Custodi

Privacy Policy

This privacy policy explains how we collect, use, and protect your personal information.

Data Controller

David Huh - Software-as-a-Service & IT-Dienstleistungen

Lucian-Reich-Str. 16

76473 Iffezheim

impressum@davidhuh.de

Data Protection Officer

You can reach our Data Protection Officer at impressum@davidhuh.de.

Purposes of Processing

  • User authentication and account management
  • Organization and property management
  • Meter reading and utility data processing
  • Location-based property identification and proximity detection
  • Security and fraud prevention
  • Analytics and service improvement

Your Rights

  • Right to access your personal data
  • Right to restrict processing
  • Right to data portability
  • Right to lodge a complaint

Subprocessors

We use the following subprocessors to provide our services

Vercel Inc.

Added: Oct 5, 2025
Purpose:Hosting & CDN
Location:USA
Server Location:Germany (Frankfurt)
Safeguards:Standard Contractual Clauses (SCC)

Neon Tech Inc.

Added: Oct 5, 2025
Purpose:Database Hosting
Location:USA
Server Location:Germany (Frankfurt)
Safeguards:Standard Contractual Clauses (SCC)

Resend Inc.

Added: Oct 5, 2025
Purpose:Email Service
Location:USA
Server Location:Ireland
Safeguards:Standard Contractual Clauses (SCC)

Meta Platforms, Inc. / Google LLC

Added: Jan 16, 2026
Purpose:AI-powered meter reading analysis (via Vercel AI Gateway)
Location:USA
Server Location:USA
Safeguards:Standard Contractual Clauses (SCC)
Legal Basis:Art. 6(1)(b) GDPR - Contract performance; Art. 6(1)(f) GDPR - Legitimate interest in automated meter reading
Data Categories:
  • Meter reading images (utility consumption data)
  • Property identification data
  • Timestamp and location metadata
  • Processing results and accuracy metrics

Mapbox Inc.

Added: Nov 12, 2025
Purpose:Address geocoding, map visualization, and location services
Location:USA
Server Location:Global CDN (EU nodes available)
Safeguards:Standard Contractual Clauses (SCC)
Legal Basis:Art. 6(1)(b) GDPR - Contract performance; Art. 6(1)(f) GDPR - Legitimate interest in providing accurate location-based services
Data Categories:
  • Property addresses (search queries)
  • Geographic coordinates (latitude/longitude)
  • IP address (for rate limiting)
  • Browser user agent (technical requirement)

Bright Sky API / Deutscher Wetterdienst (DWD)

Added: Jan 5, 2026
Purpose:Weather data and forecasting services
Location:Germany
Server Location:Germany (DWD Offenbach)
Safeguards:Public sector data provider (DWD is a German federal authority); Server-side API calls only (no client IP addresses transmitted); Coordinates rounded to 2 decimals (~1.1km precision) for data minimization; Data licensed under CC BY 4.0
Legal Basis:Art. 6(1)(f) GDPR - Legitimate interest in providing weather alerts and forecasts for property management; Data minimization principles (Art. 5(1)(c) GDPR) applied through coordinate rounding and server-side processing
Data Categories:
  • Property geographic coordinates (rounded to 2 decimals for privacy)
  • Weather forecast data (temperature, precipitation, snowfall)
  • Location-based weather alerts
  • Note: API calls are made server-side via Vercel; no user IP addresses are transmitted to DWD

Stripe, Inc.

Added: Feb 14, 2026
Purpose:Payment processing and fraud prevention
Location:USA
Server Location:USA / Global
Safeguards:Standard Contractual Clauses (SCC)
Legal Basis:Art. 6(1)(b) GDPR - Contract performance; Art. 6(1)(f) GDPR - Legitimate interest in fraud prevention
Data Categories:
  • Payment information (credit card details, bank account info)
  • Billing address
  • Transaction metadata
  • Customer identification data

Cookies

We use cookies and similar technologies to ensure website functionality, analyze usage, and store your preferences. For detailed information about the cookies we use, their purpose, retention period, and legal basis, please see our comprehensive Cookie Policy at /legal/cookie-policy.

Information about Cookie Usage

Our website uses different categories of cookies:

Strictly Necessary Cookies

These cookies are essential for the operation of the website and cannot be disabled. These include authentication cookies (custodi_session), language settings (custodi_locale), theme settings (custodi_theme), and fraud prevention cookies from Stripe (__stripe_mid, __stripe_sid). Legal basis: Art. 6(1)(f) GDPR.

Analytics Cookies

We use Vercel Analytics to collect anonymized usage data. These cookies are only set after your explicit consent and help us improve performance and usability. Legal basis: Art. 6(1)(a) GDPR.

Marketing Cookies

We currently do not use any marketing cookies or tracking tools for advertising purposes.

To the comprehensive Cookie Policy

Security Measures

We implement comprehensive technical and organizational measures (TOMs) to protect your data in accordance with Art. 32 GDPR. Detailed information about our security measures can be found in our Data Processing Agreement (DPA) documentation and the measures listed below.

Technical and Organizational Measures (TOMs)

To protect your personal data, we have implemented the following measures:

Encryption

All data transmissions take place via HTTPS/TLS 1.3. Passwords are stored hashed with bcrypt. Session tokens are encrypted in storage. Database connections are SSL-encrypted.

Access Control

Role-based access control (RBAC) at the organization level with strict multi-tenant separation. Support for two-factor authentication (2FA/TOTP) for enhanced security. Automatic audit logs for security-relevant events (logins, password changes, 2FA activation).

Storage and Backups

Daily automated database backups with cloud provider Neon Tech in Frankfurt. 30-day backup retention with geo-redundant storage of critical data. Additional local cold storage archiving at the contractor.

AI Processing

For AI-powered meter reading analysis, images are transmitted via Vercel AI Gateway to Meta/Google. Processing takes place under the application of Standard Contractual Clauses (SCC). Results are cached to minimize API calls.

Monitoring

Continuous monitoring of systems for suspicious activities. Implementation of rate-limiting for API endpoints. Regular security checks and updates.

Organizational Measures

Strict organization separation: Each organization can exclusively access their own data. Automatic filtering of all database queries by organization ID. No cross-organization access possible.

International Data Transfers

As a global company, we work with service providers located outside the European Economic Area (EEA). For all data transfers to third countries, we ensure appropriate safeguards in accordance with Art. 44-49 GDPR.

Information about Data Transfers

We transfer personal data to subprocessors in the USA. The following security measures apply to these transfers:

Standard Contractual Clauses (SCC)

For all data transfers to the USA, we use EU Standard Contractual Clauses (SCC) in accordance with Commission Implementing Decision (EU) 2021/914. These clauses have been concluded between us and all US service providers and contain additional technical and organizational measures.

Involved Service Providers

The following subprocessors are located in the USA: Vercel Inc. (Hosting & CDN), Neon Tech Inc. (Database Hosting), Resend Inc. (Email Service), Meta Platforms/Google LLC (AI Analysis), Mapbox Inc. (Mapping Services), Stripe Inc. (Payment Processing). All servers of these providers are located in Germany (Frankfurt), except for Resend (Ireland).

AI Processing in the USA

For automated meter reading analysis, images are transmitted to Meta/Google servers in the USA for processing. This is done on the basis of Art. 6(1)(b) and (f) GDPR (Contract performance and legitimate interest) under application of Standard Contractual Clauses.

Additional Technical Measures

Server-side API calls to protect user IP addresses. Coordinate rounding for weather data (2 decimal places = ~1.1km precision) for data minimization. No transmission of personal data to AI services except anonymized property IDs.

Your Rights regarding International Transfers

You have the right to request a copy of the Standard Contractual Clauses from us. If you have any questions about international data transfers, please contact us at our email address.

Data Retention

How long we keep your data

  • User accounts: Until the account is deleted
  • Meter readings: Until account deletion or mandatory statutory retention ends
  • Activity logs: 12 months
  • Backups: 30 days
  • Consent records: 3 years

Additional retention information

Weather Data and Attribution

Our platform uses weather data to provide location-based weather forecasts and alerts for your properties.

Data Source

Weather data provided by Bright Sky / Deutscher Wetterdienst (DWD). Licensed under CC BY 4.0.

Privacy Implementation

  • API calls are made exclusively server-side via Vercel - no user IP addresses are transmitted to DWD
  • Property coordinates are rounded to 2 decimal places (~1.1km precision) for data minimization
  • No personal data is linked with weather data; only anonymous location coordinates are used

Last updated: February 14, 2026