Privacy Policy Effective as of: January 2026 We appreciate your interest in our services. Protecting personal data is of great importance to us. The following information is provided in accordance with Articles 13 and 14 of the GDPR (General Data Protection Regulation) and explains how we process personal data when you use our website and services. --- 1. Controller and Contact Information * **Controller** (for the website and processing activities within our own responsibility): **talsen team GmbH** Ludwig-Zeller-Str. 35, 83395 Freilassing, Germany * **Managing Director:** Dr.-Ing. Hans Egermeier * **Phone:** +49 8654 4579728 * **E-mail:** [office@talsen.team](mailto:office@talsen.team) * **Website:** [smart-doc-builder.talsen.team](https://smart-doc-builder.talsen.team/) * **Data Protection Officer:** Not appointed, as the legal requirements under Art. 37 GDPR / § 38 BDSG are not met. For any privacy-related matters, please contact us at the above address or email. --- 2. Scope and Roles * This Privacy Policy applies to the website **https://smart-doc-builder.talsen.team/** and the services offered there (in particular, user accounts and the upload of video/audio files for AI-supported transcription and summarization), as well as our customer communication and contract handling. * **Roles:** * For the processing of **content data** (uploaded videos, generated transcripts and summaries, associated metadata), we may act as a **data processor** on behalf of our business customers under Art. 28 GDPR. In such cases, the customer is the **data controller** and responsible for the legal basis and information obligations regarding the uploaded content. * For the operation of the website, user accounts, authentication, transactional emails, and billing/payment processes, we act as the **data controller**. --- 3. Data Sources * We process data that you actively provide to us (e.g., during registration, login, uploads). * We process automatically collected technical data when you use our website or services (e.g., server log files, device/browser information). --- 4. Purposes, Categories, and Legal Bases (when we act as Controller) 4.1 Visiting the Website (Server Log Files) * **Data:** IP address, date/time, accessed content/URLs, referrer, user agent (browser/OS), possibly provider information. * **Purpose:** Website provision, stability, IT security, and error analysis. * **Legal basis:** Art. 6(1)(f) GDPR (legitimate interest in secure and stable operation). 4.2 User Account / Registration and Login * **Data:** Email address, authentication data (e.g., password hash on the server side), account status (e.g., verified/unverified), login timestamps, and security logs. * **Purpose:** Account setup and management, authentication, fraud prevention, and provision of contractual functions. * **Legal basis:** Art. 6(1)(b) GDPR (performance or preparation of a contract); Art. 6(1)(f) GDPR (security and abuse prevention). 4.3 Transactional Emails (Email Verification, Password Reset) * **Data:** Email address, email delivery metadata (e.g., time of sending, status), and security-related tokens (verification/reset tokens). * **Purpose:** Account security (email verification), delivery of requested security functions (password reset), and communication necessary for using the service. * **Legal basis:** Art. 6(1)(b) GDPR (contract performance / providing requested functionality); Art. 6(1)(f) GDPR (legitimate interest in securing user accounts and preventing abuse). 4.4 Communication and Support (via email) * **Data:** Communication content, contact details, metadata (e.g., timestamps). * **Purpose:** Handling requests, support, and quality assurance. * **Legal basis:** Art. 6(1)(b) GDPR (contractual context) and/or Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries). 4.5 Contract and Payment Processing (if applicable) * **Data:** Contract and billing data (name, email, address), selected products/plans, payment details (tokenized data, transaction IDs â we do not store full credit card numbers). * **Purpose:** Contract performance, payment handling, accounting, taxation, fraud prevention. * **Legal basis:** Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(c) GDPR (legal obligations), Art. 6(1)(f) GDPR (fraud prevention). --- Legal Bases Overview (Controller Role) When we act as **controller**, we process personal data based on the following legal bases under the GDPR: * **Art. 6(1)(b) GDPR** (contract performance / pre-contractual measures): e.g., account creation, login, providing the requested service. * **Art. 6(1)(c) GDPR** (legal obligation): e.g., retention obligations under tax and commercial law (if applicable). * **Art. 6(1)(f) GDPR** (legitimate interests): e.g., IT security, abuse prevention, stable operation of the website and service. --- 5. Hosting and Processors / Sub-Processors 5.1 Hosting (Website / Application Infrastructure) * **Hosting provider:** STRATO GmbH, Otto-Ostrowski-StraĂe 7, 10249 Berlin, Germany. * **Purpose:** Provision of hosting infrastructure for the website and application. * **Legal basis:** Art. 6(1)(f) GDPR (secure and efficient provision of our online offering); where applicable Art. 6(1)(b) GDPR (contract performance). * We have concluded a data processing agreement (Art. 28 GDPR) with our hosting provider. 5.2 Processing of Content Data as Data Processor (Art. 28 GDPR) If we process uploaded content data on behalf of customers, the following applies: * **Subject:** AI-supported transcription and summarization of uploaded video/audio files. * **Data categories:** Content data (image/sound, potentially personal data of third parties, possibly special categories under Art. 9 GDPR), generated transcripts/summaries, technical metadata (filename, duration, format), usage/process data (upload time, processing steps, status). * **Controller:** The respective customer (uploader/company). * **Processor:** We process content data solely on the customerâs documented instructions under a Data Processing Agreement (DPA) and only use approved sub-processors. * **Training:** We do not use content data or outputs to train our own or third-party foundation models, unless explicitly agreed in writing. 5.3 Sub-Processors and Third-Country Transfers * We use carefully selected service providers for infrastructure and AI processing. In particular, AI-supported transcription and summarization is performed exclusively using models hosted within the European Union: * **Nebius B.V.** (EU-based infrastructure) â provision of GPU compute and model hosting within the EU. * **Mistral AI** (Paris, France) â provision of AI models hosted within the EU. * A current overview/list of all sub-processors and their locations is available on request via office@talsen.team. * As of the effective date of this policy, no transfers of content data to countries outside the EU/EEA take place for AI processing purposes. All AI models used are hosted on infrastructure located within the European Union. * Should this change in the future, we will implement appropriate safeguards in accordance with Chapter V GDPR, including: * **EU Standard Contractual Clauses (SCC)** under Art. 46 GDPR and additional technical/organisational measures. * Where applicable, reliance on an adequacy decision or certification under the **EUâU.S. Data Privacy Framework (DPF)**. * Further information is available upon request at office@talsen.team. --- 6. Categories of Recipients * **Hosting/Server Operation:** STRATO GmbH (EU). * **Payment Services (if used):** Payment providers named during checkout, acting as independent controllers or processors â please refer to their privacy notices. * **Other recipients:** IT service providers (maintenance/operations), tax authorities, legal advisors or courts (for compliance or enforcement) â based on contracts or legal obligations. --- Obligation to Provide Data and Consequences of Non-Providing Providing certain personal data is necessary to conclude and perform the contract for using the Service: * **Required data:** In particular your email address and authentication data needed to create and secure your account. * **If you do not provide required data:** We may not be able to create an account, provide access to the Service, process requests (e.g., password reset), or conclude/perform the contract. Providing other data (e.g., optional profile or billing fields) is voluntary, unless explicitly marked as required during checkout. --- 7. Data Retention Periods * **Server logs:** Typically 7â14 days; longer retention only in exceptional cases (e.g., security incidents). * **User account data:** For the duration of use; deletion upon request or account deletion unless legal obligations apply. * **Content data:** According to customer instructions and/or configured retention settings. By default, we retain content only as long as needed to provide the Service and as configured in your account; you can delete content at any time. * **Contract/payment data:** Retention for 6â10 years as required by tax and commercial law. * **Support communication data:** Until completion of the request and applicable limitation periods. --- 8. Cookies and Local Storage (TTDSG) / Analytics We do **not** use tracking cookies, web analytics tools, or advertising technologies on this website. Only technically necessary storage (e.g., session/auth tokens) may be used to provide the Service. If this changes, we will inform users in advance and, where necessary, obtain consent. --- 9. Security * Data transmission between your browser and our website uses SSL/TLS encryption. * We apply appropriate technical and organisational measures to protect data (e.g., access controls, encryption at rest where applicable, logging, and least-privilege principles). --- 10. Data Subject Rights Under Articles 7(3), 15â21, and 77 GDPR, you have the following rights: * Withdraw consent at any time with future effect (where processing is based on consent). * Access your stored personal data. * Rectification of inaccurate or incomplete data. * Erasure (âright to be forgottenâ) where no overriding obligations exist. * Restriction of processing in certain cases. * Data portability in a common, machine-readable format. * Objection to processing based on Art. 6(1)(f) GDPR for reasons arising from your particular situation, and to direct marketing at any time (if applicable). * Lodge a complaint with a supervisory authority, e.g. **Bayerisches Landesamt fĂŒr Datenschutzaufsicht (BayLDA)**, Promenade 27, 91522 Ansbach, Germany, or the authority responsible for your place of residence. **Contact for rights requests:** [office@talsen.team](mailto:office@talsen.team) --- Objection to Marketing Emails We do not send marketing emails by default. If we ever send marketing communications, you can object at any time and unsubscribe with future effect, for example via an unsubscribe link in the email or by contacting us at [office@talsen.team](mailto:office@talsen.team). --- 11. Minors and Target Audience Our services are **not intended for persons under 16 years of age**. We do not knowingly process data from minors without the required consents. --- 12. Automated Decision-Making / Profiling We do **not** use automated decision-making within the meaning of Art. 22 GDPR. No profiling takes place. --- 13. Changes to this Privacy Policy We may update this Privacy Policy from time to time, for example, to reflect changes in legal requirements or service adjustments. Please check this policy regularly. The current version always applies.