Privacy Policy
1. Privacy at a Glance
General Information
The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally. For detailed information on data protection, please refer to our privacy policy listed below.
Data Collection on This Website
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find their contact details in the "Information on the Responsible Party" section of this privacy policy.
How do we collect your data?
Some of your data is collected when you provide it to us. This may include data you enter in a contact form.
Other data is collected automatically or with your consent when you visit the website by our IT systems. This mainly includes technical data (e.g. internet browser, operating system or time of page view). This data is collected automatically as soon as you enter this website.
What do we use your data for?
Some of the data is collected to ensure the website is provided without errors. Other data may be used to analyze your user behavior.
2. Hosting
We host the content of our website independently:
Self-Hosting (Own Hosting)
We host our website on our own servers (self-hosting). The personal data collected on this website (such as IP addresses, meta and communication data, or website access) is processed and stored on our own IT systems in Germany. There is no transfer of this basic traffic data to external web hosting providers.
The processing of this data is based on our legitimate interest (Art. 6 para. 1 lit. f DSGVO) in the secure, independent and efficient provision of our website.
Content Delivery Network (Cloudflare)
This website uses the Content Delivery Network (CDN) of Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. Cloudflare provides a globally distributed DNS and CDN network with DDoS protection. All traffic between your browser and our website is routed through Cloudflare's servers. In the process, Cloudflare may analyze your IP address, security and performance data, and browser metadata to detect and prevent threats. Cloudflare is certified under the EU-US Data Privacy Framework (DPF). In addition, we have agreed to the EU Commission's Standard Contractual Clauses as the basis for data transfer to the USA. The use of Cloudflare is based on our legitimate interest in a secure and efficient provision of our website (Art. 6 para. 1 lit. f GDPR). For more information, please refer to Cloudflare's privacy policy: https://www.cloudflare.com/privacypolicy/.
3. General Information and Mandatory Information
Data Protection
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.
Information on the Responsible Party
The responsible party for data processing on this website is:
Andreas Lippold (Sole Proprietorship)
voranai
Ottenhofen 32
91613 Marktbergel
Germany
The responsible party is the natural or legal person who alone or jointly with others decides on the purposes and means of processing personal data (e.g. names, email addresses, etc.).
Storage Duration
Unless a more specific storage period has been specified in this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a legitimate request for deletion or revoke consent for data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g. tax or commercial retention periods); in the latter case, deletion will occur after these reasons no longer apply.
Revocation of Your Consent to Data Processing
Many data processing operations are only possible with your express consent. You can revoke consent you have already given at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
Your Rights as a Data Subject
Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipients, and the purpose of data processing (Art. 15 GDPR), as well as a right to rectification (Art. 16 GDPR), blocking or deletion (Art. 17 GDPR) of this data. Furthermore, you have the right to restriction of processing (Art. 18 GDPR), the right to data portability (Art. 20 GDPR) and a right to object to processing (Art. 21 GDPR). In addition, in the event of data protection violations, you have a right of complaint to the competent supervisory authority (Art. 77 GDPR). For this purpose, you can contact the state data protection officer of the federal state in which you have your residence or our company is based.
4. Data Collection on This Website
Cookies
Our website uses so-called 'cookies' and similar storage technologies (e.g., local storage). Cookies are small data packets and do not harm your device. They are stored on your device either temporarily for the duration of a session (session cookies) or permanently (persistent cookies). Session cookies are automatically deleted after you close your browser. Persistent cookies remain stored on your device until you delete them yourself or until they are automatically deleted by your web browser.
The storage of cookies that are necessary for the electronic communication process or to provide certain functions you have requested is based on Art. 6 Abs. 1 lit. f DSGVO.
Technically Necessary Session Cookies
We use a technically necessary session cookie (name: "session") on our website. This cookie serves exclusively to maintain the current status of your visit, to securely manage session data and to provide basic security functions. This cookie is automatically deleted after the end of your visit or when you close your browser. The storage of this cookie is based on Art. 6 Abs. 1 lit. f DSGVO and § 25 Abs. 2 TDDDG (formerly TTDSG), as the cookie is strictly necessary for the secure and error-free provision of the website you have accessed.
Cookie Consent Records
When you accept or save your cookie preferences, we store a timestamped consent record as an HttpOnly cookie (name: voranai_consent) in your browser. This record serves as proof of consent pursuant to Art. 7 para. 1 GDPR and is automatically deleted after 1 year. No personal data beyond the timestamp and consent version is stored in this record. The legal basis is Art. 6 para. 1 lit. c GDPR (compliance with a legal obligation).
Protection Against Abuse and Overload (Rate Limiting)
To protect our website, server infrastructure and forms from overload, spam and automated attacks (so-called brute-force attacks), we use a rate limiting system (Flask-Limiter). Your IP address is temporarily processed in the server's working memory to limit the number of requests per IP address within a certain period and to temporarily block requests if the limit is exceeded. These IP addresses are not permanently stored in databases and are automatically discarded from volatile memory after the respective blocking period expires. Processing is based on our legitimate interest (Art. 6 Abs. 1 lit. f DSGVO) in ensuring the security, integrity and constant availability of our online service.
Contact Form
If you send us inquiries via the contact form, your information from the inquiry form, including the contact details you provided there, will be stored by us for the purpose of processing the inquiry and in case of follow-up questions. We will not pass on this data without your consent.
The processing of this data is based on Art. 6 Abs. 1 lit. b DSGVO if your inquiry is related to the fulfillment of a contract or is necessary for pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of inquiries addressed to us (Art. 6 Abs. 1 lit. f DSGVO) or on your consent (Art. 6 Abs. 1 lit. a DSGVO) if this was requested.
Mandatory legal provisions – in particular retention periods under the German Commercial Code (HGB) or the Tax Code (AO), which generally require business correspondence to be kept for 6 to 10 years – remain unaffected.
Retention Period for Contact Inquiries
Inquiries submitted via the contact form that are not related to an ongoing contractual or commercial relationship are deleted after 2 years at the latest from the date the matter is conclusively resolved. If the inquiry leads to a contractual relationship or constitutes commercial correspondence in the sense of the HGB/AO, the statutory retention periods of 6 to 10 years apply instead.
E-Mail Communication (Cloudflare and Google Mail)
When you contact us by email (e.g., to info@voran-ai.com), we use Cloudflare (Cloudflare, Inc., USA) for domain management and email routing. The emails are forwarded from there to our email account at Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) and stored there. Your email address and the content of your message are processed on the servers of these providers. Data transmission to the USA is based on the Standard Contractual Clauses of the EU Commission and the EU-US Data Privacy Framework (DPF). Processing is based on our legitimate interest in reliable and secure communication (Art. 6 para. 1 lit. f GDPR / Art. 6 para. 1 lit. b GDPR for contract initiation and fulfillment).
Appointment Bookings (Calendar Integration)
To arrange and manage appointments via our website, we use two calendar systems: (1) To display available time slots, the website reads existing appointments from our Apple iCloud calendars (Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland) in read-only mode. No personal data is transmitted to Apple in this process. (2) When you book an appointment, the data you enter (e.g., name, email address, company, booking time) is stored in our self-hosted Nextcloud calendar on our own servers in Germany. There is no transfer of this booking data to third parties. Processing is carried out to fulfill a contract or to carry out pre-contractual measures (Art. 6 para. 1 lit. b GDPR).
Retention Period for Appointment Bookings
Appointment data (e.g., name, email, company, booking time) stored in our self-hosted Nextcloud calendar is retained for 2 years after the appointment date, unless a longer statutory retention obligation applies (e.g., commercial correspondence: 6 years under § 257 HGB).
E-Mail Delivery Service (Brevo)
For sending emails from our contact and booking forms, we use the service Brevo (Sendinblue GmbH, Koepenicker Str. 126, 10179 Berlin, Germany) as our email delivery provider. When you submit a form on our website, the data you enter (e.g., name, email address, message, attachments) is transmitted via Brevo's SMTP servers for delivery. A data processing agreement (DPA) has been concluded with Brevo in accordance with Art. 28 GDPR. Brevo processes the data exclusively on our behalf and in accordance with our instructions. Processing is based on our legitimate interest in reliable and secure email communication (Art. 6 para. 1 lit. f GDPR) and, where applicable, for the fulfillment of a contract or pre-contractual measures (Art. 6 para. 1 lit. b GDPR). Further information can be found in Brevo's privacy policy at https://www.brevo.com/legal/privacypolicy/.
6. AI Voice Demo
Vapi (AI Telephony Platform)
For the interactive voice demo on this website, we use the service Vapi (Vapi AI Inc., USA). When you use the live demo, a WebRTC voice connection is established via Vapi's infrastructure. In doing so, your audio data (microphone input) is transmitted and processed in real time. Vapi processes the data exclusively on our behalf and according to our instructions (Art. 28 GDPR). Data transmission to the USA is based on the EU Standard Contractual Clauses. Processing is based on your consent (Art. 6 para. 1 lit. a GDPR), which you grant by actively starting the voice demo. For more information, please refer to Vapi's privacy policy at https://vapi.ai/privacy.
Daily.co (WebRTC Transport Layer)
The Vapi SDK uses Daily.co (Daily.co, Inc., 330 Townsend St., Suite 236, San Francisco, CA 94107, USA) as the technical transport layer for WebRTC audio transmission. When establishing a voice connection, connection metadata (e.g. IP address, connection parameters) is transmitted to Daily.co's servers. Processing takes place within the order processing by Vapi. Data transmission to the USA is based on the EU Standard Contractual Clauses. For more information, please refer to Daily.co's privacy policy at https://www.daily.co/privacy.
Sentry (Error Telemetry)
The embedded Vapi SDK includes an error monitoring component from Sentry (Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA). In the event of technical errors during the voice demo, error data (e.g. error type, stack trace, browser version) may be automatically transmitted to Sentry's servers. No personal content data (such as your speech input) is transmitted to Sentry. Processing is based on our legitimate interest in the technical quality assurance of our services (Art. 6 para. 1 lit. f GDPR). Data transmission to the USA is based on the EU Standard Contractual Clauses. For more information, please refer to Sentry's privacy policy at https://sentry.io/privacy/.
Demo Usage Data (Call Counter)
To prevent misuse of the voice demo, we store a per-account call counter (username and number of calls made) in our database. This data is used solely to enforce the demo usage limit. The legal basis is our legitimate interest in preventing abuse (Art. 6 para. 1 lit. f GDPR). Demo usage records are automatically deleted after 12 months of inactivity (Art. 5 para. 1 lit. e GDPR – storage limitation).
Source: e-recht24.de