Privacy Policy
Last updated: April 21, 2026
§ 1 Data controller
The data controller within the meaning of Art. 4 (7) GDPR is:
Sebastian Nuss
Am Hochgericht 15
55126 Mainz, Germany
Email: support@thepitchdoctor.io
Phone: +49 176 21320759
We have not appointed a Data Protection Officer because the statutory requirements for such an appointment (in particular Art. 37 GDPR, § 38 BDSG) are not met.
§ 2 Scope
This policy applies to the online service The Pitch Doctor at thepitchdoctor.io and its subdomains. It informs you about the nature, scope, and purposes of processing personal data (Art. 13, 14 GDPR).
The service is offered exclusively to business users (entrepreneurs within the meaning of § 14 of the German Civil Code). Persons under 16 may not use the service.
§ 3 Legal bases for processing
We base processing on the following legal grounds:
- Art. 6 (1) (a) GDPR — consent (e.g., newsletter, marketing pixels)
- Art. 6 (1) (b) GDPR — performance of a contract (e.g., account creation, exposé generation, billing)
- Art. 6 (1) (c) GDPR — legal obligation (e.g., retention periods for invoices)
- Art. 6 (1) (f) GDPR — legitimate interests (e.g., abuse prevention, error monitoring)
§ 4 What data we process
- Account data
- Email, name, company details (company name, billing address, VAT ID), hashed password.
- Usage data
- Topic inputs, generated exposés, broadcaster selections, feedback on results, usage limits, number of pitches created.
- Payment data
- Stripe customer ID and subscription ID. Card or banking details are entered directly at Stripe; we never see full card or account numbers.
- Communication data
- Contents of support messages and email correspondence.
- Technical data
- IP address (truncated in logs), browser/device identifiers, timestamps, referrer URL, UTM parameters.
- Consent data
- Status and timestamp of cookie and marketing consents.
§ 5 Processors and recipients
We engage the following processors (Art. 28 GDPR) to provide the service. The contractual basis with each is the provider's standard Data Processing Agreement and, for any transfer outside the EU/EEA, the associated EU Standard Contractual Clauses (SCC). Current versions are kept in our internal records; we will provide a copy on request (write to datenschutz@autopunk.io).
| Provider | Purpose | Location | Legal basis |
|---|---|---|---|
| Vercel Inc. | Hosting, edge functions, web analytics | USA (SCC + DPF) | Art. 6 (1) (b), (f) |
| Supabase Inc. | Database, authentication | EU (Frankfurt) | Art. 6 (1) (b) |
| Anthropic PBC | AI model (Claude) for exposé generation | USA (SCC) | Art. 6 (1) (b) |
| Stripe Payments Europe Ltd. | Payments, subscription management | Ireland (EU) / USA (SCC) | Art. 6 (1) (b), (c) |
| Resend Inc. | Transactional and marketing emails | USA (SCC) | Art. 6 (1) (b), (a) |
| Cloudflare Inc. (Turnstile) | CAPTCHA, abuse prevention | USA (SCC + DPF) | Art. 6 (1) (f) |
| Upstash Inc. | Rate limiting (Redis) | EU/USA (configurable) | Art. 6 (1) (f) |
| Inngest Inc. | Async job queue for the pipeline | USA (SCC) | Art. 6 (1) (b) |
| Functional Software Inc. (Sentry) | Error and performance monitoring | USA (SCC + DPF) | Art. 6 (1) (f) |
| LinkedIn Ireland Ltd. | Conversion measurement for ad campaigns | Ireland (EU) | Art. 6 (1) (a) — consent |
| DuckDuckGo Inc. | Web search for the agentic research pipeline | USA (SCC) | Art. 6 (1) (b) |
§ 6 International transfers
Some of the providers listed above process data outside the EU/EEA — particularly in the USA. For these transfers:
- Providers certified under the EU-US Data Privacy Framework (DPF) — e.g., Vercel, Cloudflare, Sentry — offer an adequate level of protection within the meaning of Art. 45 GDPR.
- For all other US providers, transfers are secured by Standard Contractual Clauses (SCCs) adopted by the EU Commission (Art. 46 (2) (c) GDPR).
- We additionally review providers' technical and organisational measures on a regular basis.
§ 7 Retention periods
Active account: for as long as the account exists.
After account deletion: profile, exposés, and usage data are deleted within 30 days. Billing-relevant records (invoices, payments) are retained for 10 years under § 147 AO and § 257 HGB (German tax and commercial law), then deleted.
Anthropic (AI inputs/outputs): retained on Anthropic servers for 30 days for abuse prevention only. Training of models on this data is contractually excluded.
Logs: server and application logs are kept for at most 30 days.
Waitlist requests: up to 12 months after submission or until the end of the beta.
Newsletter consents: until revoked; the revocation is documented.
Cookie/consent data: 12 months from consent, after which we ask again.
§ 8 Cookies and local storage
We use as few cookies and local-storage entries as possible. Non-essential items are only set with your consent pursuant to § 25 TDDDG (German Telecommunications and Digital Services Data Protection Act, formerly TTDSG).
| Key | Storage | Purpose | Duration | Category |
|---|---|---|---|---|
| sb-* | Cookie | Authentication session (Supabase) | up to 7 days | Strictly necessary |
| cookie-consent | LocalStorage | Your cookie preferences | 12 months | Strictly necessary |
| tpd-utm-* | LocalStorage | First-touch attribution | 30 days | Strictly necessary |
| _li_* | Cookie | LinkedIn Insight (campaign conversion) | up to 2 years | Marketing (consent only) |
| _vercel_* | Cookie | Vercel Web Analytics | Session | Statistics (consent only) |
| cf-* | Cookie | Cloudflare Turnstile CAPTCHA | Session | Strictly necessary |
You can withdraw your consent to marketing/statistics cookies at any time via the Cookie settings link in the footer.
§ 9 Automated decisions (Art. 22 GDPR)
In the beta-program selection process we use an automated pre-classification of signup requests (Claude Haiku model; it rates relevance based on the voluntary company information you provide). The final invitation decision is always taken manually by Sebastian Nuss. No solely automated decision-making within the meaning of Art. 22 (1) GDPR takes place.
You may at any time request that your submission be evaluated without pre-classification — write to support@thepitchdoctor.io.
§ 10 Your rights as a data subject
Under the GDPR you have the following rights. A simple message to support@thepitchdoctor.io suffices. We respond within one month (Art. 12 (3) GDPR).
- Access (Art. 15): what data we hold about you. You can also download a machine-readable export directly via "Export my data" in your account settings.
- Rectification (Art. 16): correct inaccurate data.
- Erasure (Art. 17): "right to be forgotten". You can delete your account at any time via account settings.
- Restriction (Art. 18): restrict processing of certain data.
- Data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format or, where technically feasible, have it transmitted directly to another controller.
- Objection (Art. 21): object to processing based on legitimate interests.
- Withdrawal of consent (Art. 7 (3)): withdraw consent at any time, for the future, without giving reasons.
- Complaint to the supervisory authority (Art. 77): our competent supervisory authority is:
Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz (LfDI RLP)
Hintere Bleiche 34, 55116 Mainz, Germany
datenschutz.rlp.de
§ 11 Marketing communications and right to withdraw
After signup we send transactional emails required to operate the service (invoices, system notices, security alerts). Legal basis: Art. 6 (1) (b) GDPR.
Beta updates and the welcome email series are only sent if you explicitly opt in (separate checkbox at registration). Legal basis: Art. 6 (1) (a) GDPR in conjunction with § 7 (2) No. 3 UWG. You may withdraw at any time via the unsubscribe link at the bottom of each email or by writing to us.
§ 12 Obligation to provide data
Using the service requires providing certain data (particularly email and, if applicable, payment data). Without this data the contract cannot be concluded or performed. All information beyond that (e.g., company profile details) is voluntary.
§ 13 Changes to this policy
We adapt this privacy policy when processing activities, providers, or legal requirements change. The current version is always available at /datenschutz and is marked with the date above.