Privacy Policy
Information on data processing within the Peduno Application.
1. Controller and Scope
This Privacy Policy applies to the use of the web application "Peduno" (hereinafter "App").
Responsible Provider / Controller:
Philipp Rajkovic
Kirchdorfstrasse 18
39037 Vals
Italy
Email: support@peduno.de
Target Audience and Responsibility:
Our services are directed exclusively at law firms, legal professionals, and institutional entities ("Users"). When users input personal data of their clients into the App, they act as the Controllers under GDPR. Peduno acts as a technical service provider and processor. The responsibility for the lawful collection and input of client data into the App lies solely with the User.
2. Hosting and Infrastructure
Our App is hosted by Vercel Inc. (USA). Vercel provides the technical frontend infrastructure. Connection data (e.g., IP address, browser information) is processed in server logs to ensure security and stability. Data transfers to the USA are covered by Standard Contractual Clauses (SCC).
3. Data Processing & Storage (Supabase)
We use Supabase as our central database and backend solution. We strictly differentiate storage between client case files and our general Knowledge Base.
A) Case Files (Strictly Isolated Storage)
All files, case data, uploaded documents, and subsequent AI analyses are stored in strict isolation.
- Access Control: Secure "Row-Level-Security" (RLS) guarantees that only you (and authorized team members) have access to these files.
- Purpose: Providing app functionality, full-text searches, and Retrieval-Augmented Generation (RAG) contexts.
- Deletion: Upon deleting your account, these case files are permanently and irrevocably deleted.
B) Knowledge Base (Anonymized Crowd Intelligence)
The Knowledge Base improves application intelligence across all users.
- Anonymization: Items explicitly moved to the Knowledge Base are anonymized before processing. All personal details are stripped.
- Shared Usage: These anonymized inputs are not isolated per firm. They train our legal AI model to benefit all users. Clear text searches of other firms' data are impossible.
- Persistence: As anonymized data holds no personal identity, it remains stored after account deletion to maintain AI model intelligence.
Storage Location: All databases are hosted on servers in the EU (Frankfurt am Main) within AWS infrastructure managed by Supabase.
4. Use of Artificial Intelligence (OpenAI)
Peduno uses API connections to OpenAI, L.L.C. (USA). As we utilize the professional API platform, our app operates under strict Enterprise Privacy Commitments.
No Training on Your Data
OpenAI does not use files, prompts, or reports submitted via our API connection to train their models. Your data remains fully confidential.
(Source: OpenAI Enterprise Privacy)
Data Retention at OpenAI
All transfers are encrypted (TLS 1.2+). OpenAI stores API payload data for up to 30 days solely for abuse monitoring. After 30 days, data is automatically deleted.
Note on Attorney-Client Privilege
OpenAI is certified under the EU-U.S. Data Privacy Framework. However, we recommend pseudonymizing highly sensitive files prior to upload if required by local professional regulations.
5. Transactional Emails (Resend)
We use Resend (USA) exclusively for technical transactional emails (e.g. login magic links, team invites, deadline notifications). No marketing emails are sent.
6. Cookies and Tracking
We do not use any third-party tracking tools (such as Google Analytics or PostHog) or marketing pixels. Only essential technical cookies are utilized.
7. Data Security
We apply advanced cryptographic technologies (TLS/SSL, AES-256) and strict Row-Level-Security (RLS) to safeguard database access.
8. Your Rights and Deletion Requests
You have the right to information, rectification, restriction, and deletion of your data. To request account deletion, email support@peduno.de.
9. Amendments
We reserve the right to amend this Privacy Policy to align with new legal requirements or app features.
Last updated: June 2026