management (§ 25(2) TDDDG). See section 5.

4.2 Analysis content (processing on behalf)

ItemDetails
PurposePerformance of the ordered compliance analysis and generation of results/documents.
Legal basisVis-à-vis the customer, Art. 6(1)(b) GDPR (contract). For the content, Tippel acts as a processor under Art. 28 GDPR (DPA); the customer is responsible for the legal basis of the personal data contained therein.
Data categoriesUploaded documents (PDF/TXT/MD) and source code/ZIP repositories and their contents; generated analysis results.
Recipients / processorsIONOS SE, Montabaur (storage of files and results, DE); OpenRouter Inc. (USA, API gateway); model provider — currently Anthropic (USA, via OpenRouter).
Third countryTransfer to the USA to OpenRouter and the model provider (see section 7).
Storage periodUploaded files and results are stored on the server (IONOS, DE), associated with the account, until deleted by the user or until the account is deleted.

Content is transmitted for analysis to the API of OpenRouter Inc. (USA) and the chosen model provider. Provider routing uses the setting data_collection: deny: no storage of the content by the provider, no use for training. Results and uploaded files are stored on the server (IONOS, Germany), associated with the account.

4.3 Payments (Stripe)

ItemDetails
PurposeProcessing of payments for credits and subscriptions.
Legal basisArt. 6(1)(b) GDPR (contract).
Data categoriesPayment and billing data. Full payment data (e.g. card details) is held exclusively by Stripe; we do not receive it. Prices are net plus statutory VAT.
Recipients / processorsStripe Payments Europe, Ltd., Dublin, Ireland.
Storage periodPayment and invoice records are retained in line with commercial and tax retention periods: 8 years (§ 147(3) AO, § 257(4) HGB; shortened from 10 to 8 years on 1 January 2025).

On the credit model: 1 analysis = 1 credit; a verification pass costs +1 credit; on registration you receive 1 free credit; purchased credits do not expire; subscription credits apply per billing month; the subscription can be cancelled monthly; a failed analysis triggers an automatic credit refund.

4.4 Server logs

ItemDetails
PurposeEnsuring operational security, stability and abuse prevention.
Legal basisArt. 6(1)(f) GDPR (legitimate interest).
Data categoriesIP address, time of access, URL requested.
Recipients / processorsIONOS SE, Montabaur (DE).
Storage periodShort-term; [to be added: specific retention period for server logs].

Balancing of interests (Art. 6(1)(f) GDPR): Our legitimate interest lies in the secure and stable operation of the service and in detecting and preventing attacks and abuse. Processing is limited to the technical data required for this and takes place only briefly; no aggregation with other data sets for analytics purposes occurs. There are therefore no overriding interests of data subjects apparent.

4.5 Email dispatch (verification / password reset)

ItemDetails
PurposeSending emails for address verification and password reset.
Legal basisArt. 6(1)(b) GDPR (contract / pre-contractual measures).
Data categoriesEmail address, verification/reset token, timestamp.
Recipients / processorsIONOS SE, Montabaur (email dispatch, DE).
Storage periodTokens only for the duration of their validity; otherwise within the account data.

4.6 Web analytics with Google Analytics 4

ItemDetails
PurposePseudonymous reach and usage analysis of the website (which pages are accessed, device/browser class, approximate region) in order to improve the site. No cross-site advertising takes place.
Legal basisConsent, Art. 6(1)(a) GDPR; for the storing of information on, or access to information already stored on, your device, § 25(1) TDDDG. Processing takes place only after you have actively consented in the cookie banner. Consent is voluntary and can be withdrawn at any time with effect for the future.
Data categoriesPseudonymous usage and device data (pages accessed, referrer, timestamp, device/browser class, approximate region), pseudonymous identifiers.
Recipients / processorsGoogle Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor on the basis of the Google Data Processing Terms); onward transfer to Google LLC, USA.
Third countryUSA — Google LLC is certified under the EU-US Data Privacy Framework; Standard Contractual Clauses are used in addition. IP addresses are not logged or stored in GA4 (GA4 does not collect IP addresses as part of the report); the IP address is used only to derive an approximate location and is not stored.
Cookies“_ga” and “_ga_5BG9HQ1619” (lifetime up to 2 years each).
Storage periodCookies up to 2 years; data collected at user and event level is deleted in accordance with the GA4 retention setting (2 or a maximum of 14 months).
WithdrawalVia the “Cookie settings” link in the page footer or by re-opening the cookie banner; effect for the future.

Google Analytics 4 is only loaded, and analytics cookies are only set, after you have consented in the cookie banner. Without consent, no web analytics takes place and no analytics cookies are set. You can withdraw a consent you have given at any time via the “Cookie settings” link in the page footer, with effect for the future.

5. Cookies and local technologies

We distinguish between strictly necessary technologies, which are permitted without consent, and analytics cookies requiring consent:

Strictly necessary technologies (permitted without consent under § 25(2) TDDDG):

  • Session cookie (“komplai_session”) — for session management/login (Art. 6(1)(f) GDPR / § 25(2) TDDDG);
  • CSRF token — to protect against cross-site request forgery;
  • Language setting — to store the selected language;
  • Consent decision — the choice you make in the cookie banner is stored locally in your browser (localStorage key “komplai_consent”) so that we can honour your selection on your next visit. This storage is strictly necessary and therefore does not require consent.

These technologies are strictly necessary to provide the service you have expressly requested or to give effect to your selection; their storage is permitted without consent under § 25(2) TDDDG.

Analytics cookies requiring consent (§ 25(1) TDDDG, Art. 6(1)(a) GDPR):

  • Analytics cookies (“_ga”, “_ga_5BG9HQ1619”; Google Analytics 4) — are set only after your consent in the cookie banner (opt-in). Without consent, no analytics cookies are set and Google Analytics is not loaded. For details of this processing, see section 4.6.

You can withdraw your consent at any time via the “Cookie settings” link in the page footer, with effect for the future. We do not use any advertising or marketing cookies.

6. Recipients and processors

We use carefully selected service providers as processors under Art. 28 GDPR; data processing agreements are in place with them. The current sub-processor list comprises:

ProviderLocationFunction
IONOS SEMontabaur, DEHosting, database, email dispatch
OpenRouter Inc.USAAPI gateway for the AI analysis
AnthropicUSAModel provider (via OpenRouter)
Stripe Payments Europe, Ltd.Dublin, IrelandPayment processing
Google Ireland LimitedDublin, IEWeb analytics (Google Analytics 4), with consent only

We provide a current version of the sub-processor list and information on the existing DPAs on request at info@tippel.ai.

7. Transfer to third countries (USA)

During analysis, content is transferred to OpenRouter Inc. (USA) and the model provider (currently Anthropic, USA). For this transfer to the USA we rely on the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) as appropriate safeguards. As a supplementary measure, provider routing is operated with data_collection: deny (no storage, no training at the provider). Whether a provider is additionally certified under the EU-US Data Privacy Framework is [to be checked whether provider is certified]. We provide a copy of the appropriate safeguards on request at info@tippel.ai.

For the web analytics with Google Analytics 4 (see section 4.6), data is transferred to Google LLC (USA). Google LLC is certified under the EU-US Data Privacy Framework; in addition, the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) are used. This transfer takes place only with your consent.

8. Storage periods at a glance

  • Account data: until the account is deleted, subject to statutory retention obligations thereafter.
  • Analysis results and uploaded files: until deleted by the user or until the account is deleted.
  • Server logs: short-term; [to be added: specific retention period].
  • Payment and invoice records: 8 years (§ 147(3) AO, § 257(4) HGB; shortened from 10 to 8 years on 1 January 2025).

9. Obligation to provide data

Providing account and payment data is required for the conclusion of the contract and use of the service (Art. 13(2)(e) GDPR). Without this data we cannot create the account or provide the service. Providing analysis content is at your discretion; without it, no analysis can be carried out.

10. No automated decision-making concerning users

There is no automated decision-making, including profiling, within the meaning of Art. 22 GDPR concerning you. The tool evaluates the material you upload and produces analysis results; it does not make any legally significant automated decisions about you as a person.

11. Your rights

Subject to the statutory requirements, you have the following rights:

  • access (Art. 15 GDPR),
  • rectification (Art. 16 GDPR),
  • erasure (Art. 17 GDPR),
  • restriction of processing (Art. 18 GDPR),
  • data portability (Art. 20 GDPR),
  • objection (Art. 21 GDPR) to processing based on Art. 6(1)(f) GDPR, on grounds relating to your particular situation.

To exercise your rights, contact info@tippel.ai. Where your rights concern analysis content for which we act as processor, please address them to the relevant controlling customer; we support the controller in this respect within the scope of Art. 28 GDPR.

12. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
Wiesbaden, Germany

13. Data security

We take appropriate technical and organisational measures (TOMs) under Art. 32 GDPR to ensure a level of protection appropriate to the risk (including storage of passwords as a bcrypt hash, CSRF protection, login lock after failed attempts, encryption of data transmission). Further information on the TOMs is available on request.

14. Currency and changes

We adapt this privacy policy as soon as changes to the processing or the legal situation require. The version published on this page from time to time applies.

The German version is authoritative.

KomplAI
AI compliance checks: EU AI Act · DORA · GDPR
A product by Tippel
Legal Imprint
Privacy
Terms
Cookie settings
Data processing DPA
Sub-processors
TOMs
All analyses are professional support results and do not constitute legal advice.
© 2026 Tippel — Lukas Friedrich