Privacy Policy

Transparent and understandable privacy policies for DivineMind.AI Services

Effective as of: 14 September 2025
Last update
1

Data Processing When Visiting Our Website

When accessing our website divinemind.ai, certain technical data are automatically processed to ensure the reliable and secure display of the page.

Data Collected:

  • IP-Adresse (truncated after 7 days)
  • Page accessed, date and time of the request
  • Browser used, operating system, and language setting
  • Referrer-URL (page from which you came to us)

Legal Basis: Art. 6 Abs. 1 lit. f DSGVO — legitimate interest in a stable, secure web presence.

Storage Duration: Server-Log-Daten are automatically deleted after 14 days, unless security incidents require longer retention.

We do not pass on these data to third parties and do not use them for profiling about you.

2

Contacting Us

If you contact us via email, contact form, or by placing an order, we process the data provided by you to handle your request.

Data Collected:

  • Name, company, email address
  • Telephone number (optional)
  • Content of your message

Legal Basis:

  • Art. 6 Abs. 1 lit. b DSGVO for contractual or pre-contractual communication
  • Art. 6 Abs. 1 lit. f DSGVO for other inquiries

Storage Duration: As long as the inquiry is open, plus up to 3 years thereafter for evidentiary purposes. Statutory retention periods (e.g., according to UGB or BAO) remain unaffected.

3

Cookies

Our website uses Cookies. Cookies are small text files that are stored on your device and support the functioning of the page.

We distinguish between:

  • Technically necessary Cookies — e.g., session management, language selection, login status. Without these, the page does not function. Legal Basis: Art. 6 Abs. 1 lit. f DSGVO.
  • Functional Cookies — convenience functions such as saved filter states. These require your consent.
  • Analysis Cookies — audience measurement. These require your consent.

Consent and Revocation: You can adjust your Cookie settings at any time via the Cookie banner or your browser. A revocation is effective for the future.

4

Google Fonts

We use fonts from Google Fonts, but host them locally on our own servers in the EU. Therefore, no connection to Google's servers is established when you visit our page.

As a result, no IP-Adressen are transmitted to Google — not even to the USA.

5

Server-Logfiles

Our servers standardly log access data (so-called Logfiles) that your browser automatically transmits:

  • IP-Adresse (truncated after 7 days)
  • Date, time, time zone
  • Content of the request (specific page)
  • Access status / HTTP status code
  • Amount of data transferred
  • Browser type and version, operating system
  • Referrer-URL

These data are used exclusively to ensure operation, detect attacks, and analyze errors. No merging with other data sources takes place.

Legal Basis: Art. 6 Abs. 1 lit. f DSGVO.
Storage Duration: generally 14 days.

6

Data Processing within Our SaaS Solutions

When you use DivineMind.AI as a Software-as-a-Service, we process the data that you or your employees enter into the platform (e.g., CRM contacts, invoices, emails, appointments, documents).

Processor Role: In this role, we act as a processor within the meaning of Art. 28 DSGVO. A data processing agreement (DPA) is part of our General Terms and Conditions or is provided separately.

Tenant-Isolation: Data are processed in a Tenant-isolated data model (each customer organization has its own company_id with logical separation). Cross-access between Tenants is excluded by the data model.

Hosting Location: All application and database servers are located in the EU (main region Frankfurt, Germany). Backups are also located in the EU.

Encryption: Data at rest are encrypted with AES-256, data in transit with current TLS (at least TLS 1.2).

No AI Training on Customer Data: We do not use your content for training or fine-tuning generic AI models (Zero-Training-on-Customer-Data). Models are used exclusively to fulfill the functions requested by you.

Sub-processors: An up-to-date list of sub-processors (e.g., Cloud-Infrastruktur, Mail-Versand, Zahlungsdienstleister) is available upon request via privacy@divinemind.ai.

7

Payment Data

For the processing of payments, we use Mollie B.V. (Amsterdam, Netherlands) as a payment service provider. Credit card, SEPA, or other payment data are transmitted directly from the browser to Mollie — we ourselves do not store complete payment data.

What we store:

  • Mollie-Transaktions-ID
  • Amount, currency, payment method (e.g., “SEPA”)
  • Date and status of the payment
  • Link to the invoice or subscription

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract fulfillment), Art. 6 Abs. 1 lit. c DSGVO (statutory retention according to BAO, UGB).

Retention: 7 years after the end of the financial year in accordance with tax and corporate law requirements.

8

Newsletter

With your consent, we send you a Newsletter with product news, industry updates, and information about DivineMind.AI.

We collect:

  • Your email address
  • Date and time of registration
  • IP-Adresse for documenting consent (Double-Opt-in)

Legal Basis: Art. 6 Abs. 1 lit. a DSGVO (consent).

Revocation: You can unsubscribe at any time via the unsubscribe link at the end of each Newsletter email or by sending a message to privacy@divinemind.ai. The revocation is effective for the future.

Recipients: We use an EU-hosted SMTP-Infrastruktur for sending. No sending takes place via US mailing services.

9

Your Rights as a Data Subject

As a data subject, you have the following rights under the DSGVO:

  • Right of Access (Art. 15 DSGVO) — You can find out what data we process about you
  • Right to Rectification (Art. 16 DSGVO) — You can have incorrect data corrected
  • Right to Erasure (Art. 17 DSGVO) — You can request the erasure of your data, provided that no statutory retention periods prevent this
  • Right to Restriction of Processing (Art. 18 DSGVO)
  • Right to Data Portability (Art. 20 DSGVO) — Export of your data in a structured format
  • Right to Object (Art. 21 DSGVO) to processing based on legitimate interests
  • Right to Withdraw Consent (Art. 7 Abs. 3 DSGVO) — with effect for the future

Exercising Your Rights: An informal message to privacy@divinemind.ai is sufficient. We will respond within 30 days.

Right to Lodge a Complaint with a Supervisory Authority: You have the right to lodge a complaint with a data protection supervisory authority — in Austria with the Datenschutzbehörde (dsb.gv.at), in Germany with the respective competent state authority.

10

Storage Duration

We store personal data only for as long as it is necessary for the respective purpose or as statutory retention periods prescribe.

Data TypeStorage Duration
Server-Logfiles14 days
Contact inquiriesup to 3 years
Contract data / Invoices7 years (UGB, BAO)
Accounting records7 years
Newsletter subscriptionuntil revocation
OAuth-Tokens (Google, Microsoft)until revocation, max. 7 days after inactivity
Customer SaaS-Datafor the duration of the contractual relationship + statutory retention periods
After expiry, data are deleted or irrevocably anonymized.
11

Contact Details of the Controller

Controller within the meaning of the DSGVO is:

DivineMind.AI FlexCo GmbH
Burgring 1
1010 Wien
Österreich

Email: office@divinemind.ai
Data Protection Inquiries: privacy@divinemind.ai
Web: divinemind.ai

12

Data Protection Officer

An obligation to appoint a Data Protection Officer (DSB) according to Art. 37 DSGVO does not currently exist for DivineMind.AI FlexCo GmbH. Data protection concerns are handled directly by the management.

Should the legal requirements change (e.g., due to increasing processing volumes), we will appoint a DSB and update this privacy policy accordingly.

Data Protection Contact: privacy@divinemind.ai

13

Google API Services User Data Policy

DivineMind.AI integrates Google Workspace (Gmail, Google Calendar, Google Drive) via OAuth 2.0. This section describes what user data we retrieve, why we retrieve it, how we store it, and how it is deleted.

13.1 Requested Google-OAuth-Scopes

  • gmail.readonly — is used by the Mail Agent to categorize Inbox content, extract invoice references, and identify follow-up candidates. Read-only access.
  • gmail.send — is used by the Mail Agent and Finance Agent to send transactional emails (invoice dispatch, follow-ups, press pitches) on behalf of the authenticated user — with explicit instruction.
  • gmail.modify — restricted to label management (adding/removing Agent labels). No deletion of messages.
  • calendar.events — is used by the Calendar Agent to create, read, and update appointments in the user's primary calendar. Necessary for appointment bookings and sending invitations.
  • calendar.readonly — for free/busy queries without write access.
  • drive.file — restricted to files created or opened by DivineMind.AI (e.g., attaching generated invoices). No full access to the user's Drive.
  • userinfo.email und userinfo.profile — for identification of the authenticated account.

13.2 How Google User Data are Used

Google user data are used exclusively to provide the functions that the user explicitly requests in DivineMind.AI:
  • Email content is processed to categorize incoming emails, draft replies, and extract invoice data, as instructed by the user to the Mail Agent or Finance Agent.
  • Calendar data are read to suggest appointment slots and written to book appointments requested by the user or the AIRIS-Portal-Agent.
  • Drive files created by DivineMind.AI (invoices, offers, exports) are stored in the user's Drive if the user activates this.

13.3 How Google User Data are Stored

OAuth-Access- and Refresh-Tokens are encrypted at rest and stored on EU-servers (Frankfurt, Germany). Message content is processed transiently: We retrieve the specific message an Agent is currently responding to, process it, and do not retain the full message body beyond the ongoing task. Derived metadata (category labels, extracted invoice fields) are stored in the customer's isolated Tenant-Datenbank, also in the EU. We never copy the entire mailbox or calendar into our own data storage.

13.4 How Google User Data are Shared

We do not sell, rent, trade, or share Google user data with third parties for advertising, marketing, or analytical purposes. We do not use Google user data to train or fine-tune general AI or Machine-Learning models. Processing takes place exclusively within the user's Tenant-Kontext.

13.5 How Google User Data can be Deleted

The user retains control at all times:
  • Revoke DivineMind.AI's access directly on the Google account permissions page at myaccount.google.com/permissions.
  • Disconnect within DivineMind.AI under Settings → Connected Accounts. This deletes stored Tokens and derived metadata within 24 hours.
  • Request complete deletion of all account data via email to privacy@divinemind.ai. We will respond within 30 days.

13.6 Limited-Use-Compliance

DivineMind.AI's use and transfer of information received from Google APIs to other apps adhere to the Google API Services User Data Policy, including the Limited-Use requirements.

13.7 Data Protection Contact

Questions regarding the handling of Google user data: privacy@divinemind.ai. Controller: DivineMind.AI FlexCo GmbH, Wien, Österreich.
14

Microsoft Graph API Data Use

DivineMind.AI integrates Microsoft 365 (Outlook, Calendar) via the Microsoft Graph API using OAuth 2.0. The policy described below is consistent in content with our Google-OAuth-Policy: minimum-Scope-principle, EU-storage, no model training, access revocable at any time.

14.1 Requested Microsoft-Graph-Scopes

  • Mail.Read — the Mail Agent reads the Inbox for categorization and data extraction.
  • Mail.Send — the Mail Agent sends on behalf of the user with explicit instruction.
  • Calendars.ReadWrite — the Calendar Agent books and manages appointments.
  • User.Read — for identification of the authenticated account.
  • offline_access — enables background Refresh as long as consent is active.

14.2 Storage, Sharing, Deletion

Tokens are stored encrypted on EU-servers. Message content is processed transiently and not persisted. Data are never shared with third parties, never used for advertising, and never used for training generic AI models.

The user can revoke access at any time — either under myaccount.microsoft.com or in DivineMind.AI under Settings → Connected Accounts. Tenant-Admins can additionally restrict or remove the app under entra.microsoft.com (Enterprise Applications).

Privacy Policy | DivineMind.AI