Privacy Policy

Version 1.0 — April 2026

We take the protection of your personal data seriously. This Privacy Policy explains what data we collect when you use the mobile application "SofaSites" ("App") and related services, the purposes for which we process it, and the rights available to you.

1. Data Controller

The data controller responsible for data processing under the General Data Protection Regulation (GDPR) is:

Dominik Britz
Veldio Systems
Gengesfeld 12
51688 Wipperfuerth
Germany
Email: support@sofasites.app

2. Data We Collect

2.1 Registration Data

When you create an account, we collect:

• Email address
• Password (stored in encrypted form)
• Country

2.2 Profile and Business Data

During the AI-assisted onboarding and website creation process, we collect the information you provide:

• Name
• Business name
• Industry
• Services / products offered
• Business address
• Phone number

2.3 Chat Messages and AI-Generated Content

We store the messages you send to the chat assistant and the content generated from them (text, layouts, page structures). This data is used to create and edit your website.

2.4 Uploaded Images

You may upload images (e.g., logos, photos) to the App. These are stored in our cloud storage and embedded on your website.

2.5 Generated Website Content

All AI-generated content for your website (text, design, images) is stored and made available on the hosting servers.

2.6 Usage Data

When using the App, the following technical data may be collected:

• Device information (operating system, device type, app version)
• App usage data (features accessed, time of use)

3. Purposes of Processing

We process your data for the following purposes:

• Contract performance: Creating and managing your account, generating and hosting your website, providing the chat assistant.
• AI processing: Analyzing your inputs through AI models to generate website content, text, and images.
• Communication: Responding to inquiries, notifications about your account or service changes.
• Security and abuse prevention: Detecting and preventing misuse of the App.
• Service improvement: Analyzing App usage to optimize and further develop our services.

4. Legal Bases (Art. 6 GDPR)

The processing of your data is based on the following legal grounds:

5. Recipients and Sub-Processors

We use the following sub-processors to provide our services:

All sub-processors are contractually obligated to comply with the GDPR. Where data processing is carried out on our behalf, we have entered into data processing agreements pursuant to Art. 28 GDPR.

Note on GitHub: The generated website files are stored in private GitHub repositories. These may contain personal data (e.g., business address, phone number in the legal notice). Upon account deletion, the associated GitHub repositories are also deleted.

6. International Data Transfers

Some of our sub-processors are based in the United States. The transfer of personal data to the USA is carried out on the basis of the following safeguards:

• EU Standard Contractual Clauses (SCCs): We have concluded the EU Commission-approved Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR with all US-based providers.
• EU-US Data Privacy Framework: Where providers are certified under the EU-US Data Privacy Framework, we additionally rely on the EU Commission's adequacy decision pursuant to Art. 45 GDPR.
• Technical measures: Data is transmitted in encrypted form (TLS) and, where possible, processed in EU data centers (e.g., Supabase in Frankfurt, Hetzner in Germany).

If you are located outside the European Economic Area, please note that your data is primarily stored and processed in the EU (Germany). By using the App, you acknowledge that your data may be transferred to and processed in Germany and the EU.

7. Data Retention

We retain your personal data only for as long as necessary for the respective processing purposes:

• Account data: For the duration of the contractual relationship. After cancellation, data is deleted after the grace period (30 days) and any statutory retention periods.
• Website content: For the duration of the contractual relationship and 30 days after cancellation.
• Chat history: For the duration of the contractual relationship.
• Billing data: 10 years in accordance with German commercial and tax record-keeping obligations.
• Usage data: Maximum 12 months in anonymized or aggregated form.
• GitHub repositories: Deleted together with other data within the grace period (30 days) upon account deletion.

8. Your Rights Under GDPR

You have the following rights regarding your personal data under the GDPR. These rights apply to all users regardless of location:

• Right of access (Art. 15 GDPR): You have the right to obtain information about the personal data we process about you.
• Right to rectification (Art. 16 GDPR): You may request correction of inaccurate data or completion of incomplete data.
• Right to erasure (Art. 17 GDPR): You may request deletion of your data, provided no statutory retention obligations apply.
• Right to restriction of processing (Art. 18 GDPR): Under certain conditions, you may request restriction of the processing of your data.
• Right to data portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used, and machine-readable format or to request its transfer to another controller.
• Right to object (Art. 21 GDPR): You may object to the processing of your data at any time where processing is based on legitimate interest (Art. 6(1)(f) GDPR).

To exercise your rights, please contact us at: support@sofasites.app

8a. Response Times

We respond to data protection requests within 30 days of receipt (Art. 12(3) GDPR). In complex cases, the deadline may be extended by an additional 60 days, of which we will inform you.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting the information, and the categories of third parties with whom we share it.
• Right to delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to correct: You have the right to request correction of inaccurate personal information.
• Right to opt-out of sale or sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising purposes.
• Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise these rights, please contact us at support@sofasites.app. We will verify your identity before processing your request.

10. Nevada Privacy Rights

Nevada residents may submit a request directing us not to sell their personal information. As stated above, we do not sell personal information. If you are a Nevada resident and wish to submit such a request, please contact us at support@sofasites.app.

11. Children's Privacy

SofaSites is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will promptly delete that information. If you believe we may have collected information from a child under 13, please contact us at support@sofasites.app.

12. Right to Lodge a Complaint

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

The supervisory authority responsible for us is:

Landesbeauftragte fuer Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestrasse 2-4
40213 Duesseldorf, Germany
www.ldi.nrw.de

13. Cookies and Tracking

Our landing page (sofasites.app) does not use cookies and does not employ any tracking.

The SofaSites App uses Supabase session tokens for authentication. These are technically necessary for the operation of the App and are used exclusively to maintain your session. They are not tracking cookies.

14. AI Processing

SofaSites uses artificial intelligence as a core component of the service. In the interest of transparency, we inform you about the AI processing of your data:

14.1 What data is processed by AI?

• Your chat messages to the assistant
• Your business information (name, industry, services, address, etc.)
• Uploaded images (for analysis and embedding)

14.2 For what purposes?

• Generation of website text and structures
• Generation and editing of images
• Processing your editing instructions in the chat

14.3 Which AI services are used?

AI processing is primarily performed via Google Cloud / Vertex AI (global endpoint). OpenRouter (USA) is used as fallback. The following models are used:

• Claude (Anthropic): Text generation and chat processing
• Gemini (Google): Text generation and analysis
• Imagen (Google): Image generation

14.4 Automated Decision-Making

The AI creates suggestions for website content. There is no automated decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning you. You always have the ability to review, modify, or reject generated content.

14.5 Data Use by AI Providers

Processing uses the global Vertex AI endpoint and may occur on servers outside the EU. When the fallback provider OpenRouter is used, data is transferred to the USA. Your data is not used by the AI providers for training AI models (enterprise agreement and API terms).

15. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy as needed to reflect changes in legal requirements, technical developments, or modifications to our services. The current version is always available on this page. We will notify you of material changes by email or in-app notification.