NormPilot

Privacy Policy

This privacy policy informs you in accordance with Articles 13 and 14 GDPR about the nature, scope and purpose of the processing of personal data in our online service "NormPilot".

Template notice

These texts are templates and need legal review before production use. Sections marked [PLEASE REVIEW] must be completed or revised.

Controller

The data controller within the meaning of GDPR is:

Bernhard Lambernd
Hans-Mayer-Siedlung 58
21502 Geesthacht, Germany
Email: b.lambernd@gmail.com

Data protection officer

No data protection officer has been appointed; an obligation to appoint one under Art. 37 GDPR does not currently exist. [PLEASE REVIEW once headcount exceeds 20 or if regular large-scale processing of sensitive data starts.]

Categories of data processed

When using NormPilot, the following categories of data are processed:

  • Account data (email address, first and last name, hashed password)
  • Organisation data (company name, industry, user role)
  • ISO implementation data (wizard answers, risk assessments, processes, documents, tasks)
  • Contact form data (name, email, subject, message)
  • Server log data (IP address, user agent, requested URL, timestamp)

Purposes of processing

  • Provision of the SaaS application "NormPilot" (performance of contract per Art. 6 (1) (b) GDPR)
  • Responding to inquiries via the contact form (Art. 6 (1) (b) and (f) GDPR)
  • Security and stability of the service (legitimate interest, Art. 6 (1) (f) GDPR)
  • Compliance with legal obligations (Art. 6 (1) (c) GDPR)

Recipients / data processors

We use the following data processors within the meaning of Art. 28 GDPR. Data Processing Agreements are in place with all providers [PLEASE REVIEW: confirm DPAs per Art. 28 (3) GDPR]:

  • Vercel Inc. (hosting of the web application) — data processing in the EU and other regions. Privacy: https://vercel.com/legal/privacy-policy
  • Supabase Inc. (database, authentication, file storage) — data processing in the EU region (Frankfurt). Privacy: https://supabase.com/privacy
  • Resend (transactional email such as invitations and contact form notifications) — Privacy: https://resend.com/legal/privacy-policy
  • Anthropic PBC (AI-assisted document generation, only for logged-in users with an active use case) — Privacy: https://www.anthropic.com/legal/privacy

Transfer to third countries

Vercel, Resend and Anthropic are headquartered in the United States. Transfers are made on the basis of EU Standard Contractual Clauses (Art. 46 (2) (c) GDPR) and — where applicable — adequacy decisions (EU-US Data Privacy Framework). The production database runs in the EU region (Frankfurt) at Supabase.

Retention periods

  • Account data: as long as the account exists; on deletion, the account is removed within 30 days.
  • ISO implementation data: as long as the account exists; after deletion 30 days for restoration, then erased.
  • Contact form data: until the inquiry is finally processed, but no longer than [PLEASE REVIEW: e.g. 12 months].
  • Server logs: maximum 30 days for security purposes.
  • Invoicing and tax-relevant data: 10 years (§ 147 AO, § 257 HGB).

Your rights

Under GDPR you have the following rights:

  • Access to the data concerning you (Art. 15 GDPR)
  • Rectification of incorrect data (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection to processing (Art. 21 GDPR)
  • Withdrawal of consent with effect for the future (Art. 7 (3) GDPR)

To exercise your rights, an informal email to b.lambernd@gmail.com is sufficient.

Right to complain

You have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data. The competent authorities are those at your place of residence, your place of work or the place of the alleged infringement. The supervisory authority responsible for the controller is [PLEASE REVIEW: name the supervisory authority for the operator's location, e.g. "Der Landesbeauftragte für Datenschutz und Informationsfreiheit Schleswig-Holstein, Holstenstraße 98, 24103 Kiel"].

Server logs

When the website is accessed, technically necessary data is stored in server logs (IP address, date/time, requested URL, HTTP status, user agent). This serves exclusively to ensure operation and to defend against attacks. The data is deleted after 30 days. Legal basis is Art. 6 (1) (f) GDPR.

Cookies

NormPilot uses technically necessary cookies (Supabase auth cookie for session management, language preference cookie `NEXT_LOCALE`, cookie-choice cookie `np_consent_v1`) on the basis of § 25 (2) No. 2 TDDDG without requiring consent. Optionally, and only after your explicit consent in the cookie banner, we use Vercel Analytics for anonymised reach measurement (see next section). You can revoke your consent at any time via the "Cookie settings" link in the footer. Legal basis for analytics: Art. 6 (1) lit. a GDPR in conjunction with § 25 (1) TDDDG.

Reach measurement with Vercel Analytics

If you have consented, we use Vercel Analytics by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA, for anonymised reach measurement. We record the page view, referrer, device information (browser, OS, region) and a technically generated, daily-rotating hash identifier; no cookies, no personal data and no cross-site tracking are involved. Data is transferred to the USA; Vercel is certified under the EU-US Data Privacy Framework (Adequacy Decision of the EU Commission of 10 July 2023). Legal basis: Art. 6 (1) lit. a GDPR. Vercel privacy policy: https://vercel.com/legal/privacy-policy.

Contact form

If you send us a message via the contact form, we process your details (name, email, subject, message) in order to respond to your inquiry. Legal basis is Art. 6 (1) (b) GDPR (pre-contractual measures) or (f) (legitimate interest in responding).

Automated decision-making

No decisions based solely on automated processing within the meaning of Art. 22 GDPR take place.

Last updated

This privacy policy was last updated on 29 April 2026.