Privacy Policy

1. Data Controller

Responsible for data processing:

Orangize Digital
Owner: Naumche Joshevski
Brüderstraße 11
32547 Bad Oeynhausen, Germany
Email: hello@dversum.com
Phone: +49 (0) 15122031093

2. Types of Data Processed

The following data is processed when using the SaaS application:

Account Data

  • Name
  • Email address
  • Password (stored exclusively as a bcrypt hash)

Organization Data

  • Company and customer data
  • Invoice data
  • Quote data
  • Client data
  • Supplier information
  • Tax information
  • Payment information
  • Time entries
  • Calendar data
  • Support tickets
  • Whiteboard content
  • Documents and files

Technical Data

  • IP address
  • Log files
  • Device information
  • Access data

Payment Data

  • Subscription information
  • Payment status
  • (Processed via Stripe)

AI Interactions

  • User-submitted content
  • AI-generated content

3. Purpose of Processing

Data is processed for:

  • Providing the SaaS application
  • Contract performance
  • Invoicing
  • Subscription management
  • Customer support
  • System and security monitoring
  • Improving functionality
  • AI-powered features

Legal basis:
Art. 6(1)(b) GDPR (contract performance)
Art. 6(1)(f) GDPR (legitimate interest in security and operations)

4. Hosting

The application is hosted by:

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany

Servers are located in Germany. A data processing agreement is in place with Hetzner.

Backups are provided through Hetzner's backup services.

5. Payment Processing

Payment processing is handled by:

Stripe Payments Europe Ltd.

Stripe processes payment data as an independent controller. Stripe's privacy policy applies. Stripe uses technically necessary cookies for fraud prevention, which are only loaded on payment pages.

6. AI Service Providers

The following providers are used for AI features:

  • OpenAI, Inc. (USA) — for the AI assistant and content generation
  • Anthropic, PBC (USA) — as an alternative AI provider (BYOK)

Data is transmitted solely for performing the AI function requested by the user. Only user-submitted content and the context required for processing are transmitted.

Data may be transferred to the USA. Transfers are based on Standard Contractual Clauses pursuant to Art. 46 GDPR.

Data protection measures: Communication with AI providers uses encrypted connections (TLS) exclusively. API keys are stored encrypted on the server (AES-256-GCM). For BYOK (Bring Your Own Key), user-provided keys are encrypted per user and only decrypted for the respective session. AI providers have no access to the database or other user data beyond the explicit request.

7. Google User Data (OAuth & Calendar)

Google OAuth may be used for login and calendar synchronization.

Google user data processed:

  • Google Account ID and profile information (name, email)
  • OAuth access tokens and refresh tokens
  • Calendar events (title, date, time, description, attendees, location)
  • Google Meet links (when created through the application)

Google data is only accessed after the user's explicit consent through the Google authorization process.

Sharing and transfer of Google user data:

Google user data is not sold, rented, or shared for advertising purposes. Data is processed exclusively for the purpose requested by the user (calendar synchronization). Data is only shared in the following cases:

  • Hosting provider (Hetzner): Calendar data is stored on servers in Germany. A data processing agreement is in place with Hetzner.
  • AI assistant (only on explicit user request): When the user actively asks the AI assistant about calendar entries, relevant context may be transmitted to the configured AI provider (OpenAI or Anthropic). This only occurs upon the user's explicit instruction.

Protection of Google user data:

  • OAuth tokens are stored encrypted on the server (AES-256-GCM)
  • All communication uses TLS-encrypted connections
  • Access to calendar data is restricted to the respective user through role-based permissions
  • Users can disconnect their Google account at any time in the settings, which deletes all stored tokens and synchronized calendar data
  • Multi-tenant architecture ensures strict separation of data between organizations

The use of Google user data complies with the Google API Services User Data Policy, including the Limited Use Requirements.

8. Telegram Integration

When using the optional Telegram integration, the following data is processed:

  • Telegram ID and username
  • Chat content within AI interactions

Telegram is a third-party provider (Telegram FZ-LLC, Dubai). Their privacy policy applies. The connection can be disconnected at any time in the settings.

9. Cookies and Local Storage

No tracking, analytics, or marketing cookies are used. The application only uses technically necessary storage technologies required for providing the service requested by the user:

Technology               Type          Purpose
auth_token               Cookie        Authentication (JWT token)
i18n_locale              Cookie        Language preference
theme-preference         localStorage  Selected theme (Light/Dark/System)
sidebar-nav-preferences  localStorage  Sidebar configuration
Stripe cookies           Cookie        Fraud prevention for payments (payment pages only)

All listed technologies are exempt from the consent requirement under § 25(2)(2) TDDDG, as they are technically necessary for providing the service explicitly requested by the user.

10. Data Retention

Personal data is retained:

  • as long as the user account exists
  • until termination of the contract
  • in accordance with legal retention obligations (e.g., tax retention periods: up to 10 years)

After account deletion, personal data is deleted unless legal retention obligations apply.

11. Data Security

The following technical and organizational measures are in place to protect personal data:

  • TLS encryption for all communications
  • Encrypted storage of sensitive data (AES-256-GCM)
  • Hosting in German data centers (Hetzner)
  • Role-based access controls
  • Multi-tenant data separation per organization
  • Regular backups
  • Two-factor authentication (TOTP) as optional account security
  • Passwords stored exclusively as bcrypt hashes

12. Data Subject Rights

Users have the right to:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection (Art. 21 GDPR)

To exercise these rights, please contact: hello@dversum.com

You also have the right to lodge a complaint with the competent supervisory authority:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestr. 2-4, 40213 Düsseldorf, Germany
www.ldi.nrw.de

13. Last Updated

As of: March 2026

This privacy policy is updated as needed to reflect changes in data processing or legal requirements.