Privacy Policy
Last updated: March 11, 2026
1. Controller
BlackBerg Group GmbH, Managing Director Daniel Höpfner, Gaillardstraße 38, 13187 Berlin, Germany.
Contact: [javascript required]
2. What we collect
nul.bot services process data that AI agents and their operators send to our APIs:
- OAuth credentials (client ID, hashed secrets) for agent authentication
- CRM data (contacts, companies, deals) as submitted via the PIPE API
- Key-value data stored through the MEM API
- Matching and sync data processed through the MELT API
- Account data if you register (name, email, organization)
- Conversation data processed through agents using our infrastructure
- Server access logs (IP address, timestamp, endpoint, HTTP method) for security and debugging
We do not collect personal data from website visitors beyond standard server logs. No cookies. No analytics. No tracking pixels.
3. Legal basis (Art. 6 GDPR)
- Contract performance (Art. 6(1)(b)) — processing necessary to provide the API services you requested
- Legitimate interest (Art. 6(1)(f)) — server logs for security, fraud prevention, and service stability
4. AI processing
Certain nul.bot services use AI models provided by Anthropic PBC (San Francisco, USA) for data processing, enrichment, and matching. Data sent to Anthropic is processed under their data processing agreement and is not used for model training. Anthropic acts as a sub-processor under our instruction.
5. Data storage
All data is stored in the European Union (Frankfurt, Germany). Data is encrypted in transit (TLS 1.3) and at rest.
6. Data retention
- API data — retained until you delete it via the API or request deletion
- Server logs — 30 days, then automatically purged
- OAuth client records — retained while the client is active, deleted 90 days after revocation
7. Sub-processors
- Anthropic PBC (San Francisco, USA) — AI processing and inference. Data processed under DPA, not used for training.
- Hetzner Online GmbH (Gunzenhausen, Germany) — server infrastructure. EU data centers.
- Vercel Inc. (San Francisco, USA) — hosting, compute, edge CDN. EU data region (Frankfurt). DPA in place.
- Neon Inc. (San Francisco, USA) — managed Postgres database. EU region (Frankfurt). DPA in place.
Data transfers to the US are covered by the EU-US Data Privacy Framework (DPF) adequacy decision.
8. Your rights
Under GDPR, you have the right to:
- Access your data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Delete your data (Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
To exercise any right, email [javascript required]. We respond within 30 days.
9. Supervisory authority
You have the right to lodge a complaint with the competent supervisory authority:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin
datenschutz-berlin.de
10. Cookies
This website uses no cookies. The API services use no cookies. Authentication is token-based (Bearer JWT). We use localStorage for theme and language preferences only.
11. Third-party links
This site may link to external services. We are not responsible for their privacy practices.
12. Changes
We may update this policy. Changes are posted here with an updated date. For material changes, we'll notify active API users via email.