Privacy Policy

1. Data Controller

The controller responsible for data processing on this website is:

Kaufmann Elsner GbR

Email: privacy@workshopweaver.com

2. Overview

This privacy policy explains how Workshop Weaver ("we," "our," or "us") collects, processes, and protects your personal data when you visit our website (workshopweaver.com) or use our AI-powered workshop planning platform. We take the protection of your personal data very seriously and process it in compliance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications-Telemedia Data Protection Act (TTDSG).

3. Data We Collect

3.1 Data you provide directly

• Account information: Name, email address, and password when you register
• Workshop content: Workshop goals, agendas, notes, and planning data you create
• Contact inquiries: Name, email, and message content when you use our contact form (processed via HubSpot)
• Payment information: Billing details processed by our payment provider Stripe — we do not store credit card numbers on our servers

3.2 Data collected automatically

• Server log data: IP address, browser type, operating system, referring URL, pages visited, date and time of access
• Cookies and similar technologies: See Section 5 for details
• Usage data (with consent): Interaction patterns, feature usage, and session data collected via analytics tools

4. Legal Basis for Processing

We process your personal data on the following legal bases under Art. 6(1) GDPR:

• Consent (Art. 6(1)(a) GDPR): For analytics cookies, marketing tools, and newsletter subscriptions. You may withdraw your consent at any time.
• Contract performance (Art. 6(1)(b) GDPR): For providing our SaaS platform, managing your account, processing payments, and delivering the service you subscribed to.
• Legal obligations (Art. 6(1)(c) GDPR): For tax and accounting records, and compliance with legal retention requirements.
• Legitimate interests (Art. 6(1)(f) GDPR): For server log files (IT security), fraud prevention, and improving our services. Our legitimate interest is ensuring a secure, stable, and user-friendly platform.

5. Cookies and Tracking Technologies

We use cookies and similar technologies on our website. In accordance with § 25 TTDSG, we only set non-essential cookies after obtaining your explicit consent via our cookie consent banner.

5.1 Necessary cookies

These cookies are required for the website to function and cannot be disabled.

5.2 Analytics cookies (consent required)

These cookies help us understand how visitors interact with our website.

5.3 Marketing cookies (consent required)

These cookies are used for marketing and lead tracking.

*Google may transfer data to the USA. This transfer is based on the EU-US Data Privacy Framework (adequacy decision by the European Commission, July 2023). Google LLC is certified under the framework.

6. Third-Party Service Providers

We use the following third-party services to operate our platform:

6.1 Stripe (Payment Processing)

We use Stripe Inc. (510 Townsend Street, San Francisco, CA 94103, USA) to process payments. When you subscribe to a paid plan, your payment data (credit card number, billing address) is transmitted directly to Stripe. We do not store your full payment details on our servers. Stripe is certified under the EU-US Data Privacy Framework. Legal basis: Art. 6(1)(b) GDPR (contract performance). Stripe Privacy Policy

6.2 HubSpot (CRM & Contact Forms)

We use HubSpot Inc. (25 First Street, Cambridge, MA 02141, USA) for our contact forms and customer relationship management. Data submitted through contact forms is stored in HubSpot's EU data center (eu1 region). Legal basis: Art. 6(1)(a) GDPR (consent) for marketing; Art. 6(1)(b) GDPR for contact inquiries. HubSpot Privacy Policy

6.3 PostHog (Product Analytics)

We use PostHog Inc. for product analytics. Data is processed in the EU (eu.i.posthog.com). PostHog is only activated after you give consent via our cookie banner. Legal basis: Art. 6(1)(a) GDPR (consent). PostHog Privacy Policy

6.4 Google Tag Manager

We use Google Tag Manager (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to manage tracking scripts. GTM itself does not collect personal data but triggers other tools that may. It is only activated after you give consent. Legal basis: Art. 6(1)(a) GDPR (consent). Google Privacy Policy

6.5 Vercel (Hosting)

Our website is hosted on Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA). Vercel processes server log data (IP addresses, request metadata) for the purpose of delivering the website. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reliable hosting). Vercel Privacy Policy

6.6 Anthropic (AI Processing)

We use the API of Anthropic, PBC (548 Market St, PMB 90375, San Francisco, CA 94104, USA) to power our AI features, including workshop agenda generation (Claude Opus) and the briefing chat (Claude Sonnet). When you use these features, the content you enter (workshop goals, context, constraints) is transmitted to Anthropic's API for processing.

• Anthropic does not use API inputs or outputs to train its models by default (as per Anthropic's API usage policy).
• Data is transferred to the USA. This transfer is safeguarded by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
• We do not transmit personal data about third parties (e.g., workshop participants) to Anthropic. You should avoid entering personal data of others into AI input fields.
• Legal basis: Art. 6(1)(b) GDPR (contract performance — AI generation is a core feature of the paid service).

Anthropic Privacy Policy

6.7 Facilitation Methods Library

Our facilitation methods library (workshopweaver.com/facilitation-methods) contains descriptions of facilitation methods. These are either original content, openly licensed content (Creative Commons), or content rewritten in our own words. Methods sourced from third parties are attributed accordingly on each method page. No personal data is processed in connection with browsing the methods library.

7. Data Transfers to Third Countries

Some of our service providers are based in the United States. Where personal data is transferred to the USA, this is safeguarded by:

• EU-US Data Privacy Framework: For providers certified under the framework (Google, Stripe, Vercel)
• Standard Contractual Clauses (SCCs): For providers not covered by an adequacy decision
• EU-based processing: PostHog and HubSpot process data in their EU data centers

8. Data Retention

We retain your data only as long as necessary for the purposes described:

• Account data: For the duration of your account. Deleted within 30 days of account deletion request.
• Workshop content: For the duration of your account. Deleted with your account.
• Payment/billing records: 10 years after the end of the contract (German tax law, § 147 AO, § 257 HGB).
• Contact inquiries: 3 years after the last communication, or longer if required for legal claims.
• Server log files: 14 days.
• Analytics data: Anonymized or deleted after 26 months.

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR): Obtain confirmation of whether we process your data and request a copy.
• Right to rectification (Art. 16 GDPR): Request correction of inaccurate personal data.
• Right to erasure (Art. 17 GDPR): Request deletion of your personal data ("right to be forgotten").
• Right to restriction (Art. 18 GDPR): Request restriction of processing in certain circumstances.
• Right to data portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format.
• Right to object (Art. 21 GDPR): Object to processing based on legitimate interests at any time.
• Right to withdraw consent (Art. 7(3) GDPR): Withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@workshopweaver.com.

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority for us is:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)

Holstenstraße 98, 24103 Kiel, Germany

Phone: +49 431 988-1200

Website: www.datenschutzzentrum.de

11. AI Processing and Automated Decision-Making

Workshop Weaver uses artificial intelligence to generate workshop agendas and suggest facilitation methods based on your input. This AI processing:

• Is based on the information you voluntarily provide (workshop goals, team size, constraints)
• Does not produce legal effects or similarly significant decisions about you (Art. 22 GDPR does not apply)
• Does not use your workshop content to train AI models — Anthropic's API does not use API inputs for model training by default
• Is powered by Anthropic Claude (see Section 6.6) — your input is transmitted to Anthropic's servers in the USA for processing

Recommendation: Do not enter sensitive personal data about individuals (e.g., employees, participants) into AI input fields. Describe workshop goals and context in general terms where possible.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including TLS/SSL encryption for data in transit, encryption at rest for stored data, regular security audits, and access controls limiting data access to authorized personnel only.

13. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices or for legal reasons. We will notify registered users of material changes by email. The current version is always available at workshopweaver.com/privacy.

14. Contact

For questions about this privacy policy or your personal data, contact us at: privacy@workshopweaver.com