Privacy Policy — Legal Monitor
Version 1.1 — effective from 28.03.2026
1. Data Controller
Thorsten Ahrens, Serahr
Email: contact@serahr.de
Website: serahr.de
2. Overview: What Data Is Processed?
Account data (email, hashed password), company profile (name, industry, size, revenue range, business model), data processing details (analytics, newsletter, payment provider, hosting location), keywords, website scan results (URL, cookies, third-party services, AI-generated legal assessment including type, severity, and recommendations), contract data (subscription status, available scan tokens, post-cancellation access period), signup source (UTM parameters and referrer, captured once at registration, no tracking), payment data (via Stripe only), and server logs.
3. Legal Basis
- Art. 6(1)(b) GDPR — Contract performance (account, monitoring, scan)
- Art. 6(1)(f) GDPR — Legitimate interest (server logs, security)
- Art. 6(1)(c) GDPR — Legal obligation (retention requirements)
4. AI Processing
Legal source analysis uses an AI language model (currently Claude Sonnet via OpenRouter). No personal customer data is transmitted to the AI model. Only public legal texts, anonymized company profiles (industry, size — no name or email), and keywords are processed.
5. Website Scan
The website scan uses an automated browser (Playwright/Chromium) to visit the customer-provided URL. It captures the same information any visitor would see: cookies, loaded scripts, third-party requests, imprint, privacy policy, and terms of service. No data is shared with third parties — the scan runs on our own server.
6. Disclosure to Law Enforcement
We may be legally required to disclose stored data to law enforcement authorities on the basis of a European Production Order or Preservation Order pursuant to Regulation (EU) 2023/1543. Legal basis: Art. 6(1)(c) GDPR.
7. Processors
Supabase (database, EU Ireland), Vercel (hosting, EU Edge), Hetzner (scanner, Germany), Resend (email, USA/DPF), Stripe (payments, USA/DPF), OpenRouter (AI analysis of legal texts only, USA/DPF). Data processing agreements pursuant to Art. 28 GDPR are in place with all processors listed above. For US-based processors (Resend, Stripe, OpenRouter), Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR are additionally in place to ensure data protection independent of DPF status.
8. Retention
Account and profile data: until account deletion. Scan results: 12 months. Monitoring results: 12 months. Server logs: 30 days. Payment data: per Stripe privacy policy. After a deletion request, all data is permanently deleted within 30 days. During this period you can export your data.
9. Your Rights
Under GDPR: Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction (Art. 18), Data portability (Art. 20), Objection (Art. 21). Contact: contact@serahr.de.
10. Right to Complain
You have the right to lodge a complaint with a data protection supervisory authority.
11. Automated Decision-Making
No automated decision-making within the meaning of Art. 22 GDPR takes place. The AI-based analysis of legal sources serves solely for information preparation and does not make decisions about the rights or obligations of the user. The relevance assessment and resulting recommendations are advisory only.
12. Necessity of Data Provision
Providing your email address and company profile is required for contract performance (Art. 6(1)(b) GDPR). Without this information, the monitoring service cannot be provided, as the relevance assessment is based on your company profile and results are delivered by email. Providing keywords and data processing details is voluntary but improves the quality of results.
13. Cookies and Tracking
This website uses no tracking cookies and no third-party trackers. Authentication uses Supabase Auth with secure HTTP cookies.
14. Changes
The Provider reserves the right to update this Privacy Policy. Changes will be published on this page.