Privacy Policy

1. Controller

Information about the controller (Art. 4(7) GDPR):

Outcomet

Andy Görnt

Amalie-Baader-Str. 1

76137 Karlsruhe

If required by law:
Data Protection Officer: Andy Görnt

2. General Information

We take the protection of your personal data seriously. This Privacy Policy explains what data we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR).

Personal data means any information relating to an identified or identifiable natural person.

3. Data Processing Overview

3.1 Website Access (Server Logs)

When you access our website, we automatically collect:

  • IP address
  • Browser type and version
  • Operating system
  • Referrer URL
  • Timestamp of request

Purpose: Ensuring system security and stability.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest)

3.2 Account Creation and Product Usage

When you create an account and use Outcomet, we process:

  • email address
  • account credentials
  • workspace and user settings
  • product interactions
  • structured data you create (e.g. strategies, opportunities, capabilities, stories)

Purpose: Providing and operating the platform, authentication, and enabling core functionality.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract)

3.3 Feedback and User-Generated Content

Outcomet enables you to submit and manage feedback and related content. We process:

  • feedback submissions
  • comments and notes
  • linked artifacts and signals
  • derived structures (e.g. themes, insights, relationships)

Purpose: Operating core product features and enabling structured product learning.

Legal basis: Art. 6(1)(b) GDPR

3.4 Signal Processing and Analytics

We process interaction data and external signals connected to your workspace, such as:

  • engagement metrics
  • imported external content (e.g. links, posts)
  • signal trends and derived metrics

Purpose: Providing insights, aggregation, and system functionality.

Legal basis: Art. 6(1)(b) GDPR

3.5 AI-Supported Processing

We use AI systems to analyze and process data within the platform. This may include:

  • classification of feedback
  • clustering of themes
  • generation of insights
  • summarization of content

Data processed may include any content you provide in the product.

Purpose: Enhancing product functionality and supporting decision-making.

Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR (service improvement)

Note: No automated decision-making with legal or similarly significant effects takes place.

4. Hosting and Infrastructure

4.1 Netlify

We use Netlify Inc., 2325 3rd Street, Suite 296, San Francisco, CA 94107, USA for hosting. Netlify processes:

  • server logs
  • technical request data

Data transfer to the USA is safeguarded by Standard Contractual Clauses (Art. 46 GDPR).

4.2 Supabase

We use Supabase Inc., USA, as our database and backend provider. Supabase processes:

  • user account data
  • application data
  • authentication data

Data transfer is based on Standard Contractual Clauses.

5. Communication and Email Delivery

5.1 Resend

We use Resend Inc., USA, to send transactional emails. This includes:

  • account confirmation emails
  • password reset emails
  • product notifications

Legal basis: Art. 6(1)(b) GDPR

Data transfer is safeguarded via Standard Contractual Clauses.

6. AI Service Providers

We use third-party AI providers to process and analyze data. Depending on the feature, this may involve providers located outside the EU, including the USA.

Processed data may include:

  • text inputs
  • feedback content
  • generated structures and insights

Safeguards:

  • Standard Contractual Clauses (Art. 46 GDPR)
  • Data minimization principles

7. Cookies and Local Storage

We use cookies and similar technologies.

7.1 Necessary Technologies

These are required for the operation of the platform, such as:

  • authentication
  • session management
  • security

Legal basis: Art. 6(1)(f) GDPR

7.2 Optional Technologies

If optional tools (e.g. analytics) are used, they are only activated with your consent.

Legal basis: Art. 6(1)(a) GDPR

8. Data Retention

We retain personal data only as long as necessary:

  • account data: until account deletion
  • user-generated content: until deletion by user or account closure
  • server logs: typically up to 14 days
  • backups: retained for a limited period for security purposes

9. International Data Transfers

Data may be transferred to countries outside the European Union, particularly the USA.

Where this occurs, we ensure appropriate safeguards:

  • Standard Contractual Clauses (Art. 46 GDPR)

10. Your Rights

You have the following rights under GDPR:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)

You also have the right to lodge a complaint with a supervisory authority. In Germany, this is typically the authority of your federal state.

11. Security

We implement appropriate technical and organizational measures (TOMs) to protect your data, including:

  • encryption in transit
  • access controls
  • secure infrastructure

12. Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes in legal requirements or our services.

The current version is always available on our website.