Privacy policy

This overview explains which personal data is processed in Netioon AI, for which purposes, to whom data may be disclosed, and which rights you have.

1. Controller and overview

We process personal data only to the extent necessary to operate this website, provide user accounts, deliver AI functions, and protect the service. The GDPR, the German Federal Data Protection Act, and for access to end devices in particular Section 25 TDDDG are relevant.

Last updated: 19.04.2026 - 20:00

Controller: Maximilian Schaller

Address: Rehdorfer Str. 56, 90431 Nürnberg, Germany

Email: Maximilian-Schaller@netioon.de

2. Website access and general access data

When you access the website and its API endpoints, technically necessary connection and protocol data is generated, in particular:

  • IP address
  • Date and time of access
  • Browser, device, and operating system information
  • requested content and technical response data

This data is necessary to deliver the website, defend against attacks, trace errors, and keep the service stable.

3. Server log files

If access logs are kept at server or reverse-proxy level, they may in particular contain the following data:

  • IP address
  • Time of access
  • Requested URL
  • HTTP status code
  • User-Agent

Processing is carried out for IT security, abuse prevention, troubleshooting, and technical administration.

The legal basis is Art. 6(1)(f) GDPR (legitimate interest).

Server-side access logs are stored only for as long as required for security, troubleshooting, and administration. The exact retention depends on the server configuration in use.

The log data is not used for advertising tracking or profiling.

Log data is not merged with other data sources.

4. Use of the platform (Netioon AI)

If you use the app with a user account or guest access, the following data may in particular be processed and stored:

Account data

  • Name
  • Email address
  • Google account ID (OAuth)
  • Profile image, if available
  • guest or registered account status

The legal basis for account data is Art. 6(1)(b) GDPR insofar as the processing is required to provide your user account, guest access, or the contractual use of the service.

Content data

  • Chat histories
  • Messages from user and AI
  • Conversation titles and metadata
  • uploaded files and images
  • audio inputs for transcription and generated audio outputs

The legal basis for chat, file, and audio content is Art. 6(1)(b) GDPR insofar as this is necessary to provide the requested functions.

Other data

  • UI and language settings
  • saved memories and notes
  • credit and usage balances
  • security and abuse-prevention data such as session and state information

The legal basis for these processing activities is Art. 6(1)(b) GDPR insofar as they are necessary for use of the platform, and Art. 6(1)(f) GDPR for system security, abuse prevention, and technical stability.

5. Login via Google (OAuth)

If you choose Google sign-in, you are redirected to Google. No Google login takes place unless you actively start it.

Depending on available Google data and the released standard information, the following data may in particular be transferred to us:

  • Name
  • Email address
  • Google subject ID
  • Profile image, if available

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

The legal basis for account sign-in is Art. 6(1)(b) GDPR. Security mechanisms of the OAuth flow, in particular state and nonce checks, are also based on Art. 6(1)(f) GDPR.

6. Cookies and similar technologies

This website accesses information stored on your device or stores information there only where technically required or where you have explicitly consented. This includes in particular:

  • Session cookie for login and sessions
  • OAuth security cookies
  • Cookie consent settings
  • language and display settings
  • local theme setting in the browser

The legal basis for required access to or storage on your device is Section 25(2) No. 2 TDDDG. To the extent personal data is processed afterwards, this is based on Art. 6(1)(b) or Art. 6(1)(f) GDPR.

No tracking or marketing cookies are used.

Optional browser comfort storage may also be used, but only if you consent. At present, this mainly concerns storing your own OpenAI API key locally on this device only. That information is not automatically sent to our server with every request.

The legal basis for optional comfort storage is Section 25(1) TDDDG and Art. 6(1)(a) GDPR (consent).

7. Use of the OpenAI API

To provide chat, image, and audio functionality, the content required for the respective feature is transmitted to OpenAI.

Depending on the feature used, the following data may in particular be transmitted:

  • chat messages and other text inputs
  • attachments, images, and file contents
  • audio for transcription or text for speech output
  • system-side context elements such as model choice or enabled memory items

Recipient/service provider: OpenAI, L.L.C., USA, or affiliated companies for the provision of API services.

OpenAI receives only the data necessary for the specific requested function. Integration is based on the provider's applicable contractual data protection terms.

The legal basis for the processing is Art. 6(1)(b) GDPR insofar as the AI function is provided at your request.

Where required, we rely on OpenAI's offered contractual and data protection terms, including DPA/SCC mechanisms.

If you use your own OpenAI API key in the settings, it is not stored server-side in your account. It can only optionally be stored locally in your browser if you allow the optional comfort storage for that purpose.

Note: According to OpenAI's current platform documentation, API data may by default be retained in abuse monitoring logs for up to 30 days unless a zero-retention setup or longer legal obligations apply.

This may also involve a transfer of personal data to the United States as a third country.

Appropriate safeguards, in particular Standard Contractual Clauses (SCCs) and the provider's contractual data protection rules, are used for third-country transfers.

8. Data storage

The data stored server-side in this app is processed on the hosting used by us in Germany. In addition, certain comfort settings remain only in your browser.

As a rule, account data, attachments, memories, settings, and credit data are stored until you delete them yourself or until your account is removed, unless statutory retention duties or legitimate security interests require longer storage. Chats additionally follow an automatic inactivity-based deletion period: unpinned chats are deleted after 15 days without new activity, and pinned chats after 2 months without new activity.

In the account settings, you can reset saved settings, delete chats, and remove your account entirely. Chats can also be renamed permanently and pinned. If you delete your account, your user account and the related server-side data such as settings, chats, memories, and credit data are deleted. Separately submitted feedback is additionally handled under the rules stated for feedback.

Hosting: Self-hosting (own server in Germany).

10. Internal admin access and deletion handling

To handle support cases, security incidents, abuse reports, and requests for access or erasure, specially authorized internal administrators may access server-side stored data where necessary.

  • account data such as name, email address, account type, creation timestamp, and technically derivable activity status
  • stored settings, chats, messages, attachments, and memories where necessary for the specific case
  • bug reports and other voluntarily submitted feedback content
  • credit and usage balances as well as session status for security checks and for implementing deletion or restriction requests

The legal bases are Art. 6(1)(b) GDPR for contract-related support handling, Art. 6(1)(c) GDPR for compliance with legal obligations and data subject rights, and Art. 6(1)(f) GDPR for IT security, abuse prevention, and reliable service operation.

If a verified deletion request exists or an appropriate authorization applies, server-side stored account data, chats, memories, settings, feedback entries, and related sessions may be specifically deleted or blocked.

Where a verified deletion request exists, not only complete accounts but also individual chats, memories, or feedback entries may be removed in a targeted manner where required to handle the respective request.

For verified access or data portability requests, a structured machine-readable export of server-side stored account data, settings, chats, messages, attachments, memories, feedback, and usage data may be created. Purely browser-local storage on other devices is not included.

Guest accounts are intended only as temporary one-time access and are deleted automatically on the server after 24 hours. This also removes the related server-side stored data and sessions.

Purely browser-local comfort storage on user devices cannot be deleted remotely, for example locally stored settings or a personal API key voluntarily stored there. Such content can generally only be removed on the respective device or by the user. Server-side sessions can, however, be revoked.

9. Feedback, bug reports, and improvement suggestions

If you voluntarily submit information through the feedback button, only the data required for handling it is processed. Your submission is stored as a feedback thread.

  • date and time of submission
  • email address or the contact address linked to the account
  • your submission and later replies within the feedback thread

Processing takes place solely for reviewing, prioritising, handling, and responding to bug reports and improvement suggestions.

The legal basis is Art. 6(1)(a) GDPR (consent).

The content is not disclosed to third parties. Access is limited to the parties responsible for operation and handling, plus technically necessary hosting providers.

Open feedback threads are generally stored until the respective process has been completed. After completion, they are usually deleted within 90 days unless longer retention is exceptionally required to handle an unresolved concern or to establish, exercise, or defend legal claims.

If the Netioon team replies, that reply may be shown to you as a notice popup the next time you open the site. The popup remains marked as pending on the server until you actively click “Close” or “Reply”. Simply closing the browser window does not permanently remove the notice.

You may withdraw your consent at any time for the future and request deletion of your feedback.

10. User rights

Within the scope of the law, you have in particular the right to:

  • Access
  • Rectification
  • Erasure
  • Restriction of processing
  • Data portability
  • Object to processing based on legitimate interests
  • Withdraw consent with effect for the future
  • Lodge a complaint with a data protection supervisory authority

Please send requests to: Maximilian-Schaller@netioon.de

Competent or helpful supervisory contacts:

  • Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
  • BfDI authority contact finder

11. No automated individual decision-making

No automated decision is made within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.

12. Minors

This service is not directed at children. Persons under the age of 16 should use the website and AI functions only with the consent of their legal guardians.

13. No analytics or tracking tools

No analytics, profiling, advertising, or marketing tools are used. In particular, we do not use audience measurement, retargeting, or third-party trackers.

14. Changes to this privacy policy

This privacy policy may be updated if functions, legal requirements, or service providers change. The version published on this website applies.