Privacy Policy
Effective date: May 30, 2026
1. Introduction
This Privacy Policy explains how Winkler Technologies GmbH ("we," "us," "our") processes personal data when you use myHERALD, our autonomous AI content engine SaaS platform ("Platform").
We take your privacy seriously and are committed to protecting your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the German Bundesdatenschutzgesetz ("BDSG"), the Telekommunikation-Telemedien-Datenschutz-Gesetz ("TTDSG"), and any other applicable data protection legislation.
2. Data Controller
Winkler Technologies GmbH
Managing Director: Fabian Winkler
Achter de Knick 4, 24980 Schafflund, Germany
Commercial Register: HRB 18225, Amtsgericht Flensburg
Tax ID: in application
Email: [email protected]
3. Data We Collect
3.1 Account & Registration Data
- Full name
- Email address
- Password (stored as a secure hash by Supabase Auth)
- Workspace name and settings
- Team member invitations (email addresses)
3.2 Platform Usage Data
- Content inputs you provide (brand voice documents, briefs, knowledge base uploads, skills)
- AI-generated content outputs (articles, social posts, research reports, drafts)
- Chat conversation history with the AI agent
- Pipeline execution metadata (timestamps, agent runs, token usage, costs)
- Workspace configuration and taxonomy settings
- Payment and billing data (processed by Stripe; we do not store full card numbers)
3.3 Third-Party Platform Data
- Authentication tokens and profile information from third-party platforms you connect (e.g. LinkedIn, Reddit, X/Twitter) for content publishing
- API keys or other credentials you provide for third-party platform integrations
3.4 Technical & Log Data
- IP address
- Browser type and version
- Operating system
- Referrer URL
- Date and time of access
- Pages visited and features used
4. Purposes and Legal Bases for Processing
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and operating the Platform (account creation, AI content generation, chat interface, publishing) | Art. 6(1)(b) – Performance of contract |
| Processing payments and managing subscriptions | Art. 6(1)(b) – Performance of contract |
| Sending transactional emails (confirmations, receipts, account notices) | Art. 6(1)(b) – Performance of contract |
| Security, fraud prevention, and abuse detection | Art. 6(1)(f) – Legitimate interest |
| Analytics and Platform improvement | Art. 6(1)(a) – Consent (via cookie banner) |
| Marketing communications (newsletters, product updates) | Art. 6(1)(a) – Consent (opt-in per UWG § 7) |
| Compliance with legal obligations (tax records, audit requirements) | Art. 6(1)(c) – Legal obligation |
5. AI-Powered Data Processing
myHERALD uses artificial intelligence to generate content on your behalf. When you submit content briefs, knowledge base documents, skills, or brand voice materials, this data is processed by our AI pipeline to produce content outputs.
How AI Processing Works
- Your input data (briefs, brand voice, knowledge base, skills, chat messages) is sent to Anthropic's Claude API for content generation. Anthropic processes this data as a sub-processor under our instructions.
- Document embeddings for semantic search (RAG) are generated via Voyage AI (voyage-multimodal-3.5). Only numerical vector representations are stored. The original text sent for embedding is not stored.
- AI-generated outputs are stored in your workspace within our Supabase database (EU/Frankfurt region).
Important Disclosures per EU AI Act Art. 50
- All content produced by the Platform is AI-generated. You are responsible for reviewing, editing, and labeling AI-generated content before publication, as required by the EU AI Act.
- We do not use your content inputs or outputs to train our AI models. Your data is processed solely to deliver the service you requested.
- No fully automated decisions with legal or similarly significant effects are made about you based on AI processing. AI is used exclusively to generate content at your direction.
6. Sub-Processors and International Data Transfers
We use the following third-party service providers (sub-processors) to operate the Platform. Where data is transferred outside the EEA, we rely on the transfer mechanisms indicated.
6.1 Infrastructure Sub-Processors
These services process data automatically as part of operating the Platform.
| Sub-Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Supabase Inc. | Backend, authentication, database (PostgreSQL + pgvector) | USA (data hosted in EU/Frankfurt) | EU Data Processing Addendum; data residency in EU |
| Anthropic PBC (Claude API) | AI content generation, multi-agent orchestration | USA | Standard Contractual Clauses (SCCs); Data Processing Addendum |
| Google LLC (Gemini API) | AI image generation, URL content fetching | USA | EU–US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs) |
| Voyage AI (MongoDB, Inc.) | Document embeddings / semantic search (RAG) | USA | Standard Contractual Clauses (SCCs); Data Processing Addendum |
| OpenAI Inc. | Voice input transcription (speech-to-text) | USA | Standard Contractual Clauses (SCCs); Data Processing Addendum |
| Railway Corp. | Application hosting and infrastructure | USA | Standard Contractual Clauses (SCCs) |
| Stripe Inc. | Payment processing and subscription billing | USA | EU–US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs); PCI DSS compliant |
| PostHog Inc. | Product analytics and event tracking | EU (eu.posthog.com) | EU-hosted instance; no international transfer |
| Google LLC (Google Analytics 4) | Website analytics and traffic measurement | USA | EU–US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs) |
| Resend Inc. | Transactional email delivery (confirmations, receipts) | USA | Standard Contractual Clauses (SCCs); Data Processing Addendum |
| Loops Inc. | Marketing email sequences and contact management | USA | Standard Contractual Clauses (SCCs); Data Processing Addendum |
| Brave Software Inc. | Web search API for AI agent research tasks | USA | Standard Contractual Clauses (SCCs) |
| Cal.com Inc. | Scheduling and booking functionality (demo booking) | USA | Standard Contractual Clauses (SCCs) |
6.2 User-Connected Platform Integrations
When you connect a third-party platform to myHERALD for content publishing or data import, your content and, where applicable, profile information are shared with that platform. These connections are always initiated by you and may use OAuth, API keys, or other authentication methods provided by the respective platform.
myHERALD acts as a processor on your behalf when transmitting content to connected platforms. Each platform acts as an independent data controller for any data you publish to or retrieve from it. Data processing on the platform side is governed by that platform's own privacy policy.
Currently available integrations include LinkedIn for content publishing and Google Drive for exporting content you create in myHERALD. Additional platforms (such as Reddit, X/Twitter, Facebook, Instagram, Threads, and others) may be added over time. Because these integrations are user-initiated and each platform is an independent controller, the addition of new platform integrations does not constitute a material change to this Privacy Policy.
For all US-based platform providers, we rely on the EU–US Data Privacy Framework (where the provider is certified) and/or Standard Contractual Clauses (SCCs) as the transfer mechanism for any personal data transferred outside the EEA.
6.3 Google User Data
When you connect a Google account to myHERALD, we request access only to the Google Drive folder you select through Google's file picker and to the files myHERALD creates in that folder on your behalf (the drive.file scope). We do not request access to your full Google Drive and cannot see files you have not selected.
- What we access: a destination folder you choose via the Google Picker, and the export files myHERALD creates in it. If you don't choose a folder, exports go to a "myHERALD" folder we create at the root of your Google Drive.
- How we use it: solely to export content you create in myHERALD into the Google Drive location you choose. We do not read your existing Drive files, we do not use Google user data for advertising, and we do not sell it.
- How we store it: your Google access and refresh tokens are stored encrypted and used only to perform exports you initiate.
- How we share it: we do not transfer Google user data to third parties except the sub-processors listed in Section 6.1, strictly to operate this feature, and never for advertising or to train AI models.
myHERALD's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
7. Cookies and Similar Technologies
We use cookies and similar technologies as described in our Cookie Policy. In accordance with § 25 TTDSG, strictly necessary cookies are set without consent. All other cookies require your prior consent via our cookie banner.
8. Data Retention
- Account data: Retained for the duration of your account. Upon account deletion, personal data is deleted within 30 days, except where retention is required by law.
- Dormant accounts: Free and expired-trial accounts (accounts without an active paid subscription) that show no activity for 12 months are deleted after advance email notice, sent 30 and 7 days beforehand. Any sign-in cancels the deletion. Accounts with an active subscription are never deleted for inactivity.
- Billing records: Invoices and payment records are retained by our payment processor in line with statutory tax retention periods.
- Content & workspace data: Retained until you delete it or close your account. Soft-deleted content is permanently purged after 30 days.
- Server logs: Automatically deleted after 90 days.
- Marketing consent records: Retained for the duration of consent plus 3 years for proof of consent.
9. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) – Obtain confirmation of whether your data is processed and request a copy.
- Right to rectification (Art. 16) – Correct inaccurate or incomplete personal data.
- Right to erasure (Art. 17) – Request deletion of your personal data ("right to be forgotten").
- Right to restrict processing (Art. 18) – Limit how we use your data in certain circumstances.
- Right to data portability (Art. 20) – Receive your data in a structured, machine-readable format.
- Right to object (Art. 21) – Object to processing based on legitimate interest or for direct marketing.
- Right to withdraw consent (Art. 7(3)) – Withdraw consent at any time without affecting the lawfulness of prior processing.
- Right not to be subject to automated decision-making (Art. 22) – We do not make automated decisions with legal effect about you.
To exercise any of these rights, contact us at [email protected]. We will respond within one month. You also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement.
10. Additional Rights for California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights:
- Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt out of "sale" or "sharing": We do not sell or share your personal information for cross-context behavioral advertising.
- Non-discrimination: We will not discriminate against you for exercising your CCPA rights.
To make a request, contact us at [email protected]. We will verify your identity before fulfilling your request.
11. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS) and at rest, Row Level Security (RLS) policies ensuring strict cross-tenant data isolation, regular security reviews, and access controls limiting data access to authorized personnel and systems. Despite these measures, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.
12. Children's Privacy
Our Platform is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we learn that we have inadvertently collected data from a child under 16, we will delete it promptly.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Platform at least 30 days before taking effect. The "Effective date" at the top of this page indicates when this version was last updated.
14. Contact
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
Email: [email protected]
Postal address: Winkler Technologies GmbH, Achter de Knick 4, 24980 Schafflund, Germany