Privacy Policy
Last updated: April 30, 2026
1. Controller
Justus Gotthardt & Lukas Gogol GbR, Birkenauer Str. 51, 68309 Mannheim, Germany.
Contact: kontakt@jl-studios.de
2. Data We Collect
| Category | Data | Purpose |
| Account | Name, email, hashed password | Authentication, service delivery |
| Usage | Pages visited, features used, ratings | Product improvement, personalization |
| Cookies | Session token, middleware session, consent preferences | Login persistence, OAuth state, compliance |
| Pipeline | URLs submitted for analysis, extracted company data (name, address, size, products, jobs, news) | Core service functionality |
| Contact enrichment | Decision-maker names, email addresses, phone numbers, job titles | Lead generation for your outreach (per-user, never shared) |
| CRM connection | OAuth tokens (encrypted), CRM portal ID, sync preferences | Syncing leads to your CRM |
| Mailbox connection | Gmail OAuth tokens (encrypted), authenticated email address | Sending B2B outreach from your mailbox (only when you click Send) |
| Outreach configuration | Pitch, email signature, Impressum URL, attestation timestamp, template content | Composing the emails you send |
| Outreach audit log | Per-send: subject, body, recipient, Gmail message-id, timestamps | Audit trail for compliance, retained per §8 |
3. Contact Enrichment & Data Isolation
When you save a company as "Interested", we may use third-party services to find decision-maker contact information (name, email, phone, job title). This data is:
- Stored per-user — your enrichment results are never visible to other users, even if they analyze the same company
- Encrypted at rest — contact data and OAuth tokens are encrypted using AES-128 before database storage
- Not used for training — we never use your enrichment data, CRM data, or contact information to improve our models, train algorithms, or benefit other users
- Deletable on request — you can request deletion of all enrichment data at any time
4. CRM Integration
You may optionally connect a third-party CRM (such as HubSpot) via OAuth 2.0. When connected:
- We create company and contact records in your CRM when you save a lead
- We read company domains from your CRM to avoid showing duplicates in your feed
- We never modify or delete your existing CRM data
- We never access CRM data beyond what is needed to operate the integration
- OAuth tokens are encrypted at rest and stored separately from your CRM data
- You can disconnect at any time from Feed Settings — this revokes access and removes synced blocklist data
4a. Mailbox Connection & Outreach
You may optionally connect a mailbox (Gmail) via OAuth 2.0 to send B2B outreach drafted by Surfacer. When connected:
- We send only the emails you click Send on — the feature is not autonomous; the From: header is your authenticated mailbox address
- We request the minimum scope necessary — gmail.send only; we do not read your inbox, list messages, or access labels
- OAuth tokens are encrypted at rest using application-level encryption (Fernet/AES-128) before database storage
- For each send, we retain an audit row (subject, body, recipient, Gmail message-id, status, timestamps) so compliance disputes can be reconstructed
- You are the legal sender for every email composed and sent through the feature. The legal responsibilities of an email sender (UWG §7, Art. 6(1)(f) GDPR / berechtigtes Interesse, anti-spam) sit with you. Surfacer acts as a tool / processor for the composing and sending step
- If you provide an Impressum URL, you attest that the linked page is your own legitimate business identification page in compliance with §5 TMG. We do not verify ownership; the truthful-attestation burden is yours
- You can disconnect at any time from Settings → Outreach — this revokes the OAuth grant and disables further sends; the audit log of past sends is retained per §8
5. Legal Basis (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)) — account management, pipeline execution, contact enrichment, CRM sync
- Consent (Art. 6(1)(a)) — analytics cookies (only with your opt-in), CRM connection (you initiate)
- Legitimate interest (Art. 6(1)(f)) — security, fraud prevention, essential cookies, de-duplication of leads
6. Cookies
| Cookie | Type | Purpose | Duration |
| session | Essential | Login session (JWT) | 30 days |
| surfacer_mw | Essential | Server-side session state (OAuth flow) | Session |
| cookie_consent | Essential | Cookie preferences | 365 days |
| lang | Functional | Language preference | 365 days |
You can manage your cookie preferences at any time using the cookie settings button in the page footer.
7. Third-Party Processors
| Processor | Purpose | Data shared | Location |
| OpenAI | LLM processing for data extraction | Website content for analysis | US |
| Hunter.io | Decision-maker email lookup | Company domain, managing director name | EU |
| HubSpot | CRM sync (only if you connect) | Company data, contacts you save | EU |
| Stripe | Payment processing | Payment details (handled by Stripe) | US/EU |
| ScrapingBee | Web page fetching | URLs for content extraction | EU |
| Google (Gmail API) | Sending outreach emails (only if you connect) | Drafted email body, subject, recipient | EU/US |
| AWS | Infrastructure hosting | All application data | EU (Frankfurt) |
All processors are bound by data processing agreements. Data is transferred only as necessary for the stated purpose.
8. Data Retention
- Account data — retained while your account is active
- Pipeline results — retained while your account is active
- Enrichment data — retained while your account is active; deleted when you disconnect CRM or request deletion
- CRM tokens — deleted immediately when you disconnect; automatically invalidated if revoked on the CRM side
- Mailbox tokens — deleted immediately when you disconnect; automatically invalidated if you revoke the OAuth grant from your Google account
- Outreach audit log — retained while your account is active for compliance and dispute reconstruction; deletable on request alongside other account data
- All data — deleted within 30 days of account deletion request
9. Security
We protect your data through:
- Application-level encryption (AES-128) for OAuth tokens and sensitive credentials
- Database encryption at rest (AWS RDS)
- HTTPS-only transport (TLS 1.2+)
- Per-user data isolation for contact enrichment results
- CSRF protection on all state-changing requests
- Input sanitization to prevent cross-site scripting
10. Your Rights
Under GDPR you have the right to access, rectify, and erase your data, to restrict processing, to data portability, and to object to processing. You can exercise these rights by contacting us at kontakt@jl-studios.de. We will respond within 30 days.
11. Contact
For privacy-related requests: kontakt@jl-studios.de