Privacy Policy

Effective Date: 15 April 2025

1.1. Who We Are

ValidFlow ("we", "us", "our") is operated by Max Henkes, Infanteriestraße 14A, Munich, Germany. Contact: henkes2max@gmail.com.

1.2. Scope

This Privacy Policy explains how we collect, use, share and protect personal data when you use ValidFlow (the "Service"). It is drafted to meet the requirements of the EU General Data Protection Regulation (GDPR).

1.3. Data We Process

| Category | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Account Data | Name (optional), email address, hashed password, Stripe customer ID | Account creation & log‑in | Art. 6 (1)(b) GDPR – contract performance |
| Business Idea Inputs & Files | Text you submit describing an idea | Core AI analysis | Art. 6 (1)(b) GDPR – contract performance |
| Generated Reports | PDF & dashboard output | Provide service & history | Art. 6 (1)(b) |
| Payment Data | Card details (processed directly by Stripe) | Billing | Art. 6 (1)(b) |
| Usage Data / Cookies | IP address, device type, pages visited (via Google Analytics & Vercel logs) | Analytics, security | Art. 6 (1)(f) – legitimate interests (service improvement) / Art. 6 (1)(a) – consent (non‑essential cookies) |

1.4. Automated Processing & AI

We transmit your inputs to OpenAI LLC and Anthropic PBC to generate validation results. Processing is automated; no solely‑automated decision produces legal effects concerning you.

1.5. Retention

  • Account & idea data: kept until you delete the project or request erasure.
  • Generated PDF reports: same as above.
  • Billing records: 10 years (German tax law).
  • Server logs & backups: 30 days.

1.6. Sub‑processors & International Transfers

| Provider | Role | Location | Safeguard |
|---|---|---|---|
| Supabase Inc. | Auth & DB | EU DC + US backup | Standard Contractual Clauses (SCCs) |
| Vercel Inc. | Hosting | EU & US | SCCs |
| OpenAI LLC | AI inference | US | SCCs |
| Anthropic PBC | AI inference | US | SCCs |
| Stripe Payments Europe Ltd. / Stripe Inc. | Payments | EU/US | Intra‑group SCCs |
| Google LLC (Analytics) | Analytics | US | SCCs |
| Resend Inc. | Transactional emails | US | SCCs |

Transfers outside the EEA rely on SCCs under Art. 46 GDPR.

1.7. Your Rights

You may access, rectify, erase, restrict, object to processing, or receive a copy of your data (data portability). Contact us at the address above. You have the right to lodge a complaint with the Bavarian Data Protection Authority or your local supervisory authority.

1.8. Security

We use TLS encryption in transit, AES‑256 at rest (Supabase), role‑based access, and least‑privilege keys.

1.9. Children

The Service is not directed to anyone under 16 years. We do not knowingly collect data from children under 16; parents may contact us to delete such data.

1.10. Changes

We may update this Privacy Policy. Material changes will be announced by email or in‑app notice at least 14 days before they take effect.


Last updated: April 15, 2025