
Data Protection

Authoritative language: This English translation is provided for convenience. Only the German version (“Datenschutzinformation”) is legally binding.

(Last updated: 18 August 2025)

 

 

1. Controller & Scope

 

This Privacy Notice applies to the website and any mobile offerings of NinetyPeak UG (haftungsbeschränkt) (“we”/“us”). We are the controller under the GDPR. For privacy inquiries, contact data (a) ninetypeak.com. Further company details are available in the Legal Notice (Impressum).

 

 

2. Principles

 

We process personal data only as permitted by law, following data minimization and purpose limitation. If you do not accept this Privacy Notice, please do not use our services.

 

 

3. Data We Process

 

Non-personal data (e.g., technical/aggregated usage data).

Personal data (e.g., name, email, billing/contract data, IP address, device/session data) when you provide it or when technically required to perform a contract.

 

 

4. How We Collect Data

 

  • Data you actively provide (e.g., registration, purchase, messages to us).

  • Automatically during visits/use (e.g., technical logs).

  • Via integrated services (hosting, payment processing).

  • Sign-in via third parties (if used). Details appear in the respective sections.

 

 

5. Purposes & Legal Bases

 

  • Provision & operation of our services, incl. user accounts, subscriptions, support (Art. 6(1)(b) GDPR – contract/steps prior to contract).

  • Security, stability, abuse & fraud prevention, error analysis, logging (Art. 6(1)(f) GDPR – legitimate interests).

  • Billing/tax/compliance (Art. 6(1)(c) GDPR – legal obligation).

  • Product improvement in anonymized/aggregated form (Art. 6(1)(f) GDPR).

  • Communication (e.g., service emails). Marketing emails only with opt-out (Art. 6(1)(a)/(f) GDPR).

 

 

6. Payments

 

Payments are processed by certified payment providers (e.g., Stripe) that comply with PCI-DSS. Payment data is processed through their systems; we do not store full card details.

 

 

7. Cookies & Similar Technologies

 

We use cookies and similar technologies for operation, convenience, and security. For details, see our Cookie Policy.

 

 

8. Recipients / Categories of Recipients

 

  • Hosting/platform (e.g., Wix) for operation, storage, admin functions.

  • Payment services (e.g., Stripe) for transaction processing.

  • IT service providers / processors (e.g., email, support tools).

  • OpenAI (USA) for the AI feature “Peakly” (see Section 10).

  • Authorities/law enforcement where required.

We do not share chat content with ad networks. We do not sell personal data (also within the meaning of the CCPA).

 

 

9. Storage Locations & International Transfers

 

Data may be processed in the EU and—where necessary for the purposes—in third countries. For transfers to countries without an EU adequacy decision, we use EU Standard Contractual Clauses (SCCs) or equivalent safeguards.

 

 

10. Specifics: AI Assistant “Peakly” (OpenAI API)

 

Eligibility. Peakly is available exclusively to subscribers of Core Coral and Premium Purple. Without entering text, the service cannot be provided.

 

Flow. Your inputs (“prompts”) and session context are sent—via a server-side Velo integration—directly to the OpenAI API (not Azure) to generate responses.

 

Data Categories.

 

  • Content: text inputs. File uploads are disabled. If, despite this, an attachment is technically received, it is discarded server-side and not processed.

  • Metadata: pseudonymized user/session IDs (rotated), timestamps, technical events.

  • Sensitive content: We explicitly advise against entering financial, legal, or health information. Peakly provides only general guidance on such topics.

 

Data Minimization. We are phasing in PII masking (e.g., email, phone, IBAN) before the API call. Until fully active, free text may be transmitted unfiltered—please do not enter sensitive data.

 

Moderation. We apply a combination of OpenAI moderation and server-side heuristics. Inputs/outputs may be automatically declined, shortened, or neutralized for safety/policy reasons.

 

Legal Bases. Art. 6(1)(b) GDPR (contract performance: provision of the chat service) and Art. 6(1)(f) GDPR (security, abuse prevention, anonymized product improvement).

 

Processor / Contracts. OpenAI OpCo, LLC (USA) acts as our processor. The OpenAI Data Processing Addendum (including EU SCCs) applies.

 

Training/Model Improvement by OpenAI. According to the provider, API data is not used for model training by default; training occurs only with a separate opt-in. We do not opt in.

 

Logging at OpenAI. According to the provider, API logs may be retained for up to 30 days for security/abuse detection and are then deleted (unless legal obligations require otherwise). Details: OpenAI – Your Data. We cannot technically delete individual entries from these provider logs on request.

 

Retention (NinetyPeak/Wix). Administratively stored chat transcripts (e.g., in Wix Inbox) are deleted by us after 30 days.

 

Personalization/Profiling. Peakly personalizes per session only (pseudonymous session ID with regular rotation). There is no cross-session profiling and no decision-making producing legal effects.

 

 

11. Disclosures

 

In addition to processors, we may disclose data where necessary to establish, exercise, or defend legal claims, to investigate unlawful activities, or pursuant to official/judicial orders.

 

 

12. Retention (General)

 

We retain personal data only as long as necessary for the purposes, as required by law, or where we have legitimate interests (e.g., defense of claims). Thereafter, we delete or anonymize the data.

 

 

13. Security

 

Transmission is protected by TLS/HTTPS. API access is server-side; the API key is stored in the Wix Secrets Manager. Access follows need-to-know/least privilege; administrative access is currently limited to the founder. Despite appropriate measures, absolute security cannot be guaranteed. Use strong passwords and avoid transmitting highly sensitive information via insecure channels.

 

 

14. Minors

 

Our services are not directed at minors. We do not knowingly collect data from children. If indicated, we delete/suspend related accounts/transcripts.

 

 

15. Data Subject Rights (EU/EEA)

 

Subject to legal conditions, you have rights to access, rectification, erasure, restriction, data portability, and objection to processing based on legitimate interests. You may also lodge a complaint with a data protection authority. Contact for requests: data (a) ninetypeak.com.

Peakly/OpenAI note: We delete locally stored chat transcripts. Targeted deletion of individual entries in OpenAI security logs is not possible; these are deleted automatically per the provider’s retention (see Section 10).

 

 

16. Automated Decision-Making

 

There is no solely automated decision-making producing legal effects within the meaning of Art. 22 GDPR. Peakly is an assistive service.

 

 

17. California (CCPA)

 

We do not sell personal data. California residents may have additional rights under CCPA (access/deletion). Please contact data (a) ninetypeak.com.

 

 

18. Changes to this Notice

 

We may update this Notice. The current version published on the website applies (“Last updated”). For material changes, we will inform you on the website. Continued use after notice constitutes acceptance.

 

 

19. Contact

 

Questions or privacy requests: data (a) ninetypeak.com

General contact: see contact form/legal notice on the website.
