Privacy Policy

As of: March 19, 2026

1. Responsible person

Responsible for the processing of personal data within the meaning of the General Data Protection Regulation (GDPR) is:

Nickle AI – Oreshin, Platon und Scheffler, Daniel GbR
Ludwig-Erhard-Strasse 10
34131 Kassel
Germany
Email: info@nickle.ai

This privacy policy applies to:

  • our website nickle.ai,
  • our multi-LLM application “nickle” at app.nickle.ai,
  • our other business contacts,
  • our agency services in the areas of web, AI, automation and related digital services.

2. General information on data processing

We process personal data exclusively within the framework of the applicable data protection regulations, in particular the GDPR, the Federal Data Protection Act (BDSG) and - where relevant - the Telecommunications Digital Services Data Protection Act (TDDDG).

Personal data is any information relating to an identified or identifiable natural person.

We process personal data in particular,

  • to provide our website,
  • to process inquiries,
  • to initiate, conclude and execute contracts,
  • to provide our agency services,
  • to provide the “nickle” app technically and organizationally,
  • to perform AI-powered functions,
  • to ensure support, security, billing and communication.

The processing takes place in particular on the following legal bases:

  • Art. 6(1)(a) GDPR – consent,
  • Art. 6(1)(b) GDPR – contract fulfillment and pre-contractual measures,
  • Art. 6(1)(c) GDPR – fulfillment of legal obligations,
  • Art. 6(1)(f) GDPR – legitimate interests,
  • Art. 9(2) GDPR – insofar as, exceptionally, special categories of personal data are processed and there is a special legal basis for this.

3. Categories of personal data

Depending on how you use our offer, we process the following data categories in particular:

  • Master and contact data, e.g. name, email address, telephone number, company,
  • Communication data, e.g. email content, messages, support requests,
  • Contract and billing data,
  • Registration and account details,
  • Authentication data, e.g. login details or SSO/OAuth information,
  • Usage, device and log data,
  • Content that is processed as part of agency projects or within the app, e.g. prompts, uploads, attachments, output and context data,
  • Payment and transaction metadata,
  • Consent and Preference Data.

4. Visiting our website

4.1 Provision of the website and server log files

When you access our website, technically necessary data is processed automatically in order to deliver the website, ensure its stability and ward off attacks.

The following data in particular can be processed for this purpose:

  • IP address,
  • Date and time of retrieval,
  • Browser type and browser version,
  • operating system,
  • Referrer URL,
  • pages and files accessed,
  • access status,
  • amount of data transferred,
  • Device information.

Processing is based on Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, stable and efficient provision of our website.

4.2 Cookies, similar technologies and consent management

We use cookies and similar technologies on our website. We differentiate between:

  • technically necessary technologies, which are necessary for the operation and security of the website,
  • optional technologies, especially for reach measurement, analysis or marketing.

To the extent that access to information in your end device or its storage is not technically necessary, this will only be done on the basis of your consent. The actual subsequent processing of personal data takes place - depending on the case - based on your consent or our legitimate interests.

You can revoke or adjust your consent at any time with future effect using our consent tool.

4.3 Contacting us

If you contact us by email, form, appointment booking or other means, we will process the data you provide to process your request.

The following data in particular can be processed:

  • Name,
  • E-mail address,
  • telephone number,
  • Company,
  • content of your message,
  • Communication metadata.

Depending on the reason, processing is carried out on the basis of Art. 6(1)(b) GDPR (pre-contractual measures or contract fulfillment) or Art. 6(1)(f) GDPR (legitimate interest in efficient communication).

4.4 Newsletter and promotional communication

If we offer a newsletter or comparable information emails, we generally process your data to send such messages based on your consent in accordance with Art. 6(1)(a) GDPR.

To the extent permitted by law, we can also send existing customers information about our own similar services on the basis of Art. 6(1)(f) GDPR in conjunction with the relevant competition law requirements. You can object to the use of your data for advertising purposes at any time.

4.5 Social media presence

We maintain company profiles on social networks. When you interact with us there, we process the data provided to us in order to respond to messages, comments or inquiries.

Processing is based on Art. 6(1)(f) GDPR. Our legitimate interest lies in the external presentation of our company, communication with interested parties and customers and the analysis of the reach of our content.

Please note that the operators of social networks regularly process personal data for their own purposes. We only have limited influence on this processing.

5. Initiation of business, contract processing and general business communication

We process personal data from interested parties, customers, contacts, service providers, partners and other business contacts to the extent that this is necessary to initiate, implement and process business relationships.

In particular, the following can be processed:

  • Name and professional contact details,
  • Company, position and function,
  • Offer, contract and project data,
  • communication content,
  • billing and payment data,
  • Documentation and evidence data.

Processing is carried out on the basis of Art. 6(1)(b) GDPR, insofar as it is necessary for the initiation or execution of the contract, as well as on the basis of Art. 6(1)(f) GDPR, insofar as it serves our general business communication, internal organization or legal enforcement. Legal retention obligations are based on Art. 6(1)(c) GDPR.

6. Agency services from Nickle AI

6.1 Type of services

As part of our agency services, we support customers in particular with the conception, development, implementation, optimization and operation of digital solutions, especially in the areas of web, AI, automation, workflow design, integrations, prototyping, prompting, assistance systems and related services.

6.2 Processed data in the project context

Depending on the order, we can process the following data in particular as part of agency projects:

  • Contact person and communication data,
  • Project and briefing documents,
  • Access and administration data,
  • Content from customer systems,
  • Test, usage and error data,
  • Files, text, images, audio or other uploads,
  • AI-related inputs and outputs, to the extent that these are part of the service provision.

6.3 Role distribution: controller or processor

Whether we act as controller or processor under data protection law depends on the specific individual case:

  • To the extent that we process personal data to initiate, manage and process our own contractual relationship, we are responsible for it ourselves.
  • To the extent that we process personal data exclusively on behalf of and according to the instructions of our customers, we act as a processor within the meaning of Art. 28 GDPR.

If we act as a processor, we process personal data exclusively on the documented instructions of the respective customer and - if necessary - conclude an order processing agreement.

6.4 Use of AI as part of agency services

If this is part of the contracted scope of services, we can use AI systems and model providers to analyze, structure, generate, transform content or support project-related processes.

In particular, prompts, uploaded files, context information and generated results can be processed. We ensure that processing is as data-efficient, purposeful and contractually secured as possible.

As far as possible and contractually provided, we choose configurations in which customer data is not used to train third-party models. Depending on the service used, processing can take place within the EU/EEA or in third countries. Further information can be found in section 9 of this data protection declaration.

6.5 Confidentiality and Project-Related Security

We take appropriate technical and organizational measures to protect project-related data from unauthorized access, loss or misuse. Access to customer environments is limited to what is necessary.

7. Use of the “nickle” app

7.1 Registration and account creation

When registering and using a user account, we process in particular:

  • Name,
  • E-mail address,
  • password in encrypted form,
  • optional telephone number,
  • optional company information,
  • Login and authentication data,
  • if applicable, data from single sign-on or OAuth logins, e.g. via Google or Microsoft.

Processing is based on Art. 6(1)(b) GDPR.

7.2 Workspace, organization and team functions

To the extent that workspaces, teams or organizational environments are provided within the app, we process data necessary to manage roles, permissions, invitations, collaboration and administrative settings.

This may include, but is not limited to, email addresses, names, team assignments, role information and activity metadata.

Processing is based on Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

7.3 Use of AI functions

When using the app's AI functions, we process in particular:

  • Prompts and other inputs,
  • generated outputs,
  • uploaded files and attachments,
  • history entries,
  • technical metadata,
  • model or function related context information.

The processing is primarily carried out to provide the contractually agreed functions in accordance with Art. 6(1)(b) GDPR. If processing also serves to prevent misuse, system security, error analysis, optimization or support, it is carried out on the basis of Art. 6(1)(f) GDPR.

For certain functions, such as image or media generation, it may be necessary to store inputs together with the generated results to ensure functionality, traceability or reproducibility.

7.4 No training of third-party models with customer data

To the extent that we provide for this in the respective product configuration, in the contract or in our product communication, we generally do not use customer content to train third-party AI models. In this respect, the specific providers, regions, contracts and technical settings used are decisive.

7.5 Support, Operations, Security and Abuse Prevention

We process technical and usage-related data to the extent necessary to ensure the security, stability and integrity of the app, to identify and correct errors, to prevent misuse and to process support requests.

In particular, the following can be processed for this purpose:

  • IP addresses,
  • Device and browser information,
  • times and event logs,
  • Error and diagnostic data,
  • security-relevant logs,
  • Support communication.

Processing is based on Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

7.6 Payment Processing and Subscriptions

If paid services are used, we process billing-related data to manage payments, invoices, subscriptions and claims.

We regularly do not process your complete payment data ourselves, but rather primarily billing-related metadata. The actual payment processing takes place via specialized payment service providers.

Processing is carried out on the basis of Art. 6(1)(b) GDPR and – where legally required – Art. 6(1)(c) GDPR.

8. Analysis, reach measurement and product improvement

If we use analysis and statistical functions, this serves to better understand the use of our website and our app, to identify errors, to improve functions and to further develop our offering in a more user-friendly manner.

To the extent that such processing is not technically necessary, it will only take place with your consent in accordance with Art. 6(1)(a) GDPR. To the extent that technical logging is only required for security or operational reasons, we base this on Art. 6(1)(f) GDPR.

9. Recipients and service providers used

We use external service providers who process personal data on our behalf or – if necessary – under their own responsibility. This may include, in particular, providers from the following categories:

  • hosting and infrastructure,
  • database and storage infrastructure,
  • email and communication services,
  • authentication,
  • payment processing,
  • analysis and monitoring,
  • AI infrastructure and model deployment,
  • Search and retrieval infrastructure,
  • Development and repository infrastructure,
  • Support and security services.

The service providers we use may include in particular:

  • Render (Hosting / Infrastructure),
  • Supabase (database, authentication and storage),
  • Stripe (payment processing and subscription management),
  • Brevo (email communication),
  • Microsoft Azure (AI infrastructure / model deployment),
  • Google Cloud (AI infrastructure / model deployment),
  • Google Analytics (web analysis; only if activated and based on consent),
  • Jina AI (search and retrieval infrastructure or web search within the app, if used),
  • GitHub (repository and development infrastructure).

Additional sub-processors may be used to the extent necessary for secure and efficient operations. We ensure that service providers only have access to personal data to the extent necessary for the respective purpose.

9.1 Special information on individual service provider categories

Hosting and data infrastructure:

We use infrastructure and database services to provide our website, our app and the associated backend systems. In particular, usage, communication, account, project and content data can be processed to the extent this is necessary for operation, security, availability and performance.

Payment service providers:

We use specialized payment service providers to process payments, subscriptions and billing processes. Payment processing is regularly carried out directly via the systems of the respective payment provider.

Email and communication services:

We may use external communication service providers for transactional emails, notifications, possibly newsletters and other electronic communication.

Analysis and tracking services:

If we use analysis and tracking services, this is done - to the extent legally required - exclusively on the basis of consent.

AI and search providers:

If you use AI functions, model access or search functions within the app, inputs, context data, uploads and results can be transmitted to the model, infrastructure or search providers used for this purpose, to the extent that this is necessary to provide the respective function.

Development and repository services:

We use technical development and repository services to manage our source code, development processes and technical collaboration. In principle, personal data is only processed to the extent that this is necessary within the framework of technical protocols, commit metadata, access information, support or security processes.

10. Data transfers to third countries

Depending on the service used, the region chosen or the AI model, processing of personal data can also take place outside the European Union or the European Economic Area, particularly in the USA.

If a transfer takes place to a third country, we ensure that there is an appropriate data protection basis for this. This can be done in particular by:

  • an adequacy decision by the European Commission,
  • standard contractual clauses,
  • additional contractual, technical or organizational protective measures,
  • exceptions provided for by law.

To the extent that different models or regions can be selected within the app or in the project context, the processing location may depend on the service selected.

11. Storage period

We only store personal data for as long as necessary for the respective purposes.

In principle, the following standards apply in particular:

  • We store account data for the duration of the contractual relationship,
  • We store communication and contract data for the duration of the business relationship and beyond within the framework of legal retention obligations,
  • We store billing-relevant data in accordance with commercial and tax law requirements,
  • We generally only store technical logs for a limited period of time, as long as they are necessary for operation, security and error analysis,
  • We generally store content within the app, in particular prompts, uploads and outputs, for as long as this is necessary for the provision of the service, the storage initiated by the user or the contractually agreed service,
  • deleted accounts or content may remain temporarily in backup or recovery systems before being permanently deleted or anonymized.

As soon as the respective processing purpose no longer applies and there are no legal retention obligations or legitimate reasons for further storage, we delete or anonymize the data in question.

12. Special information on the data protection-compliant use of AI

When using AI functions, if possible, no personal data should be entered if this is not necessary for the respective purpose. This applies in particular to special categories of personal data within the meaning of Art. 9 GDPR, confidential information and professional secrets.

To the extent that personal data is processed as part of AI functions, this is done exclusively for the provision, execution, security and improvement of the specific services provided within the relevant legal and contractual limits.

AI-generated results may be incomplete or incorrect. They should therefore not be adopted without checking - especially in the case of legally, economically or personally significant decisions.

13. Automated decisions

In principle, we do not make exclusively automated decisions within the meaning of Article 22 of the GDPR, which have legal effects on you or similarly significantly affect you, unless we expressly inform you of this in individual cases.

14. Data Security

We take appropriate technical and organizational measures to protect personal data against loss, misuse, unauthorized access, unauthorized disclosure or unauthorized alteration.

These include in particular:

  • encrypted data transmission (e.g. TLS/HTTPS),
  • role-based access concepts,
  • logging and monitoring,
  • Measures to ensure availability and integrity,
  • Procedure for limiting and controlling access rights.

15. Your Rights

In accordance with the legal requirements, you have the following rights in particular:

  • Right to information according to Art. 15 GDPR,
  • Right to correction according to Art. 16 GDPR,
  • Right to deletion according to Art. 17 GDPR,
  • Right to restriction of processing according to Art. 18 GDPR,
  • Right to data portability according to Art. 20 GDPR,
  • Right to object according to Art. 21 GDPR,
  • Right to revoke consent given with effect for the future,
  • Right to complain to a data protection supervisory authority.

To exercise your rights, it is sufficient to send us an informal message, for example by email to info@nickle.ai.

16. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedies, you have the right to complain to a data protection supervisory authority, in particular in the Member State of your residence, your place of work or the place of the alleged infringement.

If our headquarters in Hesse is relevant, the responsible supervisory authority is generally the Hessische Beauftragte für Datenschutz und Informationsfreiheit.

17. Changes to this Privacy Policy

We reserve the right to adapt this data protection declaration with effect for the future if legal, technical or business conditions change. The current version is available on our website.