Privacy Policy

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

2. Data We Collect

We collect and process the following personal data:

• Registration data: Name, email address, phone number, company name, trade/specialty, and your chosen user role (client or contractor).
• Project data: Project descriptions, quotes, bills of quantities, photos, and other documents you create on the platform.
• Usage data: Log data, IP addresses, browser information, and access timestamps (for security and error diagnosis).
• Communication data: Messages and inquiries exchanged through the platform.

3. Purpose of Data Processing

We process your data for the following purposes:

• Provision and operation of the Hammerpreis platform
• Creation of quotes and bills of quantities with AI assistance
• Matching between clients and contractors
• Verification and quality assurance of trade businesses
• Platform security and protection against misuse
• Compliance with legal obligations

The legal basis is Art. 6(1)(b) GDPR (performance of a contract) for platform usage and Art. 6(1)(f) GDPR (legitimate interests) for security and misuse prevention.

4. Disclosure to Third Parties

We only disclose your data to third parties in the following cases:

• OpenAI: For AI-powered quote generation, project descriptions and documents are processed. We use the API of OpenAI (OpenAI Ireland Limited, 1 Grand Canal Street Lower, Dublin, D02 H210, Ireland). No personal data is transmitted unless you include it in project descriptions.
• Hosting provider: Our infrastructure is operated by Strato AG (Berlin, Germany). All data remains in Germany.
• Legal obligation: In response to government requests based on legal grounds.

Data is not disclosed to other third parties for marketing purposes.

5. Data Retention

We retain your data for as long as necessary for the respective purpose or as required by statutory retention periods (generally 6–10 years for business-relevant documents). Demo test data (accounts with @test.de emails) is automatically deleted after 24 hours. After deletion of your account, personal data will be removed within 30 days.

6. Your Rights

Under the GDPR, you have the following rights:

• Access (Art. 15 GDPR): You may request information about your stored data.
• Rectification (Art. 16 GDPR): You may request correction of inaccurate data.
• Erasure (Art. 17 GDPR): You may request deletion of your data ("right to be forgotten").
• Restriction (Art. 18 GDPR): You may request restricted processing.
• Data portability (Art. 20 GDPR): You may receive your data in a machine-readable format.
• Objection (Art. 21 GDPR): You may object to the processing of your data.

To exercise your rights, please contact: michael@runnable.vc. You also have the right to file a complaint with the competent supervisory authority (State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg).

7. Cookies and Local Storage

We exclusively use technically necessary cookies and local browser storage (localStorage) for authentication (JWT token). No tracking cookies or analytics services are used.

8. Security

All data transfers are encrypted via HTTPS/TLS. Passwords are hashed with bcrypt and never stored in plain text. Access to production systems is restricted to authorized personnel.

9. Changes to This Privacy Policy

We reserve the right to update this privacy policy in the event of changes to the platform or the legal framework. The current version is available at /privacy.