Privacy Policy
Last updated: May 2026
This privacy policy informs you, in accordance with Art. 13 and 14 GDPR, how AiTrain GmbH processes personal data when you use raydaa or visit our website.
1. Data Controller
The controller for data processing within the meaning of the GDPR is AiTrain GmbH, Gertigstraße 5, 22303 Hamburg, Germany, registered with the Commercial Register of Hamburg Local Court under HRB 191041. Managing Directors: Dr. Maximilian Focke, Lennart Gehl, Marc Brüggemann. Contact for data protection inquiries: info@ai-train.de.
2. Processing Purposes Overview
We process your data exclusively for clearly defined purposes: (a) service provision (account, login, content delivery), (b) personalization (curated recommendations, Marble conversations, dashboard snapshots), (c) billing for paid plans, (d) security and abuse prevention, (e) product improvement on a pseudonymized basis, (f) legal retention obligations (in particular § 147 of the German Fiscal Code for accounting documents).
3. What Data We Process
The following categories of data are processed when you use raydaa:
| Category | Contents | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Account | Email, password hash, name, avatar, locale | Service provision, authentication | Art. 6 (1) (b) GDPR (contract) | Contract term + 30 days |
| Profile & Personalization | Role, industry, tools, interview answers, profile summary, personas, topics | Personalized recommendations, Marble context, dashboard snapshots | Art. 6 (1) (b) GDPR (contract) | Contract term + 30 days |
| Content Interaction | Clicked and saved assets, playlists, engagement signals | Personalization, relevance scoring | Art. 6 (1) (b) GDPR (contract), additionally Art. 6 (1) (f) GDPR (legitimate interest in product improvement) | Contract term + 30 days |
| Marble Conversations | Chat history, memories, daily summaries | Conversation continuity, contextual answers, product improvement (marble-learn) | Art. 6 (1) (b) GDPR (contract); archive additionally Art. 6 (1) (f) GDPR (legitimate interest in quality assurance) | Active conversation and archive until account deletion; daily summaries 14 days rolling |
| Billing | Stripe customer ID, billing address, invoice numbers | Processing of paid plans | Art. 6 (1) (b) GDPR (contract) and Art. 6 (1) (c) GDPR (legal retention) | Invoices 10 years (§ 147 German Fiscal Code), other billing data up to 30 days after contract end |
| Technical Logs | IP address, user agent, timestamp, request ID, HTTP status | Operation, debugging, abuse prevention | Art. 6 (1) (f) GDPR (legitimate interest in security and stability) | Up to 90 days |
| Cookies & Analytics | Session UUID (Clarity), Web Vitals (Vercel) | Product analytics, performance measurement | Art. 6 (1) (a) GDPR and § 25 (1) TDDDG (consent via cookie banner) | Up to 12 months, withdrawable at any time |
4. Legal Bases
We process data only on the basis of one of the grounds listed in Art. 6 (1) GDPR. The legal basis applicable to each processing activity is shown in the table in Section 3. Where you have given consent (in particular for optional cookies), you may withdraw that consent at any time with effect for the future.
5. Recipients and Processors
To operate raydaa we engage carefully selected service providers. We have data processing agreements pursuant to Art. 28 GDPR with all processors. Transfers to third countries are based on an adequacy decision (e.g. EU-US Data Privacy Framework, DPF) or EU Standard Contractual Clauses (SCC).
| Provider | Function | Seat / Place of processing | Transfer basis |
|---|---|---|---|
| Supabase Inc., USA (processing in EU) | Database, authentication, storage | EU (region eu-central-1) | Processing within the EU; parent in USA → SCC |
| Vercel Inc., USA | Hosting, edge functions, logging | USA with EU regions | EU-US Data Privacy Framework and SCC |
| Amazon Web Services EMEA SARL, Luxembourg | AWS Bedrock — LLM inference (Claude) and embeddings (Cohere Embed v4) for Marble and personalization | EU (region eu-central-1 with EU cross-region inference) | Processing within the EU |
| Microsoft Ireland Operations Ltd., Ireland | Microsoft Clarity — heatmaps and pseudonymized session recordings | EU with onward transfer to USA | EU-US Data Privacy Framework and SCC; only with consent |
| Stripe Payments Europe Ltd., Ireland | Payment processing | EU with onward transfer to USA | EU-US Data Privacy Framework and SCC |
| ActiveCampaign LLC (Postmark), USA | Transactional emails (magic links, notifications) | USA | SCC |
| Cloudflare Inc., USA | Cloudflare Turnstile — bot protection on sign-up and lead forms | USA | EU-US Data Privacy Framework and SCC |
| Google Ireland Ltd., Ireland | Optional Google login (OAuth) — only if you actively use it | EU with onward transfer to USA | EU-US Data Privacy Framework and SCC |
For processing publicly available content (podcasts, videos, web pages) we additionally use Groq Inc. and AssemblyAI Inc. (audio transcription) as well as ListenNotes Inc. (podcast metadata). These services process only content from public sources and no personal data of our users. OpenAI is configured as a legacy embeddings provider only; in current production all embeddings are processed via AWS Bedrock (Cohere v4 in the EU region).
6. Cookies and Tracking
On your first visit we display a cookie banner with three categories: essential cookies (always active, for login and security), analytics cookies (Microsoft Clarity, Vercel Web Vitals — only after consent) and marketing cookies (currently not in use). Without consent, no analytics or marketing scripts are loaded. You can change your selection at any time by reopening the cookie settings via the button in the footer.
7. Personalization and Automated Decision-Making
raydaa personalizes content based on your profile, interactions, and conversations with the assistant Marble. We use large language models and embedding models via AWS Bedrock in the EU region eu-central-1. This personalization makes no decisions with legal effect or similarly significant impact within the meaning of Art. 22 GDPR; it only sorts learning content by relevance. You may object to personalized processing at any time (info@ai-train.de) and continue using raydaa — in that case we deliver non-personalized content.
8. Your Rights
Pursuant to Art. 15 to 21 GDPR you have the right to access your stored data, to rectify inaccurate data, to erasure ("right to be forgotten"), to restriction of processing, to data portability (data export in a structured format), and to object to processing based on legitimate interest. Where processing is based on your consent, you may withdraw consent at any time with effect for the future. To exercise your rights, please write to info@ai-train.de. We respond within the statutory period of one month.
9. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for AiTrain GmbH is the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI), Ludwig-Erhard-Straße 22, 7th floor, 20459 Hamburg, datenschutz-hamburg.de.
10. Data Protection Officer
Based on our current assessment, AiTrain GmbH is not required to appoint a data protection officer (Art. 37 (1) GDPR, § 38 of the German Federal Data Protection Act). We will reassess this if data processing changes materially. Please direct data protection inquiries to info@ai-train.de.
11. Storage and Deletion
Retention periods per data category are listed in the table in Section 3. After the applicable retention period expires we delete or anonymize your data. Invoices are retained for 10 years pursuant to § 147 of the German Fiscal Code; personal data contained therein is limited to the legally required minimum.
12. Changes to This Privacy Policy
We update this privacy policy when data processing changes materially (e.g. new processors, new features involving personal data). We will inform you of material changes in advance by email or in-product. The "last updated" date at the top of this document reflects the most recent revision.