Privacy Policy
Effective: March 2026
Note: This English version is a translation of the German Datenschutzerklärung. In the event of any discrepancy, the German version shall prevail.
This Privacy Policy applies to the website flexling.com and all its subdomains (the "Website"), together with the Flexling web applications and services (the "Services"), operated by Paul Ermler (sole proprietorship, hereinafter "Flexling", "we", "us" or "our"). It describes how we collect, use, share and protect personal data and what rights you have.
1. Data Controller
Paul Ermler Sole Proprietorship Friedrich-Ebert-Straße 62 14467 Potsdam Germany Email: [email protected]
No Data Protection Officer has been appointed (not mandatory under Art. 37 GDPR for sole proprietorships without large-scale processing of special categories of data).
2. Definitions
Personal data means any information relating to an identified or identifiable natural person (Art. 4(1) GDPR), including name, email address, IP address and usage behaviour.
3. Principles of Data Processing
We process personal data only where one of the following legal bases under Art. 6 GDPR applies:
- lit. a – Consent of the data subject
- lit. b – Necessity for the performance of a contract or pre-contractual measures
- lit. c – Compliance with a legal obligation
- lit. f – Legitimate interests (provided the interests of the data subject do not override)
We collect only data that is necessary for the respective purpose (data minimisation, Art. 5(1)(c) GDPR) and do not sell personal data.
4. What Data We Collect
4.1 Data You Provide
When registering for and using our Services, we collect:
- Name and email address
- Username and password (stored in encrypted form)
Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
4.2 Automatically Collected Data
When you visit our Website, our servers automatically log technical data from your browser: IP address, browser type and version, pages visited, date and time of the visit, and time spent on pages.
Legal basis: Art. 6(1)(f) GDPR. Legitimate interest: technical operation, security and error diagnosis of our Website.
4.3 Data Generated Through App Use
When you actively use the Flexling application, the following data is created by you and stored by us:
- Flashcards and decks: Content of flashcards you create or import (front and back), deck names, settings and metadata such as creation date and last modified.
- AI chat messages: Messages you enter in the AI chat and the generated responses are stored to display the conversation history and ensure your experience.
- Learning progress and statistics: Card ratings, review timestamps, study session data and aggregated progress statistics.
- Voice recordings and transcriptions: When you use voice input in the AI chat, your voice recordings are transmitted to OpenAI for transcription (see Section 6). The resulting text transcription is stored as a chat message; the original audio file is not retained after transcription.
- Uploaded content: Files and media you upload within the app (e.g. images or documents for card creation or in the chat) are processed and stored to the extent necessary to provide the respective feature.
Legal basis: Art. 6(1)(b) GDPR (performance of the service contract). This data is necessary to provide the core service.
4.4 Data Collected After Consent (Opt-In)
After your explicit consent via our cookie banner, we additionally collect usage behaviour, click and analytics data. Details in Section 7 (Cookies).
Legal basis: Art. 6(1)(a) GDPR in conjunction with § 25 TTDSG.
5. Third-Party Providers and Data Processors
We share data with the companies listed below, which act as data processors within the meaning of Art. 28 GDPR. A data processing agreement (DPA) or equivalent privacy agreement is in place with each of these providers. Data sharing is limited to the necessary minimum.
A) Required for Website Operation
Cloudflare (Cloudflare Inc., USA) Purpose: DNS, load balancing, DDoS protection, delivery of static content. Data: IP address, connection data. Legal basis: Art. 6(1)(f) GDPR. Legitimate interest: security and availability of the Website. Third-country transfer: Cloudflare is certified under the EU-U.S. Data Privacy Framework (adequacy decision of the EU Commission of 10 July 2023, Art. 45 GDPR). Privacy policy: https://www.cloudflare.com/privacypolicy/
Hetzner (Hetzner Online GmbH, Germany/EU) Purpose: Server infrastructure (backend hosting). Data: IP address, stored user data. Legal basis: Art. 6(1)(b) and (f) GDPR. Processing exclusively within the EU/EEA. Privacy policy: https://www.hetzner.com/legal/privacy-policy/
Vercel (Vercel Inc., USA) Purpose: Frontend hosting and delivery of the Website. Data: IP address, technical connection data, access times. Legal basis: Art. 6(1)(f) GDPR. Legitimate interest: reliable and fast provision of the Website. Third-country transfer: Secured by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. Privacy policy: https://vercel.com/legal/privacy-policy
| Provider | Purpose | Data | Location |
|------------|-----------------------|-----------------------|------------|
| Cloudflare | Network, Security | IP address | USA (DPF) |
| Hetzner | Server Infrastructure | IP address, User data | EU |
| Vercel | Frontend Hosting | IP address | USA (SCCs) |
B) Required for the Web Application
Convex (Convex Inc., USA) Purpose: Backend database and real-time data synchronisation. Data: All personal user data stored in the application. Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Third-country transfer: Secured by SCCs pursuant to Art. 46(2)(c) GDPR. Privacy policy: https://www.convex.dev/privacy
Sentry (Functional Software Inc., USA) Purpose: Error logging and monitoring to ensure technical stability. Data: IP address, technical device data, error messages, stack traces where applicable. Legal basis: Art. 6(1)(f) GDPR. Legitimate interest: maintaining secure and stable operation of our Services. Third-country transfer: Secured by SCCs. Sentry provides a Data Processing Addendum (DPA). Privacy policy: https://sentry.io/privacy/
Stripe & Autumn (Stripe Inc., USA / Autumn, USA) Purpose: Payment processing and subscription management. Autumn (useautumn.com) serves as a billing layer and forwards payment transactions to Stripe. Data: Name, email address, payment data, billing address, transaction data. Legal basis: Art. 6(1)(b) GDPR (performance of a contract). These providers receive your data only when you make a purchase. Third-country transfer: Stripe is certified under the EU-U.S. Data Privacy Framework (Art. 45 GDPR). Stripe privacy policy: https://stripe.com/privacy Autumn privacy policy: https://useautumn.com/privacy
Resend (Resend Inc., USA) Purpose: Sending transactional emails (e.g. registration confirmation, password reset, system notifications). Data: Email address, message content. Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Third-country transfer: Secured by SCCs pursuant to Art. 46(2)(c) GDPR. Privacy policy: https://resend.com/legal/privacy-policy
| Provider | Purpose | Data | Location |
|---------------|----------------------|-----------------------------------|------------|
| Convex | Database | All user data | USA (SCCs) |
| Sentry | Error Logging | IP, technical data | USA (SCCs) |
| Stripe/Autumn | Payment Processing | Name, email, payment/billing data | USA (DPF) |
| Resend | Transactional Emails | Email address | USA (SCCs) |
C) Optional Services – Consent Only (Opt-In)
The following services are activated only after your explicit consent via our cookie banner (Art. 6(1)(a) GDPR in conjunction with § 25 TTDSG). You may withdraw your consent at any time.
Resend – Newsletter If you subscribe to our newsletter, we also use Resend for newsletter delivery. Registration uses a double opt-in process: after signing up you will receive a confirmation email and must actively confirm your address. You can unsubscribe at any time via the unsubscribe link in every email. Data: Email address, confirmation timestamp. Legal basis: Art. 6(1)(a) GDPR (consent).
Google Tag / GTAG (Google Ireland Ltd., Ireland / Google LLC, USA) Purpose: Collection of visitor statistics. (Opt-in via cookie banner.) Data: IP address, pages visited, click behaviour, device information. Third-country transfer: Google is certified under the EU-U.S. Data Privacy Framework (Art. 45 GDPR). Privacy policy: https://policies.google.com/privacy
PostHog (PostHog Inc., USA / EU server Frankfurt) Purpose: Page and product analytics. (Opt-in via cookie banner.) Data: IP address, clicks, navigation, usage behaviour. Third-country transfer: Data is processed on EU servers where possible; where processing occurs outside the EU, secured by SCCs. Privacy policy: https://posthog.com/privacy
| Provider | Purpose | Data | Location |
|------------|---------------------|-----------------------------|---------------|
| Resend | Newsletter | Email address | USA (SCCs) |
| Google Tag | Analytics/Marketing | IP, pages, clicks | USA/EU (DPF) |
| PostHog | Product Analytics | IP, clicks, usage behaviour | USA/EU (SCCs) |
6. AI Features and Third-Party AI Services
Flexling uses AI-powered features. When you use the AI chat or other AI features of our application, your messages and, where applicable, relevant context data are transmitted to external AI providers for processing. We inform you that you are interacting with an AI system. Messages entered in the AI chat are stored by us. Please do not enter particularly sensitive personal data (e.g. health data, financial data) in the AI chat.
We use the following AI providers:
OpenAI (OpenAI Ireland Ltd. / OpenAI Inc., USA) Purpose: Processing user queries, generating AI responses, and speech recognition (audio transcription). Data: Message content, query context, audio data (voice recordings when using the speech recognition feature). Legal basis: Art. 6(1)(b) GDPR (performance of a contract). A DPA is in place with OpenAI. Third-country transfer: OpenAI is certified under the EU-U.S. Data Privacy Framework (Art. 45 GDPR). Privacy policy: https://openai.com/policies/privacy-policy
Google (Google Ireland Ltd. / Google LLC, USA) – AI Services (e.g. Gemini) and Cloud Text-to-Speech Purpose: Processing user queries via Google AI services and speech synthesis (text-to-speech) to generate audio output for flashcard content. Data: Message content, query context, text content (when using speech synthesis). Legal basis: Art. 6(1)(b) GDPR. A DPA is in place with Google. Third-country transfer: Google is certified under the EU-U.S. Data Privacy Framework (Art. 45 GDPR). Privacy policy: https://policies.google.com/privacy
OpenRouter (OpenRouter Inc., USA) Purpose: Gateway to various AI models and providers. Via OpenRouter, requests may be forwarded to additional AI models available on the OpenRouter platform. Data: Message content, query context. Legal basis: Art. 6(1)(b) GDPR. A DPA is in place with OpenRouter. Third-country transfer: Secured by SCCs pursuant to Art. 46(2)(c) GDPR. Privacy policy: https://openrouter.ai/privacy
| Provider | Purpose | Data | Location |
|------------|------------------------------|-------------------------------|-----------------|
| OpenAI | AI Responses, Transcription | Message content, audio data | USA (DPF, DPA) |
| Google | AI Responses, Text-to-Speech | Message content, text content | USA (DPF, DPA) |
| OpenRouter | AI Gateway (multi-model) | Message content | USA (SCCs, DPA) |
7. Cookies and Consent
We use cookies and similar technologies in accordance with § 25 TTDSG and Art. 6 GDPR.
Strictly necessary cookies: These are required for the operation of the Website and are set without consent. Legal basis: § 25(2)(2) TTDSG in conjunction with Art. 6(1)(f) GDPR.
Analytics and marketing cookies: These are set only after your explicit consent via our cookie banner. Legal basis: § 25(1) TTDSG in conjunction with Art. 6(1)(a) GDPR.
You may withdraw your consent at any time via our cookie banner. In addition, you can restrict or disable the use of cookies at browser level; this may affect the functionality of our Services.
8. Data Security
We implement technical and organisational measures (TOMs) pursuant to Art. 32 GDPR to protect your data against unauthorised access, loss, destruction or misuse. Data transmission between your browser and our servers is encrypted via HTTPS/TLS. Access to personal data is restricted to individuals who require this information to provide, develop or improve our Services.
9. Retention and Deletion
We store personal data only for as long as is necessary for the respective processing purpose or as required by statutory retention periods (e.g. tax-law retention obligations under § 147 AO for invoice data: 10 years).
When you delete your account, all personal data associated with your account – including messages stored in the AI chat – will be deleted, unless statutory retention obligations apply.
10. Your Rights as a Data Subject
Under the GDPR, you have the following rights, which you may exercise at any time:
- Withdraw consent (Art. 7(3) GDPR) – You may withdraw any consent given at any time with effect for the future.
- Access (Art. 15 GDPR) – You have the right to obtain information about whether and what personal data we process about you.
- Rectification (Art. 16 GDPR) – You have the right to have inaccurate or incomplete data corrected.
- Erasure (Art. 17 GDPR) – You have the right to request the deletion of your data, provided no retention obligations apply.
- Restriction of processing (Art. 18 GDPR) – You have the right to request the restriction of processing under certain conditions.
- Data portability (Art. 20 GDPR) – You have the right to receive your data in a structured, machine-readable format.
- Objection (Art. 21 GDPR) – You have the right to object to the processing of your data where it is based on Art. 6(1)(f) GDPR (legitimate interest).
To exercise your rights, please contact: [email protected]
Right to lodge a complaint: You have the right to lodge a complaint with the competent data protection supervisory authority. The authority responsible for our registered office in Potsdam is:
Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg Stahnsdorfer Damm 77, 14532 Kleinmachnow https://www.lda.brandenburg.de
11. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy to reflect changes in the legal framework or our services. The current version is always available at: https://flexling.com/legal/privacy
As of: March 2026