Privacy Policy
This privacy policy describes how Kompetenz Int. Consulting GmbH (hereinafter „we“) processes personal data when using the AI assistant „Ben“ on trennungsnothilfe.de.
1. Controller
The controller within the meaning of Art. 4 No. 7 DSGVO (GDPR) is:
Kompetenz Int. Consulting GmbH
Fliederstr. 8
90530 Wendelstein
E-Mail: rossnagel@kompetenzgroup.de
Data protection officer
According to the current assessment, the company is not obliged to appoint a data protection officer pursuant to § 38 BDSG. Please direct data protection enquiries to the email address stated under item 1.
2. What data we process
2.1 Account data
Upon registration we store:
- Email address
- Name / display name
- Password (only as a salted bcrypt hash, never in plain text)
- optional: federal state (for more relevant legal information, e.g. the competent family court)
- time of consent to the Terms + Privacy Policy
- optional: marketing consent
- email verification status (verified yes/no)
2.1a Email verification and password reset
During registration as well as for a password reset, we send you an email from noreply@trennungsnothilfe.de via Microsoft Azure Communication Services (Europe region). Only your email address is transmitted to the service in this process. Verification and reset tokens are deleted after use or expiry (24 hours or 1 hour respectively). Legal basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance — account activation).
2.2 Chat content
When you ask Ben questions, we store your messages and Ben's answers in your account. You can delete these conversations at any time.
2.3 Anonymous use
If you chat without an account, we create a random session ID (UUID) that is stored in your browser (localStorage). We delete the contents of your anonymous conversation completely after no more than 24 hours — unless you register and expressly transfer it to your account.
2.4 IP address for abuse prevention
We do not store your IP address in plain text. Instead, we form a SHA-256 hash from the IP + a secret salt, of which we keep only the first 16 hex characters. With this we count how many anonymous conversations originate from one IP within 7 days — as protection against abuse. The hash is deleted after 30 days. Legal basis: Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in abuse prevention).
2.5 Voice dialogue (speech input / output)
When starting a voice dialogue, your spoken audio is transmitted in real time to Microsoft Azure OpenAI (region Sweden Central) and processed there. Speech output (text-to-speech) takes place via Azure Speech Services in the Germany West Central region. Both locations are within the EU. We do not store any audio recordings; only the transcript is stored in the respective chat history.
2.6 Payment data
For purchases or when concluding a supporter subscription, the payment data is processed directly by Stripe Payments Europe Ltd. We ourselves do not see any card data. We store only purchase metadata (amount, package, Stripe session ID, timestamp, status) for accounting and credit allocation.
3. Purposes and legal bases
| Purpose | Data | Legal basis |
|---|---|---|
| Provision of the AI assistant | Chat content, account data | Art. 6 Abs. 1 lit. b DSGVO (contract performance) |
| Account management | Email, password hash, name | Art. 6 Abs. 1 lit. b DSGVO |
| Abuse prevention (rate limit) | IP hash, session counter | Art. 6 Abs. 1 lit. f DSGVO |
| Payment processing | Stripe customer ID, purchase metadata | Art. 6 Abs. 1 lit. b DSGVO |
| Supporter subscription (membership contribution) | Stripe subscription data | Art. 6 Abs. 1 lit. b DSGVO |
| Marketing emails (optional) | Email address | Art. 6 Abs. 1 lit. a DSGVO (consent) |
| Accounting obligations | Purchase records | Art. 6 Abs. 1 lit. c DSGVO i.V.m. AO/HGB |
4. Recipients / processors
We use the following service providers:
| Provider | Purpose | Processing location |
|---|---|---|
| Microsoft Ireland Operations Ltd. (Azure VM) | Hosting of the app servers + SQLite database | Azure West Europe (Amsterdam, Netherlands — EU) |
| Microsoft Ireland Operations Ltd. (Azure OpenAI) | AI generation for chat + voice (Realtime API) | Azure Sweden Central (Sweden — EU) |
| Microsoft Ireland Operations Ltd. (Azure Speech) | Text-to-speech (speech output) | Azure Germany West Central (Frankfurt — EU) |
| Stripe Payments Europe Ltd. | Payment processing for purchase + supporter subscription | Ireland (EU); for the card backbone possibly USA (Stripe Inc.) |
| Microsoft Ireland Operations Ltd. (Azure Communication Services) | Sending of verification and password reset emails | Azure Europe (EU) |
Contracts pursuant to Art. 28 DSGVO (commissioned processing) exist with all processors.
5. Transfer to third countries
The core processing of your chat and voice data takes place exclusively within the EU (Sweden, Germany, Netherlands — see table in item 4). A third-country transfer to e.g. the USA does not take place here.
A limited third-country transfer can occur exclusively in connection with payment processing via Stripe (card backbone). Stripe is certified under the EU-U.S. Data Privacy Framework; additionally, EU standard contractual clauses (Art. 46 DSGVO) exist as a safeguard.
6. Storage period
- Account data: until your account is deleted
- Chat histories (logged in): until you delete them yourself or delete your account
- Anonymous sessions: automatically after 24 hours
- IP hash (rate limit log): 30 days
- Purchase records: 10 years (commercial + tax retention periods)
- Marketing consent: until withdrawal
7. Cookies and local browser storage
We use the following storage elements in the browser:
| Key | Purpose | Storage type | Lifetime |
|---|---|---|---|
| chatbot_auth_token | JWT login token after login (session authentication) | localStorage | until logout or 90 days (token expiry) |
| anon_session_id | Random UUID for anonymous conversation (rate limit + history persistence within the browser tab) | sessionStorage | until the tab is closed |
| chatbot_active_conversation | Remembers the last open conversation in the tab | sessionStorage | until the tab is closed |
No separate consent is required for these storage processes, as they are strictly technically necessary for the service you have requested to function (§ 25 Abs. 2 Nr. 2 TDDDG): without a session token there is no login, without an anonymous session ID there is no abuse prevention (rate limit) and no continuation of your conversation within the tab.
Stripe sets its own cookies for fraud prevention in the checkout window. These are necessary for contract processing (Art. 6 Abs. 1 lit. b DSGVO / § 25 Abs. 2 Nr. 2 TDDDG) and are set directly by Stripe.
We use exclusively technically necessary storage elements. Tracking or advertising cookies are not used. A cookie banner is therefore not required (§ 25 Abs. 2 Nr. 2 TDDDG).
7a. Website analytics (Umami)
To analyse usage patterns, we use Umami Analytics, privacy-friendly analytics software that we host ourselves on our Azure server (analytics.trennungsnothilfe.de, West Europe region).
Umami stores no cookies and no IP addresses. Only aggregated, anonymous metrics are recorded (page views, time on site, referrer). Conclusions about individual persons are not possible.
Legal basis: Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in website optimisation). Consent is not required, as no personal data is processed.
8. Your rights
You have the right at any time to:
- Access to the data stored about you (Art. 15 DSGVO)
- Rectification of inaccurate data (Art. 16 DSGVO)
- Erasure of your data (Art. 17 DSGVO)
- Restriction of processing (Art. 18 DSGVO)
- Data portability (Art. 20 DSGVO)
- Objection to processing based on legitimate interest (Art. 21 DSGVO)
- Withdrawal of consents granted, with effect for the future (Art. 7 Abs. 3 DSGVO)
- Complaint to a data protection supervisory authority (Art. 77 DSGVO) — competent: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach
Self-service: You can exercise the following rights directly in your profile (gear icon in the chat):
- Data export (Art. 15 + 20 DSGVO): „Download my data“ — exports your profile, consents and all chat histories as a JSON file.
- Rectification (Art. 16 DSGVO): change display name, federal state and marketing consent directly.
- Erasure (Art. 17 DSGVO): „Delete account“ — deletes your account and all associated data (profile, chat histories, credits) immediately and irreversibly. Purchase receipts are retained in pseudonymised form for 10 years pursuant to § 147 AO (tax retention obligation).
- Withdrawal of marketing consent: the marketing toggle in the profile can be deactivated at any time.
For all other matters, an informal email to rossnagel@kompetenzgroup.de is sufficient.
9. Automated decisions / AI notice
The assistant „Ben“ is based on a Large Language Model (Azure OpenAI). Answers are generated automatically and may contain errors. No legally binding individual-case decision takes place; the outputs are general information and do not replace legal advice from a lawyer (§ 2 RDG).
10. Security
We use TLS encryption (Let's Encrypt) for the entire transmission. We store passwords only as a bcrypt hash. Database backups are stored encrypted and rotated after 30 days.
11. Changes to this policy
We adapt this privacy policy when legal requirements or our processing change. The current version is available at this URL.
As of: May 2026