Sign inRequest access

Privacy Policy

Effective date: 9 May 2026.

1. Controller

The controller responsible for the processing of your personal data within the meaning of the General Data Protection Regulation (GDPR) is:

Lukas Beier
Seelingstraße 5
14059 Berlin
Germany
Phone: +49 1573 9030020
Email: lukas@storyteller.business

2. Overview of processing

We process personal data of users of Zahlenwerk to provide our financial planning service, to operate this website securely, to respond to enquiries, and, only with your consent, to gather aggregate usage statistics that help us improve the product.

Categories of data: account data (email, hashed credentials), content data (the financial models you create), communication data, technical access data (IP address, user agent, request timestamps).

Data subjects: users of our service, visitors to this website, communication partners.

3. Legal bases

We rely on the following legal bases under Art. 6 (1) GDPR:

  • Consent (lit. a), for optional analytics, set via the cookie banner.
  • Contract (lit. b), to provide accounts and the Zahlenwerk service to you.
  • Legal obligation (lit. c), e.g. to keep records required by law.
  • Legitimate interests (lit. f), for securing the service against abuse and ensuring availability.

4. Account & service data

When you create an account or use the Zahlenwerk app, we process the data necessary to provide the service: your email, an authenticated session, and the financial data you enter. Authentication is handled via Supabase (see “Processors” below); session cookies are strictly necessary and are not gated by the consent banner. Legal basis: Art. 6 (1) (b) GDPR.

5. Hosting & processors

We engage the following processors under data processing agreements (Art. 28 GDPR):

  • Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA), application hosting and content delivery. Transfers to the USA are safeguarded by the EU Standard Contractual Clauses and the EU–US Data Privacy Framework.
  • Supabase Inc. (970 Toa Payoh North #07-04, Singapore 318992), database, authentication and storage backend. Where EU regions are configured, data is stored within the EU; otherwise transfers are safeguarded by the EU Standard Contractual Clauses.
  • Inngest Inc. (2261 Market Street #4818, San Francisco, CA 94114, USA), background job processing for uploaded report parsing. Transfers to the USA are safeguarded by the EU Standard Contractual Clauses.
  • Stripe Payments Europe, Ltd. (1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland), payment processing for paid plans. Stripe acts as an independent controller for fraud-prevention processing in line with its own privacy policy; transfers outside the EU are safeguarded by the EU Standard Contractual Clauses.
  • Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland), Gemini large-language-model API used to power the chat assistant and to extract structured data from uploaded reports. Content sent to Gemini is processed solely to return a response and is not used by Google to train its models. Transfers outside the EU are safeguarded by the EU Standard Contractual Clauses.
  • Groq, Inc. (525 University Avenue, Palo Alto, CA 94301, USA), secondary large-language-model API used as a fallback for the chat assistant. Transfers to the USA are safeguarded by the EU Standard Contractual Clauses.

Content sent to AI providers. When you chat with the assistant or upload a report, the message text and the extracted text of the document are sent to the AI providers above for the sole purpose of returning a response or extracting structured data. We do not send the raw binary file, nor data from other users in the same request. You can avoid AI processing entirely by not using the chat surface and by not uploading reports.

6. Cookies & similar technologies

We use a small number of strictly necessary cookies for authentication and session security; these are set without consent because the service cannot function without them (§ 25 (2) TDDDG).

We additionally use localStorage on your device to remember your cookie banner choice (key zw-consent-v1).

All other technologies, in particular analytics, are loaded only after you actively consent via the cookie banner. You can withdraw your consent at any time via the “Cookie settings” link in the footer; withdrawal takes effect immediately and does not affect the lawfulness of processing carried out before withdrawal.

7. Web analytics (consent only)

With your consent we use Vercel Web Analytics and Vercel Speed Insights (Vercel Inc., USA) to understand aggregate usage and page performance. These tools are designed to avoid persistent identifiers and do not build cross-site profiles. Processing takes place on Vercel infrastructure under the safeguards listed above. Legal basis: Art. 6 (1) (a) GDPR; § 25 (1) TDDDG. Without consent, no analytics scripts are loaded and no analytics requests are sent.

8. Data retention

We retain personal data only as long as necessary for the purposes set out above or to comply with statutory retention periods (e.g. tax and commercial law obligations of up to 10 years). Account data is deleted within a reasonable period after you close your account, unless overriding legal obligations require longer retention.

9. Your rights

Subject to the conditions of the GDPR, you have the right to:

  • access your personal data (Art. 15);
  • have inaccurate data rectified (Art. 16);
  • have your data erased (Art. 17);
  • have processing restricted (Art. 18);
  • data portability (Art. 20);
  • object to processing based on legitimate interests (Art. 21); and
  • withdraw consent at any time, with effect for the future (Art. 7 (3)).

To exercise these rights, please contact us at lukas@storyteller.business.

10. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority. The authority responsible for us is the Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin, Germany.

11. Changes to this policy

We may update this Privacy Policy to reflect changes in our service or in applicable law. The current version is always available at this URL; material changes will be communicated in the app where appropriate.