Privacy Policy
Last updated: May 2026
With this Privacy Policy we inform you in accordance with Art. 13 and Art. 14 of Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), the German Federal Data Protection Act (BDSG) and the German Digital Services Act (DDG) about how we process personal data when you use our website uiweaver.io and the related services.
1. Data controller
The controller within the meaning of Art. 4 No. 7 GDPR is:
DexterBee GmbH
Industriestraße 13
63755 Alzenau
Germany
Managing Director: Stephan Dongjin Oh
Commercial register: Amtsgericht Aschaffenburg, HRB 17694
VAT ID: DE369096037
Email: privacy@uiweaver.io
See also: Legal notice.
2. Data protection officer
A statutory obligation to appoint a Data Protection Officer under Art. 37 GDPR in conjunction with § 38 BDSG does not currently apply, as our core activities consist neither of large-scale regular and systematic monitoring of data subjects nor of large-scale processing of special categories of personal data. For any data protection inquiry please contact privacy@uiweaver.io.
3. Categories of data processed
3.1 Data you provide
- Email address — when you use the AI Assembler, request a preview, or contact us.
- Business URL and business information — when you request a website audit or describe your business.
- AI chat input — the textual description of your business that you submit to our AI assistant.
- Configuration data — design preferences, section choices, layout settings during the AI consultation.
- Payment data — processed exclusively by Stripe; we never store full card numbers.
3.2 Data collected automatically
- IP address — hashed within 24 hours; used only for regional delivery and abuse prevention.
- Usage data — pages visited, time on site, referrer (only with consent).
- Cookies and similar technologies — see Cookie Policy.
4. Legal bases for processing
| Purpose | Legal basis |
|---|---|
| Providing the service (AI Assembler, preview, delivery) | Art. 6(1)(b) GDPR (contract performance / pre-contractual measures) |
| Sending transactional emails (receipts, delivery) | Art. 6(1)(b) GDPR |
| Analytics (Google Analytics 4) | Art. 6(1)(a) GDPR in conjunction with § 25(1) TTDSG (consent) |
| Marketing emails (newsletter) | Art. 6(1)(a) GDPR (consent) |
| B2B outreach (Renewal Protocol — sending design previews) | Art. 6(1)(f) GDPR (legitimate interest, documented via a balancing test) |
| Fraud prevention and IT security | Art. 6(1)(f) GDPR |
| Compliance with retention obligations | Art. 6(1)(c) GDPR (§§ 147 AO, 257 HGB) |
5. AI processing (Google Gemini)
To generate your website configuration we use Google's Gemini API. Your chat inputs (business description, design preferences) are transmitted to Google for transient processing. According to Google, inputs sent to the Gemini API on the paid tier are not used to train Google's models. No automated decision with legal effect within the meaning of Art. 22 GDPR is taken; the system produces design suggestions only. Legal basis: Art. 6(1)(b) GDPR. Recipient: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. For international transfers see Section 8.
6. Retention periods
- Consultation records (email, business description, configuration): up to 24 months, if no contract is concluded.
- Customer records: 10 years per § 147 AO and § 257 HGB (German tax and commercial law), then deleted.
- Unsubscribed contacts: personal data deleted within 30 days; email kept on a suppression list to prevent re-contact (Art. 6(1)(c) GDPR).
- Prospect data (publicly accessible business data): automatically deleted after 90 days if no conversion occurs.
- IP addresses: hashed within 24 hours of collection.
- Analytics data: 14 months (configured GA4 retention).
7. Recipients and processors
We engage carefully selected processors within the meaning of Art. 28 GDPR. A data processing agreement (Art. 28(3) GDPR) is in place with each processor. A template is available at Data Processing Agreement.
Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. Payment processing (PCI-DSS certified). Legal basis: Art. 6(1)(b) GDPR. stripe.com/privacy.
Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992; parent company based in the USA. PostgreSQL database hosted in the EU region Frankfurt am Main (AWS eu-central-1). Legal basis: Art. 6(1)(b) and (f) GDPR. Third-country transfers (USA) are safeguarded by EU Standard Contractual Clauses pursuant to Implementing Decision (EU) 2021/914 and, additionally, the EU-US Data Privacy Framework (Commission adequacy decision of 10 July 2023, C(2023) 4745). supabase.com/privacy.
Vercel Inc., 440 N Barranca Avenue #4133, Covina, CA 91723, USA. Hosting and edge functions. Legal basis: Art. 6(1)(b) GDPR. US transfers safeguarded by EU Standard Contractual Clauses and the EU-US Data Privacy Framework (adequacy decision of 10 July 2023). vercel.com/legal/privacy-policy.
Resend, Inc., 2261 Market Street #4889, San Francisco, CA 94114, USA. Transactional email delivery. Recipient email addresses are transferred to the United States. Legal basis: Art. 6(1)(b) GDPR in conjunction with the EU-US Data Privacy Framework (adequacy decision of 10 July 2023, C(2023) 4745); additionally Standard Contractual Clauses pursuant to Implementing Decision (EU) 2021/914. resend.com/legal/privacy-policy.
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Gemini API). Processing of chat inputs to generate AI-powered design suggestions. Legal basis: Art. 6(1)(b) GDPR. Third-country transfer based on EU Standard Contractual Clauses and the EU-US Data Privacy Framework (Google LLC is certified). ai.google.dev/terms.
Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (Google Analytics 4). Reach analysis. Only used after prior consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TTDSG); IP anonymisation is enabled. Onward transfers to Google LLC, USA, are safeguarded by the EU-US Data Privacy Framework.
Sanity.io (Sanity, Inc., 153 Townsend Street, San Francisco, CA 94107, USA) — headless CMS for delivered customer websites (optional). Third-country transfer based on Standard Contractual Clauses and the EU-US Data Privacy Framework. Legal basis: Art. 6(1)(b) GDPR.
We do not sell your personal data.
8. International transfers
Our primary infrastructure (database, storage) is located within the EU/EEA. Where processors are located outside the EU, or where data is transferred to affiliates in the United States, transfers are based primarily on the European Commission's adequacy decision regarding the EU-US Data Privacy Framework of 10 July 2023 (C(2023) 4745). Additionally, we rely on EU Standard Contractual Clauses pursuant to Implementing Decision (EU) 2021/914 and supplementary technical and organisational measures (encryption in transit and at rest, access controls, data processing agreements). Upon request we will provide you with the applicable safeguards.
9. Magic-link preview
After completing an AI consultation you receive a personal preview link (magic link) by email. This link contains a cryptographically signed HMAC token valid for 30 days and grants access to your configuration without a classic login. No profiling is performed. Legal basis: Art. 6(1)(b) GDPR. After expiry the token becomes invalid server-side.
10. Personal data breaches (Art. 33, 34 GDPR)
We undertake to notify the competent supervisory authority of a personal data breach without undue delay, where feasible within 72 hours of becoming aware of it (Art. 33 GDPR). Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, you will also be notified without undue delay (Art. 34 GDPR). We operate internal escalation and incident-response processes to ensure these obligations are met.
11. Data Processing Agreement (Art. 28 GDPR)
Where we process personal data of our customers' end-users on their behalf, we enter into a data processing agreement under Art. 28 GDPR upon request. A pre-formulated template is available at /en/legal/dpa and can be provided in signed form on request to privacy@uiweaver.io.
12. Your rights (Art. 15 et seq. GDPR)
You have the following rights vis-à-vis us:
- Access (Art. 15 GDPR).
- Rectification (Art. 16 GDPR).
- Erasure ("right to be forgotten", Art. 17 GDPR).
- Restriction of processing (Art. 18 GDPR).
- Portability in a structured, commonly used, machine-readable format (Art. 20 GDPR).
- Objection to processing based on legitimate interests, including profiling (Art. 21 GDPR).
- Withdrawal of consent at any time with effect for the future (Art. 7(3) GDPR).
- Not to be subject to a decision based solely on automated processing (Art. 22 GDPR). Note: our AI system produces design suggestions, not decisions with legal effect.
To exercise these rights, an informal notice to privacy@uiweaver.io is sufficient. We respond within one month (Art. 12(3) GDPR).
13. Right to lodge a complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for DexterBee GmbH is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany (www.lda.bayern.de). You may also lodge a complaint with the authority of your habitual residence or workplace. A list of all EEA data protection authorities is available at edpb.europa.eu.
14. Obligation to provide data
To enter into a contract, providing the data marked as mandatory (in particular email address and billing data) is required. Without these data the contract cannot be concluded or performed.
15. Changes to this Privacy Policy
We update this Privacy Policy as legal requirements or our processing activities change. Material changes will be communicated by email to known contacts. The version in force at the time of processing applies.
16. Contact
Privacy inquiries: privacy@uiweaver.io
Postal address: see Legal notice.