Privacy Policy
This policy explains the nature, scope and purpose of personal-data processing on aisthetix.de and in the associated compliance check. Effective: May 2026.
1. Controller
Aisthetix
[Owner: full legal name]
[Street and number]
[Postcode and city], Germany
Email: hallo@aisthetix.de
2. Data collected when visiting the website
On every request to aisthetix.de, the hosting provider records technically required data (IP address, date/time, requested page, user-agent). This data is used to operate the service and defend against attacks (legal basis: Art. 6(1)(f) GDPR). It is deleted after 30 days at the latest. No cookies are set and no third-party tracking is used.
3. Processing within the compliance check
When you use the compliance check at aisthetix.de/en/compliance-check, we process the following data:
- Email address and company name — to provide the PDF report and to send the result by email (legal basis: Art. 6(1)(b) GDPR, pre-contractual). Retention: 30 days from report generation.
- Uploaded file — to perform the requested validation (Art. 6(1)(b) GDPR). Where the file contains personal data of third parties (e.g. client records), the user is the controller and Aisthetix acts as processor; see the data-processing agreement. The file and the derived report are automatically and irrevocably deleted after 30 days.
- IP address and email domain — for abuse-related rate limiting (3 uploads per IP per hour, 5 uploads per email domain per day). Legal basis: Art. 6(1)(f) GDPR, legitimate interest in protection from abuse. Retention: 24 hours maximum.
4. Processors
We engage the following processors under Art. 28 GDPR. Written data-processing agreements are in place with all of them.
- Hosting (Cloud Hub and compliance check): Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany — servers in region eu-central-1 (Germany).
- Marketing-website hosting: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. Transfer to the US based on Standard Contractual Clauses (Art. 46(2)(c) GDPR) and the EU-US Data Privacy Framework where applicable. Processed data: technical server logs (IP, user-agent), no content data.
- Transactional email: Resend, Inc., 2261 Market St #4667, San Francisco, CA 94114, USA. Used solely for delivering the compliance-check report to the address you provided. Transfer to the US based on Standard Contractual Clauses and the EU-US Data Privacy Framework where applicable.
- Rate limiting: Redis instance on the same Hetzner infrastructure in Germany — no third-country transfer.
5. No cloud-API processing of content data
Uploaded files are processed exclusively on Aisthetix-owned infrastructure within the EU. No content data is transmitted to external cloud APIs (OpenAI, Anthropic, Google, AWS Bedrock or similar). The validation logic runs deterministically on a local node and is documented in full at Validators.
6. Your rights
You have the right of access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20) and objection (Art. 21). Send requests to hallo@aisthetix.de. You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
7. Retention at a glance
- Server logs: 30 days
- Uploaded files and PDF reports: 30 days
- Email address / company name (lead magnet): 30 days
- Rate-limit counters: 24 hours
- Resend send-log: per Resend DPA