Privacy Policy
1. Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) is:
Web- und Softwaresolutions Grimm
Bernd Grimm
Vogelanger 5
96158 Frensdorf
Germany
Email: hello@agilunis.io
Phone: +49 151 42879017
2. Applicable Regulations
We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the German Telecommunications Digital Services Data Protection Act (TDDDG) and other applicable data protection regulations.
3. Processing of Personal Data
3.1 Accessing the Website (Connection Data)
Each time you access our platform, the following connection data is automatically transmitted and processed:
- IP address of the accessing device
- Date and time of access
- Requested URL and file path
- Referrer URL (previously visited page)
- Browser type, version and language
- Operating system
- Device type
This data is processed by our hosting provider Vercel (see Section 5.1) and is necessary for the technical operation of the platform.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure and stable provision of the platform).
Retention period: Server log files are deleted after a maximum of 30 days.
3.2 Contact
When you contact us by email, we process the data you provide (name, email address, content of the enquiry) exclusively for processing your request. After complete processing, the data is deleted unless statutory retention obligations apply.
Legal basis: Art. 6(1)(b) GDPR (performance of contract or pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in processing enquiries).
3.3 Registration and User Account
When registering on our platform, we collect the following mandatory data:
- First and last name
- Email address
- Password (stored encrypted)
- Role (Service Seeker or Service Provider)
Additional data for Service Providers:
- Postal code and city
- Category of service offered
- Description of activities
- Hourly rate and experience
- Profile picture (optional)
- Gender and date of birth
- Availability
- Languages spoken
Additional data for Service Seekers:
- Postal code and city
- Type of service sought
- Description of needs
Profile visibility: Other registered users can see: first name, profile picture (if available), initial of last name, city and the provider's profile. Full contact details only become visible after contact is made or a booking is placed.
Legal basis: Art. 6(1)(b) GDPR (performance of contract). For optional data: Art. 6(1)(a) GDPR (consent).
Retention period:
- Active accounts: As long as the user account exists.
- Deleted accounts: Personal data is deleted immediately, unless statutory retention periods (e.g. tax or commercial law) apply.
3.4 Messages and Chat
Users can exchange messages via the platform. Message content is stored in our database and is only visible to the conversation participants.
Legal basis: Art. 6(1)(b) GDPR (performance of contract — enabling communication between users).
Retention period: Messages are deleted when both participating user accounts are deleted.
3.5 Bookings and Reviews
When booking a service provider and subsequently reviewing them, booking data (appointment, price, status) and review data (star rating, text review) are stored.
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
3.6 Identity and Address Verification
Users can voluntarily undergo identity and address verification to obtain a trust badge. The following data is processed:
- Identity verification: Photo of an identity document (front and back), name, date of birth, document type, nationality
- Address verification: Address document (e.g. utility bill, bank statement), name, address
- Liveness check: Facial photo for authenticity verification
This data is transmitted to and processed by our verification service provider Didit (Didit Technology S.L.). Biometric data (facial recognition) is used exclusively for authenticity verification and is not permanently stored. Didit stores only the verification result (verified/not verified), not the original documents.
On our platform, we only store the verification status (verified/not verified) and the date of verification.
Legal basis: Art. 6(1)(a) GDPR (explicit consent). For biometric data: Art. 9(2)(a) GDPR (explicit consent).
Withdrawal: You can withdraw your consent at any time with effect for the future. The verification status already obtained remains; however, no new biometric data will be processed.
3.7 Video Calls (Getting to Know Each Other)
Our platform enables video calls between users for introductory conversations. Video and audio streams are transmitted in real time. The connection is established via our service provider LiveKit (LiveKit, Inc.).
No recordings of video calls are stored. LiveKit processes the data exclusively for the duration of the call.
Legal basis: Art. 6(1)(b) GDPR (performance of contract — enabling introductory meetings between users).
3.8 Email Notifications
We send transactional emails (e.g. notifications about new messages, booking confirmations, appointment arrangements) via our email service provider Resend (Resend, Inc.).
The email address and message content are transmitted to Resend. Users can manage their email notification settings in their account.
Legal basis: Art. 6(1)(b) GDPR (performance of contract) for transactional emails. Art. 6(1)(f) GDPR (legitimate interest) for service-related notifications.
4. Cookies and Similar Technologies
4.1 Technologies Used
Our platform uses cookies and web storage (local storage, session storage):
- Cookies: Small text files stored on your device.
- Local Storage / Session Storage: Browser-side storage technologies.
4.2 Obtaining Consent (Cookie Banner)
When you first visit our platform, a cookie banner is displayed. You can choose whether to accept only necessary cookies or also optional cookies. You can change your selection at any time via the cookie settings.
We use vanilla-cookieconsent for this purpose, an open-source solution that runs locally on our platform and does not transmit data to third parties.
4.3 Necessary Cookies
These cookies are required for the operation of the platform and cannot be disabled:
| Cookie | Purpose | Expiry |
|---|---|---|
| sb-* (Supabase) | Authentication and session management | Session / 7 days |
| cc_cookie | Storage of your cookie consent | 6 months |
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in technical operation) and § 25(2) TDDDG (technically necessary cookies).
4.4 Analytics Cookies (with consent only)
| Cookie / Technology | Purpose | Provider | Expiry |
|---|---|---|---|
| PostHog cookies and local storage | Usage analysis, page views, interactions | PostHog (EU servers) | Session / 1 year |
Without consent: PostHog operates in anonymous mode (persistence: 'memory'). No cookies are set and no personal data is stored. Only anonymous page views are recorded.
With consent: PostHog stores cookies and local storage data for visitor recognition. Additionally, user events (clicks, page views, scroll behaviour) are recorded and linked to the user ID.
Legal basis: Art. 6(1)(a) GDPR (consent).
Withdrawal: You can withdraw your consent at any time via the cookie settings on our platform.
5. Service Providers (Data Processors)
5.1 Vercel (Hosting)
Provider: Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA
Purpose: Hosting of our platform, provision of serverless functions, content delivery network (CDN) and edge functions.
Data processed: IP address, connection data, request logs.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reliable operation of the platform).
Data transfer to the USA: Vercel is certified under the EU-US Data Privacy Framework. Standard contractual clauses (EU 2021/914) are also in place.
Further information: Vercel Privacy Policy
5.2 Supabase (Backend Infrastructure)
Provider: Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992 (operated in EU region)
Purpose: Database, authentication, file storage, real-time communication.
Data processed: All user data mentioned in Section 3, authentication data, uploaded files, messages.
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
Data storage location: EU (AWS eu-central-1, Frankfurt).
Further information: Supabase Privacy Policy
5.3 PostHog (Analytics)
Provider: PostHog, Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA
Purpose: Usage analysis for improving the platform.
Data processed: Page views, user interactions, device and browser information, user ID (with consent).
Data storage location: EU (PostHog EU Cloud, eu.i.posthog.com).
Legal basis: Art. 6(1)(a) GDPR (consent) for personalised analytics. Art. 6(1)(f) GDPR (legitimate interest) for anonymous usage statistics.
Further information: PostHog Privacy Policy
5.4 Didit (Identity Verification)
Provider: Didit Technology S.L., Spain
Purpose: Identity, address and liveness verification.
Data processed: Identity documents, address documents, facial photo (biometric data), verification result.
Legal basis: Art. 6(1)(a) GDPR (explicit consent). For biometric data: Art. 9(2)(a) GDPR.
Further information: Didit Privacy Policy
5.5 LiveKit (Video Calls)
Provider: LiveKit, Inc., San Francisco, CA, USA
Purpose: Provision of real-time video calls between users.
Data processed: Video and audio streams (real-time transmission, no recording), room ID, user identifier.
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
Data transfer to the USA: Standard contractual clauses (EU 2021/914).
Further information: LiveKit Privacy Policy
5.6 Resend (Email Delivery)
Provider: Resend, Inc., San Francisco, CA, USA
Purpose: Sending transactional emails (notifications, confirmations).
Data processed: Email address, message content.
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
Data transfer to the USA: Standard contractual clauses (EU 2021/914).
Further information: Resend Privacy Policy
5.7 Google OAuth (Sign in with Google)
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland / Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Purpose: Enabling sign-in via an existing Google account.
Data processed: Google account ID, email address, name (as released by the user).
Legal basis: Art. 6(1)(a) GDPR (consent through active choice of Google sign-in).
Note: When signing in via Google, data is exchanged between our platform and Google. Google's privacy policy also applies.
Further information: Google Privacy Policy
5.8 Google Ads (Conversion Tracking)
Provider: Google Ireland Limited / Google LLC (see 5.7)
Purpose: Measuring the effectiveness of our advertising campaigns on Google Ads. We track whether a person who visited our platform via a Google ad completes a registration (conversion tracking).
Data processed: Online identifiers (Google Click ID), IP address, time of conversion. With Enhanced Conversions, the email address provided during registration is hashed locally in the browser using SHA-256 and transmitted to Google in this hashed form to enable conversion attribution.
Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner, "Marketing" category).
Storage duration: Cookies set by Google have a lifespan of up to 90 days. Conversion data is stored by Google for a maximum of 90 days.
Consent Mode v2: Google Ads is only activated when you consent to the "Marketing" category in the cookie banner. Without your consent, no data is transmitted to Google Ads and no cookies are set. You can withdraw your consent at any time via the cookie settings.
Data transfer to the USA: EU-US Data Privacy Framework.
Further information: Google Ads Privacy, Google Ads Terms
6. Search Engine Visibility
Profiles of Service Providers may be indexed by search engines to improve the discoverability of services. The following data is publicly visible: first name, initial of last name, city, category, description of activities and profile picture.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the visibility and discoverability of the platform offering).
Users can restrict the visibility of their profile in the account settings.
7. Disclosure of Data
Personal data is only disclosed to third parties:
- to the data processors named in Section 5 within the scope of the purposes described,
- to other users of the platform within the scope of intended use (e.g. profile views, messages, bookings),
- where we are legally obliged to do so (e.g. to law enforcement authorities),
- to enforce our General Terms and Conditions.
Data is only disclosed to third parties for advertising purposes within the scope of the conversion tracking described in Section 5.8, and only with your consent (cookie banner, "Marketing" category).
8. Transfer of Data to Third Countries
Some of our service providers are based in the USA. The transfer of personal data to the USA is based on the following:
- EU-US Data Privacy Framework: Vercel and Google are certified under the EU-US Data Privacy Framework.
- Standard Contractual Clauses (EU 2021/914): Standard contractual clauses are in place with LiveKit and Resend.
- EU storage location: Supabase (Frankfurt) and PostHog (EU Cloud) store data in the EU.
- EU-based: Didit is based in Spain (EU).
9. Retention Period
We store personal data only for as long as is necessary for the respective processing purpose or as required by statutory retention periods:
- User account: As long as the account is active. After deletion, data is removed immediately unless retention obligations apply.
- Server log files: Maximum 30 days.
- Booking data: In accordance with tax and commercial law retention periods (up to 10 years).
- Messages: Until both participating user accounts are deleted.
- Verification status: As long as the user account exists.
- Analytics data (PostHog): Maximum 12 months.
10. Your Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR): You can request information about your personal data stored by us.
- Right to rectification (Art. 16 GDPR): You can request the correction of inaccurate data.
- Right to erasure (Art. 17 GDPR): You can request the deletion of your data, provided no statutory retention obligations apply. You can delete your user account via the account settings or by email to hello@agilunis.io.
- Right to restriction of processing (Art. 18 GDPR): Under certain conditions, you can request the restriction of processing.
- Right to data portability (Art. 20 GDPR): You can request that your data be provided in a structured, commonly used and machine-readable format.
- Right to object (Art. 21 GDPR): You can object to the processing of your data based on legitimate interests (Art. 6(1)(f) GDPR).
- Right to withdraw consent (Art. 7(3) GDPR): You can withdraw consent given at any time with effect for the future.
To exercise your rights, please contact: hello@agilunis.io
Direct contact for data protection concerns
If you have any questions, concerns or complaints about the handling of your personal data, please contact us first at hello@agilunis.io. We take your concerns seriously and will endeavour to resolve them promptly and satisfactorily.
Right to lodge a complaint with a supervisory authority
Regardless, you have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), https://www.lda.bayern.de.
11. Obligation to Provide Data
The provision of personal data during registration (Section 3.3) is necessary for the use of the platform. Without this data, no user account can be created and the platform cannot be used to its full extent.
The provision of data for identity verification (Section 3.6) is voluntary and serves to obtain a trust badge.
12. Automated Decision-Making
Automated decision-making including profiling within the meaning of Art. 22 GDPR does not take place.
13. Security Measures
We implement appropriate technical and organisational measures to protect your data, in particular:
- Encrypted data transmission (HTTPS/TLS)
- Row Level Security (RLS) at database level
- Encrypted password storage
- Strict HTTP security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
- Restriction of browser permissions (camera, microphone, geolocation only with explicit use)
14. Changes to this Privacy Policy
We reserve the right to amend this Privacy Policy as necessary to adapt it to changes in the law, technical changes or new processing activities. The current version is always available on our platform.
Last updated: 25 March 2026