Privacy Policy
1. Data Controller
NeuronForge UG (haftungsbeschränkt)
Brillenburgsweg 7
21614 Buxtehude, Germany
Email: hello@streamlain.de
2. Overview
StreamLain is a SaaS platform for docs, canvas, databases, automations, and AI features. We process personal data only to the extent necessary to provide our services or where you have given consent. This privacy policy informs you about the nature, scope, and purpose of personal data processing.
3. Hosting and Infrastructure
Our servers are located in Germany, operated by Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany). No data is transferred to third countries for hosting purposes. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and efficient service provision).
4. Account Data
When you register, we process:
- Email address (required)
- Name (optional)
- Password (hashed with bcrypt, never stored in plaintext)
- Workspace membership and role
Legal basis: Art. 6(1)(b) GDPR (contract performance). Retention: Until account deletion, then fully removed within 30 days.
5. Two-Factor Authentication
To enhance account security, you can enable two-factor authentication (2FA). In this context, we process:
- TOTP secret: Stored encrypted with AES-256-GCM, used to generate time-based one-time passwords
- Backup codes: Stored hashed with bcrypt, serve as emergency access if the authentication device is lost
- Device trust cookies: Valid for 30 days, contain an HMAC-SHA256 fingerprint of the trusted device
Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in account security).
6. Third-Party Authentication (Google OAuth)
You can alternatively sign in using your Google account. When signing in via Google OAuth, Google transmits the following data to us:
- Name
- Email address
- Profile picture URL
Signing in via Google is voluntary. Registration with email and password is available as an alternative. When signing in via Google, a connection to the servers of Google LLC (Mountain View, USA) is established.
Legal basis: Art. 6(1)(a) GDPR (consent). You can revoke the connection at any time in your account settings.
International data transfer: USA. The transfer is based on the EU-US Data Privacy Framework and supplementary Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
7. Usage Data
During platform usage, we process technically necessary data: IP address (truncated), browser type, access time, pages visited. This data is not combined with other data sources.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in service security and stability).
8. File Upload
StreamLain allows uploading files (images, documents, attachments) to workspaces. Uploads use the tus protocol (resumable uploads).
- Storage location: Hetzner servers in Germany
- Encryption: TLS 1.3 during transfer
- Deletion: Files are deleted together with the associated workspace/document, no later than 30 days after contract termination
Legal basis: Art. 6(1)(b) GDPR (contract performance — file management is a core function of the platform).
9. Cookies
The StreamLain platform uses only technically necessary session cookies for authentication. No consent is required for these (§ 25(2)(2) TDDDG). No tracking cookies or analytics cookies are used.
10. AI Features and Third-Party Providers
StreamLain offers AI-powered features (Copilot, automations with AI nodes). Data is transmitted to the following third-party providers via their APIs:
10.1 AI Providers
StreamLain exclusively uses EU-based endpoints for AI processing (EU Data Residency). All AI requests are processed in EU data centers (Frankfurt, Germany):
- Anthropic Claude — via Amazon Web Services (AWS) Bedrock, region eu-central-1 (Frankfurt). Data processor: Amazon Web Services EMEA SARL (Luxembourg). Anthropic, PBC is a sub-processor of AWS.
- Google Gemini — via Google Cloud Vertex AI, region europe-west3 (Frankfurt). Data processor: Google Cloud EMEA Limited (Ireland).
10.2 What Data Is Transmitted?
Depending on the AI function: user inputs (prompts), selected document content, database entries, images for analysis. Transmission occurs exclusively to process the respective request.
10.3 No Training With Your Data (Zero Data Retention)
Your data is NOT used to train AI models. We exclusively use APIs from providers who contractually guarantee that API data is not used for model training.
Additionally, our EU endpoints enforce Zero Data Retention (ZDR):
- AWS Bedrock: ZDR is the default — your inputs and outputs are not stored after processing.
- Google Vertex AI: In-memory processing only with a maximum 24-hour project-isolated cache. No persistent logging.
10.4 EU Data Residency
All AI requests are processed exclusively in EU data centers:
- AWS Bedrock: Region eu-central-1 (Frankfurt, Germany)
- Google Vertex AI: Region europe-west3 (Frankfurt, Germany)
No international data transfer of AI request data occurs. The data processors (AWS EMEA, Google Cloud EMEA) are subject to European data protection law. Additionally, SCCs (Standard Contractual Clauses) are included as a fallback.
10.5 Retention by AI Providers
Through Zero Data Retention, API requests are not persistently stored after processing. In-memory processing at Vertex AI is limited to a maximum of 24 hours and is project-isolated.
Legal basis: Art. 6(1)(b) GDPR (contract performance — AI features are part of the service).
11. Payment Processing (Stripe)
For billing of paid plans, we use the payment processor Stripe, Inc. (San Francisco, USA). The following data is transmitted directly to Stripe:
- Billing address
- Payment method (credit card or SEPA direct debit)
- Email address (for payment receipts)
StreamLain does not store complete credit card data. Payment data entry occurs via Stripe Elements directly within Stripe's infrastructure. Stripe is PCI DSS Level 1 certified.
Legal basis: Art. 6(1)(b) GDPR (contract performance). International data transfer: USA, based on the EU-US Data Privacy Framework and SCCs.
12. Free Trial
12.1 Purpose
We offer registered users a one-time free 14-day trial of the Pro plan. To prevent abuse of this offer (e.g., repeated registration for multiple trials), we store a pseudonymized hash of your email address.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in preventing trial abuse). The balancing of interests is documented in our internal Legitimate Interest Assessment (LIA).
12.2 Data Processed
- Email hash: SHA-256 hash of your email address, salted with a secret key. The hash does not allow inference of your email address.
- Timestamp: Date and time of trial usage
- Expiration date: Automatic deletion date (24 months after trial usage)
12.3 Retention and Account Deletion
The hash record is automatically deleted 24 months after trial usage. After this period, you are eligible for a new free trial.
When you delete your account, the hash record is retained because: the salted hash cannot be attributed to any person without knowledge of the secret key and your email address, deletion would defeat the protective purpose, and the record is automatically deleted after 24 months.
12.4 Right to Object
You may object to this processing pursuant to Art. 21 GDPR. Contact us at hello@streamlain.de. After deletion of the hash record, no further eligibility check is possible.
12.5 Stripe Processing
The trial is managed via Stripe. Stripe processes your email address to create a Stripe Customer object. No payment method is required for the trial. After expiration, the subscription is automatically terminated if no payment method has been provided.
12.6 Email Notifications
In connection with the trial, we send you:
- 3 days before expiration: Reminder about the upcoming end of the trial
- Upon expiration: Information about termination and downgrade to the Free plan
Legal basis: Art. 6(1)(b) GDPR (contract performance).
13. AI Usage Tracking
StreamLain logs the use of AI features: timestamp, model used, and credits consumed. This serves transparency towards workspace admins (credit usage overview) and traceability of data processing pursuant to Art. 5(2) GDPR (accountability principle).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in cost transparency and traceability of AI usage).
13. Data Processing Agreements
We have concluded Data Processing Agreements (DPAs) pursuant to Art. 28 GDPR with all relevant service providers. Current sub-processors:
- Hetzner Online GmbH — Hosting, server infrastructure, object storage (Nuremberg/Falkenstein, Germany)
- Amazon Web Services EMEA SARL — AI inference via Bedrock (eu-central-1 Frankfurt, Luxembourg)
- Google Cloud EMEA Limited — AI inference via Vertex AI (europe-west3 Frankfurt, Ireland)
- Stripe Ireland Limited — Payment processing (Ireland, EU-US DPF)
- Cloudflare, Inc. — DNS management (USA, EU-US DPF + SCCs). No proxy/CDN — DNS resolution only (Grey Cloud).
- BunnyWay d.o.o. (bunny.net) — CDN, DDoS protection (Ljubljana, Slovenia / EU)
14. Data Security
We employ comprehensive technical and organizational measures pursuant to Art. 32 GDPR to protect your data. These include encryption in transit and at rest, secure password hashing, multi-tier access control with tenant isolation, redundant infrastructure with automated backups, and logging of security-relevant operations.
15. Data Protection Officer
Pursuant to § 38 BDSG (German Federal Data Protection Act), the appointment of a data protection officer is only required when 20 or more persons are regularly engaged in the automated processing of personal data. As NeuronForge UG currently does not meet this threshold, no data protection officer has been appointed.
For data protection inquiries, please contact: hello@streamlain.de
16. Automated Decision-Making
No automated decision-making, including profiling, within the meaning of Art. 22 GDPR takes place that produces legal effects concerning you or similarly significantly affects you.
The AI features integrated in StreamLain generate suggestions and drafts. These do not constitute automated individual decisions — the final decision on the use of AI outputs always rests with the user.
17. Your Rights
Under the GDPR, you have the following rights:
- Access (Art. 15) — What data we store about you
- Rectification (Art. 16) — Correction of inaccurate data
- Erasure (Art. 17) — Deletion of your data (“right to be forgotten”)
- Restriction (Art. 18) — Restriction of processing
- Data portability (Art. 20) — Export your data in machine-readable format
- Objection (Art. 21) — Object to processing based on legitimate interests
- Withdrawal of consent — At any time, without giving reasons
To exercise your rights, contact us at hello@streamlain.de.
18. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The supervisory authority responsible for us is:
Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5, 30159 Hannover, Germany
www.lfd.niedersachsen.de
19. Changes to This Privacy Policy
We reserve the right to update this privacy policy to reflect changes in legal requirements or modifications to our service. The current version is always available on this page.