Skip to main content
Sylvon
Sign InGet Started

Privacy Policy

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

Benjamin Pahl
Agnes-Miegel-Str. 5, 24782 Büdelsdorf, Germany
Email: [email protected]

2. Data Collected

2.1 Account Data

When registering, we collect the following personal data:

  • Name
  • Email address
  • Password (stored encrypted)

2.2 Usage Data

When using the application, the following data is processed:

  • Tasks and notes you create
  • Team memberships and invitations
  • Activity logs for changes

2.3 Contact Data

If you use the contact management feature, the following data about your contacts is stored:

  • Names and display names
  • Phone numbers
  • Email addresses
  • Physical addresses
  • Social media profiles and identifiers
  • Free-text notes about contacts
  • Relationship information between contacts
  • Important dates (birthdays, anniversaries)

Contact data is retained as long as your account is active. Soft-deleted contacts are permanently purged after 30 days. All contact data remains on your instance and is not transferred to external services, except when AI features are explicitly used (see Section 5.2).

2.4 Financial Data

If you use the personal finance feature, the following data is processed:

  • Bank account names, account type, and financial institution
  • Account balances
  • Transaction data (date, amount, description, counterparty)
  • Budget envelopes and allocations

Financial data is subject to a legal retention period of 8 years pursuant to AO § 147. After account deletion, financial data is retained for this period and then permanently deleted.

2.5 Document Data

If you use the document management feature, the following data is processed:

  • Uploaded files and their contents
  • Document metadata (title, type, correspondent, date, tags)
  • OCR-extracted text (when text extraction is enabled)

Document data is retained as long as your account is active. Deleted documents are permanently removed after 30 days.

2.6 Wiki Data

If you use the wiki feature, the following data is processed:

  • Wiki pages with titles and contents
  • Tags and categories
  • Attachments and embedded files
  • Version history of edits

Wiki data is retained as long as your account is active. Deleted wiki pages are permanently removed after 30 days.

2.7 Email Account Data

If you use the email account feature, the following data is processed:

  • Internal email address
  • Custom vanity address
  • Vanity address change history

Email account data is retained as long as your account is active. Upon account deletion, all email account data is permanently removed.

3. Legal Basis for Processing

The processing of your data is based on the following legal grounds:

  • Art. 6 para. 1 lit. b GDPR - Contract fulfillment: Processing is necessary to provide the service.
  • Art. 6 para. 1 lit. f GDPR - Legitimate interests: To improve and secure our service.

4. Cookies and Local Storage

4.1 Authentication Cookies

We use a session cookie (NextAuth JWT) for authentication. This cookie is technically necessary and stores your session information for up to 30 days. Without this cookie, logging in is not possible.

4.2 Local Storage

We use your browser's local storage for functional purposes:

  • Workspace selection (which team/personal area is active)
  • Sidebar state (expanded/collapsed)

This storage is solely for the functionality of the application. No tracking or analysis takes place.

5. Third-Party Services

5.1 GitHub OAuth

We offer sign-in via GitHub. When using this option, your public GitHub profile information (name, email, avatar) is transmitted to us. GitHub's privacy policy can be found at: GitHub Privacy Statement

5.2 Anthropic (AI Processing)

We use Anthropic's Claude API to provide several AI-powered features. Each feature processes different data and relies on a specific legal basis under GDPR. Data is transmitted to Anthropic Ireland, Limited (EU entity).

AI Chat

When you use the AI Chat feature, your messages and any attached files are sent to Anthropic's Claude API for processing. This feature is entirely optional.

Legal basis: Art. 6(1)(a) GDPR — your explicit consent, collected before first use via the AI processing consent prompt.

Document Classification

When AI classification is enabled, document text (OCR content) is sent to Anthropic's Claude API for automated metadata extraction (title, type, correspondent, date, tags). Alternatively, classification can use rules-based logic without any data leaving your server.

Legal basis: Art. 6(1)(a) GDPR — your explicit consent for AI (cloud) classification. Rules-based processing does not involve third-party data transfers.

Contact Resolution

When you use AI features such as brain dump parsing or contact resolution, contact names and contextual information may be sent to Anthropic's Claude API to match and link contacts. This feature is optional and only active when explicitly triggered.

Legal basis: Art. 6(1)(a) GDPR — your explicit consent, collected before first use via the AI processing consent prompt.

Content Moderation

Chat messages are checked for harmful content before processing. This moderation step uses Anthropic's API to ensure the safety and integrity of the platform.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in preventing abuse and maintaining platform safety.

Common Protections

  • Anthropic does not use API content for model training.
  • Anthropic retains API inputs and outputs for up to 30 days for safety and abuse prevention purposes, after which they are deleted.
  • Processing is governed by Anthropic's Data Processing Agreement (DPA), which includes standard contractual clauses for data transfers.

Right to Withdraw Consent

You can withdraw your AI processing consent at any time under Account Settings. Withdrawing consent disables AI Chat and cloud-based document classification immediately. Content moderation (legitimate interest) continues to operate independently.

Anthropic Privacy Policy

5.3 Processors and Sub-Processors

In accordance with Art. 28(3)(h) GDPR, we inform you about the following processors involved in the processing of your personal data:

ProcessorPurpose and Data ProcessedLocation / Legal FrameworkDPA Status
GitHub, Inc.OAuth authentication — processes public profile data (name, email, avatar) when signing in via GitHub.USA (EU-US Data Privacy Framework adequacy decision)Not required — GitHub acts as identity provider (controller), not as data processor. Only public profile data during user-initiated OAuth sign-in.
Hetzner Online GmbHHosting provider — processes all user data in transit and at rest on our infrastructure.Germany (EU)Data Processing Agreement active
Anthropic Ireland, LimitedAI processing — processes chat messages, document text, and contact data when AI features are used (see Section 5.2).EU entity; data processing governed by DPA with standard contractual clausesData Processing Agreement active (incl. standard contractual clauses)
Matomo (self-hosted)Product analytics — processes anonymized usage data to improve the service.Germany (self-hosted on Hetzner infrastructure)Not required (self-hosted, no data transfer to third parties)

6. Data Storage and Deletion

Your data is stored as long as your account is active. When you delete your account, all personal data will be deleted within 30 days, unless legal retention requirements apply.

7. Your Rights

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) - You can request information about your stored data.
  • Right to rectification (Art. 16 GDPR) - You can request the correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR) - You can request the deletion of your data.
  • Right to data portability (Art. 20 GDPR) - You can receive your data in a machine-readable format.
  • Right to object (Art. 21 GDPR) - You can object to the processing of your data.

To exercise these rights, please contact us via email at the address above.

8. Right to Complain

You have the right to complain to a data protection supervisory authority about the processing of your personal data. The competent supervisory authority depends on your place of residence.

9. Changes to this Privacy Policy

We reserve the right to adapt this privacy policy to adapt it to changed legal situations or changes to the service. The current version can always be found on this page.

Last updated: April 2026