Last updated: 2026-06-14
How ProofAware collects, uses, and protects personal data. EU-hosted and DSGVO-aligned. A German-language Datenschutz notice is also available.
TODO (LEGAL): This Privacy Policy is a placeholder drafted for Paddle onboarding and domain verification. It must be reviewed and approved by qualified legal counsel (and aligned with the German Datenschutz notice) before the public production launch.
This is the English-language Privacy Policy for ProofAware. A German-language Datenschutz notice is also available at /datenschutz.
TODO (LEGAL): Add the data controller's legal entity, postal address, and a privacy / data-protection contact (and DPO, if one is appointed). This must match the Impressum.
This policy covers personal data we process through the ProofAware website (proofaware.com), the managed EU Cloud service, and our sales and support communications. The self-hosted Community Edition is operated by you on your own infrastructure; for that deployment, you are the controller.
We process: (a) contact and account data you provide (such as name, email, company, Workspace details); (b) content you submit to the Service, including training assignments and completion records; (c) communications such as demo or support requests; and (d) technical data such as logs and limited usage information needed to operate and secure the Service.
TODO (LEGAL): Confirm the exact data categories collected by the app and website once finalized.
We process personal data to provide and secure the Service, to respond to your requests, to manage subscriptions and billing, and to comply with legal obligations. Depending on the activity, the legal basis under the GDPR is performance of a contract (Art. 6(1)(b)), our legitimate interests (Art. 6(1)(f)), consent (Art. 6(1)(a)), or a legal obligation (Art. 6(1)(c)).
Paid subscriptions and licences are sold and processed by Paddle.com Market Limited ("Paddle"), which acts as the Merchant of Record. When you make a purchase, you provide your payment and billing details directly to Paddle, which processes the payment, issues the invoice, and handles tax. ProofAware does not receive or store full payment card details. Paddle processes this data as an independent controller under its own privacy policy.
TODO (LEGAL): Confirm the correct Paddle entity, link to Paddle's privacy policy, and confirm the controller / processor relationship for payment data.
The managed Cloud is hosted in the EU with data residency in the EU. We use a limited number of service providers (sub-processors) to operate the Service - for example hosting, email delivery, payments (Paddle), and privacy-friendly analytics (PostHog, EU Cloud).
TODO (LEGAL): Add the actual hosting provider, processing locations, sub-processor list, and any data transfers outside the EU/EEA with their safeguards (e.g. Standard Contractual Clauses).
We use PostHog for privacy-friendly website analytics on proofaware.com. We collect only aggregate, non-identifying usage data - such as page views and clicks on calls-to-action - to understand traffic sources and improve the site. PostHog runs on EU Cloud (data processed in the EU) and acts as our processor under a data processing agreement.
Our analytics is cookieless and stores nothing on your device (PostHog is configured with in-memory persistence, with autocapture and session recording disabled). Because no information is stored on or read from your device, the consent requirement (Art. 5(3) ePrivacy Directive / Section 25 TDDDG) does not apply and no cookie banner is shown. We do not capture personal data or identify visitors, and IP addresses are discarded. The legal basis is our legitimate interest (Art. 6(1)(f) GDPR) in measuring and improving the site.
TODO (LEGAL): Confirm PostHog's EU entity, link its privacy policy and DPA, and add the analytics retention period.
We keep personal data only as long as necessary for the purposes described here or as required by law, after which it is deleted or anonymized.
TODO (NUMBERS): Add concrete retention periods for accounts, completion records, logs, and billing records.
Under the GDPR you may have rights to access, rectification, erasure, restriction, data portability, and objection, and to withdraw consent at any time. You also have the right to lodge a complaint with a competent supervisory authority. To exercise your rights, contact us at the address below.
Where we process personal data on behalf of a business customer (for example, your employees' training records in the Cloud), we act as a processor and the customer is the controller.
TODO (LEGAL): Reference and link to the Data Processing Agreement (DPA) offered to Cloud customers.
We may update this Privacy Policy from time to time. The "last updated" date above reflects the latest version.
Privacy enquiries: hello@proofaware.com
TODO (LEGAL): Replace with the dedicated privacy contact address once confirmed.