PRIVACY NOTICE

Last Updated: 2026-04-23

This Privacy Notice explains how Genhone ("we," "us," or "our"), operated by Malte Hedderich, processes your personal data when you use our services ("Services"), including our website, web application, and API.

We are the data controller. Our contact details are in Section 16.

SUMMARY OF KEY POINTS

What personal data do we process? We collect your email address, display name from Google or Apple sign-in, and your optional product-email preference. When you subscribe, Stripe collects your billing address and payment details on our behalf. We do not collect phone numbers, mailing addresses, or sensitive personal data.

Do we use AI? Yes. We use Amazon Web Services (Amazon Bedrock) and Perplexity AI to process idea content you enter into the Service. These services handle your idea text, not your personal data (email, name, etc.).

Where does your personal data go? Most processing stays within the EU (Belgium). Some processors operate in the US under EU-US Data Privacy Framework certification or Standard Contractual Clauses.

How long do we keep your data? Account data is kept while your account is active. You can delete your account at any time. Specific retention periods by data category are listed in Section 9.

What are your rights? You can access, correct, delete, port, restrict, or object to processing of your data. You can also lodge a complaint with a supervisory authority.

How do you exercise your rights? The easiest way to exercise your rights is by visiting your account page or by contacting us. You can delete your account directly at /delete-account. We respond within 30 days.

TABLE OF CONTENTS

1. WHAT INFORMATION DO WE COLLECT?

2. HOW DO WE PROCESS YOUR INFORMATION?

3. WHAT LEGAL BASES DO WE RELY ON?

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL DATA?

5. INTERNATIONAL DATA TRANSFERS

6. DO WE OFFER ARTIFICIAL INTELLIGENCE-BASED PRODUCTS?

7. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

8. HOW DO WE HANDLE YOUR THIRD-PARTY LOGINS?

9. HOW LONG DO WE KEEP YOUR INFORMATION?

10. HOW DO WE KEEP YOUR INFORMATION SAFE?

11. DO WE COLLECT INFORMATION FROM MINORS?

12. WHAT ARE YOUR PRIVACY RIGHTS?

13. AUTOMATED DECISION-MAKING

14. DO WE MAKE UPDATES TO THIS NOTICE?

15. HOW CAN YOU REVIEW, UPDATE, OR DELETE YOUR DATA?

16. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

1. WHAT INFORMATION DO WE COLLECT?

Personal data you provide

We collect the following personal data depending on how you interact with the Services:

Data Category | When Collected | Stored By
Email address | Account registration (email/password, Google, or Apple sign-in) | Genhone (Firestore), Firebase Authentication
Display name | Provided by Google or Apple during sign-in (not collected for email/password sign-in) | Firebase Authentication
Product email preference | At signup, social sign-in completion, and whenever you change the setting in your account | Genhone (Firestore)
Billing name and address | When you subscribe (collected in Stripe Checkout) | Stripe
Payment instrument details | When you subscribe (collected in Stripe Checkout) | Stripe — never stored on our servers

Content you create

When you use the Service, you create idea descriptions and chat messages. This content is about your business ideas and is not intended to contain personal data. It is stored in Genhone (Firestore) and processed by AI providers as described in Section 6. Do not include personal data of third parties in your idea content.

We do not collect: phone numbers, mailing addresses, social security numbers, or any special category data (Art. 9 GDPR).

Payment data: All payment information is collected and stored exclusively by Stripe. Your card number, CVV, and related payment details never pass through our servers. See Stripe's privacy policy: https://stripe.com/en-de/privacy.

Third-party login data: When you sign in with Google or Apple, we receive only the data described in Section 8. We do not request contacts, friends lists, or other social data.

Information collected automatically

When you visit or use the Services, we automatically collect:

  • Server logs: IP address, browser type and version, operating system, referring URL, pages visited, timestamps, and HTTP request metadata. Collected by Cloudflare (as reverse proxy) and Google Cloud Run.
  • Device data: Screen resolution, device type, and language preferences — collected through standard HTTP headers.
  • AI service metadata: Model identifiers, request timestamps, token counts, and error codes when you use AI features — collected for service quality and abuse prevention.
  • Analytics data (with consent): Page views, feature usage events, and session data — collected by PostHog only when you consent to optional analytics. In the authenticated app, analytics may be associated with your account (user ID, email, display name). See our Cookie Policy for details.
  • Terms acceptance record: When you accept our Terms of Service, we record the accepted version and timestamp, linked to your user ID. Stored in Genhone (Firestore) and Firebase Authentication (as a custom claim) for legal compliance.
  • Product email preference record: When you opt in, stay opted out, or later change the setting, we store the current preference in your account and log the change in our server-side audit logs with timestamp, consent version, source, and account identifier.

Google API

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

2. HOW DO WE PROCESS YOUR INFORMATION?

We process your personal data for the following specific purposes:

Purpose | Personal Data Used
Account creation and authentication | Email, display name, authentication tokens
Subscription billing and invoicing | Email, billing name/address, payment details (via Stripe)
Service communications (e.g., subscription confirmations) | Email
Optional product emails (e.g., onboarding tips, feature updates) | Email, current product-email preference
Analytics and service improvement (with consent) | Usage events, user ID, email, display name
Security, abuse prevention, and rate limiting | IP address, user ID, request metadata
Legal compliance (e.g., tax records, responding to lawful requests) | Billing records, account data, terms and consent records

Idea content and chat messages are also processed to provide the refinement and evaluation service, but these are not personal data categories. See Section 6.

3. WHAT LEGAL BASES DO WE RELY ON?

Under Art. 6 GDPR, we rely on the following legal bases for each purpose:

Purpose | Lawful Basis | Explanation
Account creation and authentication | Art. 6(1)(b) — Performance of contract | Necessary to provide you with the Service you signed up for
Idea refinement and evaluation (including AI processing) | Art. 6(1)(b) — Performance of contract | Core service functionality you requested
Subscription billing | Art. 6(1)(b) — Performance of contract | Necessary to process your subscription
Service communications | Art. 6(1)(b) — Performance of contract | Necessary to inform you about your account and subscription
Optional product emails | Art. 6(1)(a) — Consent | Only sent when you explicitly opt in. You can change this preference at any time in your account settings.
Security, abuse prevention, rate limiting | Art. 6(1)(f) — Legitimate interest | Our legitimate interest in protecting the Service and its users from abuse. You can object; see Section 12.
Analytics and service improvement | Art. 6(1)(a) — Consent | Only processed when you accept optional analytics via the cookie banner. You can withdraw consent at any time.
Legal compliance (tax, lawful requests) | Art. 6(1)(c) — Legal obligation | Required by applicable law (e.g., German tax retention obligations)

Withdrawing consent: Where processing is based on consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal. For analytics consent, adjust your preference via the cookie banner or clear your browser's site data. For optional product emails, update the setting in your account page or contact us.

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL DATA?

We share your data only with processors acting on our behalf under data processing agreements (DPAs), or where otherwise legally required. We do not sell your personal data.

Provider | Role | Personal Data Shared | Location | DPA Basis
Google Cloud Platform (Cloud Run, Firestore, Cloud Tasks) | Infrastructure, database, task orchestration | All account and idea data | EU (Belgium, europe-west1) | Google Cloud DPA (SCCs)
Firebase Authentication | User authentication | Email, display name, auth tokens | EU (per GCP project config) | Google Cloud DPA (SCCs)
Stripe | Payment processing | Email, billing name/address, payment details | United States (EU-US DPF participant) | Stripe DPA
PostHog | Product analytics (consent-based) | Usage events, user ID, email, display name | EU (eu.i.posthog.com) | PostHog DPA
Cloudflare | CDN, DDoS protection, WAF | IP address, request headers, traffic metadata | Global (edge network) | Cloudflare DPA (SCCs)

For AI service providers that process idea content (not personal data), see Section 6.

All processors are contractually prohibited from using your content to train their foundation models unless we have explicitly enabled such use (we have not).

We may also disclose your data if required by law, or in connection with a merger, acquisition, or sale of assets — in which case we will notify you.

5. INTERNATIONAL DATA TRANSFERS

Your personal data is primarily processed in the EU:

  • Firestore and Cloud Run: europe-west1 (Belgium)
  • PostHog: EU ingestion host (eu.i.posthog.com)

Some processors transfer personal data to the United States:

Provider | Transfer Mechanism
Stripe | EU-US Data Privacy Framework (DPF) certification
Cloudflare | SCCs (global edge processing)

For AI services that process idea content (not personal data): Amazon Bedrock operates within the EU using a cross-region inference profile spanning multiple European AWS regions. Perplexity AI operates in the United States. See Section 6 for details.

Where we rely on SCCs, we have assessed that supplementary measures (encryption in transit, contractual access limitations, no government access obligations for the data types transferred) provide adequate protection. Transfer impact assessments are available on request.

6. DO WE OFFER ARTIFICIAL INTELLIGENCE-BASED PRODUCTS?

Yes. Our core service uses AI to process the business idea content you enter. No personal data (email, name, billing details) is sent to AI providers — only the idea text and chat messages you write.

AI Service Providers

Provider | Purpose | Content Processed | Location
Amazon Web Services (Amazon Bedrock) | Idea refinement and evaluation | Idea content, chat messages | EU (multiple European regions via cross-region inference profile)
Perplexity AI | Web research for evaluation | Search queries derived from your idea content | United States

How It Works

  • Idea Refinement: When you use the chat-based refinement feature, your idea content and chat messages are sent to Amazon Bedrock (Anthropic Claude Sonnet, EU cross-region inference profile) for processing.
  • Direct Evaluation: Your idea content is sent to Amazon Bedrock for AI scoring against specific criteria.
  • Research-Based Evaluation: For certain criteria, search queries derived from your idea content are sent to Perplexity AI for web research. The results are then processed by Amazon Bedrock to score your idea.

Safeguards

  • Amazon Bedrock processes data exclusively within the EU using a cross-region inference profile; data does not leave the European Economic Area
  • We do not enable training on your content with any provider
  • Perplexity receives search queries derived from your idea — not your full idea text or any account data
  • No personal identifiers (email, user ID, name) are included in AI requests

Your responsibility: Do not include personal data of third parties in your idea content. You must not use the AI features in violation of any AI Service Provider's terms.

7. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

We use cookies and similar client-side storage technologies. Details about each technology, its purpose, retention, and whether it requires consent are in our separate Cookie Policy.

In summary:

  • Strictly necessary: Session cookies (authentication), Cloudflare security tokens, and your analytics consent preference. These do not require consent under the ePrivacy Directive.
  • Optional analytics: PostHog analytics identifiers, stored only when you consent via the cookie banner. You can withdraw consent at any time.

8. HOW DO WE HANDLE YOUR THIRD-PARTY LOGINS?

Our Services allow you to register using your Google or Apple account.

When you sign in with Google, we receive:

  • Your email address (verified by Google)
  • Your display name

When you sign in with Apple, we receive:

  • Your email address (which may be a private relay address if you use Apple's "Hide My Email")
  • Your first and last name (provided only during initial sign-in)

We do not receive your friends list, contacts, photos, or any data beyond the above. We request only the minimum scopes necessary for account creation and authentication.

After a Google or Apple sign-in creates your account, we separately ask whether you want to receive optional product emails. That preference is stored in your account settings and can be changed later.

You can revoke access through your Google or Apple account settings.

9. HOW LONG DO WE KEEP YOUR INFORMATION?

Data Category | Retention Period | Trigger for Deletion
Account data (email, profile) | Duration of account | Account deletion by user or inactivity policy
Product email preference | Duration of account | Account deletion
Idea content and chat messages | Duration of account | Account deletion
Firebase Authentication record | Duration of account | Deleted when account is deleted
Billing and invoice records | 10 years after the transaction | Required by German tax law (§ 147 AO)
Server and audit logs (IP, request metadata, consent change events) | Up to 30 days | Automatic rotation
PostHog analytics data (if consented) | Up to 12 months | Automatic expiry per PostHog retention settings
LLM observability traces (Phoenix, self-hosted) | Up to 90 days | Automatic expiry

When you delete your account, we delete your Firestore data (profile, ideas, conversations) and your Firebase Authentication record. Billing records retained by Stripe are subject to Stripe's retention policy and applicable tax law. Analytics data associated with your user ID in PostHog is retained per the above schedule.

10. HOW DO WE KEEP YOUR INFORMATION SAFE?

We implement security measures appropriate to the risk, including:

  • Encryption: TLS 1.2+ for all data in transit. Firestore and Cloud Run encrypt data at rest by default (Google-managed keys).
  • Access control: Cloud Run IAM enforces service-to-service authentication. Firestore security rules restrict document-level access to the owning user.
  • Network security: Cloudflare WAF provides DDoS protection and bot management on frontend routes.
  • Rate limiting: Per-user message rate limits prevent AI feature abuse.
  • No direct database access: All Firestore access routes through authenticated API endpoints.

No system is 100% secure. If you discover a security vulnerability, please report it via /contact.

11. DO WE COLLECT INFORMATION FROM MINORS?

We do not knowingly collect data from, or market to, anyone under 18 years of age. If we learn that we have collected personal data from a minor under 18, we will delete the account and associated data. Please contact us if you believe we have collected data from a minor.

12. WHAT ARE YOUR PRIVACY RIGHTS?

If you are in the EEA, UK, or Switzerland, you have the following rights under GDPR (and equivalent UK GDPR rights):

Right | What It Means | How to Exercise
Access (Art. 15) | Request a copy of your personal data | Contact us
Rectification (Art. 16) | Correct inaccurate data | Update your profile in-app, or contact us
Erasure (Art. 17) | Delete your account and data | Use /delete-account or contact us
Restriction (Art. 18) | Limit how we process your data | Contact us
Data portability (Art. 20) | Receive your data in a structured, machine-readable format | Contact us
Object (Art. 21) | Object to processing based on legitimate interest | Contact us — we will cease processing unless we have compelling legitimate grounds
Withdraw consent | Revoke consent for analytics or optional product emails at any time | Analytics: cookie banner or clear site data. Product emails: account page or contact us.

Response timeline: We will respond to your request within 30 days. If we need more time due to complexity, we will notify you within the initial 30 days and may extend by up to 60 additional days.

Identity verification: We may need to verify your identity before processing your request. We will do so using the email address associated with your account.

Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. For users in Germany, this is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 3163, 65021 Wiesbaden, Germany
https://datenschutz.hessen.de

You may also contact the supervisory authority in your country of residence.

13. AUTOMATED DECISION-MAKING

Our evaluation feature uses AI to generate scores for your business ideas across multiple criteria. These scores are produced automatically by AI models based on your idea content and, in some cases, web research results.

This is not automated decision-making about you as a person within the meaning of Art. 22 GDPR. The scores assess the viability of a business idea, not your personal characteristics, creditworthiness, or eligibility for a service. The scores do not produce legal or similarly significant effects concerning you.

You can always review, disregard, or re-run evaluations. The scores are a tool to support your decision-making, not a substitute for it.

14. DO WE MAKE UPDATES TO THIS NOTICE?

We may update this Privacy Notice when our processing activities, service providers, or legal requirements change. The updated version will show a new "Last Updated" date and version number at the top.

For material changes that affect how we process personal data, your privacy rights, or international transfers, we will notify you by email or in-app notification before the change takes effect. This includes, for example, adding a new provider that will receive personal data, changing the lawful basis for a processing activity, or transferring personal data to a new country.

For other updates that do not materially affect personal data processing, your rights, or international transfers, we may update this notice by posting the revised version with a new "Last Updated" date.

We encourage you to review this notice periodically.

15. HOW CAN YOU REVIEW, UPDATE, OR DELETE YOUR DATA?

  • Review and update: You can view and update your email and optional product-email preference in-app at /account (requires active subscription) or by contacting us.
  • Delete your account: Visit /delete-account. If you have an active subscription, you must cancel it first.
  • Data export: To request a machine-readable export of your data, contact us using the details below.

16. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or want to exercise your rights, contact us at:

Malte Hedderich
Friedensstr. 4
61476 Kronberg im Taunus
Germany