Looking for a user-friendly explanation? Visit our Privacy & Data Protection page for a clear overview of how we handle your data. This page contains our formal legal privacy policy.

🔐 Privacy Policy (Legal)

1. General Information

This Privacy Policy explains the type, scope, and purpose of processing personal data on the website konfuzio.com. The protection of your data is important to us.

2. Data Controller

Responsible party under the General Data Protection Regulation (GDPR):

Helm & Nagel GmbH

Rosenweg 5

35614 Asslar

Germany

Email: info@helm-nagel.com

3. Data Collection and Processing

We process personal data only when legally permitted or when you consent.

a) When visiting our website

When you access our website, your browser automatically transmits the following data to our server:

  • IP address
  • Date and time of request
  • Browser type and version
  • Operating system used
  • Referrer URL

This data is collected to ensure stable and secure operation of the site. We do not merge this data with other sources.

4. Data Processing Locations

🇪🇺 We invest significant effort to keep your data within the European Union

Unlike many SaaS providers, we have deliberately chosen EU-based infrastructure for all core operations. Our hosting, databases, AI processing, and error tracking all run on servers located in Germany and the EU. This ensures your data is protected under strict GDPR regulations and minimizes international data transfers.

✓ Services Processing Data Within the EU

  • Database Storage: PostgreSQL hosted on Hetzner Germany (Falkenstein)
  • Web Hosting: Hetzner Online GmbH, Falkenstein, Germany
  • AI Processing: Azure OpenAI with Germany resource location (West Europe region)
  • Document OCR: Azure Document Intelligence with Germany resource location
  • Error Tracking: Self-hosted Sentry on Hetzner Germany (sentry.konfuzio.com)
  • Email Delivery: Brevo (formerly Sendinblue) - EU-based email service provider (France)

⚠ Services That May Process Data Outside the EU

  • Payment Processing: Stripe (Stripe, Inc., San Francisco, USA) - Processes payment data only(credit card information, billing details). Your documents are never sent to Stripe. Stripe maintains EU infrastructure and is GDPR compliant with Standard Contractual Clauses (SCCs).
  • User Experience Monitoring (Free Tier Only): LogRocket (Cambridge, MA, USA) - Only enabled for users who have not purchased credits. Automatically disabled for paying customers. Used for debugging and UX improvement.
  • Google Services (Optional): Google OAuth and Gmail API (Google LLC, USA) - Completely optional.You can use Quick Extract with email/password authentication. If you choose to use Google login or Gmail integration, data is processed in real-time and not permanently stored on our servers.

🔒 Important Notes About Document Processing

  • Documents are ephemeral when using the API: When you use our API for document extraction, your uploaded documents are processed in memory and deleted immediately after extraction. We never store your original documents.
  • UI-uploaded documents: Documents uploaded through the web interface may be temporarily stored for review purposes, but are still processed on EU infrastructure and can be deleted at any time.
  • Only metadata persists: We only store the extracted structured data (field values), not your original documents.
  • All AI processing in Germany: Every document you upload is analyzed by AI systems running exclusively on Azure infrastructure located in Germany. Your documents never leave the EU for processing.

5. Third-Party Services Details

a) Hetzner Online GmbH (Hosting)

Location: Falkenstein, Germany
Provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
Data processed: Web server logs, IP addresses, access timestamps
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) for service operation and security

b) Azure OpenAI & Document Intelligence (AI Processing)

Location: Germany (West Europe region)
Provider: Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland
Resource Location: Germany data centers
Data processed: Document content for AI analysis and extraction
Legal basis: Contract fulfillment (Art. 6(1)(b) GDPR)
Data retention: Documents processed in real-time, not stored by Microsoft

c) PostgreSQL Database (Data Storage)

Location: Hetzner Germany (Falkenstein)
Provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
Data processed: User accounts, extraction metadata, usage logs
Legal basis: Contract fulfillment (Art. 6(1)(b) GDPR)

d) Sentry (Error Tracking)

Location: Self-hosted on Hetzner Germany (sentry.konfuzio.com)
Data processed: Error logs, stack traces, performance metrics
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) for service quality and debugging
Privacy note: All error tracking data stays within the EU on our own infrastructure

e) Stripe (Payment Processing Only)

Location: EU and US infrastructure
Provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA
Data processed: Payment information, billing details, transaction history
Important: Stripe only handles payment processing. Your documents are never sent to or processed by Stripe.
Legal basis: Contract fulfillment (Art. 6(1)(b) GDPR)
GDPR compliance: Stripe uses Standard Contractual Clauses (SCCs) and maintains EU data centers
Privacy Policy: https://stripe.com/privacy

f) Brevo / Sendinblue (Email Delivery)

Location: European Union (France)
Provider: Sendinblue SAS (Brevo), 55 rue d'Amsterdam, 75008 Paris, France
Data processed: Email addresses, transactional email content
Legal basis: Contract fulfillment (Art. 6(1)(b) GDPR) for transactional emails
Privacy note: All email infrastructure and data processing remains within the EU

g) LogRocket (User Experience Monitoring - Free Tier Only)

Location: United States (Cambridge, MA)
Provider: LogRocket, Inc., 1 Broadway, Cambridge, MA 02142, USA
Important: LogRocket is only enabled for free tier users who have not purchased credits. Once you make a purchase, LogRocket tracking is automatically disabled to protect your privacy.
Data processed (free tier only): User interactions, performance metrics, error logs, technical data
Purpose: Debugging and UX improvement for free tier users
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
Privacy protection: Paying customers are never tracked by LogRocket

h) Google OAuth and Gmail Integration (Completely Optional)

Location: Google data centers worldwide (including EU)
Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Important: Using Google services is completely optional. You can use Quick Extract with standard email/password authentication and never interact with Google services.
Google OAuth Login (Optional): If you choose to sign in with Google, we receive basic profile information (name, email, profile picture)
Gmail Integration (Optional): If you authorize Gmail access, we process email attachments for document extraction
Data processed: Only if you opt-in: Gmail messages, email metadata, email attachments
Legal basis: Your explicit consent (Art. 6(1)(a) GDPR) when authorizing access
Data retention: Gmail data processed in real-time, not permanently stored on our servers
Your control: You can disconnect your Gmail account anytime through account settings
IP anonymization: IP addresses are anonymized within the EU before transmission to Google

6. Your Rights

You have the following rights under the GDPR:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)

7. Contact

For questions or concerns regarding your personal data, contact us at:
Email: info@helm-nagel.com