Skip to main content

Last updated: 14 March 2026

Privacy Policy of ELLYTIC Technologies UG (haftungsbeschränkt)

1. Introduction

This Privacy Policy explains how ELLYTIC Technologies UG (haftungsbeschränkt), registered in Hamburg, Germany, processes personal data when you use our websites, applications, tools, and services.

We process personal data exclusively in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and applicable EU/EEA law.

We maintain a GDPR-first infrastructure, with primary hosting in the European Union (Germany). All personal data is processed based on data minimisation, purpose limitation, and storage limitation.

2. Controller and Contact Details

Controller and contact details:

3. Categories of Personal Data Processed

3.1 Data You Provide Directly

  • Identification data: name, address, contact details.
  • Account data: login credentials, authentication data, MFA tokens.
  • Administrative and civil registry documents: passports, ID cards, birth/marriage certificates, tax forms, property documents, inheritance documentation, supporting evidence.
  • Translation/verification documents: files uploaded for certified or professional translation.
  • Declarations and forms: data entered into wizards, questionnaires and self-service modules.
  • Communication data: support messages, emails, user requests, content of conversations.
  • Payment and billing data: processed exclusively via PCI-DSS compliant processors such as Stripe or PayPal.

3.2 Data Collected Automatically

  • Technical identifiers: IP addresses (truncated where possible), device type, operating system, browser type/version.
  • Usage data: interactions with features, timestamps, form completion, workflow progression.
  • Security logs: login attempts, authentication events, fraud detection signals.
  • Diagnostic information: performance telemetry, error reports.
  • Cookies and similar technologies (see Cookie Policy).

3.3 Special Category Data

We do not request sensitive categories of data under Art. 9 GDPR.

  • However, users may upload documents that contain such information (e.g. health-related notes on civil certificates). In such cases:
  • processing is carried out only for the explicit purpose of fulfilling the user’s request,
  • the legal basis is Art. 6(1)(b) GDPR (contract) combined with Art. 9(2)(a) GDPR (explicit consent upon upload).

Documents containing special-category data are deleted according to our retention schedule.

4. Purposes of Processing

4.1 Contract Fulfilment (Art. 6(1)(b) GDPR)

  • Providing translation, administrative, tax, and documentation services.
  • Preparing, reviewing and validating forms or wizards.
  • Delivering human-in-the-loop AI-assisted outputs.
  • Managing user accounts, authentication, MFA and onboarding.

4.2 Legal Obligations (Art. 6(1)(c) GDPR)

  • Compliance with German and EU accounting, tax and commercial law.
  • Providing statutory retention of invoices and transaction metadata.
  • Responding to lawful requests from authorities or courts.

4.3 Legitimate Interests (Art. 6(1)(f) GDPR)

  • Platform security, fraud detection and abuse prevention.
  • Service improvement and workflow optimisation.
  • Internal quality assurance (anonymised or aggregated where possible).
  • Ensuring the accuracy of translations and document outputs.

4.4 Consent (Art. 6(1)(a) GDPR)

Users may withdraw consent at any time: privacy@ellytic.com

  • Non-essential cookies and analytics.
  • Optional communication preferences (e.g., newsletters).
  • Processing of sensitive information contained within uploaded documents, when applicable.

5. AI-Assisted Processing (“Human-in-the-Loop”)

Ellytic uses AI models to support document analysis, translation workflows, form preparation and administrative guidance. This processing is subject to:

AI output may include summaries, classifications, or draft text, but decisions are never made solely by automated processing (no Art. 22 GDPR automated decision-making).

  • human review,
  • professional oversight,
  • authorization before delivery to the client.

All AI processing takes place either on EU-hosted infrastructure, or with subprocessors bound by GDPR-compliant agreements and EU-standard safeguards.

We do not use uploaded data to train public AI models.

6. Recipients and Categories of Recipients

6.1 Processors (Art. 28 GDPR)

We share personal data only with the following categories of processors:

  • EU-based hosting and cloud services
  • Email and communication providers
  • Support ticket systems
  • Document translation and linguistic QA partners
  • Payment processors (e.g., Stripe, PayPal)
  • Identity verification or e-signature providers (if used)
  • All processors are bound by strict Data Processing Agreements (DPAs).

6.2 Authorities and Institutions

Only with your explicit request or legal obligation, e.g.:

  • tax offices
  • civil registry offices
  • notaries
  • property registries
  • courts
  • banks

6.3 No Third-Country Transfers Without Safeguards

We do not transfer personal data outside the EU/EEA unless an adequacy decision exists (Art. 45 GDPR) or appropriate safeguards (Art. 46 GDPR) are implemented, including Standard Contractual Clauses (SCCs).

Primary data hosting: Germany (EU).

7. Retention Periods

7.1 Documents and Uploaded Files

Deleted 30 days after service completion, unless:

statutory retention obligations apply, or you request earlier deletion (except where prohibited by law).

7.2 Account Data

Retained until account deletion, and thereafter:

anonymized immediately where possible, with certain metadata retained for 6–10 years under German tax/commercial law.

7.3 Security Logs

Stored for 90 days, unless required longer for fraud investigations.

7.4 Backups

Secure encrypted backups are overwritten according to a rolling schedule (30–90 days).

8. Your Rights (Art. 12–23 GDPR)

To exercise your rights: privacy@ellytic.com

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (“right to be forgotten”, Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)
  • Right to withdraw consent (Art. 7(3))
  • Right not to be subject to automated decisions (Art. 22 — not used here)
  • Right to lodge a complaint with a supervisory authority, especially the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI).

9. Security Measures

  • Encryption at rest and in transit
  • Role-based access control and least-privilege policies
  • MFA for administrative accounts
  • Secure audit logs
  • Segmented server architecture
  • Regular penetration tests and vulnerability assessments
  • Automated anomaly and fraud detection
  • Strict employee access protocols and confidentiality agreements

10. Cookies and Tracking Technologies

  • Strictly necessary cookies (for login, session, security)
  • Functional cookies (preferences, language, UI settings)
  • Analytics cookies (only with consent, anonymised if possible)
  • For details see our separate Cookie Policy.

11. Changes to This Privacy Policy

We may update this Privacy Policy to reflect legal, technical or operational changes. The updated version will be published on our website with a new “Last updated” date.

12. Contact

For privacy questions, rights requests, or account deletion:

Email: privacy@ellytic.com | Controller: ELLYTIC Technologies UG (haftungsbeschränkt), Hamburg, Germany

Back to Home