Version 2026-06-12
Privacy Policy
This policy describes SiteReply's processing for the website, accounts, billing, support and AI assistants. The German version is authoritative.
1. Controller
Maxim Jochim, trading as IT-Beratung Jochim (sole proprietorship), Europa-Allee 101, 60486 Frankfurt am Main, Germany.
Contact: contact_form1@sitereply.app or /kontakt. No data protection officer has been appointed.
2. Hosting and logs
The application and PostgreSQL database run on netcup infrastructure in Germany. Necessary connection and security data can include IP address, timestamp, path, status and user agent.
Processing is based on Article 6(1)(f) GDPR. Logs are retained only as required for operations, security and evidence.
3. Accounts and authentication
We process email, optional name, organization membership, roles, session and sign-in data. Resend delivers magic links.
Processing is required for the contract under Article 6(1)(b) GDPR. Tokens expire or are deleted after use; account data remains for the contract and statutory retention periods.
4. Contact and access requests
We process name, business email, subject, message, consent timestamp and requested plan context to handle pre-contract and support requests.
Do not submit special-category data, passwords or other sensitive credentials through the contact form.
5. Stripe billing
Stripe processes checkout, subscription, invoice, payment-method, tax and portal data. SiteReply does not store complete card details.
Processing is based on Articles 6(1)(b) and 6(1)(c) GDPR. Stripe may process data outside the EEA using its applicable transfer safeguards.
6. Customer content and AI processing
Customers can provide websites, sitemaps, files and text. SiteReply extracts and chunks content, creates embeddings and stores content and vectors in PostgreSQL/pgvector.
Visitor questions, relevant knowledge excerpts and instructions are sent to the configured AI provider. Anthropic, OpenAI, OpenRouter and cortecs.ai are technically selectable, but production use requires documented provider due diligence. OpenRouter can route to downstream model providers and involve international transfers.
SiteReply does not currently persist complete visitor conversation histories or widget leads. Live prompts are processed to generate a response. These documents will be updated before chat history or lead capture is released.
7. Support and application logs
Authorized administrators can enter audited support sessions for customer organizations. Full AI request and response logging is disabled by default. If deliberately enabled for diagnostics, OpenRouter diagnostic records are automatically deleted after 30 days. Access is limited to what is necessary.
8. Cookies and browser storage
SiteReply uses necessary cookies for authentication, language preference and authorized support sessions. The embedded widget also stores whether a visitor dismissed its optional tooltip or opened the chat. No advertising, analytics or session-replay cookies are used, so no consent banner is currently required.
Before non-essential cookies or similar storage are introduced, SiteReply will obtain consent and update this policy.
9. Recipients and transfers
Current service providers are listed at /subprocessors. Transfers outside the EEA rely on an adequacy decision or appropriate safeguards under Article 46 GDPR where required.
10. Retention
Data is kept only for contract, security, support and statutory purposes. Customer content is generally deleted with the related chatbot or account. Database backups are routinely deleted after 14 days. Enabled OpenRouter diagnostic records are deleted after 30 days. Commercial and tax records may be retained for up to ten years.
11. Rights
- Access, correction, erasure and restriction
- Data portability where applicable
- Objection to legitimate-interest processing
- Withdrawal of consent for the future
- Complaint to a supervisory authority, including the Hessian Commissioner for Data Protection and Freedom of Information
Cookie register
| Storage / type | Purpose | Duration | Legal basis |
|---|---|---|---|
| authjs.session-token, __Secure-authjs.session-token (cookie) | Maintains the authenticated SiteReply session. | Until session expiry or sign-out | Art. 6(1)(b) GDPR; Section 25(2) no. 2 TDDDG |
| sitereply_app_lang (cookie) | Stores the language selected by the user. | 12 months | Art. 6(1)(f) GDPR; Section 25(2) no. 2 TDDDG |
| sitereply_support_context (cookie) | Secures an audited administrator support session for a selected customer organization. | 4 hours | Art. 6(1)(f) GDPR; Section 25(2) no. 2 TDDDG |
| sitereply-tooltip-dismissed-{chatbotId} (localStorage) | Remembers that a visitor dismissed or opened the optional widget tooltip. | Until browser storage is cleared | Section 25(2) no. 2 TDDDG; Article 6(1)(f) GDPR |