Privacy Policy
This policy explains how personal data is processed when you use RibatAI (the “Service”). The controller under the GDPR is the entity named below.
1. Controller
Samira Ait Taleb
[address]
Email: [email protected]
2. Hosting
The Service is hosted by Hetzner Online GmbH (servers in Germany), with traffic routed through Cloudflare (CDN / proxy / TLS). Data processing agreements (DPAs) are in place. [confirm DPAs]
3. Data we process
- Account / sign-in: email address (one-time-code login), display name and optional profile picture.
- Content: your boards, cards, clusters, notes, uploaded images and memory items.
- Team: workspace membership, roles, invitations.
- Usage / technical: generation logs (model, token counts, timestamp, cost), server logs.
- Payments: for paid plans, payment data is processed directly by Stripe — we do not store card data.
4. Purposes and legal bases
- Providing the Service and your account — Art. 6(1)(b) GDPR (contract).
- AI generation and memory features — Art. 6(1)(b) GDPR.
- Payment processing — Art. 6(1)(b) GDPR.
- Security, abuse prevention, logging — Art. 6(1)(f) GDPR (legitimate interest).
- Transactional emails (one-time codes, invitations) — Art. 6(1)(b)/(f) GDPR.
- Analytics (Google Analytics) — Art. 6(1)(a) GDPR (consent); withdrawable at any time.
5. Processors / third parties
- Hetzner Online GmbH — server hosting (EU / Germany).
- Cloudflare — CDN, TLS, DDoS protection (possible transfer to third countries; Standard Contractual Clauses).
- Stripe — payment processing.
- Hostinger — sending transactional emails (SMTP).
- Google (Gemini API) — AI processing of brainstorm prompts/content to generate boards. [verify data flow / SCCs]
- Cloudflare R2 — storage of uploaded images.
- Google Analytics (Google Ireland Ltd.) — anonymous usage statistics, only with your consent (possible transfer to the US; Standard Contractual Clauses).
[Conclude DPAs with all processors and safeguard third-country transfers.]
6. Retention
Data is kept while your account/workspace exists and deleted afterwards unless statutory retention obligations apply (e.g. invoices for tax purposes). Backups are kept on a rolling basis. [add concrete periods]
7. Your rights
You have the right to access, rectification, erasure, restriction, data portability and objection, and the right to lodge a complaint with a supervisory authority. Requests: [email protected]. Accounts/workspaces and memory items can be viewed and deleted in the app.
8. Cookies
Strictly necessary cookies run the Service and need no consent: a session cookie for authentication and a cookie to remember your active workspace. A theme preference is stored locally in your browser.
Analytics: Google Analytics sets non-essential cookies, so we load it only after you opt in via the consent banner. If you decline, Google Analytics is not loaded and no analytics cookies are set. You can change your choice at any time (which also withdraws consent with effect for the future).
Last updated: [date]. This is a draft and not legal advice.