Privacy policy

Last updated: April 20, 2026


1. Controller

The controller responsible for processing personal data within the meaning of the General Data Protection Regulation (GDPR) is:

Nickle AI – Oreshin, Platon und Scheffler, Daniel GbR
Ludwig-Erhard-Straße 10
34131 Kassel
Germany
Email: info@nickle.ai

This Privacy Policy applies to:

  • our website nickle.ai,
  • our other business contacts,
  • our agency services in the field of web, AI, automation and related digital services.

2. General information on data processing

We process personal data exclusively within the scope of the applicable data protection regulations, in particular the GDPR, the Federal Data Protection Act (BDSG) and – where relevant – the Telecommunications Digital Services Data Protection Act (TDDDG).

Personal data is all information relating to an identified or identifiable natural person.

We process personal data in particular

  • to provide our website,
  • to process requests,
  • to initiate, conclude and perform contracts,
  • to provide our agency services,
  • to run AI-supported functions,
  • to ensure support, security, billing and communication.

Processing is carried out in particular on the following legal bases:

  • Art. 6 para. 1 lit. a GDPR – consent,
  • Art. 6 para. 1 lit. b GDPR – performance of contract and pre-contractual measures,
  • Art. 6 para. 1 lit. c GDPR – compliance with legal obligations,
  • Art. 6 para. 1 lit. f GDPR – legitimate interests,
  • Art. 9 para. 2 GDPR – insofar as special categories of personal data are processed and there is a special legal basis for this.

3. Categories of personal data

Depending on your use of our offering, we process in particular the following categories of data:

  • master and contact data, e.g. name, email address, telephone number, company,
  • communication data, e.g. email content, messages, support requests,
  • contract and billing data,
  • usage, device and log data,
  • content processed in the context of agency projects, e.g. uploads, attachments, outputs and context data,
  • payment and transaction metadata,
  • consent and preference data.

4. Visiting our website

4.1 Providing the website and server log files

When accessing our website, technically required data is processed automatically to deliver the website, to ensure its stability and to prevent attacks.

In particular, the following data can be processed for this purpose:

  • IP address,
  • date and time of access,
  • browser type and browser version,
  • operating system,
  • referrer URL,
  • viewed pages and files,
  • access status,
  • amount of data transferred,
  • device information.

Processing is based on Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the secure, stable and efficient provision of our website.

4.2 Cookies, similar technologies and consent management

We use cookies and comparable technologies on our website. We distinguish between:

  • technically required technologies, which are necessary for the operation and security of the website,
  • optional technologies, in particular for reach measurement, analytics or marketing.

Insofar as access to information in your end device or its storage is not technically necessary, this is done only on the basis of your consent. The actual subsequent processing of personal data is based – depending on the case – on your consent or our legitimate interests.

You can revoke or adjust consent you have given at any time with effect for the future via our consent tool.

4.3 Contact us

If you contact us by email, form, appointment booking or otherwise, we process the data you provide to handle your request.

In particular, the following data may be processed:

  • name,
  • e-mail address,
  • telephone number,
  • company,
  • content of your message,
  • communication metadata.

Processing is carried out, depending on the occasion, on the basis of Art. 6 para. 1 lit. b GDPR (pre-contractual measures or contract performance) or Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient communication).

4.4 Newsletter and commercial communication

If we offer a newsletter or comparable informational emails, we generally process your data to send such messages on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR.

Where legally permitted, we may also send existing customers information about our own similar services on the basis of Art. 6 para. 1 lit. f GDPR in conjunction with the relevant competition law requirements. You may object to commercial use of your data at any time.

4.5 Social media presences

We maintain company profiles on social networks. If you interact with us there, we process the data transmitted to us in order to respond to messages, comments or requests.

Processing is based on Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the external presentation of our company, communication with interested parties and customers, and analysis of the reach of our content.

Please note that social network operators regularly process personal data for their own purposes. We have only limited influence over this processing.


5. Business initiation, contract processing and general business communication

We process personal data of interested parties, customers, contact persons, service providers, partners and other business contacts to the extent necessary to initiate, perform and process business relationships.

In particular, the following may be processed:

  • name and professional contact details,
  • company, position and function,
  • offer, contract and project data,
  • communication content,
  • invoice and payment data,
  • documentation and evidence data.

Processing is based on Art. 6 para. 1 lit. b GDPR to the extent that it is necessary to initiate or perform the contract, and on Art. 6 para. 1 lit. f GDPR to the extent that it serves our general business communication, internal organisation or legal enforcement. Statutory retention obligations are based on Art. 6 para. 1 lit. c GDPR.


6. Agency services of Nickle AI

6.1 Type of services

As part of our agency services, we support customers in particular in the conception, development, implementation, optimization and operation of digital solutions, especially in the areas of web, AI, automation, workflow design, integrations, prototyping, prompting, assistant systems and related services.

6.2 Processed data in the project context

Depending on the order, we may process in particular the following data in the context of agency projects:

  • contact and communication data,
  • project and briefing documents,
  • access and administration data,
  • content from customer systems,
  • test, usage and error data,
  • files, texts, images, audio or other uploads,
  • AI-related inputs and outputs, insofar as these are part of the service provision.

6.3 Role distribution: Controller or processor

Whether we act as a controller or processor under data protection law depends on the specific case:

  • Insofar as we process personal data to initiate, administer and process our own contractual relationship, we ourselves are the controller.
  • Insofar as we process personal data exclusively on behalf of and on documented instructions from our customers, we act as a processor within the meaning of Art. 28 GDPR.

When we act as a processor, we process personal data exclusively on documented instructions from the respective customer and conclude – where required – a data processing agreement.

6.4 Use of AI as part of agency services

If this is part of the commissioned scope of services, we may use AI systems and model providers to analyze, structure, generate or transform content, or to support project-related processes.

In particular, prompts, uploaded files, context information and generated results may be processed. We aim to keep this processing as data-minimizing, purpose-bound and contractually secured as possible.

Where possible and contractually provided, we select configurations in which customer data is not used to train third-party models. Depending on the service used, processing may take place within the EU/EEA or in third countries. For further information, see section 8 of this privacy policy.

6.5 Confidentiality and project-related security

We take appropriate technical and organisational measures to protect project-related data from unauthorized access, loss or misuse. Access to customer environments is limited to what is necessary.

6.6 Processors for agency services

Depending on the services included in the respective project, the following processors may be used:

  • Render Services, Inc. (USA) for hosting and workflow infrastructure (SCCs),
  • Sendinblue GmbH / Sendinblue SAS / Brevo (EU) for e-mail delivery via contact forms,
  • Microsoft Azure / Azure OpenAI (USA) for AI-based chatbot functions (SCCs),
  • Supabase, Inc. (USA) for the infrastructure of the chatbot knowledge database (SCCs).

The processors used for a specific project depend on the services agreed in the respective contract and are listed in the DPA appendix at https://nickle.ai/dpa.


7. Analytics, reach measurement and optimization

Where we use analytics and statistics functions, this serves to better understand the use of our website, identify errors and develop our offering in a more user-friendly way.

Insofar as such processing is not technically necessary, it takes place only with your consent pursuant to Art. 6 para. 1 lit. a GDPR. Where only security or operational technical logs are involved, we rely on Art. 6 para. 1 lit. f GDPR.

7.1 Google Analytics (GA4)

If you consent to analytics cookies, we use Google Analytics (GA4) on this website.

  • Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Depending on the processing operation, data may be transferred to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
  • Purpose: Statistical evaluation of website use and optimization of our online offer.
  • Legal basis: Consent pursuant to Art. 6 para. 1 lit. a GDPR and – where applicable – § 25 para. 1 TDDDG.
  • Data categories: Pseudonymous identifiers (e.g. cookie IDs), usage and event data, browser/device information, approximate location data, referrer information and timestamp.
  • Data protection configuration: GA is activated only after consent; revocation is possible at any time via our cookie settings; IP anonymization is activated; advertising personalization signals and Google Signals are disabled.
  • Storage period: In our current GA4 configuration, retention of event data is set to 2 months and user-related retention is set to 14 months.
  • Third-country transfer: A transfer to the USA cannot be excluded. Such transfers are made on the basis of an adequacy decision (where relevant) or appropriate safeguards, in particular EU standard contractual clauses.

8. Recipients and service providers

We use external service providers that process personal data on our behalf or – where necessary – on their own responsibility. This may include providers from the following categories:

  • hosting and infrastructure,
  • database and storage infrastructure,
  • e-mail and communication services,
  • analytics and monitoring,
  • AI infrastructure and model provision,
  • development and repository infrastructure,
  • support and security services.

Our service providers may include:

  • Render (hosting / infrastructure),
  • Supabase (database and storage),
  • Brevo (Sendinblue) (e-mail communication),
  • Microsoft Azure (AI infrastructure / model provision),
  • Google Cloud (AI infrastructure / model provision),
  • Google Analytics (web analysis; only if activated and based on consent),
  • GitHub (repository and development infrastructure).

Additional subprocessors may be used to the extent necessary for secure and efficient operation. We ensure that service providers receive access to personal data only to the extent necessary for the respective purpose.

8.1 Special notes on individual service provider categories

Hosting and data infrastructure:

We use infrastructure and database services to provide our website and the associated backend systems. In particular, usage, communication, project and content data may be processed to the extent necessary for operation, security, availability and performance.

E-mail and communication services:

We may use external communication service providers for transactional emails, notifications and other electronic communications.

Analytics and tracking services:

Insofar as we use analysis and tracking services, this takes place – if legally required – exclusively on the basis of consent.

AI providers:

To the extent we use AI functions or model access as part of our agency services, inputs, context data, uploads and results may be transmitted to the model or infrastructure providers used for this purpose, insofar as this is necessary to provide the respective function.

Development and repository services:

We use technical development and repository services to manage our source code, our development processes and technical collaboration. Personal data is generally processed in this context only to the extent necessary in connection with technical logs, commit metadata, access information, support or security processes.


9. Data transfers to third countries

The processing of personal data can also take place – depending on the service, selected region or AI model used – outside the European Union or the European Economic Area, in particular in the USA.

Insofar as a transfer to a third country takes place, we ensure that there is an appropriate data protection basis for this. This may be done in particular through:

  • an adequacy decision of the European Commission,
  • standard contractual clauses,
  • additional contractual, technical or organisational safeguards,
  • statutory exceptions.

Where different models or regions can be selected in the project context, the processing location may depend on the selected service.


10. Storage period

We store personal data only for as long as this is necessary for the respective purposes.

In principle, the following criteria apply in particular:

  • we store contractual master data for the duration of the contractual relationship,
  • we store communication and contract data for the duration of the business relationship as well as in the context of statutory retention obligations,
  • we store billing-relevant data in accordance with commercial and tax law requirements,
  • we generally store technical logs only for a limited period, insofar as they are necessary for operation, security and error analysis,
  • deleted content may temporarily remain in backups or recovery systems before it is permanently deleted or anonymized.

As soon as the respective processing purpose no longer applies and there are no statutory retention obligations or legitimate reasons for further storage, we delete or anonymize the relevant data.


11. Special notes on privacy-compliant use of AI

When using AI functions, personal data should not be entered where possible if this is not necessary for the respective purpose. This applies in particular to special categories of personal data within the meaning of Art. 9 GDPR, confidential information and professional secrets.

Insofar as personal data is processed within the scope of AI functions, this is done exclusively for the provision, execution, security and improvement of the specifically provided services within the relevant legal and contractual limits.

AI-generated results may be incomplete or incorrect. They should therefore – particularly in the case of legally, economically or personally significant decisions – not be adopted without review.


12. Automated decisions

We generally do not carry out solely automated decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you, unless we expressly inform you of this in individual cases.


13. Data security

We take appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorized access, unauthorized disclosure or unauthorized alteration.

These include in particular:

  • encrypted data transmission (e.g. TLS/HTTPS),
  • role-based access concepts,
  • logging and monitoring,
  • measures to ensure availability and integrity,
  • procedures for limiting and controlling access rights.

14. Your rights

In accordance with the legal requirements, you have in particular the following rights:

  • right of access under Art. 15 GDPR,
  • right to rectification under Art. 16 GDPR,
  • right to erasure under Art. 17 GDPR,
  • right to restriction of processing under Art. 18 GDPR,
  • right to data portability under Art. 20 GDPR,
  • right to object under Art. 21 GDPR,
  • right to revoke a given consent with effect for the future,
  • right to complain to a data protection supervisory authority.

To exercise your rights, an informal message to us is sufficient, for example by email to info@nickle.ai.


15. Right to lodge a complaint with a supervisory authority

Without prejudice to other administrative or judicial remedies, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement.

If our registered office in Hesse is relevant, the competent supervisory authority is generally the Hessian Commissioner for Data Protection and Freedom of Information.


16. Changes to this privacy policy

We reserve the right to amend this privacy policy with effect for the future if legal, technical or business conditions change. The current version is available on our website.