Privacy Policy

1. Controller

The controller responsible for data processing on this website is:

If you have questions about data protection, please contact our Data Protection Officer or reach us at support@ucited.ai.

2. Overview of Data Processing

We process personal data only to the extent necessary to provide and improve the ucited Service, to fulfill contractual obligations, and to comply with legal requirements. This Privacy Policy applies to the websites ucited.ai and ucited.de and the ucited SaaS platform (collectively, the "Service").

The Service is intended exclusively for business customers (Unternehmer) within the meaning of Section 14 BGB. We do not knowingly collect personal data from consumers using the Service.

3. Legal Bases for Processing

We process your personal data on the following legal bases under the General Data Protection Regulation (GDPR):

• Art. 6(1)(b) GDPR – Performance of a contract: Processing necessary to provide the Service, manage your account, and fulfill our contractual obligations.
• Art. 6(1)(f) GDPR – Legitimate interests: Processing necessary for our legitimate interests (e.g., improving the Service, ensuring security, preventing fraud), provided these interests are not overridden by your rights.
• Art. 6(1)(a) GDPR – Consent: Where you have given explicit consent to specific processing activities (e.g., analytics cookies). You may withdraw consent at any time.
• Art. 6(1)(c) GDPR – Legal obligation: Processing necessary to comply with applicable laws (e.g., tax and accounting requirements).

4. Data We Collect

4.1 Account Registration Data

When you register for the Service, we collect:

• Full name and job title
• Business email address
• Company name and address
• Phone number
• VAT identification number (USt-IdNr.)
• Password (stored in hashed form only)

Legal basis: Art. 6(1)(b) GDPR (contract performance).

Retention: For the duration of the contractual relationship and as required by statutory retention periods (typically 6–10 years under German commercial and tax law).

4.2 Payment Data

We use Stripe, Inc. as our payment processor. When you subscribe to a paid plan, Stripe collects and processes your payment information (e.g., credit card number, billing address). We do not store full credit card numbers on our servers. We receive from Stripe only a truncated card reference, transaction confirmations, and billing details necessary for invoicing.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

4.3 Usage Data and Service Input

When you use the Service, we process:

• Keywords, brand names, URLs, and prompts you enter into the platform ("Input")
• Results, reports, and analytics generated by the Service ("Output")
• Feature usage patterns, timestamps, and interaction logs

This data is processed solely to provide and improve the Service. We do not use your Input or Output for purposes unrelated to the Service without your consent.

Legal basis: Art. 6(1)(b) GDPR (contract performance); Art. 6(1)(f) GDPR (legitimate interest in service improvement) for anonymized and aggregated usage analytics.

4.4 Server Log Data

When you access the Service, our hosting infrastructure automatically collects:

• IP address (anonymized where technically feasible)
• Date and time of access
• Browser type and version
• Operating system
• Referring URL
• Pages accessed

Server logs are deleted or anonymized after 30 days.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security and system stability).

4.5 Google Sign-In and Google User Data

If you choose "Continue with Google", we use Google Sign-In only for authentication and account creation or account linking. Through Google and our authentication provider Supabase, we receive the following Google user data to the extent you approve it in Google's consent flow:

• Your Google Account email address and whether Google has verified that email address
• Your name or display name from your Google profile
• A technical Google Account identifier needed to uniquely associate the sign-in with your account

We use this data to sign you in, create or link your ucited account, match your Google-verified email address to an invitation, secure your session, prevent abuse, associate support requests with your account, and send transactional emails.

We do not use Google Sign-In to access Gmail, Google Drive, Google Calendar, Google Contacts, or other Google Workspace content. We do not read, modify, create, or delete content in your Google Account.

Google user data obtained through Google Sign-In is not sold, used for advertising, or shared with data brokers. We do not use it to train general AI or machine-learning models. Where information received from Google APIs is transferred to other services, it is transferred only to our processors to provide the features described above, in particular Supabase for authentication and database operations, Resend for transactional email, and Chatwoot for support when you use the support chat.

ucited.ai's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. You can revoke Google OAuth access in your Google Account settings under third-party apps and services.

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in secure authentication and abuse prevention).

5. Cookies and Analytics

5.1 Essential Cookies

We use cookies that are strictly necessary for the operation of the Service, such as maintaining your login session, security, and your payment provider during checkout. These cookies do not require your consent under § 25(2) TTDSG.

5.2 Google Tag Manager and Google Analytics

We use Google Tag Manager (GTM) to manage tags such as Google Analytics. GTM and the tags it loads (including any analytics or advertising cookies) are activated only after you consent via our cookie banner. Until then, Google Consent Mode keeps all analytics and advertising storage disabled, so no such cookies are set and no analytics or advertising data is sent. You can withdraw your consent at any time with future effect.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Legal basis: Art. 6(1)(a) GDPR (consent).

6. Data Recipients and Sub-processors

We share personal data only with the following categories of recipients, and only to the extent necessary:

All US-based processors maintain appropriate safeguards for international data transfers (see Section 7).

We do not sell, rent, or otherwise share your personal data with third parties for their own marketing purposes.

7. International Data Transfers

Some of our sub-processors are based in the United States. Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

• EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR
• Adequacy decisions by the European Commission, where applicable
• Additional technical and organizational measures as appropriate

You may request a copy of the applicable safeguards by contacting us at support@ucited.ai.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law:

• Account data: For the duration of the contract plus statutory retention periods (6–10 years under §§ 147 AO, 257 HGB).
• Payment records: 10 years (§ 147 AO).
• Server logs: 30 days.
• Google Sign-In data: For the duration of your account; OAuth session data is retained according to the session and security settings of our authentication provider.
• Usage analytics (Vercel): Aggregated and anonymized; no personal data retained.
• Customer Data (Input/Output): For the duration of the contract. After termination, Customer Data is available for export for 30 days, then deleted (see Terms of Use, Section 9.5).

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR) – You may request information about the personal data we hold about you.
• Right to rectification (Art. 16 GDPR) – You may request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17 GDPR) – You may request deletion of your data, subject to legal retention obligations.
• Right to restriction of processing (Art. 18 GDPR) – You may request that we restrict processing of your data under certain conditions.
• Right to data portability (Art. 20 GDPR) – You may request to receive your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21 GDPR) – You may object to processing based on legitimate interests at any time. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right to withdraw consent (Art. 7(3) GDPR) – Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at support@ucited.ai. We will respond within one month of receiving your request.

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. The competent authority for our company is:

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, alteration, or disclosure. These measures include encryption of data in transit (TLS), access controls, regular security reviews, and secure password hashing.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices or legal requirements. We will notify registered users of material changes via email or in-app notification. The current version is always available at https://ucited.ai/privacy.

13. Contact