Privacy Policy

1. Data Controller

Ulrich Diedrichsen, Kippingstraße 27, 20144 Hamburg, Germany. Email: business@moinsen.dev

2. What Data We Process

Post Text

When you click "Analyze", your post text is sent to our server and forwarded to the Anthropic Claude API for analysis. For authenticated users, the post text and analysis results are stored in our database to provide analysis history. Free-tier users' posts are processed in transit. You can request deletion of your analysis history at any time.

IP Address (Hashed)

To enforce the free usage limit (3 analyses per 30 days), we create a SHA-256 hash of your IP address combined with a server-side salt. This one-way hash is stored in Cloudflare KV with a 30-day expiry. We never store your raw IP address. The hash cannot be reversed to recover your IP.

Local Storage (Browser Only)

We use your browser's localStorage to remember two preferences: your selected theme (light/dark) and your preferred language (EN/DE). This data never leaves your browser and is not sent to our servers.

Session Cookie

When you sign in, Conrad sets a single HttpOnly session cookie (conrad_session) containing an encrypted JWT token. This cookie is strictly necessary for authentication — it is not used for tracking. It expires after 7 days or when you log out. No third-party cookies are used.

Email Address

When you create an account, we store your email address for authentication (magic link login) and account identification. We do not share your email with third parties or use it for marketing. You can request deletion at any time.

Billing Data (Stripe)

If you purchase credits or a Pro subscription, payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription status but never your credit card number or payment details. Stripe's privacy policy applies to payment data.

Wishlist Data

Feature suggestions and votes you submit to the community wishlist are stored with your user ID. Wish titles, descriptions, and vote counts are publicly visible. You can request deletion of your submissions at any time.

No Analytics or Tracking

We do not use Google Analytics, Meta Pixel, or any other analytics or tracking service. We do not collect behavioral data, browsing patterns, or usage statistics.

3. Legal Basis

We process data under Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest is providing the post analysis service. The processing is minimal (text analyzed in transit, IP hashed and auto-deleted after 30 days) and proportionate to the service provided.

4. Third-Party Processors

Anthropic (Claude API)

Your post text is sent to Anthropic's Claude API for analysis. Anthropic processes the text to generate risk scores and recommendations. Anthropic's data processing terms apply. Anthropic does not use API inputs for model training.

Stripe

Payment processing is handled by Stripe, Inc. When you make a purchase, Stripe processes your payment information directly. We never receive or store your full credit card details. Stripe's privacy policy and PCI DSS compliance apply.

Resend

We use Resend to send magic link authentication emails. Resend processes your email address solely for delivery purposes and does not use it for marketing.

Cloudflare

Our application runs on Cloudflare Pages. Cloudflare provides hosting, CDN, and the KV storage used for rate limiting. Cloudflare processes requests in accordance with their privacy policy and DPA.

Cloudflare Turnstile

We use Cloudflare Turnstile to verify that form submissions come from humans, not bots. Turnstile runs invisibly in the background without presenting puzzles or CAPTCHAs. It may analyze browser signals (mouse movements, interaction patterns) to distinguish humans from bots. No personal data is collected or stored by Turnstile beyond what is needed for the verification. Cloudflare's privacy policy applies.

5. Data Retention

Rate limit records (IP hashes) are automatically deleted after 30 days via Cloudflare KV TTL expiry. Analysis history is retained for the lifetime of your account and can be deleted on request. Account data (email, preferences) is retained until you delete your account. Billing records are retained as required by German tax law (AO §147, UStG §14b — 10 years for invoices and financial transaction metadata).

6. Consent Management

We track your consent for specific data processing activities. You can grant or revoke consent at any time through your account settings. We record proof of consent (timestamp, policy version) for audit compliance under DSGVO. The following consent types are managed:

• Terms of Service — Required for account creation
• Privacy Policy — Required for account creation
• Telegram Data — Required to use Conrad via Telegram (coming soon)
• Memory Storage — Required to save personal context for analysis (coming soon)
• Team Sharing — Required to share analysis scores with your team (coming soon)

7. Account Deletion (Art. 17)

You can delete your account at any time from your dashboard settings. When you request deletion:

1. Your active subscription (if any) is immediately canceled
2. Your post texts are anonymized — analysis scores are retained in aggregate for service improvement
3. All personal data (wishes, votes, magic links, consents) is permanently deleted
4. Your session is invalidated and the account is marked for deletion
5. After a 30-day grace period, remaining account data is permanently removed

Exception: Financial transaction metadata (amounts, dates, Stripe IDs) is retained for 10 years as required by German tax law (AO §147). This metadata does not contain personal information after account anonymization.

8. Data Export (Art. 20)

You can export all your data at any time from your dashboard settings. The export includes your profile, all analyses (with full post text), credit transactions, consent records, and wishlist entries. Exports are provided as a downloadable JSON file. You can request one export every 24 hours.

9. Your Rights (GDPR Art. 15–21)

You have the right to:

• Access — Request information about data we process about you (Art. 15)
• Rectification — Correct inaccurate data (Art. 16)
• Erasure — Delete your account and all associated data (Art. 17) — available directly in your dashboard
• Restriction — Restrict processing of your data (Art. 18)
• Data portability — Download all your data as JSON (Art. 20) — available directly in your dashboard
• Objection — Object to processing based on legitimate interest (Art. 21)

To exercise any of these rights, you can use the self-service tools in your dashboard or contact us at business@moinsen.dev.

You also have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement. For Hamburg: Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit.

10. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated date. Continued use of Conrad after changes constitutes acceptance.