Privacy Policy

Last updated: 13 April 2026

1. Controller

The Controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection provisions is:

KI-Shield UG (limited liability)
Managing Director: Johanna Bringezu
Ritterstraße 2
99718 Greußen
Germany

Phone: +49 175 6486634
Email: info@ki-shield.de

Register Court Jena, HRB 524511.

Dual role (Controller / Processor):

  • Account, billing and log data: KI-Shield UG acts as Controller within the meaning of Art. 4(7) GDPR.
  • Chat content of business customers containing PII of their end users: KI-Shield UG acts as Processor within the meaning of Art. 28 GDPR on the basis of a Data Processing Agreement (DPA).
  • Consumer users (Free/Pro private): KI-Shield UG is Controller for all of its own processing activities; the consumer consents to the processing.

2. Data Protection Officer

We are not required to appoint a data protection officer pursuant to Section 38 of the German Federal Data Protection Act (BDSG), as we employ fewer than 20 persons regularly engaged in the automated processing of personal data. For data protection inquiries, please contact: datenschutz@ki-shield.de

3. Overview of Processing Activities

KI-Shield is a compliance proxy and additional technical safeguard within the meaning of Art. 25 and Art. 32 GDPR for AI services. The service pseudonymises personal data (PII) in real time before requests are forwarded to AI providers. As a result, no personal data in plaintext leaves the European legal area.

The following overview summarises the categories of data processed, the purposes of processing, and the categories of data subjects concerned.

Categories of data processed:

  • Master data (name, email address)
  • Authentication data (password hashes, JWT tokens, API keys)
  • Content data (chat texts for PII detection and pseudonymisation)
  • Usage data (token consumption, selected AI model, latency)
  • Meta/communication data (IP address, browser type, timestamps)
  • Payment data (stored only at Stripe, not with us)

Categories of data subjects:

  • Registered users of the KI-Shield service
  • Website visitors
  • Newsletter subscribers

4. Personal Data Collected

4.1 Registration and User Account

During registration, we collect:

  • Name
  • Email address
  • Password (stored as a cryptographic bcrypt hash, not in plaintext)
  • Authentication provider (email or Google)

This data is required for the establishment and performance of the service agreement.

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

4.2 Google Login (Google Identity Services)

If you sign in via Google, we receive from Google only your name and email address. No further Google data is retrieved. Data transfer is based on EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Privacy policy: https://policies.google.com/privacy

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

4.3 AI Requests (Chat Data)

When you submit an AI request, we process the content of your messages exclusively for the purpose of PII detection and pseudonymisation. The process:

  • Step 1 — PII detection: Your text is analysed locally on our server (Presidio + spaCy de_core_news_lg + 43 custom recognisers). Detected personal data (names, emails, IBANs, addresses, tax IDs, health data, vehicle registration plates, etc.) is replaced by pseudonyms (e.g., “PERSON_001”, “IBAN_001”).
  • Step 2 — Forwarding: Only the pseudonymised text is forwarded to the selected AI provider. Your original data never leaves our server.
  • Step 3 — Re-identification: The AI response is received and the pseudonyms are resolved back for you.

The mapping pseudonym ↔ original is stored encrypted with AES-256 (Fernet) in the database and automatically deleted after expiry of a configurable period (default: 24 hours). Note on terminology: In standard mode, the encryption key resides on the server — where necessary (e.g., to re-identify your own inputs) decryption is technically possible server-side. True Zero-Knowledge in the cryptographic sense (the server is unable to decrypt the data under any circumstances) is provided exclusively in the optional Browser-ZK mode, in which the encryption key remains in the user's browser.

Legal basis: Art. 6(1)(b) GDPR (performance of contract), Art. 6(1)(f) GDPR (legitimate interest in GDPR-compliant AI usage).
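The three-step flow described above, worked through as an added example (this is not KI-Shield's code): a few regex recognisers stand in for Presidio, spaCy and the custom recognisers, the mapping store is an in-memory dict rather than the Fernet-encrypted database, and the 24-hour default expiry is enforced through an injectable clock. The NFKC normalisation from Section 10 is included so that a fullwidth "＠" still yields a detected address.

```python
import re
import time
import unicodedata
from dataclasses import dataclass

# Constructed recognisers standing in for Presidio + spaCy NER + custom recognisers;
# the real service also uses context analysis, these are regex-only for the demo.
RECOGNISERS = {
    "PERSON": re.compile(r"\b(?:Frau|Herr|Mr\.?|Ms\.?)\s+[A-ZÄÖÜ][a-zäöüß]+(?:\s+[A-ZÄÖÜ][a-zäöüß]+)?"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}(?:\s?[A-Z0-9]{1,4})?\b"),
}

MAPPING_TTL_SECONDS = 24 * 3600  # default lifetime of the pseudonym <-> original mapping (24 hours)


@dataclass
class MappingRecord:
    pairs: dict        # pseudonym -> original value
    expires_at: float  # unix time after which the record must no longer be resolvable


class PseudonymisingProxy:
    """Steps 1 and 2: pseudonymise before forwarding; step 3: resolve the provider's reply."""

    def __init__(self, ttl=MAPPING_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        # request_id -> MappingRecord; the real service keeps these Fernet-encrypted in PostgreSQL
        self._store = {}

    def pseudonymise(self, request_id, text):
        # NFKC first, so compatibility variants (fullwidth "＠", ligatures) cannot hide a value
        text = unicodedata.normalize("NFKC", text)
        pairs, index, counters = {}, {}, {}
        for category, pattern in RECOGNISERS.items():
            def replace(match, category=category):
                original = match.group(0)
                key = (category, original)
                if key not in index:  # same value again -> same pseudonym, keeps the text coherent
                    counters[category] = counters.get(category, 0) + 1
                    index[key] = f"{category}_{counters[category]:03d}"
                    pairs[index[key]] = original
                return index[key]
            text = pattern.sub(replace, text)
        self._store[request_id] = MappingRecord(pairs, self.clock() + self.ttl)
        return text  # this string, and only this string, is forwarded to the AI provider

    def reidentify(self, request_id, provider_response):
        record = self._store.get(request_id)
        if record is None or self.clock() >= record.expires_at:
            self._store.pop(request_id, None)  # an expired mapping is dropped, never resolved
            raise KeyError(f"no live mapping for request {request_id!r}")
        # longest pseudonym first: once a request holds >999 values, PERSON_1000 must be
        # replaced before PERSON_100, otherwise the longer token is rewritten partially
        for pseud in sorted(record.pairs, key=len, reverse=True):
            provider_response = provider_response.replace(pseud, record.pairs[pseud])
        return provider_response

    def purge_expired(self):
        """Housekeeping run: delete every mapping past its TTL; returns how many were removed."""
        now = self.clock()
        expired = [rid for rid, rec in self._store.items() if now >= rec.expires_at]
        for rid in expired:
            del self._store[rid]
        return len(expired)
```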

4.4 Audit Logs

For compliance purposes, we log metadata of each request: timestamp, provider, model, number of detected PII categories, latency, and token consumption. Audit logs contain no plaintext data and are digitally signed (Ed25519 + ML-DSA-65 hybrid signature) for tamper protection. Entries are linked in a cryptographic hash chain and periodically anchored on the Polygon blockchain.

Legal basis: Art. 6(1)(c) GDPR (legal obligation under the EU AI Act), Art. 6(1)(f) GDPR (legitimate interest in traceability and integrity).

4.5 Contact

When you contact us by email or phone, the data you provide (email address, name if applicable, phone number, content of your inquiry) is processed and stored for the purpose of handling your inquiry. This data is deleted after your inquiry has been fully processed, unless statutory retention obligations apply.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures), Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries).

4.6 Payment Data (Stripe)

Payments are processed through Stripe. We do not store any credit card or bank data ourselves. We only store the Stripe customer ID and subscription status. Stripe receives and processes:

  • Email address (for invoice delivery)
  • Payment information (credit card, SEPA, etc. — stored exclusively at Stripe)
  • Billing history and subscription status

Provider: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland.

Privacy policy: https://stripe.com/privacy

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

5. AI Providers (Processing / Third-Country Transfers)

KI-Shield supports various AI providers. Only pseudonymised text is transmitted to them. The following providers may be used depending on user configuration and selected plan:

Provider | Models | Cloud region | Training on customer data
OpenAI, Inc. (USA) | GPT-4o, GPT-4o-mini | USA (API: no EU hosting) | No (API usage)
Anthropic, PBC (USA) | Claude Opus, Sonnet, Haiku | USA (GCP us-east) | No (API usage)
Google LLC (USA) | Gemini Pro, Flash | EU (europe-west) available | No (API usage)
Mistral AI (France) | Mistral, Mixtral | EU (Paris) | No
Groq, Inc. (USA) | LLaMA-based models | USA | No
Perplexity AI (USA) | Sonar models | USA | No (API usage)
DeepSeek (China) | DeepSeek-V3, R1 | China | No (API usage)
Cohere, Inc. (Canada) | Command-R | Canada/USA | No (API usage)
OpenRouter (USA) | Meta-router (300+ models) | Varies by model | No

Important: All listed providers receive exclusively pseudonymised data. None of the providers uses API requests for training their models. In Browser-ZK mode, plaintext data never leaves the user's browser at any time.

Since only pseudonymised data is transmitted, we take the position that pseudonymised data, without access to the mapping table, does not constitute personal data for the recipient (cf. CJEU C-413/23, Recital 26 GDPR). The mapping table remains encrypted (AES-256 Fernet) on our server in Germany and is not made accessible to the AI providers. Additionally, we employ EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR as a safeguard for third-country transfers.

Legal basis: Art. 6(1)(b) GDPR (performance of contract), Art. 6(1)(f) GDPR (legitimate interest), Art. 46(2)(c) GDPR (SCCs).

BYOK (Bring Your Own Key): Where you use your own API key with a third-party provider, you are an independent Controller within the meaning of Art. 4(7) GDPR vis-à-vis that third-party provider. KI-Shield acts solely as a technical intermediary in this constellation. The contract with the AI provider is concluded directly by you; you are responsible for reviewing the provider's data protection terms and any need for a Data Processing Agreement (Art. 28 GDPR).

List of sub-processors / processors (as of 13 April 2026):

  • Hetzner Online GmbH (DE) — hosting; DPA pursuant to Art. 28 GDPR concluded
  • Stripe Payments Europe Ltd. (IE/US) — payment processing; DPA + EU-US Data Privacy Framework (DPF)
  • OpenAI L.L.C. (US) — AI inference; DPF-certified (where used as default provider; under BYOK the customer is Controller)
  • Anthropic PBC (US) — AI inference; DPF-certified
  • Mistral AI SAS (FR) — AI inference, EU-internal
  • Groq Inc. (US) — AI inference; SCCs + Transfer Impact Assessment (TIA)
  • Google LLC (US) — Gemini API; DPF
  • Cohere Inc. (CA) — AI inference; SCCs
  • DeepSeek (CN) — AI inference, only on active selection; SCCs + extended TIA, no adequacy decision
  • Telegram (UAE/UK) — outbound security alerts only (no customer or chat content)

Changes to the list of sub-processors will be announced to customers with 30 days' prior notice; a right to object applies.

5a. Categories of Recipients

We transfer personal data to third parties only insofar as required to perform our contractual and statutory obligations. We distinguish between:

Processors (Art. 28 GDPR)

The following service providers process data on our behalf on the basis of Data Processing Agreements:

  • Hetzner Online GmbH (Gunzenhausen, Germany) — server hosting, backup storage
  • Stripe Payments Europe, Ltd. (Dublin, Ireland) — payment processing

Recipients of Pseudonymised Data

The AI providers listed in Section 5 receive exclusively pseudonymised text without access to the mapping table. In our view, this data does not constitute personal data for the recipient (cf. CJEU C-413/23, Recital 26 GDPR).

No Other Recipients

We do not use any analytics, tracking or advertising services (no Google Analytics, no Meta Pixel, no third-party fonts). All static resources (JavaScript, CSS, fonts) are served from our own servers. Any disclosure to other third parties only takes place where we are required to do so by law (e.g., upon order of an authority or court).

5b. Transfers to Third Countries

Where we transfer data to recipients outside the European Economic Area (EEA), we ensure an adequate level of data protection through appropriate safeguards:

  • AI providers (USA, Canada, China): Only pseudonymised data is transmitted. In addition, we use EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR as a safeguard. See Section 5 for details on individual providers.
  • Google Identity Services (login): Name and email address are transferred to Google Ireland Limited on the basis of SCCs. See Section 4.2.
  • Stripe (payments): Payment data is processed by Stripe Payments Europe, Ltd. (Ireland). Stripe may transfer data to the USA on the basis of the EU-US Data Privacy Framework (adequacy decision) and SCCs.

Hetzner hosting: All of our own servers are located in Germany. No third-country transfer takes place here.

Legal basis: Art. 46(2)(c) GDPR (Standard Contractual Clauses), Art. 45 GDPR (adequacy decision for the EU-US Data Privacy Framework).

6. Hosting and Infrastructure

6.1 Server Hosting (Hetzner)

Our servers are operated by Hetzner Online GmbH. All data is stored and processed exclusively on servers in Germany. No transfer to third countries takes place.

Provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany.

Privacy policy: https://www.hetzner.com/legal/privacy-policy

Hetzner processes data on our behalf on the basis of a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reliable hosting), Art. 28 GDPR (processing on behalf).

6.2 Technical Infrastructure

We use the following technologies, all of which run exclusively on our Hetzner servers in Germany:

  • PostgreSQL 16: Database for user accounts, encrypted pseudonym mappings, and audit logs (secured with mTLS)
  • Redis 7: In-memory cache for rate limiting and session management (TLS-encrypted, no persistent personal data)
  • Caddy: Reverse proxy with automatic TLS 1.3 termination (HTTPS), embedded Coraza WAF (OWASP CRS v4.13)

All data transfers are encrypted with TLS 1.3. Internal communication between services is additionally secured by mTLS (mutual certificate authentication). Access to the servers is restricted to SSH with public key authentication.

6b. Processing of Special Categories of Personal Data (Art. 9 GDPR)

Content data submitted in chat inputs may contain special categories of personal data within the meaning of Art. 9(1) GDPR (health data, religious or philosophical beliefs, biometric data, ethnic origin, sexual orientation, trade union membership, genetic data).

Legal basis:

  • Consumers (Free/Pro private plan): Art. 9(2)(a) GDPR — explicit consent. Consent is actively obtained during onboarding (checkbox).
  • Holders of professional secrecy obligations (physicians, lawyers, tax advisors): Art. 9(2)(b)/(h) GDPR — in the context of professional duties, in conjunction with appropriate safeguards (pseudonymisation, confidentiality undertaking pursuant to Section 203(4) German Criminal Code (StGB) — see Terms of Service Section 22).
  • Third-country transfer of Art. 9 data: When selecting a US provider (OpenAI/Anthropic), Art. 49(1)(a) GDPR (explicit informed consent) applies as an additional layer despite prior pseudonymisation. Risks of US authority access (FISA 702, CLOUD Act) are pointed out.

Data Protection Impact Assessment (DPIA): KI-Shield UG is not required to perform its own DPIA pursuant to Art. 35 GDPR, because (a) our own processing activities (account, log and audit data without PII plaintext) do not reach the high-risk threshold; and (b) for our activities as Processor, the DPIA obligation lies with the Controller (the customer). KI-Shield supports business customers in their own DPIAs pursuant to Art. 28(3)(f) GDPR; a template is available on request (datenschutz@ki-shield.de).

7. Cookies and Local Storage

We use exclusively technically necessary cookies and local storage. No tracking, analytics, or advertising cookies are used. A cookie banner is therefore not required (Section 25(2) no. 2 of the German Telecommunications and Telemedia Data Protection Act (TDDDG)).

  • JWT session token: Encrypted authentication token for maintaining your session, stored in localStorage. Ed25519-signed. Access token: 15 minutes; refresh token: max. 7 days.
  • Dark mode preference: Storage of your display setting (light/dark mode) in localStorage. No personal data.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a functioning service), Section 25(2) no. 2 TDDDG (technical necessity).

8. Newsletter

If you subscribe to our newsletter, we process your email address for the purpose of regularly sending information about KI-Shield, product updates, and GDPR-relevant topics.

The newsletter is sent via a self-operated mail server on our Hetzner infrastructure in Germany. No data is transmitted to third-party providers.

Subscription is via the double opt-in procedure: after entering your email address, you receive a confirmation email. Only after clicking the confirmation link are you added to the mailing list. We log the subscription (timestamp, IP address, confirmation timestamp) as evidence of your consent.

You may unsubscribe from the newsletter at any time. An unsubscribe link is included in every newsletter email. Your email address will be deleted promptly after unsubscription.

Legal basis: Art. 6(1)(a) GDPR (consent). Consent may be withdrawn at any time with effect for the future (Art. 7(3) GDPR).

9. Server Log Files

With each access to our website, the server automatically collects and stores information in so-called server log files:

  • Browser type and version
  • Operating system used
  • Referrer URL
  • Hostname of the accessing device
  • IP address (anonymised after 7 days)
  • Time of server request
  • HTTP status code
  • Amount of data transferred

This data is not merged with other data sources and is automatically deleted after a maximum of 30 days. Collection is technically mandatory for the secure operation of the website.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security and stability of the service).

10. Data Security (Technical and Organisational Measures)

We implement comprehensive technical and organisational measures (TOMs) pursuant to Art. 32 GDPR:

  • Transport encryption: TLS 1.3 for all external connections, mTLS (mutual certificate authentication) for all internal services
  • Encryption at rest: AES-256 (Fernet) for stored pseudonym mappings; in Browser-ZK mode the encryption key remains in the user's browser (true Zero-Knowledge in the cryptographic sense)
  • Access control: API key authentication (timing-safe), JWT-based session tokens (Ed25519-signed), role-based access control, rate limiting (300 req/min)
  • Network security: Web Application Firewall (Coraza WAF, OWASP CRS v4.13), CrowdSec IP reputation blocking, Fail2Ban SSH protection, UFW firewall
  • Security headers: HSTS, Content-Security-Policy, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin
  • Audit trail: Digitally signed audit logs (Ed25519 + ML-DSA-65 post-quantum hybrid) with cryptographic hash chain for tamper detection, periodic blockchain anchoring (Polygon PoS)
  • Privacy by design: PII detection with 43 recognisers (Presidio + spaCy NER + custom regex and context analysis), automatic pseudonymisation prior to any third-party communication, Unicode NFKC normalisation to mitigate bypass attempts
  • Monitoring: Wazuh HIDS/IDS (host-based intrusion detection), Grafana/Loki log aggregation, automatic Telegram alerts for security events
  • Backup: Encrypted backups every 30 minutes, daily offsite backups to separate Hetzner storage servers in Germany

10a. Automatic Security Suspensions (Art. 22(2)(a) GDPR)

To protect the service and its users, we operate automated security mechanisms that may temporarily suspend access in response to abusive or anomalous behaviour:

  • CrowdSec: IP reputation blocking based on collaborative threat intelligence.
  • Fail2Ban: Temporary SSH/HTTP bans following repeated authentication failures.
  • WAF rules (Coraza, OWASP CRS v4.13): Blocking of requests matching attack patterns (SQLi, XSS, etc.).

These automated decisions are necessary for the performance of the contract within the meaning of Art. 22(2)(a) GDPR (operation of a secure service). Affected data subjects have the right to obtain human intervention, to express their point of view and to contest the decision (Art. 22(3) GDPR). Requests for review may be sent to datenschutz@ki-shield.de.

10b. Data Breach Notification Process (Art. 33/34 GDPR)

In the event of a personal data breach posing a risk to data subjects, we notify the competent supervisory authority (TLfDI) within 72 hours pursuant to Art. 33 GDPR. Where a breach is likely to result in a high risk to the rights and freedoms of data subjects, the data subjects will additionally be informed without undue delay pursuant to Art. 34 GDPR. Business customers are notified of incidents on a contractual basis under the DPA. Notifications can be sent to: datenschutz@ki-shield.de.

11. Your Rights as a Data Subject

You have the following rights under the GDPR with respect to your personal data:

  • Right of access (Art. 15 GDPR): You may request information about your personal data stored with us, its origin, recipients, and the purpose of processing at any time, free of charge.
  • Right to rectification (Art. 16 GDPR): You may request the immediate rectification of inaccurate or the completion of incomplete personal data.
  • Right to erasure (Art. 17 GDPR): You may request the erasure of your data (“right to be forgotten”), unless statutory retention obligations or legitimate interests apply. Account deletion is possible directly in the account settings.
  • Right to restriction of processing (Art. 18 GDPR): You may request the restriction of processing of your data under certain conditions, e.g., if you contest the accuracy of the data.
  • Right to data portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format or to request its transfer to another Controller.
  • Right to object (Art. 21 GDPR): Where processing is based on Art. 6(1)(f) GDPR (legitimate interest), you may object at any time on grounds relating to your particular situation. We will then cease processing the data unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent (e.g., newsletter), you may withdraw consent at any time with effect for the future. The lawfulness of processing carried out on the basis of consent prior to its withdrawal is not affected.

To exercise your rights, please contact: datenschutz@ki-shield.de

We will process your request without undue delay, and in any event within one month (Art. 12(3) GDPR).

12. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority if you consider that the processing of your personal data infringes the GDPR (Art. 77 GDPR). The supervisory authority responsible for us is:

Thuringian State Commissioner for Data Protection and Freedom of Information (TLfDI)
Häßlerstraße 8
99096 Erfurt, Germany
Phone: +49 361 57-3112900
Email: poststelle@datenschutz.thueringen.de
Web: https://www.tlfdi.de

12a. Right to Object (Art. 21 GDPR)

Objection to processing based on legitimate interests (Art. 21(1) GDPR):

Where we process your personal data on the basis of a legitimate interest (Art. 6(1)(f) GDPR), you have the right to object at any time, on grounds relating to your particular situation, to such processing. We will then no longer process your data for this purpose unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or where the processing serves the establishment, exercise or defence of legal claims.

Objection to direct marketing (Art. 21(2) GDPR):

Where we process your personal data for direct marketing purposes (e.g., newsletter), you have the right to object to such processing at any time. Following the exercise of the objection, your data will no longer be used for direct marketing.

To exercise your right to object, an informal notification suffices: datenschutz@ki-shield.de

13. Obligation to Provide Personal Data

The provision of personal data (name, email address, password) is required for the establishment of the service agreement and the provision of our service. Without this data, we cannot conclude the agreement and provide the service (Art. 13(2)(e) GDPR).

There is no statutory obligation to provide the data. The only consequence of not providing the data is that you cannot use the service. Visiting the website is possible without registration.

14. Automated Decision-Making and Profiling

Save for the automated security suspensions described in Section 10a, no automated decision-making, including profiling, within the meaning of Art. 22(1) and (4) GDPR takes place. We do not make any decisions based solely on automated processing — including profiling — that produce legal effects concerning you or similarly significantly affect you.

The PII detection by KI-Shield is a purely technical safeguard and does not constitute a decision about or against data subjects.

15. Retention Period and Deletion

We retain personal data only for as long as necessary for the respective purpose or as required by statutory retention obligations:

  • Pseudonym mappings: Automatic deletion after a configurable period (default: 24 hours)
  • Chat history: Stored until deletion by the user or account deletion
  • Audit logs: Retention for 12 months (compliance evidence under the EU AI Act), then automatic deletion
  • User account: Until account deletion by the user
  • Server log files: IP anonymisation after 7 days, complete deletion after 30 days
  • Newsletter data: Until withdrawal of consent (unsubscription)
  • Contact inquiries: Until complete handling of the inquiry, max. 6 months
  • Billing data (Stripe): In accordance with tax law retention periods (10 years, Section 147 German Fiscal Code (AO), Section 257 German Commercial Code (HGB))
  • Blockchain anchors: Technically immutable and not deletable. However, no personal data is stored on the blockchain — only cryptographic hashes.

16. Changes to This Privacy Policy

We reserve the right to amend this Privacy Policy to adapt it to changed legal situations, regulatory requirements, or changes to the service. The current version is always available at https://ki-shield.de/datenschutz. In the event of material changes that affect your rights, registered users will be notified by email.