Privacy Policy

Per GDPR / DSGVO and German BDSG · Last updated: May 2026

⚠ The German Datenschutzerklärung is the legally binding version. This English translation is provided for convenience only.

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

VebiSoft · Owner Vebi Fejzuli
Ernst-Heinkel-Straße 14
71404 Korb (Rems-Murr-Kreis), Germany
Email: info@vebisoft.com
Phone: +49 176 32223663

ChatBlitz is operated by VebiSoft (owner Vebi Fejzuli).

2. Purposes & legal basis

We process personal data only for the purposes described below. The legal bases are Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(f) GDPR (legitimate interests) and, where consent is required, Art. 6(1)(a) GDPR. Personal data is deleted as soon as the purpose of processing ceases and no statutory retention obligations remain.

3. Server log files (Vercel hosting)

When you access our site, our hosting provider Vercel automatically collects:

  • IP address (anonymised after 14 days)
  • Date and time of the request
  • Browser type and version
  • Operating system
  • Referrer URL and accessed page

Legal basis: Art. 6(1)(f) GDPR. Retention: 14 days.

4. Cookies

Only strictly necessary cookies (session, language preference). No tracking, no advertising cookies, no profiling.

5. ChatBlitz service: processing of WhatsApp messages

ChatBlitz is an AI-powered WhatsApp assistant that automatically replies to WhatsApp messages on behalf of our business customers. The following personal data is processed:

a) Data of our business customers (B2B):

  • Name, business address, email, phone number
  • Invoicing and payment data
  • AI assistant configuration and knowledge data
  • Login data and authentication (email, Google OAuth, Facebook OAuth)

b) Data of end-users of our business customers (people who send messages to our customer's WhatsApp number):

  • Phone number (provided by WhatsApp)
  • WhatsApp profile name (where public)
  • Content of messages exchanged (text, media)
  • Timestamps and conversation history

Legal basis:

  • For business customers: Art. 6(1)(b) GDPR (contract performance).
  • For end-users: data processing under Art. 28 GDPR on behalf of our business customers, who must rely on their own legal basis (e.g. end-user consent under § 7 UWG / Art. 6 GDPR).

5a. Transparency under the EU AI Act

Under Article 50 of the EU Artificial Intelligence Regulation (AI Act), we make the following explicit disclosure: end-users who communicate with our business customers via WhatsApp initially interact with an AI assistant. A corresponding notice is surfaced at the start of every conversation, for example:

"Notice: You are initially communicating with an AI assistant. A human can take over when needed."

Business customers are contractually obligated to ensure this transparency toward their end-users.

6. WhatsApp Business Platform (Meta) — independent provider

We use the WhatsApp Business Platform (Cloud API) operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.

Meta is not a processor under Art. 28 GDPR; Meta is an independent provider acting as a separate controller within the meaning of Art. 4(7) GDPR. Meta processes message content, metadata and phone numbers for its own purposes under the WhatsApp Terms and Privacy Policy. Use of the WhatsApp Business Platform requires business customers and end-users to accept Meta's terms. We have no influence over the scope of Meta's processing.

The applicable Meta terms and notices are:

Transfers may also reach third countries (outside the EU/EEA). Meta relies on Standard Contractual Clauses (Art. 46(2)(c) GDPR) and the EU-US Data Privacy Framework. Legal basis: Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR.

7. AI processing (Azure OpenAI Frankfurt)

For automated reply generation we use the Azure OpenAI Service, operated by Microsoft Ireland Operations Limited, in the Frankfurt region (Germany West Central), Germany.

The following data is sent to Azure OpenAI:

  • Incoming message content (text)
  • Configured bot instructions ("system prompt")
  • Limited conversation context for relevant reply generation

Key safeguards:

  • Processing in the EU region Frankfurt (Germany West Central) per current configuration 🇩🇪
  • Encrypted transit (TLS 1.3)
  • A Data Processing Agreement (DPA) under Art. 28 GDPR is in place with Microsoft
  • A contractually guaranteed "Zero Data Retention" (full opt-out from any transient storage) is not uniformly available for every model and region and depends on the specific terms agreed between ChatBlitz and Microsoft. By default, Microsoft may transiently store inputs and outputs for abuse monitoring unless this feature has been excluded.

Independently of the above: your data is NOT used to train any AI model. Microsoft does not train its foundation models on Azure OpenAI customer data. Legal basis: Art. 6(1)(b) GDPR and Art. 28 GDPR.

8. Data storage (Supabase, EU region)

We store conversation data, configurations and customer data in an encrypted PostgreSQL database operated by Supabase Inc. (970 Toa Payoh North, Singapore). The primary data location is the EU region Frankfurt 🇩🇪.

A DPA under Art. 28 GDPR is in place with Supabase, including Standard Contractual Clauses (SCC) under Art. 46(2)(c) GDPR. Supabase is a US-based company; support and engineering activities, as well as some sub-processors, may be located in third countries (including the USA). Absolute exclusion of third-country transfers therefore cannot be guaranteed. Routine data storage and processing run in the EU region. Legal basis: Art. 6(1)(b) GDPR, Art. 28 GDPR and Art. 46 GDPR.

9. Hosting (Vercel)

The ChatBlitz web application is hosted with Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA). Function execution runs in EU regions. Transfers to the USA are based on Standard Contractual Clauses per Art. 46(2)(c) GDPR and the EU-US Data Privacy Framework. Legal basis: Art. 6(1)(f) GDPR.

9a. Vercel Web Analytics

This website uses Vercel Web Analytics, a privacy-friendly analytics service by Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA), to obtain aggregated information about page views, countries of origin, devices used and general website usage. The analysis serves exclusively for technical improvement, reach measurement and optimisation of our online offering. According to the provider, Vercel Web Analytics does not use cookies for advertising purposes and does not create personal user profiles for cross-site tracking.

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in the analysis, security and improvement of our online offering. A cookie consent banner is not required for Vercel Web Analytics as no advertising cookies or cross-site profiles are created. Should tracking tools such as Google Analytics, Meta Pixel or advertising networks be introduced in the future, they will only load after explicit consent.

Transfers to the USA are based on Standard Contractual Clauses (Art. 46(2)(c) GDPR) and the EU-US Data Privacy Framework.

10. Email routing (Cloudflare)

For routing email to info@chatblitz.de and similar addresses we use Email Routing by Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA). US transfers are based on Standard Contractual Clauses. Legal basis: Art. 6(1)(f) GDPR.

11. Facebook Login for Business (OAuth)

For authenticating our business customers we use "Facebook Login for Business" by Meta Platforms Ireland Limited. The following data is transmitted on login:

  • Facebook User ID
  • Name and email (where shared)
  • Access tokens to manage WhatsApp Business Account assets

This data is used solely for authentication and managing the WhatsApp integration. Legal basis: Art. 6(1)(b) GDPR.

12. Sub-processors (Art. 28 GDPR)

We engage the following processors:

  • Microsoft Ireland Operations Ltd. — Azure OpenAI Service; processing location: Frankfurt 🇩🇪.
  • Supabase Inc. — database, authentication, storage; processing location: Frankfurt 🇩🇪.
  • Vercel Inc. — web hosting and web analytics (Vercel Web Analytics); processing location: EU regions 🇪🇺.
  • Cloudflare, Inc. — email routing; USA, Standard Contractual Clauses (Art. 46(2)(c) GDPR).
  • Resend Inc. — transactional email delivery; Standard Contractual Clauses (Art. 46(2)(c) GDPR).
  • Sentry Inc. — error and performance monitoring; USA (Sentry.io, San Francisco), Standard Contractual Clauses (Art. 46(2)(c) GDPR). Data processed: error logs, technical metadata, anonymised user identifiers where applicable.

Note on Meta Platforms Ireland Ltd.: With respect to the WhatsApp Business Platform (Cloud API), Meta is not a processor under Art. 28 GDPR; Meta acts as an independent controller under Art. 4(7) GDPR. See Section 6 above for details.

An updated list is available on request.

13. Retention periods

  • WhatsApp conversations: up to 12 months, then automatically deleted
  • Knowledge data (FAQs, documents): until deleted by the customer
  • Account data: 30-day soft-delete after deletion request, then full removal
  • Invoicing and tax data: up to 10 years per § 147 AO / § 257 HGB
  • Server logs: 14 days; security logs: 30 days

14. Your rights

You have the following rights at all times:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR) — see Data Deletion
  • Restriction (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection (Art. 21 GDPR)
  • Withdrawal of consent (Art. 7(3) GDPR)
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

A JSON export is available in the dashboard. Send requests to info@vebisoft.com.

15. Right to lodge a complaint

Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Königstraße 10a, 70173 Stuttgart, Germany
Phone: 0711 / 615541-0
Email: poststelle@lfdi.bwl.de
baden-wuerttemberg.datenschutz.de

16. Data Processing Agreement (DPA)

With every business customer (B2B) we conclude a mandatory DPA under Art. 28 GDPR. The DPA forms an integral part of the main contract and is deemed concluded upon contract formation. The current version is available for download in the dashboard.

17. Special / sensitive data

ChatBlitz is a general B2B communication tool and is not designed by default for the processing of special categories of personal data under Art. 9 GDPR. This includes in particular:

  • Health data (doctor-patient communication, diagnoses, prescriptions)
  • Client and professional-secrecy data of lawyers and notaries (§ 203 StGB)
  • Data of tax advisors and auditors (§ 203 StGB / § 57 StBerG)
  • Insurance and claims data with a health context
  • Data on religion, ethnicity, sexual orientation or political views
  • Biometric and genetic data

Business customers in regulated professions (doctors, clinics, lawyers, tax advisors, insurance brokers, etc.) may use ChatBlitz to process such data only on the basis of a separate written agreement with ChatBlitz (in particular a supplementary DPA with professional-secrecy protection, configuration of the knowledge base, choice of sub-processors and access controls). End-users must be explicitly advised not to submit such data via the bot — the AI assistant is not intended for individual diagnoses, legal or tax advice. Business customers are required to surface corresponding notices in their bot configuration and end-user communication.

Where sensitive data is processed without such a supplementary agreement, sole responsibility lies with the respective business customer as the controller under Art. 4(7) GDPR.

18. Data security

Data is transmitted over TLS 1.3. API keys and access tokens are stored encrypted on the server with AES-256-GCM.

19. Updates

We may update this Privacy Policy to reflect new legal requirements or changes to our services.

© 2026 VebiSoft — owned by Vebi Fejzuli. All rights reserved.