App Privacy Policy

Privacy information for the use of the Aldric platform according to Art. 13/14 GDPR

Version 1.0 — As of: March 2026

This privacy policy applies to the use of the Aldric SaaS platform (application). For the website aldric.app, please refer to the Website Privacy Policy.

1. Data Controller

CONPORT Services GmbH
Alte Benninghofer Str. 24
44263 Dortmund, Germany
Managing Director: Benjamin Schowe
Email: datenschutz@conport.services

Note on data processing: Insofar as you use the Aldric platform as a customer, CONPORT Services GmbH processes personal data on your behalf (data processing pursuant to Art. 28 GDPR). Details are governed by the Data Processing Agreement (DPA). The following information relates to processing for which CONPORT Services GmbH is the controller.

2. Data Protection Officer

An external Data Protection Officer is currently being appointed. Contact details will be published here once appointed.
In the meantime, please contact: datenschutz@conport.services

3. Overview of Processing Activities

3.1 User Account and Authentication

Processed Data: Email address, name, password (hashed), organization assignment (tenant membership), roles and permissions, time of registration and last login.
Purpose: Provision of the user account, authentication via Keycloak (OpenID Connect/JWT), role-based access control (RBAC).
Legal Basis: Art. 6 (1) (b) GDPR (performance of contract).
Storage Duration: For the duration of the contractual relationship. After contract termination, account data is deleted within 30 days, unless statutory retention obligations apply.

3.2 Use of Platform Modules

Processed Data: All data you enter in the compliance modules (e.g., records of processing activities, DPIA assessments, contracts, training data, policies, deletion concepts). This data may contain personal data of third parties.
Purpose: Provision of the contractually agreed compliance management functions.
Legal Basis: Art. 6 (1) (b) GDPR (performance of contract) for your usage data; Art. 28 GDPR (data processing) for personal data of third parties that you enter into the platform.
Storage Duration: For the duration of the contractual relationship. After contract termination, you receive an export option (30 days), after which all tenant data is deleted (90-day backup rotation).

3.3 Audit Log and Logging

Processed Data: User ID, timestamp, action performed, affected resource, IP address, organization assignment.
Purpose: Traceability of changes for compliance requirements, detection of unauthorized access, support during audits.
Legal Basis: Art. 6 (1) (f) GDPR (legitimate interest in security and traceability) and Art. 6 (1) (c) GDPR (legal obligation, insofar as logging is legally required).
Storage Duration: Audit logs are retained for the duration of the contractual relationship, but for at least 12 months. Technical server logs are deleted after 30 days.

3.4 Payment Processing

Processed Data: Billing address, payment method (processed directly by Stripe — we do not store credit card data), invoice history.
Purpose: Processing of subscription payments.
Legal Basis: Art. 6 (1) (b) GDPR (performance of contract).
Storage Duration: Invoice data is retained for 10 years in accordance with tax retention requirements (Section 147 AO, Section 257 HGB under German law).

3.5 Transactional Emails

Processed Data: Email address, name, notification content.
Purpose: Sending system notifications (e.g., password reset, invitations, task reminders, deadline warnings).
Legal Basis: Art. 6 (1) (b) GDPR (performance of contract).
Storage Duration: Email dispatch logs are deleted after 30 days.

3.6 File Uploads and Document Storage

Processed Data: Uploaded files (contracts, evidence, documents), file name, file type, upload timestamp, uploading user.
Purpose: Storage of compliance-relevant documents within the platform usage.
Legal Basis: Art. 6 (1) (b) GDPR (performance of contract).
Storage Location: S3-compatible object storage (MinIO).
Storage Duration: For the duration of the contractual relationship. Export and deletion according to contract termination provisions.

4. Technical and Organizational Measures

We implement comprehensive technical and organizational measures to protect your data:

  • Encryption: TLS 1.2+ for all data transmissions, encryption of data at rest in the database and object storage
  • Access Control: Role-based access control (RBAC) at module, function, and record level
  • Tenant Isolation: Strict technical data separation at the database level — no tenant can access another tenant's data
  • Authentication: Industry-standard OpenID Connect with token-based authentication, optional two-factor authentication
  • Audit Trail: Complete logging of all security-relevant actions
  • Backups: Regular automated backups with 90-day rotation

Detailed technical and organizational measures are described in Annex 1 of the Data Processing Agreement (DPA).

5. Recipients and Data Processors

Service ProviderPurposeLocation
Stripe, Inc. (USA)Payment processingEU/USA (EU-US Data Privacy Framework)
Hosting provider — to be addedPlatform hosting and infrastructureto be added
Email service provider — to be addedTransactional emailsto be added

The complete and current list of data processors can be found in our Data Processing Agreement (DPA), Annex 2.

6. Data Transfers to Third Countries

Personal data is only transferred to third countries insofar as this is necessary for the performance of the contract or an adequate level of data protection is ensured.

USA (Stripe): Stripe, Inc. is certified under the EU-US Data Privacy Framework (DPF). The European Commission adopted the adequacy decision for the EU-US DPF on July 10, 2023 (Art. 45 GDPR). Additionally, Standard Contractual Clauses (Art. 46 (2) (c) GDPR) are in place as supplementary safeguards.

7. Rights of the Data Subject

Under the GDPR, you have the following rights:

  • Right of Access (Art. 15 GDPR): You have the right to obtain information about your stored personal data.
  • Right to Rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
  • Right to Erasure (Art. 17 GDPR): You may request the deletion of your data, provided no statutory retention obligations apply.
  • Right to Restriction of Processing (Art. 18 GDPR): You may request the restriction of processing.
  • Right to Data Portability (Art. 20 GDPR): You have the right to receive your data in a machine-readable format. The Aldric platform provides an integrated export function for this purpose.
  • Right to Object (Art. 21 GDPR): You may object to the processing of your data at any time.
  • Right to Withdraw Consent (Art. 7 (3) GDPR): You may withdraw any given consent at any time.

To exercise your rights, please contact: datenschutz@conport.services

8. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. The competent supervisory authority for us is:

Landesbeauftragte fuer Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia
Postfach 20 04 44
40102 Duesseldorf, Germany
Phone: +49 (0) 211 38424-0
Email: poststelle@ldi.nrw.de
Website: www.ldi.nrw.de

If you are located in another EU/EEA member state, you may also lodge a complaint with the supervisory authority in your country of residence, place of work, or the place of the alleged infringement (Art. 77 GDPR).

9. Currency and Changes to this Privacy Policy

This privacy policy is currently valid as of March 2026.

Due to the further development of our platform and offerings or due to changed legal or regulatory requirements, it may become necessary to amend this privacy policy. The current version is always available via the platform and our website.