Privacy Policy
Introduction
With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and particularly on our websites.
Controller
Wunner Software
Thomas Wunner
Am Fichtenhain 6
95463 Bindlach, Germany
Email: acc@wunner-software.de
Overview of Processing
The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.
Types of Data Processed
- Account data (e.g. name, email address)
- Content data (e.g. notes, flashcards, tasks, media files)
- Usage data (e.g. pages visited, access times)
- Meta/communication data (e.g. device information, IP addresses)
- Payment data (e.g. for Premium subscriptions via Mollie)
Categories of Data Subjects
- Users (e.g. registered users, website visitors)
Legal Bases
Below we set out the legal bases under the General Data Protection Regulation (GDPR) on which we process personal data.
- Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for a specific purpose.
- Contract Performance (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract or pre-contractual measures.
- Legitimate Interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller.
Registration and User Account
Users can create an account. During registration, the required information (first name, last name, email address, password) is communicated to users and processed for the purpose of providing the user account on the basis of contractual obligation (Art. 6(1)(b) GDPR).
The data entered during registration and all content (notes, flashcards, tasks, tags, media files) are stored on servers in Germany. Passwords are stored exclusively as cryptographic hashes.
Users can delete their account at any time. All personal data and content will be irrevocably deleted.
Social Login (OAuth)
We offer the option to register and log in via third-party accounts (e.g. Google, GitHub). Only the data shared by the third-party provider (name, email address, profile picture) is transferred. We do not gain access to your password with the third-party provider. The legal basis is Art. 6(1)(b) GDPR (contract performance).
Payment Processing
For Premium subscriptions, we use Mollie B.V. (Keizersgracht 126, 1015 CW Amsterdam, Netherlands) as our payment service provider. During a payment process, the required payment data is transmitted directly to Mollie. We do not store complete payment data ourselves, only the Mollie customer and subscription ID. For more information, please visit mollie.com/privacy.
Provision of Online Services and Web Hosting
To provide our online services securely and efficiently, we use the services of web hosting providers. When accessing our web pages, the following information is automatically stored in server log files:
- IP address of the accessing device
- Date and time of access
- Browser type and version, operating system
- Requested URL and referrer URL
- Amount of data transferred and HTTP status code
The IP address constitutes personal data within the meaning of the GDPR. The processing of this data is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring IT security, detecting and preventing attacks, and maintaining stable server operations. Server log files are automatically deleted after 14 days.
Two-Factor Authentication
We offer the option to secure your user account with two-factor authentication (TOTP or FIDO2/Passkeys). The generated keys and device data are stored exclusively on our servers and are not shared with third parties.
Rights of Data Subjects
As a data subject, you have various rights under the GDPR:
- Right to Object: You have the right to object at any time to the processing of your personal data.
- Right to Withdraw Consent: You have the right to withdraw any consent you have given at any time.
- Right of Access: You have the right to request confirmation as to whether data concerning you is being processed.
- Right to Rectification: You have the right to request the correction of inaccurate data concerning you.
- Right to Erasure: You have the right to request the deletion of data concerning you.
- Right to Restriction of Processing: You have the right to request restriction of processing of your data.
- Right to Data Portability: You have the right to receive data concerning you in a transferable format.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority.
MCP API Logging
For users who access Brainsparkle via the MCP interface (Model Context Protocol), we log API requests for security purposes. The following data is recorded:
- API method and invoked tool name
- Request and response content
- IP address of the accessing device
- HTTP status code
- Timestamp of the request
- Associated API client and user account
The legal basis for this processing is our legitimate interest in ensuring IT security and detecting misuse pursuant to Art. 6(1)(f) GDPR. Audit log data is automatically deleted after 90 days.
Changes to this Privacy Policy
Please review the content of our privacy policy regularly. We update the privacy policy as soon as changes in data processing make this necessary.
Last updated: June 2026
Source: eRecht24