Privacy Policy
Last updated: 21 May 2026
This Privacy Policy explains which personal data we process when you visit our website or use our SaaS platform, for what purpose we do so, and the rights you have as a data subject.
The policy is structured in two clearly separated parts:
- Part A — Website (https://contebia.ai)
- Part B — SaaS Platform (Admin Console, Desktop Agent, Digital Sales Room, and related services under the subdomains *.contebia.ai)
Where a processing activity only relates to one of the two areas, we say so explicitly.
§1. Controller
The controller responsible for data processing under the GDPR is:
contebia.ai GmbH
Sonnenhöhe 2
78476 Allensbach
Germany
Authorized Managing Director: Dr. Tizian Bonus
Commercial register: HRB 734397, Local Court of Freiburg im Breisgau
VAT ID: DE458722945
Contact:
Email: contact@contebia.ai
For data protection enquiries, please contact our external Data Protection Officer directly (see Section 2) or write to the address above marked "Data Protection".
§2. External Data Protection Officer
We have appointed an external Data Protection Officer:
heyData GmbH
Schützenstraße 5
10117 Berlin
Germany
Email: datenschutz@heydata.eu
You may contact our external Data Protection Officer directly for any data protection enquiry.
§3. Rights of Data Subjects
Under the GDPR, you have the following rights:
- Right of access to the personal data we hold about you (Art. 15 GDPR),
- Right to rectification of inaccurate data (Art. 16 GDPR),
- Right to erasure of your data, unless statutory retention obligations require otherwise (Art. 17 GDPR),
- Right to restriction of processing (Art. 18 GDPR),
- Right to data portability of the data you have provided, in a structured, commonly used, machine-readable format (Art. 20 GDPR),
- Right to object to processing based on Art. 6(1)(e) or (f) GDPR (Art. 21 GDPR),
- Right to withdraw consent with effect for the future (Art. 7(3) GDPR),
- Right not to be subject to a decision based solely on automated processing that produces legal effects (Art. 22 GDPR).
To exercise any of these rights, a simple message to our external Data Protection Officer (contact details in Section 2) or to contact@contebia.ai is sufficient.
§4. Right to Lodge a Complaint with the Supervisory Authority
If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent supervisory authority for us is:
State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (LfDI BW)
Königstraße 10a
70173 Stuttgart
Germany
Phone: +49 711 615541-0
Email: poststelle@lfdi.bwl.de
Web: https://www.baden-wuerttemberg.datenschutz.de
You may also lodge a complaint with the supervisory authority of your habitual residence, place of work, or the place of the alleged infringement.
§Part A — Website (contebia.ai)
The website https://contebia.ai exists solely to provide information about our products and to enable contact with us. It is intentionally kept minimal: no cookies, no advertising or marketing trackers, no embedded third-party services, no externally loaded fonts or videos. For reach measurement, we use a self-hosted, cookieless and IP-anonymising tool — see Section A.3.
§A.1 Provision of the Website and Server Log Files
Purpose: Provision of the website, technical delivery of content to your browser, IT security (defence against attacks, abuse detection, diagnostics).
Categories of data: Each access automatically records the following data in server log files:
- IP address,
- date and time of access,
- requested URL and referrer,
- HTTP status code and amount of data transferred,
- the user-agent string of your browser.
Legal basis: Art. 6(1)(f) GDPR. Legitimate interest in the secure and stable provision of the website. No combination with other data sets takes place.
Recipients: Hosting provider (Hetzner Online GmbH, Germany). No disclosure to other third parties or to third countries.
Retention period: Log files are kept for a maximum of 14 days and are then deleted or anonymised so that no personal reference remains.
§A.2 Contact Form
Our website includes a contact form. When you fill it out and submit it, the data you enter is transmitted to our servers in Germany and forwarded from there as an email to our business inbox contact@contebia.ai.
Purpose: Receipt and handling of your enquiry.
Categories of data: Name, email address, message content, and any further information you voluntarily provide in the form. In addition, technical metadata (time of submission, IP address for the duration of delivery) is processed for abuse prevention (spam protection, brute-force detection).
Legal basis:
- For pre-contractual enquiries: Art. 6(1)(b) GDPR,
- for other enquiries: Art. 6(1)(f) GDPR (legitimate interest in responding to your enquiry),
- for spam-protection metadata: Art. 6(1)(f) GDPR (legitimate interest in IT security).
Recipients: The hosting provider of our servers (Hetzner Online GmbH, Germany) and our business email system at Google Workspace (contracting party: Google Ireland Limited, Ireland, with EU data residency and EU Standard Contractual Clauses covering the group affiliation with Google LLC, USA).
Retention period: Incoming enquiries are stored for as long as necessary to handle them and beyond that to the extent required by statutory retention obligations (in particular Section 257 German Commercial Code, Section 147 German Fiscal Code).
§A.3 Reach Measurement (Umami, Self-Hosted)
To analyse the reach and general use of our website, we operate the open-source tool Umami Analytics on our own servers in Germany. The processing is intentionally designed to be privacy-friendly:
- no cookies and no comparable access to information stored on your device — Section 25 of the German Telecommunications-Telemedia Data Protection Act (TDDDG) therefore does not apply, and no consent is required,
- IP addresses are anonymised before storage; re-identification of individuals is not possible,
- to recognise recurring sessions, a server-side daily hash is generated which rotates every day and does not allow personal re-identification,
- no transfer to third parties, in particular no data flow to third countries.
Purpose: Statistical evaluation of website use (page views, dwell time, referrer of origin, rough geographic distribution at country level) to improve our offering.
Legal basis: Art. 6(1)(f) GDPR. Legitimate interest in privacy-friendly reach measurement without tracking cookies.
Recipients: None. The analysis runs exclusively on our own servers at Hetzner Online GmbH, Germany.
Retention period: Aggregated statistics are retained permanently; raw events are deleted or consolidated into aggregates after no more than 12 months.
Objection: You may object to reach measurement at any time by enabling the "Do Not Track" standard or an ad or tracker blocker in your browser; our Umami script respects these signals.
§Part B — SaaS Platform (contebia.ai)
This part concerns the use of our platform by our customers (hereinafter "Tenant") and the individuals who access the platform on behalf of the Tenant or whose data is processed in the platform.
Roles under the GDPR:
- Where we process data of our Tenants and their staff in order to provide them with the platform (account, authentication, configuration, billing), we are the controller within the meaning of Art. 4(7) GDPR. This Part B governs that processing.
- Where we process data within the platform that the Tenant feeds into it (customer data, CRM records, email contents, meeting transcripts, documents, etc.), this processing takes place as processing on behalf of the Tenant under a data processing agreement (Art. 28 GDPR) between contebia.ai GmbH and the respective Tenant. In that scenario, the Tenant is the controller; this Privacy Policy describes the processing at that point for information purposes only and does not replace the privacy notices the Tenant must provide to its own data subjects.
§B.1 Account Registration and Authentication
Purpose: Creation and administration of a platform account, identification and authentication of users, session management, protection against unauthorised access.
Categories of data: Name, business email address, Tenant affiliation, role and permissions, login timestamps, hashed recovery codes for multi-factor authentication. We do not process passwords in clear text.
Authentication tokens are issued via our own signing infrastructure. The Tenant may optionally configure its own identity provider (SAML 2.0 or OpenID Connect) for single sign-on; in that case, only the attributes released by the Tenant (typically email address, first name, last name) are transmitted to the platform.
Legal basis: Art. 6(1)(b) GDPR (performance of contract), additionally Art. 6(1)(f) GDPR (legitimate interest in IT security and a verifiable audit trail).
Recipients: Account data is stored in our platform database; hosting is performed by the processors listed in Section 7.
Retention period: Account data is stored for the duration of the contractual relationship and deleted in accordance with Section 9 after termination.
§B.2 Use of the Platform and Storage of Tenant Data
Purpose: Provision of the platform's functionality — consolidation of knowledge about the Tenant's market, competitors, products, and business operations; support of the Tenant's go-to-market teams in sales, marketing, and customer success through AI-supported analyses, answers, and suggestions.
Categories of data: Content that the Tenant actively feeds into the platform (documents, notes, structured data about persons and organisations, configurations, templates) as well as data that enters the platform through the third-party integrations described in Section B.6. In addition, technical metadata about usage (timestamps, invoked functions, correlation IDs) for operational stability, billing, and audit purposes.
We also explicitly process personal data of third parties that the Tenant feeds into the platform (contact data of business partners, employees of customer companies, etc.). The Tenant is the controller for this data; we process it strictly under the Tenant's instructions within the framework of the data processing agreement.
Legal basis: Art. 6(1)(b) GDPR (contract with the Tenant). For data about third parties fed in by the Tenant: processing on behalf of the Tenant under Art. 28 GDPR, together with the legal basis on which the Tenant relies vis-à-vis its data subjects.
Recipients: Server infrastructure and database (see Section 7), and, where applicable, the AI processing services (Section B.4) and third-party integrations selected by the Tenant (Section B.6).
Retention period: Tenant data is stored for the duration of the contractual relationship. Upon termination, it is deleted in accordance with Section 9. Tenant-level data separation is technically enforced at the database layer.
§B.3 Audio Capture and Transcription in the Desktop Agent
Our platform provides an optional Desktop Agent for macOS that supports the sales workflow live. This functionality processes particularly sensitive data and is therefore described separately.
Purpose: Detection of ongoing business conversations (e.g. in Zoom, Microsoft Teams, Webex, FaceTime, and browser-based meetings), automatic live transcription of the conversation while it is taking place, generation of an AI-supported conversation summary ("Summary") after the call has ended, and enrichment of the corresponding CRM record with that Summary.
Categories of data:
- Audio signal from the system output (speaker / application audio) and from the microphone (the user's own voice),
- derived transcripts of the conversation,
- conversation-detection metadata (identifier of the detecting conferencing application, timestamps, duration),
- the AI-generated summary of the conversation (topics, decisions, tasks).
What we explicitly do NOT do:
- No screen content is recorded (no screenshots, no video or pixel capture).
- Audio files are not stored persistently. Audio is streamed in short real-time packets to our transcription infrastructure operated in Germany, processed ephemerally there, and not persisted.
- Full transcripts are not stored persistently. Transcript plain text is only kept for the duration required to generate the Summary and is deleted immediately thereafter.
- The final Summary is stored in the Tenant's CRM system. Storage there is governed by the Tenant's and the CRM provider's privacy rules.
Conversation detection: The Desktop Agent detects a call either by the active application identifier or by the URL of a known meeting provider opened in a browser. Detection takes place locally on the device; the content of a browser URL does not leave the device.
Responsibility towards conversation participants: Where the Tenant uses the Desktop Agent in conversations involving other persons (customers, business partners, employees), the Tenant is responsible for the lawfulness of this processing vis-à-vis those participants. The Tenant must establish a suitable legal basis under Art. 6 GDPR and inform conversation participants where required.
Legal basis (contebia.ai ↔ Tenant): Art. 6(1)(b) GDPR. For data of third parties brought into the platform by the Tenant: processing on behalf of the Tenant under Art. 28 GDPR.
Recipients: Audio processing takes place exclusively on our GPU servers at Hetzner in Germany. No transmission of the audio signal or of full transcripts to third-party providers outside this infrastructure takes place.
Retention period: Audio signal — ephemeral (no persistence). Transcript plain text — until the Summary is generated, then deleted. Summary — stored in the Tenant's CRM; retention is governed there.
§B.4 AI-Supported Processing
Purpose: Answering user questions on the basis of the knowledge stored within the Tenant (Retrieval-Augmented Generation, "RAG"), automatic conversation summarisation, semantic search, AI-supported content generation in the workflows we support.
Architecture: The majority of AI processing runs on our own infrastructure in Germany (Hetzner). Data does not leave the EU in this case. For tasks requiring a particularly capable language model, we rely on Mistral AI (Paris, France); the processing takes place within the European Union.
Categories of data: Content related to the respective function — for example user prompts, retrieved knowledge fragments from the Tenant, or redacted conversation transcripts.
PII protection prior to external AI processing: Before content from meeting transcripts or communication data enters an AI processing step, personal identifiers are automatically reduced: email addresses and phone numbers are replaced with neutral placeholders, speaker names with a tenant-specific hash, and URLs are stripped of query and fragment parts.
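The reduction step described above, shown as an added illustration that is not contebia.ai's own code: a Python function that applies the three substitutions in the order the paragraph lists them. The "Speaker: utterance" line layout, the regular expressions, the placeholder strings, and the use of a tenant-specific HMAC-SHA256 key for speaker labels are assumptions; the sample transcript is constructed.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample transcript (not real data). The "Speaker: utterance"
# line layout is an assumption about how transcript lines are delivered.
SAMPLE_TRANSCRIPT = (
    "Alice Example: Hi Bob, send the proposal to alice@example.com or call +49 711 123456.\n"
    "Bob Example: The draft is at https://docs.example.com/d/42?token=abc123#page=3.\n"
    "Alice Example: Thanks, my mobile is 0171 2345678."
)

URL_RE = re.compile(r"https?://[^\s<>\"]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# At least eight characters of digits/separators, optional leading '+',
# not starting inside a word or a URL path segment.
PHONE_RE = re.compile(r"(?<![\w/])\+?\d[\d /().-]{6,}\d(?!\w)")
# Speaker label: everything before the first colon on a line (assumed layout).
SPEAKER_RE = re.compile(r"^([^:\n]{1,60}):", re.MULTILINE)


def strip_url(url: str) -> str:
    """Keep scheme, host and path; drop the query string and the fragment."""
    trailing = ""
    while url and url[-1] in ".,;:)":  # keep sentence punctuation outside the URL
        trailing = url[-1] + trailing
        url = url[:-1]
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")) + trailing


def speaker_pseudonym(name: str, tenant_key: bytes) -> str:
    """Tenant-specific keyed hash of a speaker label (HMAC-SHA256, truncated).

    The same name maps to the same pseudonym within one tenant, so the
    conversation structure survives, but a different tenant key yields a
    different pseudonym, so pseudonyms cannot be correlated across tenants.
    """
    digest = hmac.new(tenant_key, name.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()
    return "spk_" + digest[:12]


def reduce_pii(transcript: str, tenant_key: bytes) -> str:
    """Reduce direct identifiers before the text enters an AI processing step."""
    # 1. URLs first, so their digits and tokens are gone before phone matching.
    text = URL_RE.sub(lambda m: strip_url(m.group(0)), transcript)
    # 2. Email addresses become a neutral placeholder.
    text = EMAIL_RE.sub("[EMAIL]", text)
    # 3. Phone numbers become a neutral placeholder.
    text = PHONE_RE.sub("[PHONE]", text)
    # 4. Speaker labels last, so the hex pseudonyms are not mistaken for numbers.
    text = SPEAKER_RE.sub(lambda m: speaker_pseudonym(m.group(1), tenant_key) + ":", text)
    return text


if __name__ == "__main__":
    print(reduce_pii(SAMPLE_TRANSCRIPT, b"tenant-a-secret"))
```

The order of the substitutions matters: query strings are stripped before phone matching so that numeric tokens inside URLs are not left behind, and speaker labels are hashed last so that digits in the hex pseudonyms are not mistaken for phone numbers. Pattern-based detection of this kind reduces identifiers rather than eliminating them; a name spoken inside an utterance rather than used as a speaker label is not caught, which is why the paragraph above speaks of reduction.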
Legal basis: Art. 6(1)(b) GDPR. For data of third parties fed in by the Tenant: processing on behalf of the Tenant under Art. 28 GDPR.
Recipients: Our own AI infrastructure in Germany; Mistral AI (France).
No solely automated decision-making with legal effect: The platform's AI outputs are suggestions and aids for users. No decision based solely on automated processing with legal effect within the meaning of Art. 22 GDPR takes place.
§B.5 Knowledge Base and Semantic Model
Purpose: To enable the platform to answer questions based on the Tenant's knowledge, we build a searchable semantic model from the data fed in. This includes text fragments, their mathematical representations (vector embeddings), structured entities (e.g. organisations, roles, persons, products), and their relationships.
The semantic model may contain personal data (e.g. names of contact persons in CRM data). It is stored strictly on a per-tenant basis; data is never mixed across Tenants. The data is stored exclusively on our infrastructure in Germany.
Legal basis: Art. 6(1)(b) GDPR; processing on behalf of the Tenant under Art. 28 GDPR for data of third parties fed in by the Tenant.
Retention period: For the duration of the contractual relationship or until deletion or withdrawal by the Tenant. Upon the Tenant's request, the semantic model can be selectively or fully rebuilt.
§B.6 Integration with the Tenant's Third-Party Systems
The Tenant may optionally connect its platform to its own third-party systems — in particular CRM, email, calendar, and chat systems, as well as providers of meeting transcripts. The purpose of this connection is to allow content from these systems to flow into the platform and be processed together with the Tenant's other data (see Section B.2 and Section B.5).
The Tenant decides which third-party systems are connected. A connection is only established once the Tenant has actively authorised it.
Responsibility: Vis-à-vis the third-party provider, the Tenant is the controller and maintains its own legal relationship there (terms of use, where applicable a data processing agreement). Our platform does not act as a contracting party of the third-party provider in that relationship.
Categories of data: The data flowing from the third-party system into the platform depends on the chosen function (e.g. contacts and activities from a CRM, content of selected emails, calendar events, content of authorised chat channels).
Legal basis: Art. 6(1)(b) GDPR in the relationship between contebia.ai GmbH and the Tenant; processing on behalf of the Tenant under Art. 28 GDPR for the processing of data of third parties supplied by the third-party system.
Retention period: Content from third-party systems is stored in the platform only for as long as required by the functions in use and the Tenant keeps the third-party system connected. When the Tenant disconnects, the associated access data is removed; content synchronised up to that point is handled in accordance with Section 9.
§B.7 Digital Sales Room (Buyer View)
The "Digital Sales Room" is an individualised online space created by the Tenant in which it shares content (pricing, templates, action plans) with its customers ("Buyer"). If you access such a Room as a Buyer, the following applies to the processing that takes place there:
The controller vis-à-vis the Buyer is the Tenant. contebia.ai GmbH provides the technical infrastructure as processor on behalf of the Tenant. Please address access, rectification, and deletion requests directly to the Tenant that provided the Room to you. We will identify the Tenant to you upon request.
Categories of data when accessing a Room:
- Technical server log files (IP address, timestamp, user agent — to ensure delivery),
- Interaction events within the Room (e.g. which section was viewed, whether a pricing block was clicked, an action item accepted, a document downloaded, time spent per section). These events are displayed to the Tenant in relation to their Room.
The Room uses only first-party storage mechanisms required for the technical provision of the application.
Legal basis: In the relationship Tenant ↔ Buyer, the Tenant is the controller and provides the legal basis in its own privacy notice.
§B.8 Logs and Audit Trail
Purpose: Traceability of administrative and security-relevant actions, error diagnostics and operational stability, fulfilment of the documentation obligations under Art. 30 GDPR.
Categories of data: Correlation IDs, Tenant ID, timestamps, invoked function, status, technical metadata. Personal data in clear text is generally not stored in application logs; email addresses are stored exclusively in hashed or masked form where required for diagnostic purposes. Authentication tokens and passwords are never logged.
Retention period:
- Application logs (run logs) and error reports: up to 90 days,
- Audit log (records of processing activities under Art. 30 GDPR and security-relevant events): up to 7 years, to the extent necessary to fulfil the documentation obligations of the GDPR.
Legal basis: Art. 6(1)(c) GDPR (legal obligation, in particular Art. 30, 32 GDPR) and Art. 6(1)(f) GDPR (legitimate interest in a secure and verifiable platform).
§7. Processors and Transfers to Third Countries
§7.1 Processors
We use the following processors in connection with the processing activities described in Parts A and B. A data processing agreement under Art. 28 GDPR has been concluded — or will be concluded prior to the commencement of processing — with each of these processors.
| Processor | Location | Purpose |
|---|---|---|
| Hetzner Online GmbH | Germany | Hosting of the entire application infrastructure including databases, GPU compute, and object storage |
| Supabase Pte. Ltd. | Singapore (operational processing in the EU region Frankfurt) | Database and authentication hosting |
| Mistral AI | France | AI processing for reasoning tasks on Tenant content; processing within the EU |
| Google Ireland Limited (Google Workspace) | Ireland, with group affiliation to Google LLC (USA) | Receipt and dispatch of transactional emails (contact enquiries, sign-in links, notifications) |
| heyData GmbH | Germany | External Data Protection Officer |
§7.2 Transfers to Third Countries
Personal data is generally processed exclusively within the European Union. A third-country relationship exists in two cases:
- through the group affiliation of our database and authentication platform Supabase Pte. Ltd. (Singapore), whose operational processing, however, takes place in the EU region Frankfurt,
- through the group affiliation of Google LLC (USA) to our email provider Google Workspace (contracting party: Google Ireland Limited).
In both cases the EU Standard Contractual Clauses 2021/914 have been concluded; for Google LLC, the EU-US Data Privacy Framework applies in addition.
§8. Cookies and Similar Technologies
Website (contebia.ai): No cookies are used. For reach measurement, we use the self-hosted, cookieless tool Umami Analytics (see Section A.3).
Platform (logged-in areas, admin.contebia.ai, rooms.contebia.ai, etc.): Only strictly necessary cookies or comparable storage mechanisms are used that are required to provide the service (sign-in session, CSRF protection, language preference). These fall under Section 25(2)(2) of the German Telecommunications-Telemedia Data Protection Act (TDDDG) and do not require consent.
§9. Retention and Deletion
We store personal data only for as long as necessary for the purposes set out in Parts A and B. Once the purpose ceases, the data is deleted or anonymised so that no personal reference remains — unless statutory retention obligations (in particular Section 257 German Commercial Code, Section 147 German Fiscal Code, Art. 30 GDPR) require us to retain it for longer.
The retention periods stated under the individual processing activities take precedence over the general rules. For data fed in by the Tenant, retention in the internal relationship is governed by the Tenant's instructions and the data processing agreement.
Deletion on request: Requests under Art. 17 GDPR are handled through a dedicated deletion workflow that locates the data of the respective data subject across all storage locations. Successful execution is documented in an audit-proof manner.
§10. Data Security
We take appropriate technical and organisational measures under Art. 32 GDPR to protect your data against unauthorised access, loss, or alteration. Details are made available to Tenants on request as part of the data processing agreement.
§11. Changes to this Policy
We reserve the right to amend this Privacy Policy if the legal situation changes or if we change features, processors, or processing purposes. The current version is available on our website at https://contebia.ai/privacy (or /datenschutz). The version applicable at the time of processing is authoritative. Active platform users are additionally informed of material changes by email.
Effective as of: 21 May 2026.