Privacy Policy

Effective: 20 March 2026

This privacy policy informs you about the nature, scope, and purpose of the processing of personal data when using Solohaus (hereinafter "Service") and our website.

1. Controller

Didier van Hooren Nexus – Automation & Implementation (operating as Solohaus)
Holzmarktstraße 73
10179 Berlin, Germany
Email: legal@solohaus.io

2. Data Protection Officer

We are not required to appoint a Data Protection Officer (fewer than 250 employees; no large-scale processing of special categories of data pursuant to Art. 9 or criminal data pursuant to Art. 10 GDPR).

3. Categories of personal data processed

a) Account data

Name, email address, password hash. Legal basis: Art. 6(1)(b) GDPR (performance of contract).

b) Session data

IP address, user agent string, session timestamps. This data is collected to detect suspicious access patterns, protect the security of your account, and enforce rate limiting. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in platform security). Sessions expire after 14 days.

Legitimate interest balancing test: Our interest is preventing unauthorized access and detecting suspicious login patterns. IP addresses and user agents are the minimum data needed for device identification in the active sessions list. The intrusion is low (no profiling, no sharing with third parties), while the security value is high. Data is retained for a maximum of 30 days.

c) Financial data

Offers, invoices, transactions, bank account statements, VAT records. Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(c) GDPR (legal obligation pursuant to Section 147 AO, Section 257 HGB).

d) AI processing

Financial queries sent to AI services (Google Gemini). Legal basis: Art. 6(1)(a) GDPR (consent). Use of AI features is optional and requires your explicit consent.

AI Transparency Disclosure (EU AI Act)

In accordance with the EU AI Act (Regulation (EU) 2024/1689), Article 50, we provide the following transparency information about our use of artificial intelligence:

AI Systems Used

Solohaus uses the following third-party AI models to provide financial analysis features:

  • Google Gemini 2.0 Flash (Google LLC) – model for financial queries and analysis

This is a general-purpose AI model provided by a third party. Solohaus is the deployer, not the provider, of this AI system.

Data Sent to AI Providers

When you use AI features, the following data may be sent to the selected AI provider:

  • Your financial query (the question you ask)
  • Relevant financial context for the selected domain (e.g., transaction summaries, account balances, revenue figures for the relevant period)
  • Conversation history (last 10 messages in the current chat for continuity)

Financial data is sent only when you actively use AI features and only after you have given explicit consent. No financial data is sent to AI providers for users who have not opted in.

AI-Generated Content

All responses from the AI financial assistant are generated by artificial intelligence. They are clearly presented in the AI chat interface as AI responses. AI-generated content:

  • Is advisory only and does not constitute financial, tax, or legal advice
  • May contain inaccuracies, hallucinations, or incomplete information
  • Must be independently verified before being used for any decision-making
  • Is not used for any automated decision-making affecting the user (Art. 22 GDPR does not apply)

The user retains full control over all financial decisions. The AI assistant provides analysis and suggestions based on the data available to it, but the user is solely responsible for acting on that information.

Processing Location

AI queries are processed by the provider's infrastructure:

  • Google Gemini: EU/US (via Cloudflare AI Gateway when configured)

When Cloudflare AI Gateway is configured, it acts as a proxy layer providing caching and logging capabilities. See our subprocessors page for details.

Consent and Control

Use of AI features requires explicit opt-in consent, which can be revoked at any time. Upon revocation, you may also request deletion of all AI-related data (chat history, messages, and completions). See section 8 (Your rights) for details.

e) Analytics data

Usage data via PostHog (EU-hosted) and Google Analytics 4 (via Google Tag Manager). Legal basis: Art. 6(1)(a) GDPR (consent). Collection only occurs after your explicit opt-in (consent-gated).

f) Email communication

Transactional emails via Resend (account confirmation, password reset). Legal basis: Art. 6(1)(b) GDPR (performance of contract).

g) Third-party data (offer recipients)

When an offer is viewed by a recipient, we collect the viewer's user agent string for view tracking purposes. Bot protection on response actions is provided by Cloudflare Turnstile, which processes IP addresses and browser signals ephemerally (no data is stored by Solohaus). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in enabling offer senders to track delivery and preventing abuse).

h) Payment and billing data

Email address (shared with Stripe), billing address (collected by Stripe Checkout), payment method type, Stripe customer ID, subscription status, and invoice records. Legal basis: Art. 6(1)(b) GDPR (performance of contract). Processor: Stripe, Inc. Retention: Per Stripe's retention policy and applicable tax/accounting law.

Note: Payment card details (card number, CVC, expiry) are processed directly by Stripe and are never stored on Solohaus servers. Solohaus only receives non-sensitive confirmation data (payment method type, last four digits, transaction status).

4. Subprocessors

We use the following third-party providers who process personal data on our behalf. A complete list can be found on our subprocessors page.

  • Cloudflare, Inc. – DNS, CDN, Workers (API), Pages (Hosting), D1 (Database), R2 (Storage), KV (Caching), AI Gateway, Turnstile (bot protection)
  • Resend, Inc. – Transactional email delivery
  • Google LLC – OAuth authentication, Gemini AI (financial analysis)
  • Stripe, Inc. – Payment processing, subscription management, invoicing
  • PostHog, Inc. – Product analytics (consent-gated)

5. International data transfers

Some of our subprocessors are based in the United States. Where personal data is processed outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (Art. 46(2)(c) GDPR) and, where applicable, the EU-US Data Privacy Framework to ensure an adequate level of data protection.

6. Retention periods

  • Financial data and accounting records: 10 years pursuant to Section 147 AO, Section 257 HGB
  • Session data: 30 days
  • AI chat histories: 90 days
  • Account data: For the duration of the contractual relationship and subsequently deleted, unless statutory retention periods apply
  • Analytics data: 90 days
  • Offer view events: 90 days

7. Cookies and local storage

We use technically necessary cookies for authentication and session management (legal basis: Art. 6(1)(b) GDPR). Analytics cookies (PostHog, Google Analytics) are only set after your explicit consent (legal basis: Art. 6(1)(a) GDPR). For a complete list of cookies and local storage items, including their names, purposes, and durations, please see our Cookie Policy.

8. Your rights

You have the following rights with regard to your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7(3) GDPR)

To exercise these rights, please contact legal@solohaus.io.

9. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for Berlin is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin
www.datenschutz-berlin.de

10. Changes to this privacy policy

We reserve the right to update this privacy policy as needed. The current version is always available at this URL.