privma

Privacy Policy

Last updated: June 23, 2025

1. Introduction

This Privacy Policy explains how Agnosphere GmbH, the provider of privma, ("we," "our," or "us") collects, uses, shares, and protects your personal information. As a European data controller based in Germany, we are committed to protecting your privacy and handling your data in accordance with the General Data Protection Regulation (GDPR).

2. Purpose of Processing and Legal Basis

Our service helps you manage and understand your digital privacy across various platforms and use in different ways. We process your data for the following purposes, each with its specific legal basis under Article 6(1) GDPR:

  • Service Provision – Legal basis: Performance of the contract (Art. 6(1)(b) GDPR)
    • To process your registration on one of our Sites in accordance with the applicable terms of service. To facilitate the exercise of your data portability rights according to Art. 6(9) Digital Markets Act (DMA)
    • To provide you with insights about your digital presence and transparency of data collected about you by other services
  • Platform Connections – Legal basis: Consent (Art. 6(1)(a) GDPR)
    • To enable connection with third-party platforms of your choice
    • To retrieve and analyze data from connected platforms
    • To personalize AI services based on your imported data
  • Security Measures – Legal basis: Legal Obligation (Art. 6(1)(c) GDPR)
    • To maintain the security and functionality of our service
    • To prevent unauthorized access and fraud

3. Contact Information

The following party is known as the controller under data protection law and therefore responsible for the processing of personal data within the scope of this privacy policy:

Agnosphere GmbH
Leopoldstr. 31, 80802 München, Germany
Email: contact@privma.com

4. Registration

When you register for our service, you have the option to sign up using your existing accounts of third-parties (such as Google or Facebook), or you can provide your email address and a self-chosen password. At the time of registration, the following data is also processed: your IP address, and the date/time of registration. We delete this data as soon as it's no longer necessary for the purpose of its processing.

Google Sign-In

You have the option to register in our app using Google's login function. With "Google Sign-In," you can log in to our service using your Google account. The purpose of this option is to save you the effort of creating another account and the time involved in the registration process. When you log in with your Google account, your relevant data will be transmitted from Google to us, particularly your name, email address, profile picture, and language settings. Google, in turn, has the opportunity to collect and process certain information about your user behavior within our app. If you are logged in with your Google account, Google may receive data about your user activity, your app views, and other short-term data. Google LLC also processes data in part in the USA. For data transfers to the USA, an adequacy decision from the EU Commission exists. Google LLC is certified under this framework. The legal basis for this data processing is Art. 6 (1)(f) GDPR. With the "Google Sign-In" option, we pursue the legitimate interest of making it easier for you to use our app by not having to create another account and saving time in the registration process by using your Google account. Google deletes all data at the latest when you delete your Google account (https://policies.google.com/technologies/retention?hl=en). Further information on data protection at Google can be viewed at the following link: https://policies.google.com/privacy?hl=en.
You can object to the processing. Your right to object exists for reasons arising from your particular situation. You can send us your objection using the contact details provided in the "Contact" section.

Facebook Sign Up

To enable you to register in our app via your Facebook account, we have implemented a Facebook Login function using programming interfaces from Facebook (Meta Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland; hereinafter: "Facebook"). If you use the offered login function of our app, you have the option to sign up for our app via Facebook. The purpose of this integration is to simplify the registration process for you, optimize our registrations, and improve the conversion of Facebook campaigns. When you use the Facebook Login function, Facebook transmits personal data about you to us, in particular your first name, last name, email address, and Facebook User ID. Facebook also processes data in part in the USA. For data transfers to the USA, an adequacy decision from the EU Commission exists. Facebook is certified under this framework. The legal basis for this data processing is Art. 6 (1)(f) GDPR. With the Facebook Login function, we pursue the legitimate interest of saving you from having to register on our platform and optimizing our offering or tailoring it individually for you. According to Facebook, it ceases data processing as soon as the data is no longer required to provide services and Facebook products. Further information on storage duration and other information on data protection at Facebook can be found in the associated privacy policy at: https://www.facebook.com/about/privacy/.
You can object to the processing. Your right to object exists for reasons arising from your particular situation. You can send us your objection using the contact details provided in the "Contact Information" section.

5. Categories of Personal Data

We process the following categories of personal data:

  • Basic account information (email, account settings)
  • Authentication data for account security
  • Platform connection data when you choose to connect third-party services
  • Data retrieved from connected platforms based on your consent
  • Technical data necessary for service operation:
    • IP addresses for security and fraud prevention
    • Browser type and version for service compatibility
    • Device identifiers for security purposes
    • Access timestamps for security logging
    • Session identifiers for secure authentication

6. Data Collection

The data collection in general contains:

  • Your data transferred via data portability APIs of platforms (see platform-specific data collection) by your request
  • Your interaction with the application
  • Your direct input when using the platform and AI tools
  • Security Monitoring: Automatically collected for authentication and security purposes.

7. Platform-Specific Data Collection

For each platform you connect, we collect specific types of data through their respective Data Portability APIs, based on your explicit consent:

Data Protection for All Platform Integrations:

  • All platform data is collected through official Data Portability APIs
  • Each platform integration follows the respective platform's security requirements
  • You have granular control over which data types we can access
  • You can modify or revoke platform permissions at any time
  • Platform data is only processed for the purposes you've explicitly consented to.

Google Services

Through Google's Data Portability API:

  • Chrome History
  • Maps Activity
  • Search Activity
  • Shopping Activity
  • YouTube Activity

TikTok

Through TikTok's Data Portability API:

  • Profile Information (username, bio, profile media)
  • Posts and Videos (including privacy settings and content information)
  • Activity Data (interactions and engagement metrics)
  • Connection Data (following/follower information)

Amazon

Through Amazon's Data Portability API:

  • Customer profile
  • Search history
  • Information about:
    • Digital subscriptions
    • Physical orders
    • Digital orders
    • Physical order returns
    • Shopping basket
    • Shopping profile preferences
    • Sports/ interested
    • Advertising preferences and clicked ads
    • Product reviews

Facebook

Through Facebook's Transfer Your Information (TYI) API:

  • Profile Information and Settings
  • Posts and Shared Content
  • Activity Log and Interactions
  • Connection Data (friends, followers, following)

All data is collected through official Data Portability APIs, in compliance with Article 20 GDPR. You can control exactly which data types we can access through granular consent settings, and you can modify or revoke these permissions at any time through your privacy settings.

We maintain strict data protection and sharing policies across all platform integrations (Google, TikTok, Amazon, and Facebook):

  • Currently, we process platform data solely for providing our service features and do not share it with third parties except as necessary for service operation (such as with our EEA-based service providers)
  • We employ industry-standard security measures to protect your personal data. These include encryption during transmission (transport encryption) and storage (encryption at rest), as well as other technical and organizational measures that comply with the state of the art and ensure the confidentiality, integrity, and availability of your data. These measures are regularly reviewed and adapted to current threats to ensure an adequate level of protection in accordance with Art. 32 GDPR
  • Access to platform data is strictly limited to authorized purposes you've consented to
  • Data from different platforms is processed separately and only combined with your explicit consent
  • All platform data is automatically deleted when you disconnect the respective platform

8. Recipients

Service Providers

We use the following service providers, all bound by data processing agreements:

  • Supabase, Inc. – Authentication and data storage. All primary data storage is in Frankfurt, Germany through Supabase's EU infrastructure.
  • Plausible Insights OÜ – Privacy-friendly analytics
    Even though the purpose of analytics is to track the usage of a website, Plausible Analytics is not collecting any personal data or personally identifiable information, and is not using cookies while respecting the privacy of your website visitors.
  • Vercel, Inc. – Application hosting and analytics

AI Model Providers

This section exclusively outlines how your data is handled during the interaction with the underlying Artificial Intelligence (AI) models (ChatGPT OpenAI, L.L.C., 3180 18th Street San Francisco, California 94110 USA; Google Gemini, Google LLC, 1600 Amphitheatre Parkway Mountain View, California 94043 USA) via our Service. When you use features of our Service that leverage AI models, you will provide Input Data based on your consent. This typically includes text, queries, or other content you enter into our application for processing by the AI.

Crucially, this Input Data is exclusively used for the immediate purpose of generating a response for you within our Service. This includes:

  • Server-Side Communication: When you submit Input Data through our Service, it is sent from our secure web server directly to the business APIs of the respective AI model provider (ChatGPT or Google Gemini). Your personal device (e.g., your computer, phone) does not directly communicate with the AI models.
  • Response Generation: The AI model processes your Input Data solely to generate a relevant output or response.
  • Temporary Processing, No Training: We have robust agreements in place with the AI model providers that explicitly guarantee the following:
    • Your Input Data is NOT used by them to train or improve their underlying AI models.
    • Your Input Data is NOT stored by them for any purpose other than fulfilling your specific request in real-time. Once the response is generated and transmitted back to our server, your Input Data is not retained by the AI model providers.

Our web servers are located in the European Union. When we transfer your input data to the AI model providers (ChatGPT, Google Gemini, Claude), this may involve transfers to countries outside the European Economic Area (EEA), such as the United States, where these providers are headquartered. We ensure that such transfers are carried out with appropriate safeguards in place to protect your personal data, in accordance with GDPR requirements. These safeguards may include:

  • Standard Contractual Clauses (SCCs): We rely on the European Commission's Standard Contractual Clauses for data transfers to Open AI to ensure an adequate level of data protection. A copy is of course available on request.
  • Adequacy Decisions: Where applicable, we rely on adequacy decisions issued by the European Commission. Google LLC also processes data in part in the USA. For data transfers to the USA, an adequacy decision from the EU Commission exists. Google LLC is certified under this framework.

9. Cookies and Local Storage

We use only strictly necessary cookies:

  • Authentication Cookie (sb-auth-token): Session duration
  • Security Cookie (csrf-token): Session duration
  • Session Management (sb-refresh-token): 7 days

We use local storage for user preferences and temporary data, which remains on your device and is not transmitted to our servers.

9. Storage periods of processing

We retain your personal data for specific, limited periods:

  • Account Data: Immediately deleted upon account deletion request
  • Platform Data: Immediately deleted upon "platform data deletion"
  • Authentication Tokens: Automatically deleted upon expiration
  • Technical Logs: Maximum of 7 days
  • Cache Data: Deleted upon expiration

When you request deletion of your data, we ensure immediate removal across all our systems in accordance with Article 17 GDPR (Right to Erasure). Any data retained for technical purposes (such as logs) is fully anonymized.

10. Your Rights

You have the following rights with regard to the personal data concerning you that you can assert against us:

  • Right of access: You can request access to the personal data concerning you which we process, as set forth in Art. 15 GDPR.
  • Right to rectification: If the information concerning you is not (or no longer) correct, you can request its rectification in accordance with Art. 16 GDPR. If your data is incomplete, you can request that it be completed.
  • Right to erasure: You may request the erasure of your personal data in accordance with Art. 17 GDPR.
  • Right to restriction of processing: Pursuant to Art. 18 GDPR, you have the right to demand that the processing of your personal data be restricted.
  • Right to object to processing: Pursuant to Art. 21(1) GDPR, you have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data which occurs based on Art. 6(1) Sentence 1(e) or (f) GDPR. If you object, we will not process your data further, unless we can prove compelling legitimate reasons for the processing which override your interests, rights and freedoms. Processing will also continue if the processing serves to establish and exercise or defend against legal claims (Art. 21(1) GDPR). Furthermore, under Art. 21(2) GDPR you have the right to object at any time to the processing of your personal data for direct marketing purposes, which includes profiling to the extent that this is related to such direct marketing. In this privacy policy, we draw your attention to this right to object when describing each processing operation.
  • Right to withdraw your consent: If you have given your consent for processing, you have a right to withdraw that consent under Art. 7(3) GDPR.
  • Right to data portability: You have the right to receive the personal data you have given us in a structured, commonly used, machine-readable format ("data portability") and the right to transfer this data to another controller, if the prerequisites of Art. 20(1)(a), (b) GDPR are fulfilled (Art. 20 GDPR). In accordance with Article 20 GDPR, you can export your data at any time in JSON format. This includes: All platform data, Account settings and preferences, Platform connection history, Generated insights and analysis

You can assert your rights by informing us using the contact details specified under "Controller" above.

If you believe that the processing of your personal data violates data protection law, then under Art. 77 GDPR you also have the right to lodge a complaint with a data protection supervisory authority of your choice. This also includes the data protection supervisory authority responsible for the controller:

Bayerisches Landesamt für Datenschutzaufsicht
Promenade 18, 91522 Ansbach, Germany

11. Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on you. While we may use automation to analyze data and provide insights, these processes are for informational purposes only, and all significant decisions regarding your data are made with human oversight.

12. Security

We have taken comprehensive technical and organisational precautions to protect your personal data from unauthorised access, abuse, loss and other external disruption. To this end, we regularly review our security measures and adapt them to the latest standards.

13. Children's Data

Our service is not directed at children under the age of 16, and we do not knowingly collect or process personal data from children under this age. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete this information as soon as possible.

14. Changes to this Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated to you before they take effect.