Privacy Policy
Information on the processing of personal data pursuant to GDPR.
1. Controller
The controller within the meaning of the GDPR is Viedev GmbH, Am Hoffeld 10, 83703 Gmund a. Tegernsee, Germany. Managing Directors: Christian Ruoff, Niko Berger. Contact for privacy enquiries: support@kasimir.ai
2. Categories of data processed
We process the following categories of data: β’ Account data (name, email, company) on registration or invitation β’ Chat content: conversations, uploaded documents, transcribed audio recordings β’ Generated content: texts, workflow outputs, embeddings β’ Technical data: IP address, user agent, login timestamps β’ Optional, on beta application: name, email, company, intended use case
3. Legal bases
β’ Art. 6 (1) lit. b GDPR β performance of contract (account, chat service) β’ Art. 6 (1) lit. f GDPR β legitimate interest (security, bot protection, error-free service delivery) β’ Art. 6 (1) lit. a GDPR β consent (e.g. optional embeddings on user-uploaded documents) β’ Art. 6 (1) lit. c GDPR β legal obligation (tax-law-mandated retention)
4. Recipients and processors
β’ Cloudflare Inc. (USA) β CDN, DDoS protection, edge worker, DNS, TLS, bot protection (Turnstile). DPA via standard contractual clauses. β’ Self-hosted on Hetzner (Germany, Falkenstein) β database (Supabase), auth, object storage for documents and audio, LLM routing proxy (LiteLLM), vector embeddings (BAAI/bge-m3), audio transcription (faster-whisper), web search (SearXNG). No third-country transfers. β’ LLM providers (variable by tenant configuration): self-hosted models in Germany (default) or external providers via OpenRouter/vendor-direct, each with their own privacy policy. Tenants control model selection per conversation. β’ SendGrid (Twilio Inc., USA) β transactional emails (magic links, confirmations, contact form). DPA via standard contractual clauses. β’ Google Ireland Ltd. / Google LLC (USA) β Google Analytics (reach measurement), only with the user's consent. DPA via standard contractual clauses.
5. Transfers to third countries
Structural transfers to the USA concern Cloudflare (connection metadata, IP) and SendGrid (email content). Legal basis: EU Standard Contractual Clauses plus supplementary measures (TLS encryption, purpose limitation). Consent-based transfers to the USA arise with Google Analytics (Google Ireland Ltd. / Google LLC) if you have consented to reach measurement. Legal basis: Art. 6 (1) lit. a GDPR; the transfer takes place on the basis of the EU Standard Contractual Clauses and does not occur without your consent. Configuration-dependent transfers occur when a tenant configures a non-EU LLM model. Tenants control this via model selection: any model with slug prefix 'self-hosted-' is processed exclusively on the Hetzner infrastructure in Germany.
6. Storage period
β’ Account data: until account deletion β’ Chat content and generated texts: until user deletion; deletable by the user at any time β’ Beta applications: maximum 12 months β’ Technical logs: 14-day rotation Statutory retention periods (German Commercial Code, Tax Code) remain unaffected.
7. Data subject rights
You have the right to: β’ Information about your data (Art. 15 GDPR) β’ Rectification of inaccurate data (Art. 16) β’ Erasure (Art. 17, "right to be forgotten") β’ Restriction of processing (Art. 18) β’ Data portability (Art. 20) β’ Object to processing (Art. 21) β’ Lodge a complaint with a supervisory authority (Art. 77) If you have given consent, you may withdraw it at any time (Art. 7 (3) GDPR) without affecting the lawfulness of processing carried out before withdrawal. Contact for enquiries: support@kasimir.ai
8. Cookies
Technically necessary storage mechanisms that are used without consent: β’ Authentication session (HTTP-only cookie, Supabase SSR) β’ Theme preference (browser localStorage, no server sync) β’ Language selection (cookie for i18n routing) Legal basis for these: Art. 6 (1) lit. f GDPR in conjunction with Β§ 25 (2) no. 2 TTDSG (technically necessary for the provision of the expressly requested service). Only with your consent do we additionally set Google Analytics cookies (`_ga`, `_gid`) for pseudonymous reach measurement. Legal basis: Art. 6 (1) lit. a GDPR in conjunction with Β§ 25 (1) TTDSG. This consent is voluntary and can be withdrawn at any time with effect for the future via "Cookie settings"; until you consent, Google Analytics is not loaded.
9. Google Analytics
If you consent, we use Google Analytics 4, a web analytics service provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, USA). We operate Google Analytics with IP anonymisation enabled (`anonymize_ip`); your IP address is truncated before any storage. The purpose is the pseudonymous measurement of the reach and usage of our service in order to improve content and stability. Google Analytics is loaded only after your consent β before consent no data is transmitted to Google and no analytics cookies are set. Legal basis: Art. 6 (1) lit. a GDPR in conjunction with Β§ 25 (1) TTDSG. A transfer to the USA cannot be ruled out; the basis for this is the EU Standard Contractual Clauses. You can withdraw your consent at any time via "Cookie settings". Further information: https://policies.google.com/privacy
10. Cloudflare Turnstile (bot protection)
On login and the contact form we load Cloudflare Turnstile. Turnstile is a privacy-first alternative to classic CAPTCHA services β no tracking cookies, no cross-site tracking. Technical browser signals are transmitted to Cloudflare servers (USA). Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest: protection against automated attacks). Privacy policy: https://www.cloudflare.com/cloudflare-customer-privacy-policy/
11. SSL/TLS encryption
All connections to Kasimir are TLS-encrypted (Let's Encrypt certificates on the Hetzner origin, Cloudflare edge certificates). Recognisable by https:// in the address bar and the lock icon.
12. Data processing agreements with tenants
For pilot or production contracts with corporate customers we conclude a data processing agreement (DPA) pursuant to Art. 28 GDPR. This governs the processing of employee data of tenant organisations within the Kasimir system.
13. Status
Status: May 2026. The privacy policy will be updated on changes to the service or addition of new processors.