Privacy Policy

1. Controller and Contact

The controller responsible for the processing of personal data within the meaning of Art. 4(7) GDPR is:

Crowdee GmbH Zehdenicker Str. 5 10119 Berlin, Germany Managing Directors: Dr.-Ing. Tim Polzehl, André Beyer Telephone: +49 30 330 210 64 E-mail: hello [at] crowdee.ai VAT ID: DE304624889

For privacy-related enquiries you can also reach us at privacy@crowdee.ai. We have not appointed a Data Protection Officer because the statutory thresholds of § 38 BDSG are not met; the persons named above are the responsible points of contact for data protection matters.

2. Key Terms and Legal Bases

We use the terms defined in Art. 4 GDPR (in particular “personal data”, “processing”, “controller”, “processor”, “data subject”, “recipient”, “third party”, and “consent”). The legal bases we rely on are:

• Art. 6(1)(a) GDPR — consent (e.g. optional analytics cookies, marketing communications).
• Art. 6(1)(b) GDPR — performance of a contract or pre-contractual measures (e.g. booking a demo, sending you requested information).
• Art. 6(1)(c) GDPR — compliance with a legal obligation (e.g. statutory retention obligations under tax or commercial law).
• Art. 6(1)(f) GDPR — legitimate interests (e.g. ensuring IT security, preventing abuse of our services, responding to general enquiries, conducting direct B2B communication, fraud prevention).
• § 25(1) and (2) TDDDG for the storage of, and access to, information on your end-device (cookies, local storage and similar technologies).

Where we rely on legitimate interests, you have the right to object under Art. 21 GDPR (see section 13).

3. Data We Process and from Whom

Depending on how you interact with Crowdee, we process different categories of personal data:

• Website visitors — the technical access data described in section 4, plus any data you voluntarily submit through the contact form, chat widget, demo booking, or content-verification tool.
• Platform users — account credentials, profile information, uploaded content (images, text, audio, video), project configurations, and verification results.
• Customers — billing and payment information (invoices, transactions), contractual correspondence, and the personal data needed to provide the agreed services.

4. Server Log Files and Technical Access Data

When you access the Website, our hosting infrastructure and our application logs may automatically record the following technical data:

• the IP address (or, behind a trusted reverse proxy, the client-facing IP forwarded via standard headers),
• date and time of the request,
• the URL requested, HTTP method, status code, and response size,
• the referring URL,
• browser type and version, operating system, and language settings (user-agent),
• rate-limit counters keyed against the IP address (in-memory, short-lived).

Purpose: ensuring the stable and secure delivery of the Website, detecting and preventing attacks and abuse (e.g. brute-force, denial-of-service, spam submissions), enforcing per-IP and global rate limits, diagnosing technical errors, and improving performance.

Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in operating a secure and functional website. Where IP addresses are processed for security we balance this interest against your interests in accordance with Recital 49 GDPR.

Retention: log files are deleted within a maximum of 30 days unless an incident requires longer retention for security investigation purposes. Rate-limit counters are kept in memory only and reset automatically at the end of the rate-limit window.

5. Contact Form, Email, Telephone and Chat

a) Contact form

When you submit our contact form at /contact we process the data you provide: full name, email address, and (optionally) company, phone number, subject, employee count and the content of your message. The form is protected against automated abuse by ALTCHA (see section 9(b)).

Your submission is transmitted to our self-hosted workflow backend, which runs on infrastructure controlled by Crowdee within the European Union, where it triggers an internal email notification to the relevant Crowdee team.

Purpose: handling and responding to your enquiry; pre-contractual communication if you are interested in our products.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) where your enquiry relates to our services; otherwise Art. 6(1)(f) GDPR (legitimate interest in answering enquiries directed at us).
Retention: until your enquiry is fully resolved, plus the period required to comply with statutory retention obligations (in particular §§ 147 AO, 257 HGB — up to 6 or 10 years for tax-relevant correspondence).

b) Direct email and telephone contact

If you contact us directly (e.g. via hello@crowdee.ai, sales@crowdee.ai, support@crowdee.ai, press@crowdee.ai, security@crowdee.ai, or by telephone) we process the data you provide for the purpose of handling your enquiry. The legal basis and retention rules outlined under section 5(a) apply accordingly.

c) Chat assistant (“Nova”)

Our Website features an embedded chat widget powered by our self-hosted automation backend (“Nova”). When you start a conversation, the messages you type, a session identifier generated client-side, and the technical data described in section 4 are transmitted to our workflow backend. To produce a response, the message content may be forwarded to one or more third-party large-language-model (LLM) providers acting as our processors under Art. 28 GDPR; see section 9(d).

Please do not enter special-category data (Art. 9 GDPR), passwords, or other confidential information into the chat. Conversations may be reviewed for quality assurance and abuse prevention.
Purpose: answering visitor questions, qualifying enquiries, improving our service.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in providing automated customer support).
Retention: conversation logs are deleted within 90 days unless a specific enquiry requires longer processing or statutory retention applies.

6. Demo Booking (Calendly)

On /demo we embed the Calendly scheduling widget operated by Calendly LLC, 271 17th Street NE, Atlanta, GA 30363, USA. The widget loads inside an iframe only after you visit the page; we have disabled Calendly’s own consent banner because we obtain consent for non-essential cookies via our own consent manager (section 7).

When you book a meeting through the widget, Calendly processes the data you enter into its booking form (name, email, optional company information, your selected time slot, and any answers to screening questions) as well as basic technical data (IP address, device/browser information). Calendly may set cookies and similar identifiers on your device.

Purpose: scheduling and conducting product demonstrations and sales calls.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) for the booking itself; § 25(1) TDDDG / Art. 6(1)(a) GDPR for any non-essential cookies set by Calendly (where applicable, based on your consent in our consent banner).
Recipient and transfer: Calendly is established in the United States. Transfers are safeguarded by the EU-US Data Privacy Framework, to which Calendly LLC has self-certified, and additionally by the Standard Contractual Clauses adopted by the European Commission (Art. 46(2)(c) GDPR). See section 9.
More information: calendly.com/privacy.

7. Content Verification Service

At /content-verification you can submit a single image for free, AI-assisted authenticity analysis. The following data are processed when you use this service:

• the image file you upload (up to 10 MB; only common image formats are accepted),
• a SHA-256 cryptographic hash of the file (used as a cache key and to bind your subsequent result-email submission to the original verification),
• the model variant you select (if any),
• the technical access data described in section 3, including your IP address where the deployment is configured to trust proxy headers,
• a session-bound HMAC-signed result token (no personal data, valid for one hour, used to authenticate your follow-up email submission),
• a strictly necessary cookie cv_daily_used set on your device after a successful verification to enforce the one-free-verification-per-day fair-use limit (24 hours, HttpOnly, SameSite=Strict).

The image is forwarded to our self-hosted workflow backend for analysis. Within the verification pipeline, the image (or model-specific derivatives of it) is sent to one or more third-party AI model providers acting as our processors under Art. 28 GDPR (see section 9(d)) to compute the authenticity assessment. Verification results (verdict, confidence score, supporting indicators) are cached on the server in memory keyed by the image hash for up to 24 hours so that repeated uploads of the same image return a stable answer without re-running the analysis.

Image content and people in images: if the image you upload contains identifiable individuals or other personal data, that data is processed only for the technical purpose of producing the verification result. You confirm that you are entitled to submit the image for this purpose. Please do not upload images containing special-category data (Art. 9 GDPR) unless you have a clear lawful basis to do so. Uploaded images and inference outputs are not used to train third-party models.

Purpose: providing a free demonstration of our content-verification service; preventing abuse of the free tier via per-IP, per-instance, and per-day rate limits.
Legal basis: Art. 6(1)(b) GDPR (performance of the service you requested) and Art. 6(1)(f) GDPR (preventing abuse and ensuring service stability). The strictly-necessary cv_daily_used cookie is set on the basis of § 25(2) no. 2 TDDDG (strictly necessary to provide the explicitly requested service).
Retention: uploaded image bytes are kept only for the duration of the inference call and are not persisted on disk; the hash-keyed result cache expires after 24 hours; the IP daily-use map is bounded in-memory and is cleared on server restart; result tokens expire after one hour.

Email capture for verified results

After a successful verification you can optionally provide your name, email address, and (optionally) company in order to receive the verification report by email and to be contacted by our team. The submission is bound to the just-completed verification via the short-lived HMAC result token described above.

Legal basis: Art. 6(1)(a) GDPR (your consent, given by submitting the form) and Art. 6(1)(f) GDPR for follow-up B2B contact within the scope permitted by Recital 47 GDPR. You may withdraw consent at any time with effect for the future (see section 13).
Retention: we keep this information for as long as needed to follow up, and in any case no longer than 24 months from your last interaction, unless we are required to retain it for longer (e.g. tax law) or you ask us to delete it sooner.

8. Cookies, Local Storage and Consent Management

We use cookies and similar technologies (e.g. browser local storage) only to the extent strictly necessary for the operation of the Website, or with your consent. Where consent is required, we collect it via our consent manager (powered by c15t) before activating the corresponding technology. The consent manager itself stores your choices locally on your device so that the banner does not reappear on every visit.

The technologies we use fall into two categories:

• Strictly necessary (always active; § 25(2) no. 2 TDDDG): session-management tokens, CSRF/origin enforcement, the consent record itself, and the cv_daily_used cookie that enforces the free-tier daily limit for the content-verification service.
• Analytics (only with consent; § 25(1) TDDDG and Art. 6(1)(a) GDPR): Matomo Analytics in pseudonymised mode (see section 9(a)).

You can review and change your choices at any time via the “Privacy settings” link in our footer, by reopening the consent manager, or via your browser settings.

9. Third-Party Services and Sub-processors

a) Matomo Analytics (self-hosted, consent-based)

Subject to your consent we use Matomo (open-source) to measure usage of the Website. Matomo is self-hosted by Crowdee on infrastructure within the European Union; no data is transmitted to InnoCraft Ltd. or any other third party. We configure Matomo with IP truncation (anonymisation of the last octet) and do not use Matomo for cross-site advertising or profile building. Matomo processes pseudonymised data such as truncated IP address, pages visited, referrer, device/browser characteristics, approximate location at country level, and a randomly assigned visitor identifier.

Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG (your consent), revocable at any time. Retention: aggregated reports are kept for up to 26 months.

b) ALTCHA (anti-abuse)

Our forms are protected by ALTCHA, an open-source proof-of-work bot-mitigation mechanism. ALTCHA works entirely within your browser: your browser solves a short computational puzzle whose solution is verified against our own server. No data is transmitted to any third party, and ALTCHA does not use tracking, cookies, or behavioural profiling.

Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in preventing spam, scraping, and automated abuse of our forms. The puzzle is started only when you interact with the form.

c) Calendly (demo booking)

See section 6.

d) Workflow automation and AI model providers

Submissions from the contact form, chat assistant, content verification service, and the verification-result e-mail capture are routed through our self-hosted automation backend, which Crowdee operates on infrastructure within the European Union. This backend itself is not a third-party recipient.

Within the chat assistant and the content-verification pipeline, message text or image data is sent from our automation backend to one or more third-party AI model providers acting as our processors under Art. 28 GDPR for the sole purpose of generating a response or an authenticity assessment. Crowdee uses OpenRouter AI Inc. as a routing layer to dynamically select the optimal model provider for each request. Depending on the workflow, the actual model may be provided by Anthropic PBC (Claude models) or OpenAI Inc. (GPT models). We select all providers contractually so that they commit to (i) processing inputs only on our instructions, (ii) not retaining inputs beyond what is technically necessary to serve the response, and (iii) not using customer inputs to train their foundation models. These providers are established in the United States; transfers are safeguarded as described in section 10.

A complete, up-to-date list of all processors engaged for our services, including their location and transfer safeguards, is published at /subprocessors.

e) Hosting and content delivery

All systems are operated by Crowdee on infrastructure located in Germany:

• Website and Matomo analytics run on dedicated servers operated by netcup GmbH, Daimlerstraße 25, 76185 Karlsruhe, Germany, in data centres located in Germany. netcup acts as our infrastructure provider under a data-processing agreement pursuant to Art. 28 GDPR; netcup does not access the application-level personal data we process and is not used as a recipient of such data.
• Automation backend runs on hardware owned and operated by Crowdee, housed in Berlin, Germany. There is no third-party infrastructure provider involved in its operation.

We do not use Vercel, third-party serverless platforms, or third-party managed CDNs to deliver dynamic content or to terminate TLS for visitor traffic. Static marketing imagery is optimised through Next.js’s built-in image pipeline running on our own servers, so that visitors’ browsers connect only to Crowdee-controlled origins in Germany.

f) Embedded fonts and assets

Web fonts and icons used on the Website are self-hosted; we do not load resources from Google Fonts or comparable third-party font services. Where we link to external websites (e.g. partner logos), the linked operator’s privacy notice applies as soon as you follow the link.

g) Social Media Profiles

We maintain public profiles on Instagram, Facebook, and Bluesky. When you visit or interact with these profiles, the respective platform operator processes your data as an independent controller under its own privacy policy. We do not receive personal data from these platforms beyond aggregate reach statistics.

h) Other processors

For the complete, current list of all other processors engaged by Crowdee — including those used for transactional email, billing, invoicing, video conferencing, crowdsourcing, and platform analytics — please see our Data Subprocessors page. That page is updated whenever a processor is added or removed and serves as the single source of truth for our subprocessor inventory.

10. Transfers to Third Countries

All Crowdee-operated systems are located in Germany: the Website and our Matomo analytics instance run on dedicated servers at netcup GmbH; our automation backend runs on hardware owned by Crowdee and housed in Berlin (see section 9(e)). The only categories of recipient that may receive personal data outside the EEA are:

• Third-party AI model providers invoked by our automation pipelines — see section 9(d). Some of these providers operate from the United States or other third countries;
• Calendly LLC (USA), but only if you visit

Transfers to third countries without an adequacy decision rely on appropriate safeguards within the meaning of Art. 46 GDPR, in particular:

• the EU-US Data Privacy Framework (adequacy decision of 10 July 2023) where the relevant processor is self-certified, and/or
• the Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 supplemented, where appropriate, by additional technical and organisational measures.

On request we will provide further information about the specific safeguards in place for an individual transfer. A complete list of all processors established outside the EEA, together with their applicable transfer safeguards, is published at /subprocessors.

11. Storage and Erasure

We store personal data only for as long as necessary to achieve the purpose for which we processed it, or as required by law. Specific retention periods are set out in the relevant sections above. Data are deleted or anonymised:

• when the original purpose of processing has been fulfilled,
• when statutory retention obligations expire,
• when consent is withdrawn and no other legal basis applies,
• when an objection under Art. 21 GDPR is upheld,
• or when erasure is otherwise required by law.

Where erasure is not possible because of statutory retention obligations (e.g. § 147 AO, § 257 HGB), processing will be restricted accordingly and the data will be erased once those obligations have expired.

12. Data Security

We implement appropriate technical and organisational measures pursuant to Art. 32 GDPR to protect personal data against accidental or unlawful destruction, loss, alteration, and unauthorised disclosure or access. These measures include in particular:

• transport encryption (HTTPS/TLS) for all traffic to and from the Website,
• encryption at rest for application databases where appropriate,
• role-based access controls, principle of least privilege, and audit logging,
• HMAC-signed tokens for binding verification results to the same browsing session,
• CSRF/origin checks on state-changing endpoints, per-IP and global rate-limiting, and bot mitigation via ALTCHA proof-of-work,
• regular patching of operating systems and dependencies, vulnerability scanning, and security reviews,
• contractual security requirements imposed on our processors.

You can responsibly disclose suspected vulnerabilities to security@crowdee.ai; see our security page for details.

13. Your Rights as a Data Subject

Subject to the conditions set out in the GDPR, you have the following rights regarding personal data we process about you:

• Right of access (Art. 15 GDPR) — to obtain confirmation as to whether and how we process your personal data, and a copy of that data.
• Right to rectification (Art. 16 GDPR) — to have inaccurate or incomplete data corrected.
• Right to erasure (Art. 17 GDPR) — to have personal data deleted where one of the grounds in Art. 17(1) applies.
• Right to restriction of processing (Art. 18 GDPR) .
• Right to data portability (Art. 20 GDPR) — to receive the personal data you have provided to us in a structured, commonly used, machine-readable format.
• Right to object (Art. 21 GDPR) — to object, on grounds relating to your particular situation, to processing based on Art. 6(1)(e) or (f) GDPR. Where data are processed for direct marketing purposes, you may object at any time and without justification.
• Right to withdraw consent (Art. 7(3) GDPR) — where processing is based on your consent, you may withdraw it at any time with effect for the future, without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, please contact us using the details in section 1 or write to privacy@crowdee.ai. We may ask for additional information to verify your identity. We will respond without undue delay and at the latest within one month of your request (Art. 12(3) GDPR).

14. Right to Lodge a Complaint

Without prejudice to any other remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR). The supervisory authority responsible for Crowdee GmbH is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit Alt-Moabit 59-61 10555 Berlin, Germany Telephone: +49 30 13889-0
www.datenschutz-berlin.de

15. No Automated Decision-Making with Legal Effect

We do not use the data collected via this Website for automated individual decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22(1) GDPR. The content-verification service returns an automated assessment of an uploaded image; this assessment is informational and does not in itself produce legal or comparable effects.

16. Obligation to Provide Data

You are under no statutory or contractual obligation to provide personal data via the Website. However, certain functions (e.g. the contact form, demo booking, or sending verification results by email) require at least the data marked as mandatory in the relevant form; without that data we cannot process your request.

17. Children

Our Website and services are directed at businesses and professional users; they are not intended for children under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data without verifiable parental consent, please contact us so that we can delete that data.

18. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our processing activities, technology, or applicable law. The current version is the version published on this page and is identified by the version date shown above. For material changes we will provide reasonable advance notice through the Website or by email.