PRIVACY POLICY for aim2balance.ai

 

Version 1.0 | Effective: June 2026

 

Bergwaldprojekt e.V.

Otto-Hahn-Str. 13

97204 Höchberg

Germany

Registered: Amtsgericht Würzburg, VR 200215

 

Email: info@bergwaldprojekt.de

Technical Support: support@aim2balance.ai

 

1. CONTROLLER

 

The controller responsible for processing your personal data is:

 

Bergwaldprojekt e.V.

Otto-Hahn-Str. 13

97204 Höchberg

Germany

Registered: Amtsgericht Würzburg, VR 200215

 

Email: info@bergwaldprojekt.de

Support: support@aim2balance.ai

 

Data Protection Officer: support@aim2balance.ai

 

2. CATEGORIES OF PERSONAL DATA PROCESSED

 

We process the following categories of personal data:

 

2.1 Account Information: Name, email address.

 

2.2 Usage Data and AI Interactions:

 

(a) AI Inputs (Prompts). When you submit queries, instructions, or content to our AI systems ("Prompts"), these may contain personal data you voluntarily include (e.g., names, addresses, or contextual information). Prompts are transmitted to our EU-based AI Sub-processors (the underlying EU LLM providers), which process them to generate responses. You are responsible for ensuring you do not input Special Category data (Art. 9 GDPR) unless strictly necessary and appropriate safeguards are in place. All prompts and resulting outputs are encrypted at rest using industry-standard AES-256-GCM encryption.

 

(b) AI Outputs. Responses generated by AI models ("Outputs") may be logged.

 

(c) Metadata. We collect token counts, model identifiers, timestamps, and environmental impact metrics associated with your usage to calculate fees and generate insights shared with you in our AI-balance bar (right side panel).

IP Addresses: Full IP addresses are retained for security and fraud prevention purposes.

 

2.3 Environmental Metrics: Energy consumption estimates, carbon footprint calculations associated with your usage.

 

2.4 Technical Data: Browser type, device information, log files, cookies.

 

2.5 Communications: Support tickets, feedback, correspondence.

 

3. PURPOSES OF PROCESSING AND LEGAL BASIS

 

3.1 Contract Performance (Art. 6(1)(b) GDPR)

  • Providing the AI platform and enabling access to LLMs
  • Processing payments and managing accounts
  • Generating AI Outputs in response to your requests
  • Displaying your usage metrics and environmental impact data

 

3.2 Legitimate Interests (Art. 6(1)(f) GDPR)

  • Service maintenance, security, and improvement
  • Aggregated statistical analysis and reporting
  • Prevention of fraud and misuse
  • Environmental impact tracking and ecosystem restoration accounting

 

3.3 Legal Obligation (Art. 6(1)(c) GDPR)

  • Tax and accounting record retention
  • Compliance with legal requests from authorities

 

3.4 Consent (Art. 6(1)(a) GDPR)

  • Cookie usage (non-essential)
  • Marketing communications (if opted in)
  • Newsletter subscriptions

 

4. DATA RETENTION PERIODS

 

4.1 Account Data: Retained for the duration of your contractual relationship plus statutory limitation periods (typically 3 years).

 

4.2 Billing Records: Up to 6 years per German tax law (§ 147 AO).

 

4.3 Post-Termination: Following account termination, personal data is deleted without undue delay (typically within 30 days), unless we are legally obligated to retain it for longer periods (e.g., billing and tax records retained for up to 6 years under § 147 AO). Where deletion is technically infeasible, data will be irreversibly anonymized.

 

5. RECIPIENTS OF PERSONAL DATA

 

5.1 Internal Recipients: Authorized employees with confidentiality obligations.

 

5.2 Processors (Sub-processors):

  • Hetzner Online GmbH (hosting infrastructure, Germany/Finland)
  • Providers of AI models (LLMs, Image Generation, Speech to Text) and routing service providers, all based in the EU
  • Payment service providers (for transaction processing)

 

5.3 Legal Recipients: Authorities when legally required (court orders, statutory obligations).

5.4 Frontend Hosting (Webflow): We use Webflow to host the visual frontend of our website. When you visit aim2balance.ai, your browser communicates with Webflow's hosting infrastructure. Webflow may process technical metadata (such as IP addresses and browser information) and set essential cookies to ensure the website loads correctly and securely. While our core application and AI processing are hosted exclusively on EU-based infrastructure (Hetzner), the static frontend delivery is managed by Webflow. We ensure that no sensitive "Content Fields" (prompts or AI outputs) are stored or processed by Webflow; these are sent directly from your browser to our secure EU backend.

 

6. INTERNATIONAL TRANSFERS

 

6.1 Primary Location. Personal data is processed primarily within the European Union.

 

6.2 AI Processing. Through our EU-only endpoints, all AI inference processing remains within the EU.

 

7. YOUR RIGHTS AS A DATA SUBJECT

 

You have the following rights under GDPR:

 

7.1 Right of Access (Art. 15): Request information about personal data we process.

 

7.2 Right to Rectification (Art. 16): Request correction of inaccurate data.

 

7.3 Right to Erasure (Art. 17): Request deletion ("right to be forgotten") subject to legal retention obligations.

 

7.4 Right to Restriction (Art. 18): Request limitation of processing under certain conditions.

 

7.5 Right to Data Portability (Art. 20): Receive data in a structured, machine-readable format.

 

7.6 Right to Object (Art. 21): Object to processing based on legitimate interests or direct marketing.

 

7.7 Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting prior lawful processing.

 

7.8 Right to Lodge Complaint (Art. 77): File a complaint with the supervisory authority (Bayerisches Landesamt für Datenschutzaufsicht, Germany).

 

8. COOKIES AND TRACKING TECHNOLOGIES

 

We use cookies and similar technologies to operate our Service, enhance functionality, and respect your privacy preferences. For complete details, please refer to our separate Cookie Policy document.

 

8.1 Essential Cookies (Strictly Necessary)

 

Legal Basis: Legitimate interest (Art. 6(1)(f) GDPR) and Section 25(2)(2) TTDSG.

Consent Required: No.

 

These cookies are essential for the Service to function and cannot be disabled. They enable core functionality such as authentication, security, and session management:

 

Security Features:

  • All authentication cookies use httpOnly (not readable by JavaScript)
  • secure flag enabled in production (HTTPS only)
  • sameSite: strict for authentication cookies to prevent cross-site attacks
  • sameSite: lax for OAuth cookies (required for identity provider redirects)

 

8.2 Functional Cookies (Preferences)

 

Legal Basis: Consent (Art. 6(1)(a) GDPR) and Section 25(1) TTDSG.

Consent Required: Yes.

 

These cookies enhance your experience by remembering your preferences:

 

 

 

8.3 Third-Party Cookies

 

Our Service integrates sub-processors that may set their own cookies:

 

  • Hetzner Online GmbH (Hosting): Load balancing, DDoS protection (Session to 30 days)
  • Requesty Ltd (AI Routing): API optimization, rate limiting (Session)
  • Stripe (Payments): Fraud prevention, payment security (PCI-DSS compliant)

 

8.4 Cookie Management

 

Managing Your Preferences:

 

You can control cookie usage through:

 

  1. Cookie Banner: Appears on first visit with options to "Accept All," "Essential Only," or customize settings
  2. Privacy Dashboard: Access cookie settings anytime through your Account Settings
  3. Browser Settings: Configure your browser to refuse cookies (may affect Service functionality)
  4. Contact Us: Email support@aim2balance.ai to modify preferences

 

Withdrawing Consent:

 

You can withdraw consent for non-essential cookies at any time. This will not affect the lawfulness of processing based on consent before withdrawal. Essential cookies will continue to function as they are necessary for Service operation.

 

Browser-Specific Instructions:

  • Chrome: Settings > Privacy and Security > Cookies and other site data
  • Firefox: Preferences > Privacy & Security > Cookies and Site Data
  • Safari: Preferences > Privacy > Cookies and website data
  • Edge: Settings > Cookies and site permissions > Manage and delete cookies

 

8.5 Cookie Policy Document

 

For comprehensive information about our cookie practices, including detailed cookie inventory, retention policies, GDPR classification, and data transfer safeguards, please refer to our Cookie Policy available at [link to Cookie Policy].

 

9. DATA SECURITY & ENCRYPTION

 

We employ a multi-layered security architecture designed to ensure your data stays yours. Our security posture follows the same standards used by modern financial institutions.

 

9.1 Encryption Layers

 

Encryption in Transit: All data moving between your browser and our servers is protected using TLS 1.3, ensuring that data cannot be intercepted or read during transmission.

 

Encryption at Rest: The moment your data is written to our database, it is encrypted using AES-256-GCM. This is a symmetric encryption standard approved for highly sensitive data.

 

9.2 Field-Level Encryption Policy

 

We apply encryption granularly. While operational metadata (such as timestamps and billing identifiers) remains readable for system functionality, all "Content Fields" are encrypted. This includes:

 

  • Your prompts and AI-generated responses
  • Conversation titles and summaries
  • File attachment payloads and their text summaries

 

9.3 Key Management

 

To prevent unauthorized access, encryption keys are never stored in the database or in source code. Keys are managed via secure vaulting and are loaded directly into the backend process memory at startup, scoped strictly per environment.

 

9.4 Integrity Protection

 

By using AES in GCM (Galois/Counter Mode), our system detects whether any ciphertext has been tampered with. If a message is altered, the system will refuse to decrypt it, preventing the injection of corrupted data.

 

9.5 General Organizational Measures

 

In addition to encryption, we maintain:

 

  • Strict access controls and authentication for all internal systems
  • Staff confidentiality agreements
  • Hosting exclusively on EU-based infrastructure (Hetzner, Germany/Finland) to ensure data sovereignty

 

10. AUTOMATED DECISION-MAKING

 

The Service does not engage in automated decision-making (including profiling) that produces legal effects or similarly significant consequences for you without human intervention. AI Outputs are provided as informational support only.

 

11. CHILDREN'S PRIVACY

 

The Service is not intended for users under 16. If we learn that a user is under 16, we will delete their data and suspend their account. Parents/legal guardians may request deletion of a child's data by contacting support@aim2balance.ai. We do not knowingly process data from children under 13.

 

12. CHANGES TO THIS POLICY

 

We may update this Privacy Policy to reflect legal or operational changes. We will give notice of material changes 30 days in advance via email or a prominent Service notice.

 

13. CONTACT

 

For questions regarding this Privacy Policy or to exercise your rights:

 

Email: support@aim2balance.ai

Address: Bergwaldprojekt e.V., Otto-Hahn-Str. 13, 97204 Höchberg, Germany

 

Supervisory Authority:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Promenade 27

91522 Ansbach

Germany

 

Document Version: 1.0

Last Updated: June 2026

Cookies Section Updated: June 2026 (reflects actual production implementation)