Privacy Policy – DealFilter.ai

1. Controller

omninoo GmbH
Waldstr. 2, 78098 Triberg, Germany
Email: [JavaScript erforderlich]
Represented by: Robin Rudahl

2. Overview of Processing Activities

DealFilter.ai is an AI-powered SaaS CRM for IT freelancers. We process personal data exclusively to provide our service. The following overview summarises the types of data processed, the purposes, and the legal bases.

3. Legal Bases

Contract performance (Art. 6(1)(b) GDPR) - providing the service, account management
Legitimate interests (Art. 6(1)(f) GDPR) - security, fraud prevention, technical optimisation
Consent (Art. 6(1)(a) GDPR) - learning feature (opt-in), optional
Legal obligation (Art. 6(1)(c) GDPR) - statutory retention obligations (e.g. tax and commercial law)

4. What Data We Process

4.1 Account Data

When registering via Magic Link (email-based), we store: email address, name (optional), time of registration. Legal basis: contract performance.

4.2 Profile Data

To use the service, you may voluntarily provide: CV (PDF), skills, hourly rates, industries, languages, location, past projects. This data is used exclusively for AI-powered analysis and response generation.

4.3 Project Inquiries and Recruiter Data

You add project inquiries from recruiters to DealFilter. These texts may contain personal data of third parties (recruiter name, email, company details). We process this data exclusively for the purpose of analysing the inquiry on your behalf. Note: As a user, you are responsible for ensuring that you are authorised to process this data (e.g. based on legitimate interests under Art. 6(1)(f) GDPR in managing incoming business inquiries). DealFilter.ai acts as a data processor within the meaning of Art. 28 GDPR for this data on behalf of the user. The corresponding data processing terms are part of the Terms of Service.

4.4 AI-Generated Data

The AI analysis generates: deal scores, market rate assessments, critical factors, response suggestions, recruiter assignments. This data is stored in your personal pipeline.

4.5 Communication Data

Within the pipeline, you can log communication histories (email, phone). This data is stored only in your account.

4.6 Payment Data

When concluding a paid subscription, payment data (payment method, billing address, VAT ID if applicable) is processed exclusively by our payment service provider Polar Software Inc. (Merchant of Record). DealFilter.ai receives from Polar only the transaction data necessary for processing (e.g. subscription status, invoice number, payment timestamp). We do not see or store credit card details or bank account information. Legal basis: contract performance (Art. 6(1)(b) GDPR). For further information on Polar's data processing, please refer to the Polar Privacy Policy.

4.7 Technical Data and Logs

When accessing DealFilter.ai, technical data is automatically processed: IP address, time of access, requested resource, user agent (browser/device), session ID. This data is used exclusively for operation, security, and error analysis. Legal basis: legitimate interests (Art. 6(1)(f) GDPR). Server logs are automatically deleted after 30 days.

4.8 Google Calendar Data

If you connect your Google Calendar (optional feature, requires explicit activation), we process the following data:

Data transferred: OAuth 2.0 access token and refresh token (stored encrypted), Google account ID, calendar event data you create or edit within DealFilter (event title, date, time, location if provided)
Purpose: Synchronising project appointments and deadlines from your DealFilter pipeline with your personal Google Calendar
Retention: OAuth tokens are stored encrypted and immediately revoked with Google and deleted from our database upon disconnection. Calendar events created in Google Calendar via DealFilter remain in your Google Calendar by default - they can be removed via the “Clear Events” function in the calendar settings before disconnecting. DealFilter stores sync metadata (event IDs) in the database; this is removed upon disconnection, explicit event deletion, or account deletion.
Data transfer: The connection uses the Google Calendar API (Google LLC, Mountain View, USA). The transfer to the USA is based on Standard Contractual Clauses (Art. 46(2)(c) GDPR). OAuth scopes used: https://www.googleapis.com/auth/calendar.app.created (create and manage events created by this application only) and https://www.googleapis.com/auth/userinfo.email (read the Google account email address for account identification).
Access limited to own calendar entries: DealFilter creates and manages only events it has created itself as part of the sync. Other existing calendar entries of the user are not read or processed. The OAuth scope used (calendar.app.created) technically limits access to events created by this application only.

Disconnect: You can disconnect your Google Calendar at any time via Settings → Integrations → Google Calendar within the app. Upon disconnection, all OAuth tokens are immediately revoked with Google and deleted from our database. To remove created events from your Google Calendar beforehand, use the “Clear Events” button in the calendar settings. You can additionally revoke access via your Google Account at myaccount.google.com/permissions. Legal basis: consent (Art. 6(1)(a) GDPR) - the connection is only established after explicit authorisation via Google OAuth. Google processes data in connection with the OAuth authorisation as an independent controller pursuant to the Google Privacy Policy.

5. AI Processing via Anthropic (Claude API)

For the analysis of project inquiries and the generation of responses, we send the text of your inquiry to the Claude API of Anthropic, PBC (San Francisco, USA).

Data transmitted: the inquiry text you entered, your profile context (skills, hourly rates), mail snippets, and potentially recruiter data contained therein
Anthropic does not use data sent via the API to train their models
The data transfer to the USA is based on Standard Contractual Clauses (Art. 46(2)(c) GDPR)
AI responses are cached locally (SHA-256 hash) to avoid repeated API calls

The AI analysis (deal score, market rate assessment) serves exclusively as a decision-support tool for the user. No fully automated decision-making within the meaning of Art. 22 GDPR takes place.

6. AI Learning Feature (Opt-In)

DealFilter offers an optional learning feature that is activated exclusively upon explicit consent (opt-in, Art. 6(1)(a) GDPR). When activated, we process:

Changes to generated responses (before/after comparison of your edited response drafts)
Score corrections (when you manually adjust the AI score)
Style preferences for response generation

Transmission to Anthropic: Your edited response drafts are transmitted to the Claude API of Anthropic, PBC (USA) as part of the learning feature to derive a personalised style profile. The transfer is based on Standard Contractual Clauses (Art. 46(2)(c) GDPR).

No model training: Anthropic explicitly does not use data transmitted via the API to train its own models. The data is used exclusively to create your personal style profile within DealFilter.ai.

Withdrawal: Consent can be withdrawn at any time with future effect in the settings. Upon withdrawal, all stored learning data will be immediately and irrevocably deleted. The lawfulness of processing carried out prior to withdrawal remains unaffected. Data already transmitted to Anthropic will be handled in accordance with the data processing agreement with Anthropic and their applicable data retention policies.

7. Processors (Sub-processors)

We use the following service providers:

Provider	Purpose	Location
Anthropic, PBC	AI analysis and response generation (Claude API)	USA (SCC)
Supabase, Inc.	Database (PostgreSQL)	Frankfurt, EU (SCC)
Vercel, Inc.	Hosting and serverless functions	Frankfurt, EU (SCC)
Resend, Inc.	Transactional emails (Magic Link)	USA (SCC)
Polar Software Inc.	Payment processing (Merchant of Record)	USA (SCC)
Sentry (Functional Software, Inc.)	Error monitoring (technical error data without personal reference)	Germany (EU)
PostHog, Inc.	Product analytics (anonymised usage statistics)	EU (eu.i.posthog.com)
Google LLC	Google Calendar integration (optional, only when connected). Basis: Google API Data Processing Addendum.	USA (SCC)

Data processing agreements pursuant to Art. 28 GDPR are in place with all processors. Standard Contractual Clauses (SCC) serve as the transfer mechanism for US-based providers.

8. Cookies, Error Monitoring and Product Analytics

DealFilter.ai uses exclusively one technically necessary session cookie for authentication. No advertising cookies, no advertising tracking, and no social media plugins are used.

We additionally use two privacy-friendly services that process exclusively technical and anonymised data:

Sentry (Error Monitoring): Records technical error messages and stack traces for debugging. IP addresses are not stored, cookies and request contents are not transmitted. Anonymous internal user ID (not traceable). Servers in Germany. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in technical operation).
PostHog (Product Analytics): Records anonymised usage statistics (pages visited, features used). No autocapture of form inputs, no sharing of email or name. Anonymous internal user ID (not traceable). No cookies - data is held exclusively in the browser's session storage (no persistent identifier across sessions). On public marketing pages (homepage, blog, pricing etc.), session recording is active, capturing anonymised click and scroll patterns; in the logged-in app area (/app/*) session recording is disabled. Servers in the EU (eu.i.posthog.com). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in product improvement); no consent requirement under German TDDDG §25 as no cookies are used.

9. Data Retention and Deletion

Account data: stored for as long as your account exists
Project inquiries and pipeline data: stored for as long as your account exists, or until you delete them manually
Server logs: automatically deleted after 30 days
AI cache: automatically deleted after a maximum of 7 days
Learning data: deleted immediately upon withdrawal of consent
Payment data: stored by Polar in accordance with their retention policies and legal obligations (e.g. 10-year invoice retention)
Google Calendar tokens: immediately revoked with Google and deleted from our database upon disconnection
Account deletion: upon deletion of your account, all personal data will be irrevocably deleted within 30 days, unless statutory retention obligations apply

10. Your Rights

You have the following rights under the GDPR:

Access (Art. 15) - what data we store about you
Rectification (Art. 16) - correction of inaccurate data
Erasure (Art. 17) - deletion of your data
Restriction (Art. 18) - restriction of processing
Data portability (Art. 20) - export of your data
Objection (Art. 21) - objection to processing
Withdrawal of consent (Art. 7(3)) - at any time with future effect

To exercise your rights, please contact: [JavaScript erforderlich]

11. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The competent supervisory authority for us is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20, 70173 Stuttgart, Germany

12. Changes

We reserve the right to update this privacy policy to reflect changes in the legal situation or changes to the service. The current version will always be available on this page. For material changes that affect your rights or the way we process your personal data, registered users will be informed by email.