
Privacy Policy

Effective from 20 April 2026

This privacy policy informs you about the nature, scope, and purpose of personal data processing within the online offering app.senorit.de. It is governed by the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications and Digital Services Data Protection Act (TDDDG).

1. Controller

Controller within the meaning of Article 4 No. 7 GDPR:

Ebrahim Seyfi (trading as "Senorit")
Seeschwalbentwiete 23
22119 Hamburg
Germany
Email: kontakt@senorit.de

A designated Data Protection Officer is not legally required. Privacy enquiries should be directed to the email address above.

2. Processing overview

We process personal data exclusively on the basis of one of the following legal grounds:

  • Article 6 (1) (a) GDPR — consent (e.g. optional cookies, newsletter).
  • Article 6 (1) (b) GDPR — performance of a contract and pre-contractual measures (account, subscription, credits).
  • Article 6 (1) (c) GDPR — compliance with legal obligations (accounting, tax, e-invoicing).
  • Article 6 (1) (f) GDPR — legitimate interests (IT security, abuse prevention, anonymous statistics).
  • Article 9 (2) (h) GDPR — processing of special categories for healthcare purposes within the Praxis module.

Processing without a legal basis does not take place. Profiling, automated individual decisions producing legal effects under Article 22 GDPR, and advertising cookies are not used.

3. Authentication and accounts

Authentication is operated entirely in-house. Passwords are hashed with Argon2id and never stored in clear text. Sessions use opaque session cookies (a random identifier that carries no user data; HttpOnly, Secure, SameSite=Lax). Optionally, we support Google sign-in via OAuth 2.0 with PKCE, WebAuthn (passkeys), and time-based one-time passwords (TOTP). Data processed: email, display name, session metadata (IP address, user agent, timestamps), device and security factors. Legal basis: Article 6 (1) (b) GDPR.

4. Payments and billing

Payments are processed through Stripe Payments Europe Ltd., Dublin. Stripe acts as an independent controller for the payment transaction within the meaning of Article 4 No. 7 GDPR. We only receive payment status, transaction IDs, and invoicing data — never full card details. Stripe Tax determines applicable VAT and we use the EU One Stop Shop scheme. Invoices are issued with a ZUGFeRD/XRechnung attachment and retained for ten years pursuant to Section 14b UStG. Legal basis: Article 6 (1) (b) and (c) GDPR.

5. Credits system

Credits are an internal accounting unit pursuant to Section 2 (1) No. 10 (a)/(b) of the German Payment Services Supervision Act (ZAG, Limited Network Exemption). Cash redemption is excluded. Per-user balance is capped at EUR 250 and per-user turnover at EUR 250 per 30 days. Purchases, consumption, refunds, and balances are stored in an audit-grade ledger to fulfil the contract and tax retention obligations. Legal basis: Article 6 (1) (b) and (c) GDPR.

6. AI-powered features

Certain features rely on generative language models accessed via the Vercel AI Gateway. Providers: OpenAI Ireland Ltd., Google Ireland Ltd., and selected additional model providers. Inputs (prompts) and outputs are retained for six months for abuse monitoring and to comply with the logging obligations of Regulation (EU) 2024/1689 (AI Act). Generative outputs are labelled as AI content where required by law. We do not use the data to train models. Legal basis: Article 6 (1) (b) and (f) GDPR.

7. Module-specific processing

Depending on the booked module, additional categories of data are processed:

Agency
Customer and project data, tasks, time tracking, outgoing invoices. Legal basis: Article 6 (1) (b) GDPR.
Creator
Content, publishing schedules, creator analytics, OAuth tokens for connected platforms. Legal basis: Article 6 (1) (b) GDPR.
Praxis
Patient records, appointments, anamnesis, and findings. These data fall under the special categories of personal data within the meaning of Article 9 GDPR. They are stored encrypted and exclusively in the Supabase Frankfurt region. Encryption keys are managed server-side and segregated per practice. Legal basis: Article 9 (2) (h) GDPR in conjunction with Section 22 BDSG.
Merchant
Product, inventory, and order data; buyer data for contract performance. Legal basis: Article 6 (1) (b) GDPR.

8. Processors (Article 28 GDPR)

Data processing agreements pursuant to Article 28 GDPR are in place with all providers listed below. Where data is transferred to third countries, we rely on the EU Standard Contractual Clauses (SCC) under Implementing Decision (EU) 2021/914 and supplementary technical measures.

For each provider: legal basis, purpose, processing location, and whether a data processing agreement (DPA) is in place.

Vercel Inc.
Legal basis: Article 28 GDPR, SCC. Purpose: hosting, edge delivery, routing (FRA1 region). Location: USA / EU (FRA). DPA: in place.
Supabase Inc.
Legal basis: Article 28 GDPR. Purpose: PostgreSQL database, storage (Frankfurt region). Location: EU (FRA). DPA: in place.
Upstash Inc.
Legal basis: Article 28 GDPR. Purpose: Redis cache, QStash queues (EU region). Location: EU. DPA: in place.
Stripe Payments Europe Ltd.
Legal basis: Article 6 (1) (b), Article 28 GDPR, SCC. Purpose: payment processing, Stripe Tax, EU OSS. Location: Ireland / USA. DPA: in place.
Resend Inc.
Legal basis: Article 28 GDPR, SCC. Purpose: transactional email (EU routing). Location: EU / USA. DPA: in place.
Vercel AI Gateway
Legal basis: Article 28 GDPR, SCC. Purpose: routing to model providers (Anthropic, OpenAI, Google). Location: EU / USA. DPA: in place.
OpenAI Ireland Ltd.
Legal basis: Article 28 GDPR, SCC. Purpose: generative language models (via AI Gateway). Location: Ireland / USA. DPA: in place.
Google Ireland Ltd.
Legal basis: Article 28 GDPR, SCC. Purpose: Gemini language models (via AI Gateway). Location: Ireland / USA. DPA: in place.
Cloudflare Inc.
Legal basis: Article 6 (1) (f) GDPR, SCC. Purpose: Turnstile captcha, bot protection. Location: USA, global edge network. DPA: in place.
PostHog Inc. (EU Cloud)
Legal basis: Article 6 (1) (a) GDPR. Purpose: optional product analytics (opt-in). Location: EU (FRA). DPA: in place.
Functional Software Inc. (Sentry)
Legal basis: Article 6 (1) (f) GDPR, SCC. Purpose: optional error monitoring (opt-in). Location: EU / USA. DPA: in place.

9. Third-country transfers

Where personal data is transferred to third countries without an adequacy decision, transfers rely on the EU Standard Contractual Clauses. Transfers to the USA are additionally based on the EU-US Data Privacy Framework where the relevant provider is certified. Sensitive patient data is never processed outside the EU.

10. Retention periods

Personal data is deleted as soon as the processing purpose ceases and no statutory retention obligations conflict with deletion.

  • Accounts: up to 30 days after termination, then anonymised.
  • Invoices, receipts, accounting: 10 years (Section 147 AO, Section 14b UStG).
  • Contractual documents: 6 years (Section 257 HGB).
  • Security and session logs: 90 days.
  • AI prompts and responses: 6 months (logging obligation under the EU AI Act).
  • Patient data (Praxis module): according to the applicable professional retention periods, at least 10 years after the last treatment.

11. Your rights as a data subject

You have the following rights:

Access (Article 15 GDPR)
You may request information about the data concerning you.
Rectification (Article 16 GDPR)
You may have inaccurate data corrected.
Erasure (Article 17 GDPR)
You may request the erasure of your data, provided no statutory retention obligations apply.
Restriction (Article 18 GDPR)
You may request the restriction of processing.
Portability (Article 20 GDPR)
You may receive your data in a structured, commonly used, machine-readable format.
Objection (Article 21 GDPR)
You may object to processing based on legitimate interests at any time.
Withdrawal (Article 7 (3) GDPR)
You may withdraw consent at any time with effect for the future.
Complaint (Article 77 GDPR)
You may lodge a complaint with a supervisory authority, in particular at your place of residence or at our seat.

An informal message to kontakt@senorit.de is sufficient to exercise your rights. We respond within the statutory one-month period.

12. Cookies and tracking

We use strictly necessary cookies for session security, CSRF protection, and language preference. These are permitted without consent under Section 25 (2) No. 2 TDDDG. Optional cookies for product analytics (PostHog) and error monitoring (Sentry) are only set after explicit consent and can be revoked at any time via the cookie banner. Advertising cookies, tracking pixels, and cross-site tracking are not used.

13. Security of processing

We apply technical and organisational measures pursuant to Article 32 GDPR. These include TLS transport encryption, Argon2id password hashing, opaque session cookies, multi-factor authentication, segregated development and production environments, and need-to-know access controls. Security events are centrally logged and monitored.

14. Changes to this policy

We adapt this privacy policy whenever legal or technical changes require it. The current version is available on this page. Material changes will be announced with reasonable notice by email or in product.