GDPRPrivacy Policy

Privacy Policy

Last updated: May 2026

English translation of our German Datenschutzerklärung. In case of conflict, the German version prevails.

1. Controller

Ferrufino Tech Solutions ("we", "us", "our")
Sole proprietorship · Owner: Davide Daniel Ferrufino-Brandeis
Braunaugenstraße 28, 80939 München, Germany
Email: privacy@ferrufino-tech-solutions.com

2. Data We Collect

2.1 Account Data

When you register, we collect your name, email address, and password (managed by our authentication provider, Clerk). This data is necessary for contract performance (Art. 6(1)(b) GDPR).

2.2 Case Data

You create case cards containing observations, root causes, resolutions, and evidence files (images, documents). This is data you choose to store in the platform. Processing is based on contract performance.

2.3 Usage Data

We collect pseudonymized, privacy-friendly analytics and error reports (via Sentry) to improve the platform. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

3. Data Processors

  • Clerk — Authentication (USA, EU Standard Contractual Clauses)
  • Anthropic (Claude) — AI-assisted features: content you enter (descriptions, AI draft, translation) and uploaded images/attachments (text recognition/OCR) are transmitted to Anthropic (USA, EU SCCs) for processing. Content is not used to train the models. Legal basis: Art. 6(1)(b) GDPR (contract performance on your instruction).
  • OpenAI — where semantic similarity search is enabled, case text is sent to OpenAI (USA, EU SCCs) to generate vector embeddings; not used for training. Legal basis: Art. 6(1)(b) GDPR.
  • Neon / PostgreSQL — Database hosting (EU region)
  • Cloudflare R2 — File storage (EU region)
  • Stripe — Payment processing (PCI DSS compliant)
  • Sentry — Error/performance analysis and Session Replay (recorded sessions for error diagnosis; text, inputs and media are technically masked/blocked, so no case content is captured). EU data center, legal basis Art. 6(1)(f) GDPR.
  • Upstash — Rate limiting / abuse prevention (briefly processes user/IP identifiers). Legal basis Art. 6(1)(f) GDPR.
  • Resend — Transactional email
  • Plausible Analytics — Privacy-friendly website analytics (EU-hosted, no cookies)
  • Vercel — Hosting infrastructure

Data processing agreements (Art. 28 GDPR) are in place with the above processors (the providers' standard DPAs). Business customers receive a data processing agreement (DPA) with us on request.

4. Data Retention

We retain account and case data for as long as your account is active. Upon account deletion, personal data is erased (or irreversibly anonymized) within 30 days; case content authored within an organization remains the organization's property and is re-attributed to a "Deleted user". Billing records are retained for 10 years per German tax law (§ 147 AO).

5. Your Rights (GDPR)

You have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data ("right to be forgotten", Art. 17)
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)
  • Withdraw consent at any time (Art. 7(3))

To exercise these rights, contact privacy@ferrufino-tech-solutions.com or use the "Delete my account" option in your profile settings.

6. International Transfers

Where data is processed outside the EU/EEA, we ensure adequate safeguards via EU Standard Contractual Clauses (SCCs) or adequacy decisions.

7. Cookies

We use only essential cookies required for authentication and session management. No tracking or advertising cookies are used.

8. Security

We implement appropriate technical and organizational measures including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews.

9. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. The competent authority for us is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany — www.lda.bayern.de.

10. Automated Decision-Making

We do not carry out solely automated decision-making, including profiling, within the meaning of Art. 22 GDPR that produces legal effects concerning you. AI features (e.g. text suggestions, similarity search) merely assist your own work; you make the decisions.

11. Changes

We may update this policy from time to time. We will notify registered users of material changes via email.