Privacy Policy

Last updated: 30 May 2026

This policy explains how we process personal data when you use adlass and this website. It is governed by the General Data Protection Regulation (GDPR) and the Estonian Personal Data Protection Act.

1. Controller

The controller responsible for data processing is Adlass, [address to follow], registered under registry code [registry code to follow], represented by Felix Crombach.

For any privacy request you can reach us at hola@adlass.io. We have not appointed a data protection officer, as there is no legal obligation to do so.

2. Data we process

  • Account data: the name and email address you provide when registering through our login provider.
  • Content data: documents, files, datasets and text you upload or create in adlass, including information extracted from them.
  • Usage and log data: IP address, time, features accessed, device and browser information.
  • Payment data: on paid plans, billing data processed through our payment provider (we do not store full card details).
  • Communication data: the content of your requests when you contact us.

3. Purposes and legal bases

We process your data for the following purposes and on the following legal bases:

  • Providing and operating the service, managing your account and performing the contract (Art. 6(1)(b) GDPR).
  • Security, stability, abuse prevention and service improvement (legitimate interest, Art. 6(1)(f) GDPR).
  • Billing and compliance with tax and commercial law obligations (Art. 6(1)(b) and (c) GDPR).
  • Optional analytics and non-essential cookies only with your consent (Art. 6(1)(a) GDPR and the applicable ePrivacy rules).

We use your content solely to provide the service to you. We do not sell data to third parties and we do not train public AI models on your content.

4. Processors and recipients

To deliver the service we rely on carefully selected providers acting as processors under data processing agreements pursuant to Art. 28 GDPR:

Service                    Purpose                                     Provider / location
Clerk                      Sign-in and account management              Clerk, Inc., USA
Railway                    Database and cache hosting                  Railway Corp., USA
Amazon Web Services (S3)   Storage of uploaded documents               Amazon Web Services, Inc.
Mistral AI                 Text recognition and document analysis      Mistral AI, France (EU)
Resend                     Transactional email delivery                Resend, Inc., USA
Stripe                     Payment processing                          Stripe Payments Europe, Ireland / Stripe, Inc., USA
Cloudflare                 Delivery, security and attack protection    Cloudflare, Inc., USA

5. International transfers

Some of these providers are located in or process data in the United States. Where no adequacy decision applies, we base such transfers on the European Commission's Standard Contractual Clauses and, where certified, the EU-US Data Privacy Framework, supplemented by appropriate additional safeguards.

6. Retention

We retain personal data only as long as necessary for the purposes described. Account data and content are kept for the duration of your account and removed within a reasonable period after deletion, unless statutory retention obligations (for example for invoices) require otherwise.

7. Your rights

You have the following rights in relation to your personal data:

  • Access to the data we hold about you (Art. 15 GDPR).
  • Rectification of inaccurate data (Art. 16 GDPR).
  • Erasure (Art. 17 GDPR) and restriction of processing (Art. 18 GDPR).
  • Data portability (Art. 20 GDPR).
  • Objection to processing based on legitimate interests (Art. 21 GDPR).
  • Withdrawal of consent with effect for the future (Art. 7(3) GDPR).

A message to hola@adlass.io is enough to exercise these rights. You also have the right to lodge a complaint with a supervisory authority. The lead authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee). You may also contact the authority of your place of residence.

8. Cookies and analytics

We set technically necessary cookies (such as for your sign-in) without consent. Non-essential cookies and analytics are used only if you have consented. Details are in the Cookie Notice.

9. No automated decisions

We do not carry out automated decision-making, including profiling, that produces legal effects concerning you within the meaning of Art. 22 GDPR.

10. Changes

We update this policy when the service or the legal framework changes. The version published on this page applies.