1. Data Controller & Contact Information
The data controller responsible for your personal data is:
HelloProduct UG
Düppelstraße 35
44789 Bochum, Germany
You can reach our Data Protection Officer at: team@helloproduct.ai
When we process personal data on behalf of business customers (B2B), HelloProduct acts as a data processor. In such cases, the business customer is the data controller, and we process data according to their instructions and our Data Processing Agreement (DPA).
2. Information We Collect
2.1 Account Information
When you create an account or your organization provisions one for you, we collect:
- Required: Email address, full name, company name
- Optional: Job title, industry
- Social login data: If you sign in via Google or LinkedIn, we receive your name, email, and profile picture from these providers
2.2 Learning & Usage Data
To provide personalized learning experiences and team analytics, we collect:
- Course progress and completion status
- Quiz scores and assessment results
- Simulation performance and AI feedback
- Time spent on lessons and activities
- Learning activity history
- Conversations with the AI tutor (stored for personalization and quality improvement)
2.3 Company Content
For organizations using custom courses, we may store documents, playbooks, and other materials you upload to create personalized learning content. This data is stored securely and used only for your organization's training purposes.
2.4 Payment Information
We use Stripe as our payment processor. Payment card details are collected and processed directly by Stripe and are never stored on our servers. We receive only non-sensitive transaction details (last four digits, card type, billing address) for record-keeping.
2.5 Technical Data
We automatically collect certain technical information:
- IP address and approximate location
- Browser type and version
- Device information and operating system
- Pages visited and navigation paths
- Referring website
- Server logs and error reports
3. How We Use Your Information
We use your personal data to:
- Provide our services: Deliver courses, AI tutoring, and simulations tailored to your profile
- Personalize learning: Adapt content to your role, industry, skill level, and learning progress
- Generate analytics: Provide team leads and admins with insights into learning progress
- Process payments: Handle subscriptions and billing through Stripe
- Communicate with you: Send service updates, learning reminders, and respond to support requests
- Improve our platform: Analyze usage patterns to enhance features and fix issues
- Ensure security: Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations: Meet regulatory and legal requirements
4. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process your data based on:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide our services, including account management, course delivery, and AI tutoring
- Legitimate interests (Art. 6(1)(f)): Analytics, service improvement, security measures, and marketing to existing customers
- Consent (Art. 6(1)(a)): Marketing communications to prospective customers, optional cookies, and certain data processing activities where we specifically request consent
- Legal obligation (Art. 6(1)(c)): Compliance with tax, accounting, and other legal requirements
5. AI & Machine Learning
HelloProduct uses artificial intelligence to power our AI tutor and simulation features. Here's how AI processes your data:
5.1 AI Providers
We use OpenAI models through the Vercel AI SDK and AI Gateway to power conversational tutoring and simulations. When you interact with our AI features:
- Your messages and relevant learning context are sent to OpenAI for processing
- OpenAI processes data according to their enterprise terms and does not use your data to train their models
- We use Langfuse for AI observability and quality monitoring
5.2 AI Decision-Making
Our AI provides personalized learning recommendations and feedback. These are assistive features to enhance your learning—no significant automated decisions affecting your legal rights are made solely by AI without human oversight.
6. Data Sharing & Third Parties
We share your data with the following categories of service providers:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database & authentication storage | EU (Frankfurt) |
| Vercel | Hosting & AI Gateway | EU |
| Auth0 | Authentication & identity | EU |
| OpenAI | AI model processing | USA* |
| Stripe | Payment processing | USA* |
| Resend | Transactional emails | USA* |
| Upstash | Redis caching & rate limiting | EU |
| Sentry | Error tracking & monitoring | USA* |
| Langfuse | AI observability | EU |
* Providers with USA locations operate under Standard Contractual Clauses (SCCs) or equivalent safeguards for GDPR-compliant data transfers.
6.1 Business Customers
For team and enterprise accounts, your organization's administrators may access your learning progress and analytics. Data between different organizational workspaces is strictly segregated in our database.
6.2 We Never Sell Your Data
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
7. International Data Transfers
Your data is primarily stored in the European Union (Supabase EU, Vercel EU). When we transfer data to service providers outside the EU/EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): Approved by the European Commission for data transfers to third countries
- EU-US Data Privacy Framework: Where applicable, we work with providers certified under this framework
- Supplementary measures: Additional technical and organizational safeguards as recommended by data protection authorities
8. Data Security
We implement robust security measures to protect your data:
- Encryption in transit (TLS 1.3) and at rest
- Secure authentication with Auth0, including social login and enterprise SSO options
- Role-based access controls within the platform
- Regular security assessments and monitoring
- Error tracking and anomaly detection via Sentry
- Data segregation between organizational workspaces
9. Data Retention
We retain your data according to the following practices:
- Account data: Retained while your account is active. Deleted upon account deletion at your or your organization's request.
- Learning progress & AI conversations: Retained for the lifetime of your account to provide continuous personalization and learning history.
- Server logs: Retained for security, debugging, and compliance purposes for an extended period.
- Payment records: Retained as required by tax and accounting regulations (typically 7-10 years).
10. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data ("right to be forgotten")
- Right to restrict processing: Request limitation of how we use your data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time
10.1 Exercising Your Rights
To exercise any of these rights, please contact us at team@helloproduct.ai. We will respond within 30 days as required by GDPR. For data export or deletion requests, we will verify your identity and process your request manually.
10.2 Right to Lodge a Complaint
If you believe we have not handled your data properly, you have the right to lodge a complaint with a supervisory authority. In Germany, this is the relevant State Data Protection Authority (Landesbeauftragte für Datenschutz).
11. Cookies & Tracking Technologies
We use cookies and similar technologies for:
11.1 Essential Cookies
Required for the platform to function, including authentication tokens and session management. These cannot be disabled.
11.2 Analytics Cookies
Help us understand how visitors use our website and platform, enabling us to improve the user experience. You can opt out of these cookies.
11.3 Marketing Cookies
Used to deliver relevant advertisements and measure campaign effectiveness. These are only set with your consent.
You can manage your cookie preferences at any time through our cookie banner or your browser settings. Note that disabling certain cookies may affect platform functionality.
12. Children's Privacy
HelloProduct is a B2B platform designed for professional use by adults. We do not knowingly collect personal data from children under 16 years of age. If you believe we have inadvertently collected data from a child, please contact us immediately at team@helloproduct.ai, and we will promptly delete such information.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will update the "Last updated" date at the top of this page
- For significant changes, we will notify you via email or a prominent notice in the platform
- We encourage you to review this policy periodically
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We are committed to resolving any privacy concerns and will work with you to address any issues promptly.