
Datenschutzerklärung / Privacy Policy

This privacy policy explains how Cocoshede processes personal data and abstract business configuration data when business users create an AI adoption blueprint, unlock a paid report, request enterprise follow-up, or interact with the platform.

Last updated: 24 May 2026

01

Controller identification

The controller responsible for processing personal data in connection with the Cocoshede service is the Bonn-based operating entity identified in the Impressum. Until the final registered business details are completed, the responsible operating contact for privacy matters is the legal representative of the Cocoshede sole proprietorship / Gewerbe in Bonn, Germany.

Privacy contact: legal@cocoshede.com or the privacy contact form made available through the Cocoshede website.

02

Scope of data collected

Cocoshede collects only the data necessary to create a B2B workspace, generate an abstract AI adoption blueprint, process payment, provide the purchased report, and support enterprise follow-up where requested.

  • Professional contact details: name, corporate email address, and company name.
  • Commercial context: industry sector, headcount or scale tier, revenue tier where submitted, region, AI maturity, and strategic objective.
  • Categorical configuration tokens: selected data-footprint categories, systems-of-record categories, workflow-volume bands, current-effort bands, operational department categories, implementation appetite, security posture, and selected bottleneck labels.
  • Abstract operational descriptions: short free-text explanations of workflows or bottlenecks, subject to the instruction not to provide customer records, credentials, private keys, source code, internal documents, or personal data.
  • Payment and access metadata: payment confirmation status, workspace identifier, access token, generated blueprint identifier, report access events, feedback rating, and enterprise-demo request status.

03

Structural abstraction defense

Cocoshede operates on a structural abstraction model. The service is intentionally designed not to request direct database connections, file uploads, production network credentials, source-code repositories, customer records, employee files, raw documents, or internal personally identifiable information. Users are instructed to submit only abstract characteristics of their operating environment.

The intake wizard converts business reality into categorical configuration data such as hosting posture, data type classes, workflow volume bands, department categories, operational bottleneck labels, and security constraints. These inputs are used to generate strategy-grade architecture patterns, ROI assumptions, risk controls, and implementation roadmaps. They are not treated as a substitute for due diligence on actual systems.

Cocoshede does not use customer inputs to train proprietary foundation models, does not place customer inputs into a global vector database for reuse across customers, and does not intentionally retain sensitive operational records because such records are outside the permitted input model.

04

Legal basis for processing

  • Art. 6(1)(b) GDPR - contract performance: Processing required to create the workspace, generate the purchased blueprint, process the one-time payment, provide access to the dashboard, and deliver the downloadable executive report.
  • Art. 6(1)(f) GDPR - legitimate interests: Processing required to generate the initial free assessment, secure the service, prevent abuse, maintain audit logs, measure product quality, respond to B2B enquiries, and follow up with corporate leads who requested or initiated the service.
  • Art. 6(1)(c) GDPR - legal obligations: Processing required where Cocoshede must retain invoices, transaction records, tax documentation, or compliance records under applicable law.
  • Art. 6(1)(a) GDPR - consent: Processing used only where optional marketing cookies, optional newsletter sign-up, or other non-essential communications require explicit consent.

05

Sub-processors and third-party providers

Cocoshede uses specialized infrastructure providers to operate the service. Sub-processors are selected to support security, availability, data isolation, and B2B procurement expectations. The production deployment should be configured to use EU regions where available and contractually appropriate.

  • PostgreSQL cloud database infrastructure: Neon Postgres and/or Supabase Postgres depending on deployment configuration, used to store workspace metadata, generated blueprint payloads, payment-unlock state, audit events, report access events, and feedback records.
  • Payment processing: Stripe and/or Lemon Squeezy may process payment details, tax handling, fraud checks, invoices, and payment confirmation events. Cocoshede does not store full card numbers.
  • Enterprise-grade LLM API endpoints: structured AI model endpoints may process abstract configuration payloads to support blueprint generation. Cocoshede configures available data-isolation, zero-data-retention, and training opt-out settings where supported by the provider and account tier.
  • Hosting, security, and monitoring providers: infrastructure required to host the web application, serve static assets, protect endpoints, record errors, and maintain operational security.

06

Retention and deletion

Workspace and report records are retained for as long as reasonably necessary to provide customer access to the purchased digital artifact, maintain transaction evidence, support customer service, and comply with accounting or legal obligations. B2B lead records may be retained while there is a legitimate business relationship or follow-up interest.

Where a customer requests deletion, Cocoshede will erase or anonymize personal data unless retention is required for legal claims, tax, accounting, fraud prevention, or compliance obligations. Generated business artifacts may be deleted together with the workspace where legally permissible.

07

Data subject rights

Subject to the conditions of the GDPR, affected individuals may exercise the following rights by contacting the privacy contact listed above.

  • Art. 15 GDPR: right of access to personal data processed by Cocoshede.
  • Art. 16 GDPR: right to rectification of inaccurate or incomplete personal data.
  • Art. 17 GDPR: right to erasure / right to be forgotten where no overriding retention ground applies.
  • Art. 18 GDPR: right to restriction of processing.
  • Art. 20 GDPR: right to data portability for data provided by the data subject in a structured, commonly used, machine-readable format.
  • Art. 21 GDPR: right to object to processing based on legitimate interests, including objection to direct marketing.
  • Right to lodge a complaint with a competent supervisory authority, including the data protection supervisory authority responsible for the controller's German establishment.