Privacy policy

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

LohnAI GmbH
Tareg Hossieni
Neue Mainzer Straße 32 (Global Tower)
60311 Frankfurt am Main
Email: info@Lohnai.com

No statutory data protection officer has currently been appointed.

2. Hosting and technical delivery

Our website is technically delivered through several specialized service providers: the frontend through Vercel, the backend through Fly.io, and the database through Neon.

According to our current production setup, German or European regions are configured for these services where the provider makes this available.

This public website is not the operational payroll product of LohnAI. It is used mainly for general information, contact requests, and interaction with the AI assistant.

Customer data from the separate LohnAI payroll product is not collected through this website. For the separate payroll product, relevant payroll data is intended to be processed on German servers.

Processing takes place for the secure, stable, and efficient provision of our online services (Article 6 (1) lit. f GDPR).

3. Server logs and security

When our website and technical interfaces are accessed, connection and security-related data is processed. This may include IP address, date and time of access, requested resource, browser and device information, and technical error data.

We use this data solely to ensure system security, defend against misuse, analyze errors, and maintain the stable operation of our services (Article 6 (1) lit. f GDPR). We may also use Sentry for technical error monitoring. We configure Sentry in a data-minimizing way and do not intentionally transmit form contents, cookies, or authentication contents.

Server and security logs containing personal data are generally stored only for a short time and are usually deleted or overwritten after 30 days, unless longer storage is exceptionally required to investigate a specific security or abuse incident.

The purposes of this processing are:

  • Ensuring secure and stable operation
  • Defending against misuse and automated attacks
  • Technical troubleshooting and recovery

4. Contact form

If you contact us through the contact form, we process the data you enter (name, company, email address, topic, and message) to handle your inquiry and any follow-up questions.

Transmission takes place technically through our backend as well as the service providers Trigger.dev and Resend for message delivery and processing.

We generally store contact requests for up to 6 months unless a legal retention obligation applies or your inquiry leads to a contractual or advisory relationship. The legal bases are Article 6 (1) lit. a GDPR and, where applicable, Article 6 (1) lit. b GDPR.

5. Tax advisor application form

Through the tax advisor application form, we collect the following data: firm name, contact person, street, postal code, city, tax advisor chamber number, number of clients, number of firm employees, email address, and phone number.

This data is used exclusively to review the request, activate access, and initiate a potential business relationship.

If no contractual or portal relationship is established, we generally delete the application data after no later than 6 months, subject to statutory retention obligations. The legal bases are Article 6 (1) lit. a and lit. b GDPR.

6. Appointment booking via Google Calendar

For introductory call booking, we link to Google Calendar Appointment Scheduling. Only after you actively click this link are you redirected to a Google service.

From that point onward, Google processes the data you enter there under its own data protection responsibility. Further information can be found in Google's privacy information.

The legal basis for providing the booking link is Article 6 (1) lit. f GDPR; where the appointment booking takes place in response to your request to initiate a business relationship, Article 6 (1) lit. b GDPR also applies.

7. Cookies, localStorage, and similar storage technologies

On the public website, we do not use optional analytics or marketing cookies.

We only use technically necessary cookies or local storage technologies such as localStorage, in particular for website display settings, the status of this notice banner, and client-side abuse protection functions.

The legal basis is Section 25 (2) TDDDG and Article 6 (1) lit. f GDPR.

8. Protected areas and sessions

If you use protected areas or login features, we process session and authentication data such as session tokens, expiration time, IP address, and user agent.

This serves secure authentication, session management, and protection against misuse (Article 6 (1) lit. b and lit. f GDPR).

In our current setup, sessions are configured for up to 7 days and are technically renewed or deleted accordingly.

9. AI assistant on the website

If you use the AI assistant on our website, your text inputs, live microphone audio, automatically generated transcripts, and response content are technically processed through Google Gemini so your request can be answered and an AI-generated spoken reply can be provided.

According to our current implementation, we do not permanently store the full content of website conversations in our own application database. However, short-lived connection and usage data may be processed for technical abuse protection and quota control; temporary quota data is currently retained for up to 1 hour.

Please do not type or speak sensitive personal, payroll, health, client, or other specially protected data. The AI assistant is intended only for general first-level information and does not replace tax, legal, or individualized payroll advice.

10. Recipients, processors, and international transfers

In connection with our website, we use the following service providers in particular: Vercel (frontend hosting), Fly.io (backend hosting), Neon (database), Upstash Redis (rate limiting and abuse protection), Trigger.dev (background jobs), Resend (email delivery), Sentry (technical error monitoring), Google Gemini (AI assistant), and Google Calendar Appointment Scheduling (appointment booking).

For providers with headquarters, group affiliation, or processing activities outside the EU/EEA, processing in third countries cannot be ruled out. In these cases, we pay attention to appropriate safeguards under Articles 44 et seq. GDPR, in particular the European Commission's Standard Contractual Clauses and, where applicable, adequacy decisions such as the EU-US Data Privacy Framework according to provider documentation.

Where a provider acts as our processor, processing takes place on the basis of an agreement under Article 28 GDPR where legally required.

11. Retention periods

We process personal data only for as long as necessary for the respective purpose or as long as statutory retention obligations apply.

  • Server and security logs: generally 30 days
  • Contact requests: generally up to 6 months
  • Tax advisor application data: generally up to 6 months if no contractual or portal relationship is established
  • Authentication and session data: according to the session lifetime, currently up to 7 days
  • Temporary AI quota data: currently up to 1 hour

12. Data subject rights

You have the right:

  • under Article 15 GDPR, to request information about your personal data processed by us
  • under Article 16 GDPR, to request the immediate correction of inaccurate or incomplete personal data stored by us
  • under Article 17 GDPR, to request the deletion of your personal data stored by us
  • under Article 18 GDPR, to request restriction of the processing of your personal data
  • under Article 20 GDPR, to receive your personal data in a structured, commonly used, and machine-readable format (data portability)
  • under Article 7 (3) GDPR, to revoke consent you have given us at any time
  • under Article 77 GDPR, to lodge a complaint with a supervisory authority

13. SSL/TLS encryption

For security reasons and to protect the transmission of confidential content, this site uses SSL/TLS encryption. You can recognize an encrypted connection by the browser address line changing from "http://" to "https://" and by the lock symbol in your browser bar.

If SSL/TLS encryption is activated, the data you transmit to us cannot be read by third parties while in transit.

14. Changes to this privacy policy

We reserve the right to adapt this privacy policy so that it always complies with current legal requirements or to reflect changes to our services, for example when introducing new services. The new privacy policy will then apply to your next visit.

Last updated: May 2026