Datenschutzerklärung
Privacy Policy
Version: 01.09.2025
1. Controller
Krafthub GmbH
Marktplatz 4
85567 Grafing
Germany
HRB 304667 Local Court of Munich
Email: [datenschutz@krafthub.ai]
2. General Information
This Privacy Policy informs you about the processing of personal data when using our craft business software (SaaS), our websites and related services. The software is aimed exclusively at entrepreneurs within the meaning of Section 14 BGB (German Civil Code).
3. Purposes of Processing and Legal Bases
3.1 Contract Fulfilment (SaaS Service)
- Provision of the software and user accounts
- Storage and management of content (e.g. documents, invoices, offers, emails, voice recordings, WhatsApp messages)
- Billing,
support, communication
Legal basis: Art. 6 (1) (b) GDPR
3.2 Operation and Security
- Operation of IT systems, backups, monitoring, troubleshooting
- Prevention
of misuse and fraud, IT security
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest)
3.3 Marketing and Communication
- Information about updates, new features and offers
- Direct
marketing to existing customers
Legal basis: Art. 6 (1) (f) GDPR; Sec. 7 UWG (German Act Against Unfair Competition)
3.4 Free Plan: Use of Anonymised Data for AI/LLM Training
- When using the free plan, we process content (e.g. documents, invoices, offers, emails, voice recordings, WhatsApp messages) exclusively in anonymised form in order to improve and train our AI and language models.
- Participation in the free plan requires your explicit consent. Without consent, use is only possible under a paid subscription.
- Legal basis: Art. 6 (1) (a) GDPR (consent)
Note on responsibility for AI results: AI outputs (in particular suggested formulations, price suggestions/calculations, and decisions derived from them) are provided for assistance only. Liability for content accuracy, commercial suitability, and related financial losses, including lost business, revenue, or profit, is excluded; the liability provisions in the Terms of Service apply.
4. Anonymisation
Before being used for training purposes, data is irreversibly anonymised. This includes in particular:
- Removal of names, addresses, phone numbers, email addresses
- Removal of customer/employee numbers, bank and payment data
- Removal or neutralisation of company identifiers (e.g. logos, project IDs)
- Redaction of any other features that could enable identification
Non-anonymised original data is deleted after anonymisation and not further processed.
5. Categories of Data
- Master data (e.g. name, company, contact details)
- Contract data (e.g. subscription plan, billing information)
- Usage data (e.g. log files, IP addresses, device information)
- Content entered by customers into the software (e.g. documents, invoices, emails, voice recordings, WhatsApp messages and media files)
6. Recipients / Third-Party Disclosure
- Hosting and infrastructure providers (frontend, backend, database)
- Authentication service providers (Auth0)
- Email delivery and messaging service providers
- AI inference and embedding service providers (EU/EEA regions only, see Section 6.4)
- Disclosure only within the scope of processing under Art. 28 GDPR
- Personal data is processed in the regions listed below within the EU/EEA; processing outside the EU/EEA is not planned for these services. Details in Section 6.4 and Annex 2 of the Terms of Service.
6.1 Email Account Connections (Gmail & Outlook)
krafthub.ai allows you to optionally connect your email accounts to manage your communications in one place. This section explains what information we access when you connect your Gmail or Outlook/Microsoft 365 account.
What we access when you connect your Gmail account:
- Read your emails: We access your Gmail messages, including email content, subject lines, sender and recipient information, timestamps, attachments, and attachment content. Email attachments are stored and analyzed to enable document management, AI-powered insights, and search functionality within krafthub.ai.
- Send emails: We send emails on your behalf when you compose and send messages through krafthub.ai.
- Modify and organize: We modify email properties (read/unread status, labels, folders) and delete emails when you perform these actions in krafthub.ai.
- Basic profile: We access your name, email address, and profile picture.
What we access when you connect your Outlook/Microsoft 365 account:
We access the same types of information as described above for Gmail: email messages, attachments and their content, sending capability, email organization, and basic profile information.
Important notes:
- Connecting email accounts is completely optional
- You can disconnect at any time through your krafthub.ai settings
- Our use of Google user data complies with Google API Services User Data Policy, including the Limited Use requirements
- For information about how we use, store, and protect this data, see sections 3 (Purposes), 7 (Storage Period), and 9 (Data Security) of this privacy policy
Legal basis: Art. 6 (1) (a) GDPR (consent) and Art. 6 (1) (b) GDPR (contract performance).
6.2 Email Delivery Service (Mailgun)
krafthub.ai uses Mailgun, an email delivery service provider, to send transactional and service-related emails to users. This section explains how Mailgun processes your personal data when we send emails through their service.
What data is processed by Mailgun:
- Email addresses: Recipient email addresses are processed to deliver emails (registration confirmations, demo confirmations, service updates, feature notifications)
- Names: Recipient names may be included in email content for personalization
- Email content: Email subject lines and body content (including dates, times, and other service-related information) are processed for delivery
- Delivery metadata: Mailgun processes technical delivery information (delivery status, open rates, click tracking) for email delivery optimization and troubleshooting
Purpose of processing:
- Delivery of registration confirmation emails
- Delivery of demo appointment confirmation emails
- Delivery of service-related communications and feature update notifications
- Email delivery optimization and reliability
Important notes:
- Mailgun acts as a subprocessor under Art. 28 GDPR
- Mailgun processes data exclusively within the EU/EEA
- Data processing is limited to email delivery purposes only
- You can unsubscribe from service update emails at any time through your account settings or by using the unsubscribe link in the emails
- For more information about Mailgun's data processing, please refer to their privacy policy at https://www.mailgun.com/privacy-policy/
Legal basis: Art. 6 (1) (b) GDPR (contract performance) for transactional emails (registration confirmations, demo confirmations) and Art. 6 (1) (f) GDPR (legitimate interest) for service-related communications and feature updates.
6.3 WhatsApp Messaging Service (Twilio)
krafthub.ai integrates WhatsApp messaging functions via Twilio to enable communication with your customers. This section explains how Twilio processes personal data when you use this feature.
What data is processed by Twilio:
- Phone numbers: Sender and recipient phone numbers are processed to route messages.
- Message content: Text content of messages, including media files (images, videos, documents, voice recordings) and location data, is processed for delivery and stored in krafthub.ai.
- Profile information: WhatsApp profile names and identifiers may be processed.
- Delivery metadata: Technical information such as delivery status, read receipts, and timestamps.
Purpose of processing:
- Enabling real-time communication between businesses and their customers via WhatsApp.
- Providing message history and document management for WhatsApp communication.
- Technical delivery optimization and reliability.
Important notes:
- Twilio acts as a subprocessor under Art. 28 GDPR.
- Processing region: Ireland (EU/EEA)
- Processing is limited to messaging purposes. Media files are stored permanently in krafthub.ai secure storage.
- Use of WhatsApp messaging is optional and subject to the terms of use.
- For more information, see Twilio's privacy policy at https://www.twilio.com/legal/privacy and Meta's WhatsApp privacy policy.
Legal basis: Art. 6 (1) (b) GDPR (contract performance).
6.4 AI Services (Inference & Embeddings)
krafthub.ai uses AI services for text recognition, generation, classification, speech processing, and embeddings. Depending on the function, content you enter into the software or obtain from connected email accounts may be transmitted to the providers listed below. Processing is solely for providing the respective function.
6.4.1 Google Cloud Vertex AI (Gemini)
Provider: Google Cloud. Purpose: AI inference (text, image, audio, document analysis). Region: EU. Subprocessor under Art. 28 GDPR. Legal basis: Art. 6 (1) (b) GDPR; Art. 6 (1) (a) GDPR where applicable for optional connections.
6.4.2 Google Cloud Storage (GCS)
Provider: Google Cloud. Purpose: Temporary storage of files for AI processing (e.g. attachments, PDFs). Region: EU. Subprocessor under Art. 28 GDPR. Legal basis: Art. 6 (1) (b) GDPR.
6.4.3 Mistral AI
Provider: Mistral AI SAS (France). Purpose: AI inference for selected functions. Region: EU — processing in Mistral data centers in the EU. Subprocessor under Art. 28 GDPR. Legal basis: Art. 6 (1) (b) GDPR. Privacy: https://mistral.ai/terms/#privacy-policy
6.4.4 Microsoft Azure (Sweden Central)
Provider: Microsoft Ireland Operations Ltd. Purpose: Azure OpenAI (embeddings, document AI, LLM inference), Azure Content Understanding (document OCR, structured extraction), Azure Speech (speech recognition, e.g. WhatsApp). Region: EU (Sweden Central). Subprocessor under Art. 28 GDPR. Legal basis: Art. 6 (1) (b) GDPR. Privacy: https://privacy.microsoft.com/
6.5 Hosting & Infrastructure (Frontend)
6.5.1 Vercel Inc. — Frontend hosting and serverless functions. Region: EU (Frankfurt). Subprocessor under Art. 28 GDPR.
6.6 Backend Services
6.6.1 Heroku (Salesforce) — Backend API; managed inference (AI). Region: EU (Frankfurt).
6.6.2 Neon Tech — PostgreSQL database. Region: EU (Frankfurt).
6.6.3 Auth0 (Okta) — Authentication. Region: EU.
6.6.4 Cloudflare R2 — File/object storage. Region: EU.
6.6.5 Pure Memcache (via Heroku) — Cache. Region: EU.
The providers listed in 6.6 act as subprocessors under Art. 28 GDPR. Legal basis: Art. 6 (1) (b) GDPR.
6.7 Cloudflare Turnstile (Public Forms)
Provider: Cloudflare Inc. Purpose: Bot protection on public forms (e.g. demo request, contact). Data processed: IP address, browser/device information, interaction data. Region: EU. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest) or Art. 6 (1) (a) GDPR (consent), depending on the form.
6.8 Subprocessor Overview
The complete list of all subprocessors with processing regions is available in Annex 2 of the Terms of Service at www.krafthub.ai/legal/krafthub_AGB_en.html.
Several of the listed subprocessors belong to groups whose parent company is based in the USA (including Vercel, Google, Microsoft, Cloudflare, Twilio, Salesforce/Heroku, Okta/Auth0). While your data is processed in the stated EU/EEA regions, where access from a third country cannot be excluded due to the corporate structure, such access is safeguarded by appropriate guarantees under Art. 46 GDPR — in particular EU Standard Contractual Clauses (SCC), supplementary technical measures, and, where applicable, certification under the EU-US Data Privacy Framework.
7. Storage Period
- Contract and billing data: according to statutory retention periods (HGB, AO)
- Content data: for the duration of the contract; deletion no later than 30 days after contract end
- Backups: automatically overwritten after max. 7 days
- Free plan raw data for training: stored only until anonymisation; afterwards only anonymised data without personal reference is used
8. Data Subject Rights
In accordance with Art. 15 et seq. GDPR you have the right to:
- Obtain information about the processed data
- Rectification of inaccurate data
- Erasure or restriction of processing
- Data portability
- Object to processing based on legitimate interests
- Withdraw consent (e.g. for free plan training) with effect for the future
Withdrawal leads to exclusion from the free plan; further use is only possible under a paid subscription.
8.1 Exercising Your Right to Erasure
To exercise your right to erasure (data deletion), please send an informal request to datenschutz@krafthub.ai. Please include the email address associated with your account. We will process your request within 30 days. Please note that certain data may be retained if required for legal or contractual reasons (e.g. for billing purposes, as described in Section 13 of our General Terms and Conditions).
9. Data Security
We implement technical and organisational measures (TOM) in accordance with Art. 32 GDPR, including:
- Encryption (in transit and at rest)
- Access control, role and rights management
- Logging, monitoring, intrusion detection
- Tenant separation
- Regular backups and recovery tests
10. Data Protection Officer
Gaitis Kasims, Marktplatz 4, Grafing, 85567, datenschutz@krafthub.ai
11. Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority is, for example, the Bavarian State Office for Data Protection Supervision (BayLDA).
12. Changes to this Privacy Policy
We reserve the right to amend this Privacy Policy in the event of changes to our services or legal requirements. We will provide appropriate notice of material changes.