1. Data Protection at a Glance and Responsibility
1.1. General Information on Data Processing
The following notes provide a detailed overview of what happens to your personal data when you visit our website or use our application. Personal data is any data with which you could be personally identified, such as your name, your email address, or your IP address.
1.2. Controller for Data Processing
The controller responsible for data processing on this website and in the application within the meaning of Art. 4 No. 7 GDPR is:
NeuronCard AC UG (haftungsbeschränkt) i.G.
Fischbachstr. 78
50127 Bergheim
Email: Support@neuroncard.com
Imprint: https://neuroncard.com/impressum
2. Hosting and Technical Provision
To ensure maximum reliability, scalability, and security, we use specialized hosting service providers.
2.1. Hosting of the Website via Netlify
The provision and hosting of our website is carried out via the service provider Netlify (Netlify, Inc., 44 Montgomery Street, Suite 300, San Francisco, California 94104, USA). When you visit our website, information is automatically sent to Netlify's servers by the browser used on your device. This includes:
- The IP address of the requesting computer,
- Date and time of access,
- Name and URL of the retrieved file,
- The website from which access is made (referrer URL),
- The browser used and, if applicable, the operating system of your computer.
Third-Country Transfer: Netlify processes data in the USA. The transfer is based on the Standard Contractual Clauses (SCC) of the EU Commission and the EU-US Data Privacy Framework (DPF). A Data Processing Agreement (DPA) has been concluded.
2.2. Hosting of the Application via Render
The backend and databases of our application are hosted via Render (Render Services Inc., 525 Brannan St Suite 300, San Francisco, CA 94107, USA). Render collects access log files (such as IP addresses) to monitor the stability and security of the application and to ward off attacks. We expressly point out that the application does not collect or process any specific device data (such as advertising IDs, precise location data, or camera access).
Purpose and Legal Basis: Processing is carried out on the basis of Art. 6 (1) lit. b GDPR (contract performance when using the app) and Art. 6 (1) lit. f GDPR (legitimate interest in a secure IT infrastructure).
Third-Country Transfer: Render is certified under the EU-US Data Privacy Framework (DPF). A Data Processing Agreement (DPA) has been signed.
3. General Legal and Technical Protective Measures
3.1. SSL or TLS Encryption
To protect your data during transmission, this site and the app use modern SSL or TLS (Transport Layer Security) encryption. You can recognize an encrypted connection by the fact that the browser's address line changes from "http://" to "https://" and by the lock symbol.
3.2. Storage Duration and Deletion Periods
We process and store your personal data only for the period necessary to achieve the purpose of storage or if this is provided for by law (e.g., through tax retention periods of up to 10 years). If the storage purpose ceases to apply or the period expires, the data will be deleted or blocked.
4. Data Collection on the Website and in the App
4.1. Use of Cookies and Local Storage
Our internet pages and the app use so-called "cookies" or the "Local Storage" function of your browser. We primarily use technically necessary storage elements (e.g., session cookies to maintain the login).
Legal Basis: The use of strictly necessary cookies is based on § 25 (2) No. 2 TTDSG. Downstream processing is based on Art. 6 (1) lit. b GDPR (contract execution) or Art. 6 (1) lit. f GDPR (legitimate interest in the operation of the platform).
4.2. Local Integration of Web Resources (Privacy by Design)
To optimize loading times and make our web offerings appealing, we use the following technologies:
- Google Fonts: For displaying fonts.
- Tailwind CSS: As a design framework.
- Cloudflare / Font Awesome: For displaying icons.
5. Registration, User Account, and Contract Fulfillment
5.1. Registration Process
To fully use our SaaS service, creating a user account is required. We collect the following mandatory data: email address, username, and a password.
Purpose and Legal Basis: This data is processed exclusively to provide the account and execute the user agreement. The legal basis is Art. 6 (1) lit. b GDPR.
5.2. Storage Duration of the Account
Your registration data will be stored by us as long as you have an active account on our platform. Upon deletion of the account, the profile data will be irrevocably deleted, unless statutory retention obligations prevent this.
6. Payment Processing and Financial Data
6.1. Use of Stripe
For the secure processing of payments, we use the payment service provider Stripe (Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland). The data required for the payment (e.g., name, email address, amount, credit card details) is transmitted directly to Stripe via a secure interface. We do not store complete credit card numbers.
Legal Basis: Processing takes place to fulfill the contract concluded with you in accordance with Art. 6 (1) lit. b GDPR and for fraud prevention (Art. 6 (1) lit. f GDPR).
Third-Country Transfer: Stripe may transmit data to its parent company in the USA (secured via DPF and Standard Contractual Clauses).
7. Use of Artificial Intelligence (AI)
7.1. Google Gemini API (Vertex AI)
A core component of our SaaS service is the AI-supported generation of learning content. For this purpose, we integrate the Google Gemini API.
Processing Operation: When you enter a prompt into our application, this text is transmitted to Google's servers, analyzed there, and the corresponding output is generated.
Important Note on Data Entry: Even though our application primarily serves the creation of learning content and the entry of private data seems unlikely for the system's purpose, we expressly instruct you, to preserve your own informational self-determination, not to enter any sensitive personal data of third parties or real names into the AI input fields.
Legal Basis: Data transmission is strictly necessary for contract fulfillment under Art. 6 (1) lit. b GDPR. Data transmission to the USA is secured via the DPF and Standard Contractual Clauses.
8. Communication and Emails (via Brevo)
For our email communication, we use the service Brevo (Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany). A Data Processing Agreement (DPA) according to Art. 28 GDPR is in place. Processing takes place on servers in the EU.
8.1. Transactional Emails
We send contract-relevant system messages (e.g., registration confirmations, invoices, password resets) via Brevo.
Legal Basis: Processing takes place according to Art. 6 (1) lit. b GDPR (contract performance).
8.2. Marketing and Promotional Emails (Newsletter)
If you have explicitly consented, we use your email address to send you information about our products and services. For registration, we use a so-called double opt-in procedure to ensure that you are the owner of the email address.
Legal Basis: Processing is based on your consent according to Art. 6 (1) lit. a GDPR.
Right of Withdrawal: You can revoke this consent at any time with effect for the future (e.g., via the unsubscribe link at the end of each marketing email).
9. Consent Management, Web Analytics, and Advertising
9.1. Self-Developed Consent Management System (Cookie Banner)
To obtain and manage your consents (especially for analytics and advertising services) in a legally compliant manner, we use a self-developed consent solution. In this context, no data is transferred to external third-party providers of consent management platforms. Your selection (consent or rejection) is stored in a technically necessary cookie or in the Local Storage on your device to recognize you on future visits.
Legal Basis: The storage of this setting is based on Art. 6 (1) lit. f GDPR (legitimate interest in the legally secure documentation of consent) or § 25 (2) No. 2 TTDSG.
9.2. Google Analytics
Provided you have given your explicit consent via our Consent Management System, we use Google Analytics on this website, a web analytics service from Google Ireland Limited. We have activated IP anonymization.
Legal Basis: Art. 6 (1) lit. a GDPR and § 25 (1) TTDSG.
9.3. Google AdSense (Website) and Google AdMob (App)
Provided you have explicitly consented, we use advertising services from Google to display personalized ads to you.
Legal Basis: Art. 6 (1) lit. a GDPR and § 25 (1) TTDSG.
Withdrawal: You can revoke your granted consents at any time for the future via our privacy settings.
10. Social Media
Links to the social networks YouTube, Instagram, and TikTok are integrated on our website.
These are not social plugins (which transfer data as soon as the page loads), but simple hyperlinks. When you visit our site, no personal data is generally transferred to these platforms. Only when you click on the corresponding button/link will you be forwarded to the provider's page. From this point on, data processing is carried out by the respective operator of the social network according to their data protection regulations. We have no influence on the processing there.
11. Your Rights as a Data Subject
Within the framework of the applicable legal provisions, you have the right at any time to:
- Information (Art. 15 GDPR): You can request information about your personal data processed by us.
- Correction (Art. 16 GDPR): You can request the correction of incorrect data or the completion of your data stored by us.
- Deletion (Art. 17 GDPR): You can request the deletion of your data stored by us, unless processing is necessary for exercising the right of freedom of expression and information, for fulfilling a legal obligation, for reasons of public interest, or for asserting, exercising, or defending legal claims.
- Restriction of Processing (Art. 18 GDPR): You can request the restriction of the processing of your data.
- Data Portability (Art. 20 GDPR): You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format.
- Right to Object (Art. 21 GDPR): If your data is processed on the basis of legitimate interests (Art. 6 (1) lit. f GDPR), you have the right to object to the processing for reasons arising from your particular situation.
Right of Appeal to the Competent Supervisory Authority (Art. 77 GDPR)
In the event of violations of the GDPR, data subjects have a right of appeal to a supervisory authority, in particular in the member state of their habitual residence, their place of work, or the place of the alleged violation.