Effective February 21, 2026
Privacy Policy
Privacy Policy pursuant to GDPR (DSGVO), BDSG & TTDSG
We take the protection of your personal data very seriously. This privacy policy explains how Audyr ("we", "us", "our") collects, processes, and uses personal data when you use our website at app.audyr.com (the "Platform"), our embeddable feedback widget (the "Widget"), and any related services (collectively, the "Service").
This policy complies with the General Data Protection Regulation (GDPR / DSGVO), the Bundesdatenschutzgesetz (BDSG), and the Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG).
1. Controller (Verantwortlicher)
The controller responsible for data processing on this website within the meaning of Art. 4(7) GDPR is:
3DOptikone (provider of Audyr)
Surick 187
46286 Dorsten, Germany
Email: hello@audyr.com
Phone: +49 0178 1423306
Data Protection Officer: Not applicable.
2. Overview of Data Processing
2.1 What Audyr Does
Audyr is an AI-powered user feedback platform. Our customers ("Customers") embed our Widget on their websites to collect feedback from their end users ("End Users"). We process this feedback using artificial intelligence to extract sentiment, topics, and actionable insights displayed in our dashboard.
2.2 Roles Under GDPR
Audyr as Data Controller: For data of our Customers (account registration, authentication, billing, usage of the dashboard).
Audyr as Data Processor: For End User data collected through the Widget on behalf of our Customers. The Customer is the Data Controller; Audyr processes data under a DPA (Art. 28 GDPR).
3. Data We Collect
3.1 Customer Account Data
| Data Category | Specific Data | Legal Basis |
|---|---|---|
| Registration data | Name, email address | Art. 6(1)(b) — contract |
| Authentication data | Session tokens, auth identifiers (via WorkOS) | Art. 6(1)(b) — contract |
| Billing data | Subscription plan, payment status (via Polar) | Art. 6(1)(b) — contract |
| Project configuration | Project names, widget settings, AI context, integrations | Art. 6(1)(b) — contract |
| Usage & analytics data | Dashboard interactions, feature usage, page views, session data | Art. 6(1)(f) — legitimate interest |
3.2 End User Data (Collected via Widget)
When End Users interact with the Audyr Widget embedded on a Customer's website, the following data may be collected:
| Data Category | Specific Data | Legal Basis |
|---|---|---|
| Feedback content | Text entered in the chat widget | Art. 6(1)(f) — legitimate interest |
| Conversation metadata | Conversation ID, session ID, timestamps | Art. 6(1)(f) — legitimate interest |
| Technical metadata | Page URL, user agent | Art. 6(1)(f) — legitimate interest |
| Approximate geolocation | Latitude and longitude derived from IP address (city-level accuracy) via server-side lookup; used for geographic feedback analysis | Art. 6(1)(f) — legitimate interest |
| Optional identifiers | Customer-provided user ID, email (if passed) | Art. 6(1)(f) — legitimate interest |
3.3 AI-Processed Data
Feedback is processed by OpenAI's API to generate sentiment analysis, topic extraction, canonical feedback grouping, priority scoring, and AI-generated summaries. OpenAI processes data as a sub-processor and does not use API data to train models.
AI outputs include:
- Sentiment analysis (positive / neutral / negative, score -1 to 1)
- Topic extraction and categorization
- Canonical feedback grouping (merging duplicate feedback)
- Priority scoring and AI-generated summaries and insights
3.4 Server Log Data
Our hosting provider (Vercel) automatically collects: IP address (anonymized), date/time, HTTP method, requested URL, status code, referrer, and user agent. Legal basis: Art. 6(1)(f) GDPR.
4. Cookies and Similar Technologies
4.1 Cookies on the Platform (app.audyr.com)
We use the following cookies in accordance with § 25 TTDSG and Art. 6(1) GDPR:
| Cookie / Technology | Purpose | Category | Duration |
|---|---|---|---|
| Session cookie (WorkOS AuthKit) | Authentication & session management | Strictly necessary | Session / 30 days |
| Convex client token | Real-time database connection | Strictly necessary | Session |
Strictly necessary cookies do not require consent under § 25(2) TTDSG. We do not use advertising cookies or tracking pixels.
4.2 The Audyr Widget
The Widget does not set cookies by default. It uses in-memory session state during a single page visit. If the Customer configures consent collection, consent status may be stored in localStorage.
5. Purpose and Legal Basis
| Purpose | Legal Basis | Details |
|---|---|---|
| Providing the Service | Art. 6(1)(b) | Account creation, auth, project management, dashboard |
| Processing feedback | Art. 6(1)(b) / 6(1)(f) | Collecting, storing, analyzing, displaying feedback |
| AI analysis | Art. 6(1)(f) | Sentiment, topics, deduplication via OpenAI |
| Billing & payments | Art. 6(1)(b) | Subscription management via Polar |
| Third-party integrations | Art. 6(1)(b) | Connecting feedback to tools like Linear |
| Geolocation (End Users) | Art. 6(1)(f) | Approximate location derived from IP for geographic feedback analysis |
| Security & abuse prevention | Art. 6(1)(f) | Rate limiting (Upstash Redis), monitoring, logging |
| Legal obligations | Art. 6(1)(c) | Tax records, regulatory compliance |
6. Third-Party Service Providers (Sub-Processors)
Each provider processes data on our behalf under a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Convex, Inc. | Backend database, real-time sync, serverless functions | All application data (accounts, projects, feedback, conversations, analyses) | USA |
| WorkOS, Inc. | Authentication, SSO, user management | Email, name, auth tokens, session data | USA |
| OpenAI, L.L.C. | AI feedback analysis (sentiment, topics, summaries) | Feedback text, AI context (no direct PII sent) | USA |
| Vercel, Inc. | Hosting, edge functions, blob storage, CDN | Server logs, IP addresses, request metadata, uploads | USA / Global Edge |
| Upstash, Inc. | Rate limiting, caching (Redis) | IP addresses, request counts, temp session data | USA / EU (Frankfurt) |
| Polar Software, Inc. | Subscription billing & payment processing | Subscription plan, payment status, customer IDs | USA / EU |
| Linear, Inc. | Issue tracking integration (optional) | Feedback titles, summaries, issue metadata | USA |
7. International Data Transfers
Several sub-processors are in the USA. Transfers outside the EEA are protected by:
EU-US Data Privacy Framework (DPF): Where providers are DPF-certified (adequacy decision by the European Commission, July 10, 2023), this serves as the legal basis under Art. 45 GDPR.
Standard Contractual Clauses (SCCs): Where DPF does not apply, we rely on EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
Supplementary Measures: Where necessary, additional technical and organizational measures (encryption in transit/at rest, pseudonymization) ensure adequate protection.
You may request a copy of safeguards at hello@audyr.com.
8. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Customer account data | Duration of contract + 30 days after deletion request | Art. 6(1)(b) |
| Feedback & conversations | Duration of subscription; deleted on account closure or request | Art. 6(1)(b) / (f) |
| AI analysis results | Same as feedback (derived; deleted with source) | Art. 6(1)(f) |
| Server logs | Up to 30 days (Vercel) | Art. 6(1)(f) |
| Billing records | 10 years after fiscal year end (§ 147 AO, § 257 HGB) | Art. 6(1)(c) |
| Rate limiting data (Upstash) | Temporary; auto-expires within minutes to hours | Art. 6(1)(f) |
9. Your Rights Under GDPR
Contact us at hello@audyr.com to exercise any of these rights:
- Art. 15 — Access: Obtain confirmation and a copy of your data
- Art. 16 — Rectification: Correct inaccurate or incomplete data
- Art. 17 — Erasure: Request deletion where no compelling reason exists for continued processing
- Art. 18 — Restriction: Restrict processing in certain circumstances
- Art. 20 — Portability: Receive data in structured, machine-readable format
- Art. 21 — Object: Object to processing based on legitimate interests at any time
- Art. 7(3) — Withdraw consent: Withdraw consent without affecting prior lawfulness
- Art. 77 — Complaint: Lodge a complaint with a supervisory authority (Aufsichtsbehörde)
10. Automated Decision-Making
Our AI analysis features (sentiment analysis, topic extraction, feedback deduplication, priority scoring) constitute automated processing. However, these features:
- Do not produce legal effects concerning End Users or similarly significantly affect them
- Are used solely to help Customers understand and organize feedback
- Do not make automated decisions about individuals
Art. 22 GDPR (automated individual decision-making) does not apply. Customers retain full control over how AI insights are used.
11. Data Security
We implement appropriate technical and organizational measures pursuant to Art. 32 GDPR:
- Encryption in transit: All data transmitted over HTTPS/TLS between clients, servers, and third parties.
- Encryption at rest: Database storage on Convex and Vercel Blob uses encryption at rest.
- Authentication security: WorkOS AuthKit with industry-standard JWT tokens and RS256 signing.
- Access control: Role-based access control (admin/member) enforced at project level.
- Rate limiting: API endpoints protected by Upstash Redis-based rate limiting.
- Domain restrictions: Widget can be restricted to specific allowed domains.
12. Information for End Users
If you arrived here from the Audyr feedback widget, please see the End User summary below for a plain-language explanation of what data is collected, how it is used, and how to exercise your rights.
In summary: the website operator who embedded the Audyr Widget is the Data Controller for your feedback. Audyr acts as Data Processor on their behalf under Art. 28 GDPR. To exercise your GDPR rights, contact the website operator. You may also contact us at hello@audyr.com and we will forward your request to the relevant Customer.
13. Data Processing Agreement (DPA)
Customers who use Audyr to collect End User feedback act as Data Controllers. We offer a DPA (Auftragsverarbeitungsvertrag) per Art. 28 GDPR covering:
- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data and categories of data subjects
- Obligations and rights of the controller
- Sub-processor list and notification procedures
- Technical and organizational measures (Art. 32 GDPR)
- Obligations upon termination (data return/deletion)
Request a DPA at hello@audyr.com.
14. Children's Privacy
Our Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact hello@audyr.com and we will delete it promptly.
15. Changes to This Policy
We may update this policy from time to time. Material changes will be notified via email or through the Platform. The effective date at the top indicates the last revision. We encourage periodic review.
16. Contact
3DOptikone (provider of Audyr)
Surick 187
46286 Dorsten, Germany
Email: hello@audyr.com
Phone: +49 0178 1423306
For Widget Users: What Happens With Your Data
You interacted with the Audyr feedback widget on a third-party website. Below is a plain-language summary of what data is collected, how it is used, and what your rights are.
Who is responsible for your data?
The website where you left feedback is the Data Controller — they decide why and how your data is collected. Audyr is the Data Processor: we process your feedback on their behalf, under a formal Data Processing Agreement (Art. 28 GDPR). To exercise your privacy rights (access, deletion, etc.), contact the website operator first. You can also reach us at hello@audyr.com and we will forward your request.
What data is collected when you use the widget?
- Your feedback text — the messages you type into the chat widget
- Conversation metadata — a random conversation ID and timestamps so messages are grouped together
- Technical metadata — the page URL you were on and your browser type (user agent)
- Approximate geolocation — your approximate geographic location (latitude and longitude) is derived from your IP address via a server-side lookup. This is used to help the website operator understand where feedback originates geographically. We do not use GPS, Bluetooth, or precise device location — only an IP-based approximation (typically accurate to city level).
- Optional identifiers — if the website operator passes your user ID or email to the widget, those are also stored
How is your data used?
- Your feedback text is analyzed by artificial intelligence (OpenAI) to detect sentiment (positive / neutral / negative), extract topics, and group similar feedback together
- The website operator sees your feedback and AI-generated summaries in their Audyr dashboard to improve their product
- Your approximate location is displayed to the website operator on an aggregated geographic map to understand regional feedback patterns
- OpenAI processes your text as a sub-processor — OpenAI does not use your data to train its AI models
Cookies and tracking
The Audyr widget does not set cookies. It uses temporary in-memory session state that is cleared when you leave the page. We do not use advertising trackers or fingerprinting within the widget.
Where is your data stored?
Your feedback is stored on servers operated by Convex, Inc. (USA). Transfers to the USA are protected by the EU-US Data Privacy Framework and/or EU Standard Contractual Clauses. All data is encrypted in transit (HTTPS/TLS) and at rest. See Section 7 for details.
How long is your data kept?
Your feedback is retained for as long as the website operator maintains their Audyr subscription. When they close their account or request deletion, your feedback is permanently deleted within 30 days.
Your rights under GDPR
You have the right to access, correct, delete, or restrict the processing of your data, and to object to processing. Contact the website operator to exercise these rights. If you cannot reach them, email hello@audyr.com and we will help. You also have the right to lodge a complaint with a data protection supervisory authority (Aufsichtsbehörde).