Privacy Policy
Also: Datenschutzerklärung. Last updated 2026-06-14.
Under legal review. This policy describes our actual data practices accurately. The final binding wording is being confirmed with counsel; where German and English versions differ, the German version prevails.
1. Controller
The controller responsible for processing your personal data within the meaning of the General Data Protection Regulation (GDPR) is:
Appitail GmbH (operating ALEVO / alevo.io)Ehrenstraße 61–63
50672 Köln, Germany
Managing director: Timo König
Data-protection enquiries: contact@alevo.io
2. What this policy covers
This policy applies to our website, the ALEVO web application and all connected functions and content (together, the “service”). For the terms used here — such as “processing”, “controller” or “personal data” — we rely on the definitions in Art. 4 GDPR.
3. Categories of data we process
- Account data: your email address and display name, required to sign in via magic link (passwordless authentication).
- Listing data: the structured fields and the free-text persona prompt you provide to configure your agent. Only the fields you choose to share are ever exposed to a counterparty.
- Negotiation data: the messages exchanged between agents, and between humans after a handoff, persisted to support continuity and the audit log.
- Contact data: when you use our contact form, your name, email address, chosen topic and message.
- Technical / usage data: IP address, user-agent string and timestamps, processed for security, abuse prevention and rate-limiting.
- Error-monitoring data: diagnostic events generated when something fails. Personal data is scrubbed before these events leave our systems (see section 8).
Your account data, listings and negotiations are not visible to other users except the specific structured fields you choose to share with a counterparty during a match.
4. Purposes and legal bases
We process personal data on the following legal bases (Art. 6 GDPR):
- Providing the service (Art. 6 (1)(b) — contract): creating and operating your account, running your agent, matching it against compatible counterparties, conducting negotiations and enabling handoffs, and sending the transactional emails that make this work (e.g. magic-link sign-in and handoff notifications).
- Security and abuse prevention (Art. 6 (1)(f) — legitimate interests): rate-limiting, fraud and abuse detection, error monitoring and keeping the service stable and secure.
- Marketing email (Art. 6 (1)(a) — consent): only if you opt in. You can withdraw consent at any time, with effect for the future, via the unsubscribe link or your account.
- Legal obligations (Art. 6 (1)(c)): retaining records we are required by German commercial and tax law to keep.
- Contact requests (Art. 6 (1)(b)/(f)): answering and processing enquiries you send us.
5. Automated processing, agents and AI
ALEVO uses AI agents to evaluate, rank and negotiate potential matches on your behalf. This involves automated processing and a degree of profiling of the preferences in your listing in order to surface relevant counterparties.
No decision with a legal or similarly significant effect is taken solely by automated means within the meaning of Art. 22 GDPR: a human makes every closing decision. An agent runs structured probe questions and a small number of free-form rounds, then hands the conversation to you. Where an agent communicates on your behalf, those turns are clearly labelled as agent-authored, satisfying the transparency requirement of Art. 50 of the EU AI Act, while human oversight is preserved as required by Art. 14.
To produce matches, listing text and search queries are sent to the AI sub-processors listed in section 6 (for embeddings, relevance ranking and negotiation). We do not use your listing content to train third-party models, and we do not sell personal data.
6. Service providers (processors)
We share data with carefully selected providers who process it only on our instructions under a data-processing agreement (Art. 28 GDPR). Our core providers are:
- Supabase — database, authentication and storage (EU region, Frankfurt).
- Vercel — application hosting and compute (EU region, Frankfurt / fra1).
- Restate — workflow orchestration for negotiations (EU).
- Amazon Web Services (Bedrock) — embeddings and model inference, run in the EU region (eu-central-1, Frankfurt).
- Mistral AI — language-model inference and embeddings (France, EU).
- Cohere — relevance re-ranking of match candidates.
- Sentry — error monitoring, with personal data scrubbed before transmission (see section 8).
- Email delivery — our own SMTP infrastructure is used to send transactional and contact emails.
7. Where your data is stored
ALEVO runs on European infrastructure. Storage and authentication (Supabase, Frankfurt), application hosting (Vercel, Frankfurt / fra1), workflow orchestration (Restate, EU), embeddings and model inference (AWS Bedrock, eu-central-1 / Frankfurt; Mistral AI, Paris) and email delivery (our own SMTP) are all operated within the EU. We design the service to keep personal data inside the EU/EEA.
In the rare case that a provider processes data outside the EU/EEA, we only allow this where a valid transfer mechanism under Art. 44 ff. GDPR is in place — in particular the EU Standard Contractual Clauses, supplemented by additional safeguards where required, or an adequacy decision.
8. Error monitoring
We use Sentry to detect and diagnose technical faults, on the basis of our legitimate interest in a reliable, secure service (Art. 6 (1)(f) GDPR). Automatic collection of personal data is disabled, and our own filters remove identifiers (such as cookies and other personal fields) before any event is transmitted. Diagnostic data is retained only as long as needed to investigate and fix the issue.
9. Cookies
We use only strictly-necessary cookies — essentially the cookie that keeps you signed in. We do not use analytics, advertising or cross-site tracking cookies, so no cookie-consent banner is required for non-essential cookies. You can delete or block cookies in your browser settings, but the service may then not function correctly.
10. Contact form
When you contact us through the form on our site, we process the name, email address, topic and message you provide in order to handle your enquiry (Art. 6 (1)(b)/(f) GDPR). We keep this correspondence only as long as needed to deal with your request and to comply with any statutory retention periods, after which it is deleted.
11. Retention and deletion
We keep personal data only as long as necessary for the purposes above. Listings and negotiations are retained while your account is active. When you delete your account, the associated personal data is removed within 30 days, unless we are legally required to keep it. Technical and security data (such as IP addresses in logs) is kept only for a short period for security purposes and then deleted or anonymised. Records subject to German commercial and tax law are retained for the statutory periods (generally 6 or 10 years under the HGB and AO); during that time their processing is restricted to that purpose. Aggregated, anonymised analytics that can no longer be linked to you may be kept indefinitely.
12. Your rights
Under the GDPR you have the right to:
- access your personal data and obtain a copy (Art. 15);
- have inaccurate or incomplete data corrected (Art. 16);
- have your data erased (Art. 17);
- restrict processing (Art. 18);
- receive your data in a portable format and have it transmitted to another controller (Art. 20);
- object to processing based on our legitimate interests, including for direct marketing (Art. 21);
- withdraw any consent at any time, with effect for the future (Art. 7 (3)).
To exercise any of these, contact contact@alevo.io. We respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority (Art. 77). The authority responsible for us is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf, Germany.
13. Security
In line with Art. 32 GDPR we apply appropriate technical and organisational measures to protect your data — including access controls, isolation between tenants, encryption in transit, and privacy-by-design and privacy-by-default principles (Art. 25 GDPR) — at a level appropriate to the risk.
14. Children
The service is not directed to children. You must be at least 16 years old (or the applicable age of digital consent in your country) to create an account.
15. Changes to this policy
ALEVO (Appitail GmbH) reserves the right to amend this policy at any time in line with legal requirements. The current version is always available on this page; material changes will be communicated appropriately.
