Privacy Policy
Transparent and understandable privacy policies for DivineMind.AI Services
Data Processing When Visiting Our Website
When accessing our website divinemind.ai, certain technical data are automatically processed to ensure the reliable and secure display of the page.
Data Collected:
- IP-Adresse (truncated after 7 days)
- Page accessed, date and time of the request
- Browser used, operating system, and language setting
- Referrer-URL (page from which you came to us)
Legal Basis: Art. 6 Abs. 1 lit. f DSGVO — legitimate interest in a stable, secure web presence.
Storage Duration: Server-Log-Daten are automatically deleted after 14 days, unless security incidents require longer retention.
We do not pass on these data to third parties and do not use them for profiling about you.
Contacting Us
If you contact us via email, contact form, or by placing an order, we process the data provided by you to handle your request.
Data Collected:
- Name, company, email address
- Telephone number (optional)
- Content of your message
Legal Basis:
- Art. 6 Abs. 1 lit. b DSGVO for contractual or pre-contractual communication
- Art. 6 Abs. 1 lit. f DSGVO for other inquiries
Storage Duration: As long as the inquiry is open, plus up to 3 years thereafter for evidentiary purposes. Statutory retention periods (e.g., according to UGB or BAO) remain unaffected.
Google Fonts
We use fonts from Google Fonts, but host them locally on our own servers in the EU. Therefore, no connection to Google's servers is established when you visit our page.
As a result, no IP-Adressen are transmitted to Google — not even to the USA.
Server-Logfiles
Our servers standardly log access data (so-called Logfiles) that your browser automatically transmits:
- IP-Adresse (truncated after 7 days)
- Date, time, time zone
- Content of the request (specific page)
- Access status / HTTP status code
- Amount of data transferred
- Browser type and version, operating system
- Referrer-URL
These data are used exclusively to ensure operation, detect attacks, and analyze errors. No merging with other data sources takes place.
Legal Basis: Art. 6 Abs. 1 lit. f DSGVO.
Storage Duration: generally 14 days.
Data Processing within Our SaaS Solutions
When you use DivineMind.AI as a Software-as-a-Service, we process the data that you or your employees enter into the platform (e.g., CRM contacts, invoices, emails, appointments, documents).
Processor Role: In this role, we act as a processor within the meaning of Art. 28 DSGVO. A data processing agreement (DPA) is part of our General Terms and Conditions or is provided separately.
Tenant-Isolation: Data are processed in a Tenant-isolated data model (each customer organization has its own company_id with logical separation). Cross-access between Tenants is excluded by the data model.
Hosting Location: All application and database servers are located in the EU (main region Frankfurt, Germany). Backups are also located in the EU.
Encryption: Data at rest are encrypted with AES-256, data in transit with current TLS (at least TLS 1.2).
No AI Training on Customer Data: We do not use your content for training or fine-tuning generic AI models (Zero-Training-on-Customer-Data). Models are used exclusively to fulfill the functions requested by you.
Sub-processors: An up-to-date list of sub-processors (e.g., Cloud-Infrastruktur, Mail-Versand, Zahlungsdienstleister) is available upon request via privacy@divinemind.ai.
Payment Data
For the processing of payments, we use Mollie B.V. (Amsterdam, Netherlands) as a payment service provider. Credit card, SEPA, or other payment data are transmitted directly from the browser to Mollie — we ourselves do not store complete payment data.
What we store:
- Mollie-Transaktions-ID
- Amount, currency, payment method (e.g., “SEPA”)
- Date and status of the payment
- Link to the invoice or subscription
Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract fulfillment), Art. 6 Abs. 1 lit. c DSGVO (statutory retention according to BAO, UGB).
Retention: 7 years after the end of the financial year in accordance with tax and corporate law requirements.
Your Rights as a Data Subject
As a data subject, you have the following rights under the DSGVO:
- Right of Access (Art. 15 DSGVO) — You can find out what data we process about you
- Right to Rectification (Art. 16 DSGVO) — You can have incorrect data corrected
- Right to Erasure (Art. 17 DSGVO) — You can request the erasure of your data, provided that no statutory retention periods prevent this
- Right to Restriction of Processing (Art. 18 DSGVO)
- Right to Data Portability (Art. 20 DSGVO) — Export of your data in a structured format
- Right to Object (Art. 21 DSGVO) to processing based on legitimate interests
- Right to Withdraw Consent (Art. 7 Abs. 3 DSGVO) — with effect for the future
Exercising Your Rights: An informal message to privacy@divinemind.ai is sufficient. We will respond within 30 days.
Right to Lodge a Complaint with a Supervisory Authority: You have the right to lodge a complaint with a data protection supervisory authority — in Austria with the Datenschutzbehörde (dsb.gv.at), in Germany with the respective competent state authority.
Storage Duration
We store personal data only for as long as it is necessary for the respective purpose or as statutory retention periods prescribe.
| Data Type | Storage Duration |
|---|---|
| Server-Logfiles | 14 days |
| Contact inquiries | up to 3 years |
| Contract data / Invoices | 7 years (UGB, BAO) |
| Accounting records | 7 years |
| Newsletter subscription | until revocation |
| OAuth-Tokens (Google, Microsoft) | until revocation, max. 7 days after inactivity |
| Customer SaaS-Data | for the duration of the contractual relationship + statutory retention periods |
Contact Details of the Controller
Controller within the meaning of the DSGVO is:
DivineMind.AI FlexCo GmbH
Burgring 1
1010 Wien
Österreich
Email: office@divinemind.ai
Data Protection Inquiries: privacy@divinemind.ai
Web: divinemind.ai
Data Protection Officer
An obligation to appoint a Data Protection Officer (DSB) according to Art. 37 DSGVO does not currently exist for DivineMind.AI FlexCo GmbH. Data protection concerns are handled directly by the management.
Should the legal requirements change (e.g., due to increasing processing volumes), we will appoint a DSB and update this privacy policy accordingly.
Data Protection Contact: privacy@divinemind.ai
Google API Services User Data Policy
DivineMind.AI integrates Google Workspace (Gmail, Google Calendar, Google Drive) via OAuth 2.0. This section describes what user data we retrieve, why we retrieve it, how we store it, and how it is deleted.
13.1 Requested Google-OAuth-Scopes
- gmail.readonly — is used by the Mail Agent to categorize Inbox content, extract invoice references, and identify follow-up candidates. Read-only access.
- gmail.send — is used by the Mail Agent and Finance Agent to send transactional emails (invoice dispatch, follow-ups, press pitches) on behalf of the authenticated user — with explicit instruction.
- gmail.modify — restricted to label management (adding/removing Agent labels). No deletion of messages.
- calendar.events — is used by the Calendar Agent to create, read, and update appointments in the user's primary calendar. Necessary for appointment bookings and sending invitations.
- calendar.readonly — for free/busy queries without write access.
- drive.file — restricted to files created or opened by DivineMind.AI (e.g., attaching generated invoices). No full access to the user's Drive.
- userinfo.email und userinfo.profile — for identification of the authenticated account.
13.2 How Google User Data are Used
Google user data are used exclusively to provide the functions that the user explicitly requests in DivineMind.AI:- Email content is processed to categorize incoming emails, draft replies, and extract invoice data, as instructed by the user to the Mail Agent or Finance Agent.
- Calendar data are read to suggest appointment slots and written to book appointments requested by the user or the AIRIS-Portal-Agent.
- Drive files created by DivineMind.AI (invoices, offers, exports) are stored in the user's Drive if the user activates this.
13.3 How Google User Data are Stored
OAuth-Access- and Refresh-Tokens are encrypted at rest and stored on EU-servers (Frankfurt, Germany). Message content is processed transiently: We retrieve the specific message an Agent is currently responding to, process it, and do not retain the full message body beyond the ongoing task. Derived metadata (category labels, extracted invoice fields) are stored in the customer's isolated Tenant-Datenbank, also in the EU. We never copy the entire mailbox or calendar into our own data storage.13.4 How Google User Data are Shared
We do not sell, rent, trade, or share Google user data with third parties for advertising, marketing, or analytical purposes. We do not use Google user data to train or fine-tune general AI or Machine-Learning models. Processing takes place exclusively within the user's Tenant-Kontext.13.5 How Google User Data can be Deleted
The user retains control at all times:- Revoke DivineMind.AI's access directly on the Google account permissions page at myaccount.google.com/permissions.
- Disconnect within DivineMind.AI under Settings → Connected Accounts. This deletes stored Tokens and derived metadata within 24 hours.
- Request complete deletion of all account data via email to privacy@divinemind.ai. We will respond within 30 days.
13.6 Limited-Use-Compliance
DivineMind.AI's use and transfer of information received from Google APIs to other apps adhere to the Google API Services User Data Policy, including the Limited-Use requirements.13.7 Data Protection Contact
Questions regarding the handling of Google user data: privacy@divinemind.ai. Controller: DivineMind.AI FlexCo GmbH, Wien, Österreich.Microsoft Graph API Data Use
DivineMind.AI integrates Microsoft 365 (Outlook, Calendar) via the Microsoft Graph API using OAuth 2.0. The policy described below is consistent in content with our Google-OAuth-Policy: minimum-Scope-principle, EU-storage, no model training, access revocable at any time.
14.1 Requested Microsoft-Graph-Scopes
- Mail.Read — the Mail Agent reads the Inbox for categorization and data extraction.
- Mail.Send — the Mail Agent sends on behalf of the user with explicit instruction.
- Calendars.ReadWrite — the Calendar Agent books and manages appointments.
- User.Read — for identification of the authenticated account.
- offline_access — enables background Refresh as long as consent is active.
14.2 Storage, Sharing, Deletion
Tokens are stored encrypted on EU-servers. Message content is processed transiently and not persisted. Data are never shared with third parties, never used for advertising, and never used for training generic AI models.The user can revoke access at any time — either under myaccount.microsoft.com or in DivineMind.AI under Settings → Connected Accounts. Tenant-Admins can additionally restrict or remove the app under entra.microsoft.com (Enterprise Applications).