This notice explains which personal data we process when the v9Labs AI use-case workshop platform is used, why we process it, on which legal basis, and for how long. The platform is deliberately data-minimal: no ad pixels, no web analytics, no third-party tracking.
1. Controller
The controller is v9Labs GmbH i.G., Ostfildern, Germany. Contact: privacy@v9labs.de. Full provider details are listed in the imprint. We have not appointed a data protection officer because, based on our current assessment, no statutory appointment obligation applies.
2. Data we process
Managers: name where provided, email address, billing address, VAT ID, order and payment references, and necessary login and session data.
Participants: email address for invitation and authentication, workshop conversation content, derived participant materials, and technical session data. We usually receive the email address from the inviting manager or company.
Optional voice input: if participants use dictation, the audio signal is sent only for transcription to AWS Transcribe in Frankfurt (eu-central-1). Audio is not stored and is not used for biometric identification.
Operational data: IP address, user agent, audit logs, technical delivery events, and token and cost data for AI inference. We use this for security, debugging, delivery, and cost control.
3. Purposes and legal bases
We process manager data for contract performance and account administration (Art. 6(1)(b) GDPR) and to comply with statutory accounting and tax obligations (Art. 6(1)(c) GDPR). Payment data is processed through Stripe; v9Labs does not receive full card or bank details.
We process participant email addresses to run the workshop commissioned by the manager based on the legitimate interests of the manager and v9Labs (Art. 6(1)(f) GDPR). We process workshop conversation content after the participant confirms the privacy notice at session start (Art. 6(1)(a) GDPR) and to run the workshop.
Security, audit, and cost telemetry is processed based on legitimate interests (Art. 6(1)(f) GDPR): secure operation, abuse prevention, debugging, and cost control.
4. What the manager sees
The manager sees the email addresses of invited people because those addresses are needed for invitations, status overview, and follow-up. The manager does not see individual answers, transcripts, personal participant materials, or synthesis outputs attributable to a single participant.
The post-workshop report is always aggregated. There is no admin override that could expose individual answers to the manager.
5. Retention
Workshop content, transcripts, derived participant materials, invitations, and syntheses are deleted automatically 90 days after the participation window ends, unless the manager triggers earlier deletion.
Encrypted backups may retain deleted data for up to 30 days before they are overwritten by the backup cycle. Billing and accounting data is usually retained for 10 years under § 147 AO. Audit logs and Stripe webhook events are retained for 90 days.
6. Recipients and subprocessors
We use the following processors:
- Hetzner Online GmbH — hosting in Falkenstein, Germany.
- Amazon Web Services EMEA SARL — AI inference via Amazon Bedrock, email delivery via Amazon SES, and optional speech-to-text processing via Amazon Transcribe; all in Frankfurt (eu-central-1).
- Stripe Payments Europe Ltd. — payment processing, invoicing, and payment records. Stripe may process individual operational activities in the US under Standard Contractual Clauses.
The current list is available at /legal/processors. Our data processing agreement is available at /legal/dpa.
7. Third-country transfers
Hosting, AI inference, email delivery, and transcription take place in the European Union. In particular, we do not use the direct Anthropic API; Claude runs through Amazon Bedrock in Frankfurt and cross-region inference is disabled. Third-country transfers may occur only at Stripe for individual payment operations and are covered by Standard Contractual Clauses.
8. Your rights
You have the right of access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR), and objection (Art. 21 GDPR). Where processing is based on consent, you may withdraw that consent at any time with effect for the future.
Send requests through /legal/data-request or by email to privacy@v9labs.de. You also have the right to lodge a complaint with a data protection supervisory authority, in particular the Baden-Württemberg data protection authority.
9. Requirement to provide data
Manager data is required for contracting, payment, and workshop administration. Participant data is voluntary; without an email address no invitation can be delivered, and without workshop answers no meaningful report can be produced.
10. Automated decisions
The platform creates AI-assisted summaries and suggestions. There is no automated decision-making under Art. 22 GDPR that produces legal effects or similarly significant effects. Managers do not receive individual performance profiles.
11. Security
We use TLS 1.3 with HSTS, role-restricted access, SSH public-key authentication, restrictive file permissions for the SQLite database, encrypted restic backups to a second Hetzner region, and audit logs for privacy-relevant actions.
12. Personal-data breaches
We notify the competent supervisory authority within 72 hours of becoming aware of a personal-data breach if there is a risk to the rights and freedoms of affected people. We inform affected managers and, where required, participants without undue delay. Security reports can be sent to security@v9labs.de.
13. Changes to this notice
We update this notice when processing, subprocessors, retention, or legal bases change. The date above shows the current version.