Privacy Policy
This privacy policy explains how we collect, use, and protect your personal information.
Data Controller
David Huh - Software-as-a-Service & IT-Dienstleistungen
Lucian-Reich-Str. 16
76473 Iffezheim
Data Protection Officer
You can reach our Data Protection Officer at impressum@davidhuh.de.
Purposes of Processing
- User authentication and account management
- Organization and property management
- Meter reading and utility data processing
- Location-based property identification and proximity detection
- Security, abuse prevention, and logged API access (Art. 6(1)(f) GDPR)
- Analytics, product improvement, and measurement of completed feature usage based on your consent
Your Rights
- Right to access your personal data
- Right to restrict processing
- Right to data portability
- Right to lodge a complaint
Subprocessors
We use the following subprocessors to provide our services:
Vercel Inc.
Added: Oct 5, 2025
Neon Tech Inc.
Added: Oct 5, 2025
Resend Inc.
Added: Oct 5, 2025
Meta Platforms, Inc. / Google LLC
Added: Jan 16, 2026
- Meter reading images (utility consumption data)
- Property identification data
- Timestamp and location metadata
- Processing results and accuracy metrics
Mapbox Inc.
Added: Nov 12, 2025
- Property addresses (search queries)
- Geographic coordinates (latitude/longitude)
- IP address (for rate limiting)
- Browser user agent (technical requirement)
Bright Sky API / Deutscher Wetterdienst (DWD)
Added: Jan 5, 2026
- Property geographic coordinates (rounded to 2 decimals for privacy)
- Weather forecast data (temperature, precipitation, snowfall)
- Location-based weather alerts
- Note: API calls are made server-side via Vercel; no user IP addresses are transmitted to DWD
Stripe, Inc.
Added: Feb 14, 2026
- Payment information (credit card details, bank account info)
- Billing address
- Transaction metadata
- Customer identification data
Cookies
We use cookies and similar technologies to ensure website functionality, store your preferences, and analyze usage only after your consent. For detailed information about the cookies we use, the consent-based analytics events we collect, their purpose, retention period, and legal basis, please see our comprehensive Cookie Policy at /legal/cookie-policy.
Information about Cookie Usage
Our website uses different categories of cookies:
Strictly Necessary Cookies
These cookies are essential for the operation of the website and cannot be disabled. These include consent and preference cookies (custodi_consent, sidebar_state), authentication cookies, language settings, and fraud prevention cookies from Stripe. Legal basis: Art. 6(1)(f) GDPR.
Analytics Cookies
We use Vercel Analytics and Vercel Speed Insights to collect consent-based usage data. After your explicit consent, we also measure completed product interactions such as sign-ins, password resets, completed property, task, damage report, meter reading, waste calendar, and profile actions. We do not send direct identifiers, free text, or raw IDs. Legal basis: Art. 6(1)(a) GDPR.
Marketing Cookies
We currently do not use any marketing cookies or tracking tools for advertising purposes.
Security Measures
We implement comprehensive technical and organizational measures (TOMs) to protect your data in accordance with Art. 32 GDPR. For API calls, we use Vercel Runtime Logs as technical request logs and, for authenticated access, add minimal auth context (userId, organizationId, procedure identifier) for security analysis.
Technical and Organizational Measures (TOMs)
To protect your personal data, we have implemented the following measures:
Encryption
All data transmissions take place via HTTPS/TLS 1.3. Passwords are stored hashed with bcrypt. Session tokens are encrypted in storage. Database connections are SSL-encrypted.
Access Control
Role-based access control (RBAC) at the organization level with strict multi-tenant separation. Support for two-factor authentication (2FA/TOTP) for enhanced security. Automatic audit logs for security-relevant events (logins, password changes, 2FA activation).
Storage and Backups
Daily automated database backups with cloud provider Neon Tech in Frankfurt. 30-day backup retention with geo-redundant storage of critical data. Additional local cold storage archiving at the contractor. Blob media files that are no longer required are automatically removed according to documented retention rules.
AI Processing
For AI-powered meter reading analysis, images are transmitted via Vercel AI Gateway to Meta/Google. Processing takes place under Standard Contractual Clauses (SCC). Results are cached to minimize API calls.
Monitoring
Continuous monitoring of systems for suspicious activities. Implementation of rate-limiting for API endpoints. Vercel Runtime Logs capture technical request metadata; in addition, for each authenticated tRPC access we log only minimal auth context (userId, organizationId, procedure identifier, outcome, error code) without request/response payloads. Legal basis: Art. 6(1)(f) GDPR.
Organizational Measures
Strict organization separation: Each organization can exclusively access their own data. Automatic filtering of all database queries by organization ID. No cross-organization access possible.
International Data Transfers
As a global company, we work with service providers located outside the European Economic Area (EEA). For all data transfers to third countries, we ensure appropriate safeguards in accordance with Art. 44-49 GDPR.
Information about Data Transfers
We transfer personal data to subprocessors in the USA. The following security measures apply to these transfers:
Standard Contractual Clauses (SCC)
For all data transfers to the USA, we use EU Standard Contractual Clauses (SCC) in accordance with Commission Implementing Decision (EU) 2021/914. These clauses have been concluded between us and all US service providers and contain additional technical and organizational measures.
Involved Service Providers
The following subprocessors may process data in the USA: Vercel Inc. (Hosting & CDN), Neon Tech Inc. (Database Hosting), Resend Inc. (Email Service), Meta Platforms/Google LLC (AI Analysis), Mapbox Inc. (Mapping Services), Stripe Inc. (Payment Processing). Depending on the service, processing takes place in the EU (including Frankfurt/Ireland) and in the USA.
AI Processing in the USA
For automated meter reading analysis, images are transmitted to Meta/Google servers in the USA for processing. This is done on the basis of Art. 6(1)(b) and (f) GDPR (contract performance and legitimate interest), with Standard Contractual Clauses applied.
Additional Technical Measures
Server-side API calls to protect user IP addresses. Coordinate rounding for weather data (2 decimal places = ~1.1km precision) for data minimization. No transmission of personal data to AI services except anonymized property IDs.
Your Rights regarding International Transfers
You have the right to request a copy of the Standard Contractual Clauses from us. If you have any questions about international data transfers, please contact us at our email address.
Data Retention
How long we keep your data
- User accounts: Until the account is deleted
- Meter readings: Reading records remain until account deletion or mandatory statutory retention ends; linked photo blobs may be removed 12 months after submission
- Media and image files: Object gallery images are removed when an object is archived. Damage report photos remain until the report is permanently deleted. Meter reading photos may be removed 12 months after submission while the reading record remains.
- Activity and API access logs: Vercel Runtime Logs: up to 24 hours (plan-dependent); minimal application auth-context logs: only as long as required for security and abuse analysis
- Backups: 30 days
- Consent records: 3 years
Additional retention information: property gallery images are removed when a property is archived. Damage report photos remain until the damage report is permanently deleted. Meter reading photos may be removed 12 months after submission while the reading record remains. API request telemetry is processed via Vercel Runtime Logs. On the Pro plan, retention there is typically up to 24 hours (plan-dependent). In addition, minimal application-level auth-context logs are stored only as long as required for security and abuse analysis.
Weather Data and Attribution
Our platform uses weather data to provide location-based weather forecasts and alerts for your properties.
Data Source
Weather data provided by Bright Sky / Deutscher Wetterdienst (DWD). Licensed under CC BY 4.0.
Privacy Implementation
- API calls are made exclusively server-side via Vercel - no user IP addresses are transmitted to DWD
- Property coordinates are rounded to 2 decimal places (~1.1km precision) for data minimization
- No personal data is linked with weather data; only anonymous location coordinates are used
Last updated: April 7, 2026