Privacy Policy
Last updated: April 10, 2026
1. Data Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
27Street GmbH
Gleimstrasse 36, 10437 Berlin
Email: privacy@27street.de
Responsible person: Gero Keller
2. Data Protection Officer
We are not legally required to appoint a data protection officer. For data protection inquiries, please contact us at the email address provided above.
3. Legal Bases for Processing
We process personal data on the following legal bases under the GDPR:
- Art. 6(1)(b) GDPR (Contract performance): Provision of the SaaS service, user account, authentication, core application features.
- Art. 6(1)(f) GDPR (Legitimate interest): Security logging (audit logs with IP address and user agent for abuse detection), semantic embeddings to improve search functionality, cookie-free web analytics for aggregate usage measurement, and the operation and optimization of our service.
- Art. 6(1)(a) GDPR (Consent): Where we obtain consent in the future, this will be indicated separately.
Where we process data on the basis of Art. 6(1)(f) GDPR, our legitimate interest lies in the provision and improvement of our service, aggregate usage measurement, ensuring IT security, and fraud prevention.
4. Data Collected
We collect and process the following categories of personal data:
Authentication Data
- Email address, password (stored as hash)
- OAuth tokens for third-party sign-in
- Session tokens (JWT, refresh tokens)
- CSRF tokens for cross-site request forgery protection
User Profile Data
- Display name
- Avatar URL
- Theme preference (light/dark)
- Email notification settings
Organization Data
- Organization membership and role
- Membership timestamps
Audit Logs
To ensure IT security and traceability, we log:
- User actions within the application
- IP addresses
- User agent strings (browser identification)
- Timestamps
This data is automatically deleted after 90 days.
Usage Data (Vercel Web Analytics)
For aggregate reach measurement and technical optimization of our service, we process the following usage data with Vercel Web Analytics:
- Page view timestamps
- Visited URL and dynamic route pattern
- Referrer domain
- Query parameters (stripped before transmission)
- Approximate geolocation (country, region, city)
- Device type, operating system, browser and version, and analytics script version
According to Vercel, visitors are distinguished only by a hash derived from the incoming request that is discarded after 24 hours. No third-party cookies are used for this web analytics functionality.
Meeting Data
- Participant names and contact information
- Agendas and meeting notes
- Meeting documents imported from Google Gemini (verbatim content)
Client Project Data
- Client names and contact details
- Project details, tasks, and cost calculations
- Questionnaire responses
- Quote calculations and timelines
Semantic Embeddings
To improve search functionality, we generate vector representations using OpenAI (text-embedding-3-small) from the following content:
- Task names and descriptions
- Comments
- Questionnaire responses
The text content is transmitted to OpenAI to generate embedding vectors. The resulting vectors are stored in our database. OpenAI processes the data as a sub-processor in accordance with its privacy policy. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in improved search functionality).
Billing Data
When you subscribe to a paid plan, we collect and process the following billing-related data:
- Name and email address of the billing contact
- Billing address and VAT ID (if provided)
- Stripe Customer ID and Subscription ID
- Payment method metadata: last 4 digits, card brand, and expiry date. Full card numbers are collected directly by Stripe and never reach our servers.
This data is processed by Stripe, Inc. (USA) as a sub-processor. Stripe is certified under the EU-US Data Privacy Framework (DPF) and we have additionally concluded Standard Contractual Clauses (SCCs) with Stripe.
The legal basis for processing billing data is Art. 6(1)(b) GDPR (performance of the subscription contract). For the retention of invoices and accounting records, the legal basis is Art. 6(1)(c) GDPR (compliance with a legal obligation), specifically the 10-year retention period under German tax law (Abgabenordnung, AO §147).
5. Sub-Processors
We use the following sub-processors:
| Service | Purpose | Data Shared | Location | Transfer Mechanism |
|---|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage, encryption (Vault) | All application data | EU | Processing within the EU |
| OpenAI, L.P. | Semantic search embeddings (text-embedding-3-small) | Task names, descriptions, comments, questionnaire responses | USA | EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs) |
| Google LLC | Google Drive OAuth integration, Gemini document import | OAuth tokens, document content | USA | EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs) |
| Resend Inc. | Transactional emails (invitations, notifications, questionnaire sharing) | Email addresses, notification content | USA | Standard Contractual Clauses (SCCs) |
| Stripe, Inc. | Subscription billing, payment processing, invoicing | Billing email, organization name, Stripe customer ID, subscription metadata. Full card data is collected by Stripe directly and never reaches our servers. | USA | EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs) |
| Vercel Inc. | Web application hosting, deployment, and cookie-free web analytics for aggregate reach measurement and technical optimization | Request logs, IP addresses, and web analytics data such as page URL, referrer domain, approximate geolocation, device and browser information, and a request-derived visitor hash | EU/USA | EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs) |
6. International Data Transfers
Some of our sub-processors are located in the USA. The transfer of personal data to the USA is based on the adequacy decision of the European Commission for the EU-US Data Privacy Framework (DPF) pursuant to Art. 45 GDPR, insofar as the respective sub-processor is certified under the DPF.
In addition, we have concluded Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR with all US-based sub-processors to ensure an adequate level of data protection.
7. Data Retention
We retain personal data only for as long as necessary for the respective processing purpose:
| Data Category | Retention Period |
|---|---|
| Authentication and profile data | Until account deletion |
| Organization membership | Until departure from the organization |
| Audit logs (IP, user agent, actions) | 90 days (automatic cleanup) |
| Client project data | 30 days after deletion (automatic purge) |
| Meeting data | 30 days after deletion (automatic purge) |
| Semantic embeddings | Until deletion of the associated source record, or immediately upon opt-out |
| OAuth tokens (Google) | 30 days after authorization revocation |
| Subscription and billing data | Until account deletion. Invoice references are retained for 10 years to comply with German tax law (AO §147). |
| Account deletion | All user-created content is soft-deleted upon account deletion and permanently purged after 30 days |
Deleted records are initially marked as deleted (soft delete) and automatically permanently removed after 30 days.
8. Your Rights as a Data Subject
You have the following rights under the GDPR:
- Right of access (Art. 15 GDPR): You may request information about the personal data we hold about you.
- Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data or completion of incomplete data.
- Right to erasure (Art. 17 GDPR): You may request the deletion of your data, provided no legal retention obligations apply.
- Right to restriction of processing (Art. 18 GDPR): You may request the restriction of processing of your data.
- Right to data portability (Art. 20 GDPR): You may receive your data in a structured, commonly used, and machine-readable format. An export function is available in the application under account settings. The export includes your profile, organization memberships, clients, tasks, meetings, comments, and calendar connections.
- Right to object (Art. 21 GDPR): You may object to the processing of your data based on Art. 6(1)(f) GDPR at any time. This includes, in particular, processing for the purpose of semantic embeddings. Organization administrators can disable embedding generation in the organization settings under AI & Privacy (self-service opt-out).
To exercise your rights, please contact us at the email address provided above. For embedding opt-out, you can use the self-service toggle in your organization settings.
9. Withdrawal of Consent
Where the processing of your data is based on consent (Art. 6(1)(a) GDPR), you have the right to withdraw your consent at any time with effect for the future. The lawfulness of the processing carried out until the withdrawal remains unaffected.
12. Automated Decision-Making and Profiling
Our application uses an AI-powered semantic search function that generates vector representations (embeddings) from text content using OpenAI. These are used for:
- Semantic search across tasks, comments, and questionnaire responses
- Detection of similar or duplicate entries
- Traceability analysis within projects
This is a support function. No automated decisions with legal effect or similarly significant impact are made (Art. 22 GDPR). The results of the semantic search serve solely as an aid to users.
The legal basis is Art. 6(1)(f) GDPR. You may object to processing for the purpose of semantic embeddings at any time pursuant to Art. 21 GDPR. A self-service opt-out is available in the organization settings under AI & Privacy.
13. Data Not Collected Directly from You (Art. 14 GDPR)
In certain cases, we process personal data that was not collected directly from the data subject:
Portal / Questionnaire Respondents
When users of our application share questionnaires via the portal, recipients can submit responses without their own user account. The responses entered are stored. The controller for this data is the user who sent the questionnaire (or their organization).
Meeting Participants
When using the Google Drive integration, meeting notes can be imported that contain names and discussion content of meeting participants. This data originates from Google Gemini documents and is imported verbatim into our application.
14. Technical and Organizational Measures
We implement appropriate technical and organizational measures to protect your data:
- Row-Level Security (RLS) for multi-tenant data isolation
- Encryption of sensitive data using Supabase Vault
- HMAC token verification for API access
- CSRF protection for all authentication flows
- Encrypted transmission of all data via HTTPS/TLS
15. Changes to This Privacy Policy
We reserve the right to update this privacy policy as needed to reflect changes in legal requirements or our service. The current version is always available on this page. The date of the last update can be found at the top of this privacy policy.