Privacy Policy

1. Privacy at a Glance

The following information provides a simple overview of what happens to your personal data when you visit our website or use our service. Personal data is any data that can be used to personally identify you.

2. Data Controller

GRVITY GmbH
Schauenburgerstr. 116
24118 Kiel
Germany

Managing Director: Raitschin Raitschew
E-Mail: datenschutz@speaktomycrm.ai
Phone: +49 431 729 85 2320

3. Legal Basis for Data Processing

The processing of personal data is based on the following legal grounds: Art. 6(1)(a) GDPR (consent), Art. 6(1)(b) GDPR (performance of contract), Art. 6(1)(f) GDPR (legitimate interest). Where we obtain consent for processing operations, you may revoke it at any time.

4. Data Collection on the Website

Server Log Files

The hosting provider automatically collects information in server log files: browser type/version, operating system, referrer URL, IP address (anonymized), time of server request. This data cannot be attributed to specific persons. Legal basis: Art. 6(1)(f) GDPR.

Cookies

We use session cookies for dashboard authentication (httpOnly, secure). Additionally, cookies may be set by analytics tools if you have consented via our cookie banner. You can configure your browser to inform you about the setting of cookies.

5. Hosting

Website Hosting: Vercel

Our website is hosted by Vercel Inc. Serverless functions run in the Frankfurt (fra1) region, EU. Vercel processes access data (IP address, timestamp) to serve the website. Legal basis: Art. 6(1)(f) GDPR. A data processing agreement pursuant to Art. 28 GDPR is in place.

Database: Neon.tech

Our PostgreSQL database is hosted at Neon.tech, server location Frankfurt, Germany. All user data (accounts, conversations, settings) is stored exclusively on EU servers. GDPR-compliant. A data processing agreement pursuant to Art. 28 GDPR is in place.

6. Processing of Voice Messages

When you use our service, your voice messages are processed as follows:

Receipt: Telegram/WhatsApp transmits the audio file to our servers (Vercel, Frankfurt).
Transcription: The audio file is sent to Mistral AI (Paris, France, EU) for speech recognition. Mistral processes the data solely for transcription and does not store it.
Deletion: The audio file is immediately and irrevocably deleted after transcription.
Storage: Only the transcribed and AI-structured data (contacts, deals, notes) is stored in your HubSpot CRM — on HubSpot's servers, in accordance with their privacy policy.

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

7. HubSpot Integration

To connect your HubSpot portal, we use the HubSpot OAuth flow. OAuth tokens are stored encrypted in our database. We only access HubSpot data on behalf of and at the request of the Customer. Data processing is based on Art. 6(1)(b) GDPR (performance of contract) and, where applicable, Art. 28 GDPR (data processing on behalf).

8. Payment Processing via Stripe

Payment processing is handled by Stripe Inc. (or Stripe Payments Europe, Ltd. for EU customers). During a purchase, payment data (credit card number, expiration date, CVC) is transmitted directly to Stripe and processed there. We do not store any credit card data. We only receive a payment confirmation and Stripe Customer ID from Stripe. Invoices and payment history are accessible via the Stripe Customer Portal.

Legal basis: Art. 6(1)(b) GDPR. Stripe Privacy Policy: stripe.com/privacy

9. Analytics Tools and Tracking

Google Tag Manager

We use Google Tag Manager (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). The Tag Manager itself does not collect personal data but controls the integration of other tracking tags. These tags are only activated if you have consented via our cookie banner.

Google Analytics 4

We use Google Analytics 4 to analyze user behavior.
Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Processed data: IP address (anonymized), page views, session duration, device type, location (country/region)
Purpose: Website optimization, understanding user behavior
Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner)
Storage duration: 14 months
Opt-out: tools.google.com/dlpage/gaoptout

Google Ads Conversion Tracking

We use Google Ads Conversion Tracking to measure the effectiveness of our advertisements. When you click on a Google ad, a cookie is set (if you have consented), which allows us to track conversions (e.g., registrations). No personal data is transmitted to Google. Legal basis: Art. 6(1)(a) GDPR (consent).

10. Data Subject Rights

You have the following rights regarding your personal data:

• Access (Art. 15 GDPR): Right to information about your stored data
• Rectification (Art. 16 GDPR): Right to correction of inaccurate data
• Erasure (Art. 17 GDPR): Right to deletion of your data ("right to be forgotten")
• Restriction (Art. 18 GDPR): Right to restrict processing
• Data portability (Art. 20 GDPR): Right to receive your data in machine-readable format
• Objection (Art. 21 GDPR): Right to object to processing
• Withdrawal of consent (Art. 7(3) GDPR): Right to withdraw consent at any time

To exercise your rights, please contact: datenschutz@speaktomycrm.ai

11. Right to Complain to Supervisory Authority

You have the right to lodge a complaint with the competent supervisory authority about the processing of your personal data:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98
24103 Kiel, Germany
Phone: +49 431 988-1200
Email: mail@datenschutzzentrum.de
Website: www.datenschutzzentrum.de

12. Telegram Bot API as Transport Infrastructure

SpeakToMyCRM uses the Telegram Bot API as an encrypted transport channel for transmitting voice messages. Telegram acts as an infrastructure layer — comparable to an email server or HTTPS connection.

How it works: We use webhook mode of the Telegram Bot API. When you send a voice message, Telegram forwards it via TLS-encrypted HTTPS connection directly to our EU server (Frankfurt). According to Telegram's documentation, undelivered updates are stored on Telegram servers for a maximum of 24 hours and then deleted.

Data flow: The following is transmitted via Telegram: your voice message audio file, your Telegram user ID, and a timestamp. The actual data processing (transcription via Mistral AI, AI analysis, CRM synchronization) takes place exclusively on our EU servers. Telegram has no access to the CRM content we generate.

Metadata: As a platform operator, Telegram stores metadata (user ID, timestamps, IP address) in accordance with its own Privacy Policy. This is the case with any messenger service and is outside our control.

Telegram server locations: Telegram operates data centers in Amsterdam (Netherlands, EU), Miami (USA), and Singapore. User assignment to a data center is determined by Telegram during registration. European users are typically assigned to the EU data centers in Amsterdam.

Data processing agreement: Telegram currently does not offer a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR. We therefore do not consider Telegram a data processor, but rather an independent telecommunications service / transport infrastructure through which the user communicates on their own responsibility — comparable to using an email provider. The decision to use Telegram as a communication channel is made by the user themselves.

Deletion: Audio files are immediately and irrevocably deleted from our servers after successful processing. Only the structured CRM note remains in your HubSpot portal.

Legal basis: Art. 6(1)(b) GDPR (performance of contract — you actively initiate usage by sending a message to our bot).

13. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy to ensure it always complies with current legal requirements or to implement changes to our services. The new Privacy Policy will then apply to your subsequent visits.