Privacy Policy

GDPR · BDSG · TDDDG

This privacy policy explains how personal data are processed when you use selbsai.com, the configurator, the customer portal, the checkout flow, and optional provisioning services such as preload uploads. It is intended to reflect the GDPR and the German implementation framework currently relevant to this service.

1. Controller

ALB Digital Dienstleistungen
Trading as: selbsai; represented by Levent Yilmaz
53179 Bonn, Germany
Website: https://selbsai.com
Privacy contact: privacy@selbsai.com

2. Website access and server logs

When you access the website, technically necessary connection and server data may be processed, including IP address, date and time of access, requested URL, referrer, browser and device data, and status or error information.

This processing is used to provide the website securely, maintain system integrity, troubleshoot errors, and protect against misuse. The legal basis is Article 6(1)(f) GDPR.

3. Cookies, sessions, and local storage

We do not currently describe the website as relying on advertising or marketing trackers. However, the service uses storage mechanisms that are technically necessary to provide functions you explicitly request.

  • Authentication and session cookies for the customer portal and admin area
  • A locale cookie used to remember the selected language
  • Local browser storage for saved configurator state

The legal basis is Article 6(1)(b) GDPR and, where access to device storage is strictly necessary, Section 25(2) TDDDG.

4. Contact and pre-contract communication

If you contact us by e-mail or through a support-related workflow, we process the information you provide in order to answer your enquiry, prepare a contract, or provide support. The legal basis is Article 6(1)(b) GDPR where the communication relates to a contract or pre-contractual request, and Article 6(1)(f) GDPR otherwise.

5. Configurator, orders, and customer portal

In connection with product configuration, ordering, and customer-portal use, we may process contact details, billing and delivery information, device configuration choices, order status data, login data, and account identifiers linked to your order history.

The main legal basis is Article 6(1)(b) GDPR because these processing operations are necessary to perform or prepare the contract.

6. Payments

Payments are processed through the payment service provider integrated into the checkout. We generally do not need the full payment credentials ourselves; instead we typically receive status information, transaction references, and the data required to process the order.

The legal bases are Article 6(1)(b) GDPR for contract performance and Article 6(1)(c) GDPR insofar as accounting or tax-retention obligations apply.

7. Customer authentication

Customer portal access is provided through Supabase authentication. Login events, session identifiers, e-mail addresses, and technical metadata may be processed to authenticate users, protect accounts, and show order information to the correct customer.

The legal basis is Article 6(1)(b) GDPR for account access connected to orders and Article 6(1)(f) GDPR for abuse prevention and account security.

8. Shipping, fulfilment, and service operations

For shipping, fulfilment, support, and service operations, we may process order data, shipping details, status histories, tracking numbers, and operational notes required to complete delivery and communicate with the customer.

The legal basis is Article 6(1)(b) GDPR. Logging for abuse prevention, operational security, and internal documentation may additionally rely on Article 6(1)(f) GDPR.

9. Preload uploads and customer content

If you upload files for preload or provisioning, we may process file names, storage paths, file sizes, SHA-256 checksums where generated by the browser, upload status, and the content itself for the agreed setup and related support.

You should only upload data that you are entitled to provide and process. Because uploads may contain sensitive or confidential material, they should be limited to what is necessary for the agreed provisioning purpose.

The legal basis is Article 6(1)(b) GDPR. Where special categories of personal data may be involved, the customer remains responsible for having an appropriate legal basis to provide those data for the requested setup.

Preload files are not used to train public models. They are used to provision the purchased system, verify the setup, and provide related support where requested.

10. Recipients and service providers

The service may rely on specialised providers for hosting, database infrastructure, authentication, payments, transactional e-mail, shipping, and internal operations. Based on the currently visible technical architecture, these may include Vercel, Supabase, Stripe, Resend, Deutsche Post DHL, and Linear.

  • Vercel for hosting and edge delivery, currently configured for Frankfurt deployment.
  • Supabase for database, authentication, and private storage.
  • Stripe for checkout, payment status, tax calculation, and payment-related records.
  • Resend for transactional e-mail.
  • Deutsche Post DHL for shipping labels and tracking.
  • Linear for internal fulfilment and issue tracking.

Where personal data are processed outside the EEA or access from third countries cannot be excluded, appropriate safeguards such as adequacy decisions or standard contractual clauses should be relied upon where required.

11. Retention

Personal data are stored only for as long as necessary for the respective purpose or for as long as statutory retention obligations apply. In practice, this means:

  • technical and security logs generally for up to 90 days unless an incident requires longer review,
  • account and order data for the duration of the contractual relationship and applicable commercial or tax-retention obligations,
  • provisioning and preload data only for as long as required for setup, verification, and related troubleshooting, normally no longer than 30 days after successful delivery unless a longer support period is agreed.

Business customers may request a deletion confirmation for preload content after provisioning storage is wiped.

12. Security and vulnerability reports

Security reports can be sent to security@selbsai.com. The public security contact is also published through the security.txt route. Vulnerability reports are triaged for severity, customer impact, remediation, and any required notification duties.

13. Your rights

Subject to the statutory conditions, you have rights of access, rectification, erasure, restriction of processing, data portability, and objection, in particular where processing is based on Article 6(1)(f) GDPR.

You may also lodge a complaint with a competent data-protection supervisory authority, including Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestr. 2-4, 40213 Düsseldorf, Germany.

14. Changes to this policy

We may update this privacy policy if processing operations, service providers, or legal requirements change materially. The version published on this page is the version that applies.
