Privacy policy

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) is:

IP Strategy UG (haftungsbeschränkt), trading as “Siyaya Digital” (product: CertX), Niederrheinstraße 46f, 41472 Neuss, Germany. Represented by Managing Director Ilya Piontek. Email: legal@siyaya-digital.com.

No data protection officer is appointed; there is currently no obligation to appoint one under Art. 37 GDPR or § 38 BDSG. For data protection questions, please use the address above.

2. Scope and legal bases

This notice applies to the certx.app website and the CertX application. We process personal data solely in accordance with the GDPR, the BDSG and the German Telecommunications-Digital-Services Data Protection Act (TDDDG).

Depending on the processing, the legal bases are: Art. 6(1)(b) GDPR (contract/use), Art. 6(1)(a) GDPR (consent), Art. 6(1)(c) GDPR (legal obligation) and Art. 6(1)(f) GDPR (legitimate interest, in particular security and operation).

3. Hosting and infrastructure (EU)

The application is operated in the European Union; data is held in the EU region of Frankfurt am Main.

Vercel (hosting/CDN)

The frontend and server functions are provided via Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. Server functions are pinned to the EU region (Frankfurt, “fra1”). A data processing agreement under Art. 28 GDPR is in place; any US transfers rely on Standard Contractual Clauses (Art. 46 GDPR) and — where certified — the EU-US Data Privacy Framework. Legal basis: Art. 6(1)(f) GDPR.

Supabase (database, storage, authentication)

Database, file storage (uploaded drawings) and authentication run on Supabase (Supabase Inc., USA), hosted in the EU region of Frankfurt (AWS eu-central-1). A data processing agreement under Art. 28 GDPR is in place; third-country transfers rely on Standard Contractual Clauses (Art. 46 GDPR). Tenant isolation is enforced technically via Row-Level Security (RLS).

4. Server log files

When the website is accessed, technically necessary access data transmitted by your browser is processed:

• requested URL and referrer
• date and time of access
• browser type and operating system
• IP address (for delivery and attack prevention)

Processing serves the delivery, stability and security of the service. The legal basis is Art. 6(1)(f) GDPR. Data is stored only as long as necessary for these purposes.

5. Cookies and consent management

We use technically necessary cookies (session/sign-in, language and theme settings, and storage of your cookie consent). Storing or reading this information is strictly necessary and exempt from consent under § 25(2) TDDDG.

Non-necessary cookies (e.g. statistics, marketing) are set only with your consent under § 25(1) TDDDG together with Art. 6(1)(a) GDPR. Via the cookie banner you can consent or object per category; you can change or withdraw your choice at any time via “Cookie settings” in the footer.

No statistics or marketing services are currently active; the corresponding categories are kept available and are only activated after your consent.

6. Fonts

The fonts used are served locally from our server (self-hosting). No connection to Google Fonts or other third parties takes place; in particular, your IP address is not transmitted to third parties for font delivery.

7. User account, sign-in and two-factor authentication

To use CertX an account is created. We process name, email address, role, tenant membership, language setting and sign-in/security metadata (time of first sign-in, password-change status and 2FA status).

For security reasons you must change the initial password on first sign-in and set up two-factor authentication (TOTP) within 7 days. Passwords are stored only as a cryptographic hash; TOTP secrets are managed by our authentication provider (Supabase).

The legal basis is Art. 6(1)(b) GDPR (performance of the use relationship) and Art. 6(1)(f) GDPR (account security).

8. Processing of uploaded drawings and AI extraction

The core function of CertX is reading technical drawings. Uploaded files and the characteristics extracted from them are stored tenant-scoped in the EU (see section 3).

For extraction, the content is transmitted server-side to the Claude API of Anthropic PBC, 548 Market Street, San Francisco, CA 94104, USA. Anthropic acts as a processor (Art. 28 GDPR); a data processing agreement is in place, and the US transfer relies on Standard Contractual Clauses (Art. 46 GDPR). Under the API terms, the transmitted content is not used to train the models and is retained only transiently for operational and safety purposes.

The API key is a server-only secret; AI processing happens exclusively within CertX, tenant-scoped, and is logged per tenant. The legal basis is Art. 6(1)(b) GDPR. Technical drawings may contain personal data (e.g. operator initials); do not transmit personal data that is not required for the inspection.

9. Improving recognition (corrections / learning loop)

Corrections that reviewers make to the automated read may be used to improve the central recognition engine. Before any cross-tenant use, the data is de-identified: customer and drawing names, drawing numbers and other identifying information are removed; only geometry and characteristic data remain.

The cross-tenant master dashboard shows only metrics (counts, accuracy percentages, categories) — never drawing content. The legal basis for the improvement is Art. 6(1)(f) GDPR; where personal data is concerned, we additionally rely on consent given in the terms of use. You can object to the processing under Art. 21 GDPR.

10. No solely automated decision-making

The AI extraction is a proposal that is reviewed, corrected and released by a human. There is no solely automated decision producing legal effects within the meaning of Art. 22 GDPR.

11. Recipients / processors

We disclose personal data only where necessary. Processors used:

• Vercel Inc. (USA) – hosting/CDN, server functions (EU region).
• Supabase Inc. (USA) – database, file storage, authentication (hosting EU/Frankfurt).
• Anthropic PBC (USA) – AI extraction (Claude API).

Data processing agreements under Art. 28 GDPR are in place with all processors. No disclosure for third parties’ own advertising purposes takes place.

12. Transfers to third countries

Processing may take place in the USA (see section 11). Where data is processed outside the EU/EEA, we ensure an adequate level of protection through the European Commission’s Standard Contractual Clauses (Art. 46(2)(c) GDPR) and — where the recipient is certified — through the EU-US Data Privacy Framework (Art. 45 GDPR).

13. Retention and deletion

We store personal data only as long as necessary for the stated purposes or to meet statutory retention obligations. Account, drawing and protocol data is stored for the duration of the use relationship and deleted after it ends, unless retention obligations (e.g. under commercial/tax law) apply. Thereafter the data is deleted or restricted.

14. Your rights

Under the GDPR you have the following rights:

• access (Art. 15 GDPR)
• rectification (Art. 16 GDPR)
• erasure (Art. 17 GDPR)
• restriction of processing (Art. 18 GDPR)
• data portability (Art. 20 GDPR)
• objection to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR)
• withdrawal of consent with effect for the future (Art. 7(3) GDPR)

To exercise your rights, a message to legal@siyaya-digital.com is sufficient.

15. Right to lodge a complaint

Without prejudice to other remedies, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The authority responsible for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Postfach 20 04 44, 40102 Düsseldorf (https://www.ldi.nrw.de).

16. Data security

We take appropriate technical and organisational measures (Art. 32 GDPR): transport encryption (TLS/HTTPS), tenant isolation via Row-Level Security, role-based access control, server-side secret management (no AI key in the browser) and mandatory two-factor authentication.

17. Status and changes

Status of this privacy policy: 14 June 2026. We will update this notice if the processing or the legal situation changes.