Privacy Policy | AllunoAI

Privacy Policy Last updated: 22.11.2025 1. Controller This Privacy Policy explains how SchmittDEV (“we”, “us”, “our”) processes your personal data when you use our website https;//schmittdev.org or our services. Controller (Data Controller under the GDPR): SchmittDEV Buchenweg 2 96138 Burgebrach, Germany Email: write@schmittdev.org If you have any questions about this Privacy Policy or our data protection practices, you can contact us at the details above. 2. Data Protection Officer (if applicable) If you have appointed a Data Protection Officer (DPO): Data Protection Officer: Felix Schmitt Email: felix@schmittdev.org If you do not have a DPO, you can delete this section. 3. What personal data we collect We may process the following categories of personal data: Technical and usage data IP address Date and time of access Browser type and version Operating system Referrer URL (previously visited page) Pages visited on our website and actions taken Approximate location (country/city based on IP) Contact data (when you contact us, e.g. via email or contact form) Name Email address Phone number (if provided) Company (if provided) Content of your message Account data (if you create an account or use a login area) Name Email address Username Password (stored in encrypted form) Profile information you provide Order and payment data (if you sell products / services online) Billing address Delivery address Purchased products/services Payment information (e.g. masked card data, payment provider) Transaction details, invoice data Newsletter data (if you run a newsletter) Name Email address Newsletter preferences (e.g. topics, language) Interaction with newsletter (opens, clicks, unsubscribe status) You will only need the categories that actually apply; you can delete the others. 4. Purposes and legal bases of processing We process your personal data for the following purposes and on the following legal bases (Art. 6 GDPR): Provision of our website and IT security To technically provide the website and ensure its stability and security. Legal basis: Art. 6(1)(f) GDPR (legitimate interest – operation of a secure, functioning website). Responding to enquiries To process and respond to your enquiries via email, contact form, or phone. Legal basis: Art. 6(1)(b) GDPR (performance of a contract or steps prior to entering into a contract), and/or Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries). User accounts / registration (if applicable) To create and manage your user account and provide you with our services. Legal basis: Art. 6(1)(b) GDPR. Order processing and contract performance (if applicable) To process your orders, deliver products or services, and handle payments. Legal basis: Art. 6(1)(b) GDPR; For legal retention obligations: Art. 6(1)(c) GDPR (legal obligation). Newsletter and marketing communication (if applicable) To send you information about our products, services, and offers. Legal basis: Art. 6(1)(a) GDPR (consent), or Art. 6(1)(f) GDPR (legitimate interest in direct marketing, where permitted by law). You can withdraw your consent or object to direct marketing at any time (see section “Your rights”). Web analytics and statistics (if you use analytics tools) To analyse how our website is used and improve our content and services. Legal basis: Art. 6(1)(a) GDPR (consent for non-essential cookies/analytics) and Art. 6(1)(f) GDPR (legitimate interest in analysing and improving our website, where cookies are essential/strictly necessary). Compliance with legal obligations and enforcement of rights To comply with legal obligations (e.g. tax or commercial law) and to establish, exercise, or defend legal claims. Legal basis: Art. 6(1)(c) GDPR (legal obligation), Art. 6(1)(f) GDPR (legitimate interest). 5. Cookies and similar technologies We use cookies and similar technologies on our website. Essential cookies: These are necessary for the basic functioning of the website (e.g. to store your cookie preferences, keep you logged in, operate the shopping cart). Legal basis: Art. 6(1)(f) GDPR (legitimate interest) or Art. 6(1)(b) GDPR. Analytics / performance cookies (if used): These help us understand how visitors use our website (e.g. pages visited, time spent). Legal basis: Art. 6(1)(a) GDPR (your consent). Marketing / tracking cookies (if used): These are used to display personalised advertising or to track users across websites. Legal basis: Art. 6(1)(a) GDPR (your consent). You can manage your cookie preferences at any time via our [cookie banner / cookie settings link] and also adjust your browser settings to refuse cookies. 6. Recipients of personal data We may share your personal data with the following categories of recipients, only to the extent necessary: IT service providers (hosting, maintenance, email service, CRM systems) Payment service providers (e.g. [Stripe, PayPal, etc.]) Shipping providers (if you sell physical goods) Newsletter service providers (e.g. [Mailchimp, Sendinblue/Brevo, etc.]) Analytics providers (e.g. [Google Analytics, Matomo, etc.]) Professional advisors (e.g. tax advisors, lawyers) Public authorities where required by law All service providers process data based on data processing agreements according to Art. 28 GDPR, where necessary. 7. International data transfers If we transfer personal data to recipients outside the European Economic Area (EEA), we ensure an adequate level of protection, for example by: An adequacy decision by the European Commission (Art. 45 GDPR), or Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46 GDPR), and, where necessary, additional safeguards. You can request a copy of the safeguards used by contacting us at [contact email]. 8. Storage periods We store your personal data only for as long as necessary for the purposes described in this Privacy Policy or as required by law. In particular: Technical data / log files: Usually stored for [e.g. 7–30 days], unless longer storage is required for security or evidence purposes. Contact enquiries: Stored for the duration of processing your request and for [e.g. 6–24 months] for follow-up questions. Contract and order data: Stored for the term of the contractual relationship and thereafter for the statutory retention periods (e.g. 6–10 years according to tax and commercial law). Newsletter data: Stored until you unsubscribe or withdraw your consent. After the relevant retention periods expire, personal data will be deleted or anonymised. 9. Your rights as a data subject Under the GDPR, you have the following rights regarding your personal data: Right of access (Art. 15 GDPR) You have the right to obtain confirmation whether we process your personal data and, if so, access to that data and further information. Right to rectification (Art. 16 GDPR) You have the right to request the correction of inaccurate or incomplete personal data. Right to erasure (“right to be forgotten”) (Art. 17 GDPR) You may request the deletion of your personal data, provided certain conditions are met. Right to restriction of processing (Art. 18 GDPR) You may request restriction of processing under certain conditions. Right to data portability (Art. 20 GDPR) You have the right to receive the personal data you provided to us in a structured, commonly used and machine-readable format, and to transmit that data to another controller where technically feasible. Right to object (Art. 21 GDPR) You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data based on Art. 6(1)(e) or (f) GDPR. You also have the right to object at any time to processing of your personal data for direct marketing purposes. Right to withdraw consent (Art. 7(3) GDPR) Where processing is based on your consent, you can withdraw that consent at any time with effect for the future. To exercise your rights, you can contact us at: [contact email]. 10. Right to lodge a complaint with a supervisory authority You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you believe that the processing of your personal data infringes the GDPR. 11. Automated decision-making / profiling We do not use your personal data for automated individual decision-making, including profiling, within the meaning of Art. 22 GDPR. If this changes in the future, we will inform you separately and provide all information required by law. 12. Third-party links Our website may contain links to third-party websites. We are not responsible for the content and data protection practices of these external sites. We recommend that you review the privacy policies of any third-party sites you visit. 13. Changes to this Privacy Policy We may update this Privacy Policy from time to time. The updated version will be published on this page with an updated “Last updated” date. We recommend that you review this Privacy Policy regularly.