Privacy Policy — Legal Monitor
Version 1.3 — effective from 19.04.2026 (legal: marketing communication Art. 6(1)(a) GDPR, opt-in emails to free-plan users)
1. Data Controller
Thorsten Ahrens, Serahr
Email: contact@serahr.de
Website: serahr.de
2. Overview: What Data Is Processed?
Account (email, hashed password, email confirmation timestamp + IP), consent records (accepted AGB/DSE version and timestamp), marketing consent (opt-in status, timestamp, DSE version at time of consent), company profile, data processing details, keywords, website scan data (URL, cookies, third-party services, legal-page extracts, scan authorization confirmation), contract data (subscription status, Stripe IDs, scan tokens), signup source (UTM + referrer, one-time), API key (hashed), webhook URL, payment data (via Stripe), server logs (Vercel IP + request path, 30 days), scanner logs (Hetzner, 14 days).
3. Legal Basis
- Art. 6(1)(b) GDPR — Contract performance: account, monitoring, scan, webhook calls to customer-configured URLs, Stripe email sync.
- Art. 6(1)(f) GDPR — Legitimate interest: server logs, scanner logs, abuse prevention (rate limiting), pseudonymous marketing-channel analysis (UTM/referrer). Balancing results in favor of the processor, because processing is limited to what is technically necessary and does not profile individuals.
- Art. 6(1)(a) GDPR — Consent: (a) scan authorization (active confirmation that the customer is authorized to scan the given website); (b) biweekly marketing notifications to free-plan users who have opted in (see § 14).
- Art. 6(1)(c) GDPR — Legal obligation: tax retention (§ 147 AO, 10 years for invoices), disclosure to law enforcement under Regulation (EU) 2023/1543.
4. AI Processing
Legal source analysis uses an AI language model. Model provider: Anthropic PBC (USA). Access is via OpenRouter Inc. (USA) as intermediary. Both are listed as processors in § 7.
What is transmitted: public legal texts; anonymized company profile (industry, size — no name, email, or other identifying attributes); aggregated keywords of all active subscribers in pseudonymized form (without subscriber attribution). This multi-subscriber aggregation enables cross-topic relevance checks. Therefore do not enter confidential or personally identifying terms as keywords.
What is NOT transmitted: name, email, company name, payment data, webhook URL, API key, scan URL, raw customer scan results (other than the aggregated pseudonymized inputs above).
Scanner AI: During a website scan, scan results (cookies, third-party services, legal-page extracts max. 1500 characters) are sent to the AI model to obtain a structured legal assessment. These data refer exclusively to the website the customer has authorized to scan (Terms § 3).
5. Website Scan
The scanner uses Playwright/Chromium to visit the customer-provided URL, captures only what a visitor would see, identifies itself as SerahrLegalMonitor/1.0 (+https://serahr.de/legal-monitor/bot), respects robots.txt, stores only the first 1500 characters of linked legal pages, blocks requests to internal and cloud-metadata endpoints, and runs on a Hetzner server in Germany. A scan requires active scan-authorization confirmation (Terms § 3), which is logged with a timestamp.
6. Disclosure to Law Enforcement
We may be legally required to disclose stored data to law enforcement authorities on the basis of a European Production Order or Preservation Order pursuant to Regulation (EU) 2023/1543. Legal basis: Art. 6(1)(c) GDPR.
7. Processors
Supabase Inc. (database, EU Ireland), Vercel Inc. (hosting + cron, EU Edge), Hetzner Online GmbH (scanner server, Germany), Resend Inc. (email, USA/DPF), Stripe Inc. (payments, USA/DPF), OpenRouter Inc. (AI access intermediary, USA/DPF), Anthropic PBC (AI language model Claude Sonnet 4, USA/DPF). DPAs under Art. 28 GDPR exist with all. SCCs under Art. 46(2)(c) GDPR additionally in place with US processors independent of DPF status.
8. Retention
Account data: until deletion + 30-day grace. Company profile: until deletion. Consent records (AGB/DSE version + timestamp, Art. 7(1) GDPR): until deletion + 30 days. Marketing consent (opt-in status, timestamp, DSE version — retained also after withdrawal to satisfy Art. 7(1) GDPR accountability): until deletion + 30 days. Double-opt-in evidence (email-confirmation IP + timestamp, § 7(2)(2) UWG): until deletion + 30 days. Scan results (incl. DSE extract): max 12 months. Monitoring results: max 12 months. Vercel server logs: 30 days. Hetzner scanner logs: 14 days (Docker log rotation, 3 files × 10 MB). Resend delivery logs: up to 180 days per Resend's policy. Stripe transactions: 10 years per § 147 AO (customer removed on deletion; invoices retained for tax). Two automated jobs enforce retention: a daily hard-delete of accounts whose deletion request is older than 30 days, and a monthly purge of expired scan/monitoring data.
9. Your Rights and Deletion
Under GDPR: Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction (Art. 18), Portability (Art. 20), Objection (Art. 21). Deletion flow: via Dashboard → Settings → Delete Account (or email contact@serahr.de); sets deletion_requested_at + cancels Stripe subscription immediately; after 30-day grace (export available), account incl. Stripe customer is permanently deleted by the hard-delete cron.
10. Right to Complain
You have the right to lodge a complaint with a data protection supervisory authority.
11. AI Transparency (Art. 50 AI Act)
Pursuant to Art. 50(2) AI Act (EU 2024/1689, transparency duties effective 02.08.2026): All topic summaries, relevance/recommendation outputs and scan assessments generated by the service are AI-generated (model: Claude Sonnet 4, Anthropic PBC, via OpenRouter). AI outputs carry a machine-readable label (attribute data-ai-generated="true" in emails, "AI" badge in the UI) and are post-processed against hard scan facts to reduce obvious hallucinations. No automated decision-making under Art. 22 GDPR takes place. Independent professional review remains necessary.
12. Necessity of Data Provision
Email and company profile are required for contract performance (Art. 6(1)(b) GDPR). Keywords, webhook URL, and data-processing details are voluntary.
13. Cookies and Tracking
No tracking cookies, no third-party trackers. Auth uses Supabase Auth with secure HTTP cookies (httpOnly, SameSite=Lax). Legal basis for technically necessary cookies: § 25 para 2 no 2 TDDDG (Telecommunications and Digital Services Data Protection Act, replaced TTDSG on 14.05.2024).
14. Marketing Communication
Legal basis: Art. 6(1)(a) GDPR (consent). This communication is optional and strictly opt-in — no marketing emails without your consent. Paid product emails (monthly monitoring reports, invoices, transactional emails such as welcome or password reset) are contract performance under Art. 6(1)(b) GDPR and do not depend on this consent.
Scope of consent: On the free plan, we send an email after every biweekly monitoring run (1st and 15th of the month) containing an aggregated count of how many relevant legal and regulatory changes would have affected your configured keywords during that period — broken down into the internal categories "Action Required", "Monitor" and "Informational". Titles and details of the individual findings are not included in these emails; they are part of the paid Pro service.
Consent and withdrawal: You give consent actively at signup (separate from AGB/DSE acceptance) or any time later in the dashboard under Settings → Account → Email Notifications. For the accountability requirement we store your opt-in status, the timestamp, and the DSE version effective at the time of consent. Withdrawal is possible at any time via (a) the dashboard toggle, (b) the unsubscribe link in each notification email (List-Unsubscribe per RFC 8058), or (c) an informal email to contact@serahr.de. Withdrawal takes effect immediately going forward; prior sends remain lawful.
After withdrawal: Sending stops immediately. The record of your original consent (status, timestamp, DSE version) is retained until account deletion + 30 days and is used exclusively to satisfy the accountability requirement under Art. 7(1) GDPR; no further processing occurs.
No transfer: The marketing consent is not shared with third parties and is not used for personalized advertising, retargeting, or profiling. The content of notifications is derived solely from your configured keywords and publicly available legal sources.
15. Webhook Notifications
If you configure a webhook URL, we send an HTTP POST request to it on new findings, containing: timestamp, your company name, finding status, structured topics. Legal basis: Art. 6(1)(b) GDPR (contract performance). The transfer goes directly from our server to your URL — you are responsible for the legal basis vis-à-vis the recipient system. Security: webhook URLs are checked against internal and cloud-metadata endpoints to prevent server-side request forgery (SSRF); only HTTP/HTTPS targets are accepted.
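The target check described in § 5 (scanner blocks internal and cloud-metadata endpoints) and § 15 (webhook URLs checked for SSRF, HTTP/HTTPS only) can be illustrated with the following validator. This is an added example written for this page, not the service's own code; the function names, the blocked-hostname list and the sample addresses are assumptions, and DNS resolution is injectable so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Tuple, Union
from urllib.parse import urlsplit

# Hypothetical validator (not the service's code). It implements the check
# the policy describes: only http/https targets, and no internal or
# cloud-metadata endpoints. Hostnames are resolved so that a public name
# that points at a private address is rejected as well.

ALLOWED_SCHEMES = {"http", "https"}
# Assumed list of names treated as internal regardless of what they resolve to.
BLOCKED_HOSTS = {"localhost", "metadata"}
BLOCKED_HOST_SUFFIXES = (".internal", ".local", ".localhost")

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _is_blocked_address(ip: IPAddress) -> bool:
    """True for any address an outbound request must never reach."""
    return (
        ip.is_private        # 10/8, 172.16/12, 192.168/16, fc00::/7, ...
        or ip.is_loopback    # 127/8, ::1
        or ip.is_link_local  # 169.254/16 (cloud metadata lives here), fe80::/10
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified  # 0.0.0.0, ::
    )


def _resolve(host: str) -> Iterable[str]:
    """Default resolver: every address the system resolver returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_outbound_target(
    url: str, resolve: Callable[[str], Iterable[str]] = _resolve
) -> Tuple[bool, str]:
    """Return (allowed, reason) for a customer-supplied URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    host = parts.hostname  # lower-cased; IPv6 brackets already stripped
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if host in BLOCKED_HOSTS or host.endswith(BLOCKED_HOST_SUFFIXES):
        return False, f"internal hostname: {host}"

    # Literal IP? Check it directly. Otherwise check every resolved address,
    # because the resolver (not just ip_address) decides what "0x7f000001"
    # or a rebinding-style hostname actually points at.
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"unresolvable host: {host} ({exc})"
        if not candidates:
            return False, f"host has no addresses: {host}"

    for ip in candidates:
        mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:a.b.c.d -> a.b.c.d
        if mapped is not None:
            ip = mapped
        if _is_blocked_address(ip):
            return False, f"target resolves to blocked address {ip}"
    return True, "ok"


# Constructed DNS table so the example runs without network access.
FAKE_DNS = {
    "hooks.example.com": ["1.2.3.4"],      # constructed public address
    "evil.example.com": ["10.0.0.5"],      # public name, private target
    "0x7f000001": ["127.0.0.1"],           # what a libc resolver would do
}


def fake_resolve(host: str) -> Iterable[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in [
        "https://hooks.example.com/notify",
        "ftp://hooks.example.com/",
        "http://169.254.169.254/latest/meta-data/",
        "http://localhost:8080/hook",
        "http://[::ffff:127.0.0.1]/",
        "http://evil.example.com/",
        "http://0x7f000001/",
    ]:
        print(candidate, "->", validate_outbound_target(candidate, fake_resolve))
```

Validation at save time is only the first half of the control: the address checked here and the address connected to later can differ if DNS answers change between the two, so a production sender should re-check the resolved address at connect time (or pin the connection to the validated address) and apply the same check to every redirect hop rather than following redirects blindly.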
16. Changes
We reserve the right to update this Policy. Changes will be published on this page. Material changes are announced to subscribers by email.