Last Updated: 5 April 2026
This Privacy Policy informs you in accordance with Art. 13 and 14 of the General Data Protection Regulation (GDPR) and § 25 TTDSG about how Tawi AI collects, processes, and protects personal data when you use our website or services.
Controller: TawiAI · Germany · Email: privacy@tawi.ai
1. Data Controller (Art. 4(7) GDPR)
The controller within the meaning of the GDPR is: TawiAI, Germany. For any data protection enquiries, please contact: privacy@tawi.ai. A Data Protection Officer (DPO) is not currently required by law based on our processing activities; if this changes, we will appoint one and publish their contact details here without delay.
2. Personal Data We Collect
- Contact / intake form: name, email address, company name, website URL, team size, business challenges, goals, budget range, and timeline.
- Appointment booking via Calendly: name, email address, any voluntarily provided details, and booking metadata (date, time, timezone). Processing is carried out by Calendly, LLC (see Section 5).
- Technical access data: IP address, browser type and version, operating system, referrer URL, pages visited, date and time of access. Processed by our hosting provider, Vercel, Inc. (see Section 5).
- Cookie consent: your choice made in the cookie banner is stored locally in your browser (localStorage key: 'tawi-cookie-consent') and is not transmitted to our servers.
3. Purposes and Legal Bases of Processing (Art. 6 GDPR)
- Responding to enquiries and preparing a contract – Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures).
- Operating the website and ensuring its technical functionality – Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure and stable web presence).
- Appointment booking via Calendly – Legal basis: Art. 6(1)(b) GDPR (contract initiation) and your explicit consent when using the booking form.
- Website analytics (if activated after consent) – Legal basis: Art. 6(1)(a) GDPR. Analytics cookies are only set after your explicit consent.
- Compliance with statutory retention obligations – Legal basis: Art. 6(1)(c) GDPR.
4. Cookies and Similar Technologies (§ 25 TTDSG / ePrivacy)
- Essential local storage: stores your cookie consent choice (localStorage key: 'tawi-cookie-consent'). Not transmitted to any server. Legal basis: § 25(2)(2) TTDSG (strictly necessary).
- Calendly script and CSS (assets.calendly.com): loaded only when you actively click the booking button. Calendly may set cookies and collect your IP address and device data. Legal basis: your consent (§ 25(1) TTDSG, Art. 6(1)(a) GDPR).
- Analytics cookies: not currently active. If activated in future, this will occur only after prior consent and full disclosure in this policy.
- You may withdraw your consent at any time by adjusting your browser settings or clearing your browser's local storage.
5. Processors and Third-Party Providers (Art. 28 GDPR)
- Vercel, Inc., 340 Pine Street, Suite 701, San Francisco, CA 94104, USA – hosting and infrastructure. Vercel processes technical access data (including IP addresses) on our servers. Legal basis for third-country transfer: Standard Contractual Clauses (Art. 46(2)(c) GDPR). Privacy policy: vercel.com/legal/privacy-policy.
- Calendly, LLC, 3423 Piedmont Road NE, Atlanta, GA 30305, USA – appointment scheduling software. Calendly processes name, email, and booking data when you book a meeting. Legal basis for third-country transfer: Standard Contractual Clauses. Privacy notice: calendly.com/legal/privacy-notice.
- All processors are bound by Data Processing Agreements (DPAs) pursuant to Art. 28 GDPR and may only process data on our documented instructions.
6. International Data Transfers (Art. 44–49 GDPR)
Both Vercel, Inc. and Calendly, LLC are headquartered in the United States. For transfers of personal data to the USA we rely on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. Copies of the applicable SCCs are available on request at privacy@tawi.ai. Please note that the USA does not provide a level of data protection equivalent to the EU in all respects.
7. Retention Periods (Art. 5(1)(e) GDPR)
- Contact form enquiries: until the enquiry is fully resolved, and no later than 12 months thereafter if no contractual relationship arises.
- Contractual correspondence: 10 years pursuant to § 147 AO and § 257 HGB (German commercial and tax retention rules).
- Technical server logs (Vercel): typically 30 days, then automatic deletion.
- Calendly booking data: in accordance with Calendly LLC's privacy notice.
- Cookie consent (localStorage): indefinitely until you manually clear it.
- After expiry of the retention period, data is deleted or irreversibly anonymised.
8. Your Rights as a Data Subject (Art. 15–22 GDPR)
- Right of access (Art. 15): you may request confirmation of whether we process your personal data and obtain a copy.
- Right to rectification (Art. 16): you may request correction of inaccurate data.
- Right to erasure (Art. 17): you may request deletion of your data where no statutory retention obligation applies.
- Right to restriction of processing (Art. 18): you may request that we restrict processing of your data.
- Right to data portability (Art. 20): you may receive your data in a structured, machine-readable format.
- Right to object (Art. 21): you may object at any time to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)): any consent given may be withdrawn at any time with future effect.
- To exercise your rights, contact: privacy@tawi.ai. We will respond within one month (Art. 12(3) GDPR).
9. Right to Lodge a Complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a supervisory authority. Our competent supervisory authority is: Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection and Freedom of Information), Friedrichstr. 219, 10969 Berlin, Germany, email: mailbox@datenschutz-berlin.de, tel.: +49 30 13889-0. You may also contact the supervisory authority of your habitual residence or place of work.
10. Automated Decision-Making (Art. 22 GDPR)
We do not carry out automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you. Our AI systems support service delivery and remain subject to human oversight at all times.
11. Data Security (Art. 32 GDPR)
We implement technical and organisational measures appropriate to the risk, including: TLS/HTTPS encryption for all data in transit, access controls and least-privilege principles, regular security reviews, and data minimisation. Our hosting infrastructure (Vercel) is SOC 2 Type II certified.
12. Children's Data
Our website and services are directed exclusively at individuals aged 18 and over. We do not knowingly collect personal data from minors. If we become aware that data of a minor has been collected, we will delete it without delay.
13. Links to Third-Party Sites
Our website contains links to external sites, in particular LinkedIn (linkedin.com). We are not responsible for the content or data protection practices of those sites. Clicking such a link takes you away from our website, and the third party's own privacy policy then applies.
14. Changes to This Policy
We reserve the right to update this Privacy Policy to reflect changes in our processing activities or applicable law. The current version is always available on this page. For material changes we will, where practicable, notify you by email or by a prominent notice on the website.