Privacy Policy

Information on data processing in accordance with GDPR

Last updated: October 23, 2025

Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes, and to what extent when providing our application.

The terms used are not gender-specific.

Last updated: October 23, 2025

Data Controller

Emilio Irmscher
Max-Saupe-Straße 41
09131 Chemnitz, Germany

Email: privacy@symulate.dev

Legal Notice: https://platform.symulate.dev/impressum

Overview of Processing

The following overview summarizes the types of data processed and the purposes of processing and refers to the data subjects.

Types of Data Processed

  • Inventory data
  • Payment data
  • Contact data
  • Content data
  • Contract data
  • Usage data
  • Meta, communication and process data
  • Log data

Categories of Data Subjects

  • Service recipients and clients
  • Interested parties
  • Communication partners
  • Users
  • Business and contractual partners
  • Customers

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations
  • Communication
  • Security measures
  • Direct marketing
  • Reach measurement
  • Office and organizational procedures
  • Feedback
  • Marketing
  • Profiles with user-related information
  • Registration procedures
  • Provision of our online offering and user-friendliness
  • Information technology infrastructure
  • Business processes and business procedures

Legal Bases

Legal bases according to GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data:

  • Consent (Art. 6(1)(a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Contract performance (Art. 6(1)(b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6(1)(c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the different probabilities and severity of risks to the rights and freedoms of natural persons.

TLS/SSL encryption (HTTPS): To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. All data transmissions are encrypted to the highest security standards.

International Data Transfers

When we transfer data to third countries (outside the EU/EEA), we do so in accordance with legal requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of the EU Commission on July 10, 2023. Additionally, we have concluded Standard Contractual Clauses with the respective providers.

Data Storage and Deletion

We delete personal data in accordance with legal regulations as soon as consent is revoked or there are no further legal grounds for processing.

Retention periods under German law:

  • 10 years - Books, records, annual financial statements (§ 147 AO, § 257 HGB)
  • 8 years - Accounting documents such as invoices (§ 147 AO, § 257 HGB)
  • 6 years - Other business documents (§ 147 AO, § 257 HGB)
  • 3 years - Warranty and liability claims (§§ 195, 199 BGB)

Rights of Data Subjects

As a data subject under GDPR, you have the following rights:

  • Right of access (Art. 15 GDPR): You have the right to request confirmation as to whether personal data concerning you is being processed and to receive information about this data.
  • Right to rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate personal data.
  • Right to erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data under certain conditions.
  • Right to data portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used format.
  • Right to object (Art. 21 GDPR): You have the right to object to processing based on legitimate interests.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority.

Contact for Privacy Matters

For questions regarding data protection, please contact:
privacy@symulate.dev

Supervisory Authority

Sächsischer Datenschutzbeauftragter
(State Data Protection Commissioner of Saxony)
Bernhard-von-Lindenau-Platz 1
01067 Dresden
Germany
Email: saechsdsb@slt.sachsen.de
Phone: +49 351 85471-101

Third-Party Services

We use the following third-party services to provide our platform:

Supabase (Hosting & Database)

  • Location: EU (Frankfurt/Ireland)
  • Purpose: Database, authentication, edge functions
  • Data processed: User accounts, authentication data, cached mock data
  • Legal basis: Art. 6(1)(b) GDPR (contract performance)
  • DPA: https://supabase.com/legal/dpa

Stripe (Payment Processing)

  • Location: EU/USA
  • Purpose: Payment processing, subscription management
  • Data processed: Name, email, payment information
  • Legal basis: Art. 6(1)(b) GDPR (contract performance)
  • DPA: https://stripe.com/legal/dpa

OpenAI (AI Services)

  • Location: USA
  • Purpose: AI-powered mock data generation
  • Data processed: API request data (schemas, instructions)
  • Legal basis: Art. 6(1)(b) GDPR (contract performance)
  • Data transfer: Standard Contractual Clauses
  • DPA: https://openai.com/policies/data-processing-addendum

Resend (Email Service)

  • Purpose: Transactional emails (account verification, notifications)
  • Data processed: Email address, name
  • Legal basis: Art. 6(1)(b) GDPR (contract performance)

Cookies

We only use strictly necessary cookies for:

  • Authentication (Supabase session)
  • CSRF protection
  • Security

No tracking or marketing cookies are used.

Changes and Updates

We reserve the right to update this privacy policy as necessary to reflect changes in our data processing practices. We will inform you of any significant changes.

This privacy policy was created using the Datenschutz-Generator.de by Dr. Thomas Schwenke and customized for our platform.

Legal NoticeTerms of ServiceBack to Home