
Privacy Policy

Last updated: April 2026

The German version of this Privacy Policy is legally binding. This translation is provided for convenience only.

At Gardeo, privacy is our core principle. This Privacy Policy explains how Florian Wessels: flossels.ch ("Gardeo", "we", "us") collects, uses, stores, and protects personal data when you use our platform. Gardeo is a Swiss sole proprietorship subject to the Swiss Federal Act on Data Protection (nDSG) and, where applicable, the EU General Data Protection Regulation (GDPR).

1. Controller

Florian Wessels: flossels.ch
Lorzenparkstrasse 23, 6330 Cham, Switzerland
Email: support@gardeo.ai

2. Data We Collect

2.1 Account Data

When you register, we collect your name, email address, and language preference. If you sign in via Google or Microsoft, we receive your name and email from the OAuth provider. We do not store passwords from OAuth logins.

2.2 Content Data

We store the prompts you send to AI models, the AI responses, uploaded documents, generated images (metadata), and prompt templates you create. Both the original and pseudonymized versions of messages are stored. You can share individual conversations via a unique link: shared conversations are publicly accessible (read-only) to anyone with the link and display message content and the sharer's name.

2.3 Usage Data

We record which AI models you use, token counts, response latency, estimated costs, and PII entities detected. This data is used for billing, usage dashboards, and service improvement.

2.4 Billing Data

Company name, billing address, VAT ID, and billing email. Payment card details are processed exclusively by Stripe and never stored on our servers.

2.5 Technical Data

Server logs include IP addresses, timestamps, and error information. These are retained for security and debugging purposes and automatically deleted after 30 days.

2.6 Research and Search Data

When using Deep Research or Web Search, we store search queries, retrieved URLs, intermediate analysis steps, and synthesized reports. Web searches are performed via a self-hosted, privacy-first metasearch engine (SearXNG) within our EU infrastructure: no search data is transmitted to external search engines directly.

2.7 Enterprise Search Data

When you connect third-party data sources (such as Google Drive, Gmail, Confluence, Notion, Slack, Salesforce, HubSpot, or Microsoft 365), we index document titles, content, and metadata from those sources. This data is stored as vector embeddings in our EU-hosted PostgreSQL database for semantic search. Indexed data is deleted when the integration is disconnected.

2.8 Workflow and Automation Data

We store workflow definitions, execution history, trigger configurations, and output data from automated workflows. Batch processing job definitions and results are also stored for the duration of the job plus 30 days. If you configure webhooks, event metadata (document IDs, batch status, workflow results) is sent to your specified external URLs. Webhook payloads are signed with HMAC-SHA256 and do not contain message content or personal data.

2.9 Feedback and Interaction Data

Message ratings (helpful/unhelpful), PII detection reports, general feedback submissions, optionally attached screenshots, and browser information (user agent). This data is used to improve service quality and PII detection accuracy.

2.10 Security and Authentication Data

If you enable two-factor authentication (TOTP), we store encrypted TOTP secrets and hashed backup codes. Push notification subscription endpoints are stored for browser notifications. Generated images are stored in AWS S3 (EU) alongside their metadata.

3. How We Use Your Data

| Purpose | Legal Basis |
| --- | --- |
| Providing the AI platform service | Contract performance (Art. 6(1)(b) GDPR) |
| Billing and subscription management | Contract performance (Art. 6(1)(b) GDPR) |
| PII pseudonymization of your prompts | Legitimate interest: data protection (Art. 6(1)(f) GDPR) |
| Pseudonymized usage analytics (Mixpanel, server-side, user-ID only) | Legitimate interest: service improvement (Art. 6(1)(f) GDPR) |
| Email notifications (alerts, digests) | Contract performance / Consent |
| Error monitoring (Sentry) | Legitimate interest: service reliability (Art. 6(1)(f) GDPR) |

4. PII Pseudonymization

Gardeo's core feature is automatic pseudonymization of personal data before it reaches any AI model provider. When you send a prompt, our PII Engine (running exclusively within our EU infrastructure) detects personal data (names, addresses, phone numbers, identification numbers, health data, and more) and replaces it with placeholders (e.g. PERSON_1, ADDRESS_1). Only the pseudonymized text is sent to the AI provider. The mapping between placeholders and original data is encrypted (AES-256-GCM) and stored in our EU infrastructure with a 24-hour TTL.

5. Data Storage and Location

All data is stored and processed in the European Union (Germany):

  • Application: Vercel (Frankfurt, EU)
  • Database: AWS RDS PostgreSQL (European Sovereign Cloud, Brandenburg)
  • File Storage: AWS S3 (European Sovereign Cloud, Brandenburg)
  • PII Engine: AWS Fargate (European Sovereign Cloud, Brandenburg)
  • Cache: Upstash Redis (Frankfurt, EU)

Gardeo is a Swiss company. Your data is governed by both the Swiss nDSG and the EU GDPR.

6. Third-Party Data Sharing

6.1 AI Model Providers

AI providers receive only pseudonymized data. They do not have access to your original personal data. We work with the following providers:

  • Anthropic (Claude): US, SCCs
  • OpenAI (GPT, DALL-E): US, SCCs
  • Google (Gemini): US, SCCs
  • Mistral AI (Mistral): EU (France)
  • xAI (Grok): US, SCCs
  • Perplexity (Sonar): US, SCCs
  • DeepSeek (DeepSeek)*: China, Art. 49 GDPR

* China-hosted models are available only after your explicit, informed consent pursuant to Art. 49(1)(a) GDPR. Data is automatically pseudonymized before transmission. China does not have an EU adequacy decision. Chinese authorities may have legal access to data processed within China under local cybersecurity and data laws. By consenting, you acknowledge these risks.

6.2 Web Search

Web Search and Deep Research features use SearXNG, a privacy-first metasearch engine hosted within our EU infrastructure. Search queries are not transmitted to external search providers directly. Retrieved web page content is processed temporarily for analysis and is not permanently stored beyond the research session.

6.3 Infrastructure Providers

See our Data Processing Agreement for the complete list of sub-processors.

7. Cookies and Tracking

Gardeo uses only essential session cookies for authentication. We do not use tracking cookies or advertising pixels. Our analytics (Mixpanel) runs exclusively server-side: no client-side JavaScript, no cookies. Sentry error monitoring runs as a client-side script for detecting application errors; it does not track user behavior or set cookies. You can opt out of analytics tracking in your account settings (Art. 21 GDPR).

8. Data Retention

| Data Type | Retention |
| --- | --- |
| Conversations and messages | Until deleted by user, or per organization retention policy |
| PII mapping data | 24 hours (automatic expiry) |
| Uploaded documents | Until deleted by user |
| Usage logs | 12 months |
| Audit logs | 24 months |
| Server logs | 30 days |
| Account data | Until account deletion |
| Deep Research sessions | Until deleted by user |
| Enterprise Search index | Until integration disconnected |
| Workflow execution history | 90 days |
| Batch job results | 30 days after completion |
| Generated images | Until deleted by user |
| Feedback and PII reports | 12 months |

9. Your Rights

Under the GDPR and nDSG, you have the following rights:

  • Access (Art. 15): Request a copy of all your personal data. Use the data export feature in Settings.
  • Rectification (Art. 16): Correct your profile data in Settings.
  • Erasure (Art. 17): Delete your account and all associated data in Settings.
  • Restriction (Art. 18): Request restriction of processing by contacting us.
  • Portability (Art. 20): Export your data in machine-readable JSON format via Settings.
  • Objection (Art. 21): Object to processing based on legitimate interest by contacting us.
  • Withdraw consent: Revoke consent for China-hosted models at any time in Settings.

Artificial Intelligence Transparency

Gardeo is an AI-powered platform. All text responses are generated by large language models (LLMs) from various providers. Gardeo does not independently verify AI-generated content. Users should verify important information independently. In accordance with the EU AI Act (Art. 52), we inform you that you are interacting with AI systems when using the chat, document analysis, and content generation features.

10. Data Security

  • TLS 1.3 for all data in transit
  • AES-256-GCM encryption for PII mappings and integration credentials
  • Automatic PII pseudonymization before any data leaves EU infrastructure
  • Role-based access control (OWNER, ADMIN, MEMBER, VIEWER)
  • API key scoping and rate limiting
  • Audit logging of all administrative actions
  • SAML SSO and SCIM provisioning for enterprise customers

11. Children

Gardeo is not intended for use by individuals under the age of 16. We do not knowingly collect data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top indicates the latest revision.

13. Contact

For privacy inquiries, data subject requests, or complaints:
Email: support@gardeo.ai
Florian Wessels: flossels.ch, Lorzenparkstrasse 23, 6330 Cham, Switzerland

You also have the right to lodge a complaint with a supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC).
