Privacy Policy
Last updated: May 2, 2026
This is a convenience translation of the German original. In case of any discrepancy, the German version shall prevail.
1. Data Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Philipp Humburg
Zum Hahletal 17
37339 Leinefelde
Email: kontakt@nexmori.com
1a. Data Protection Officer
Our operations are not subject to a mandatory designation of a data protection officer under Art. 37 GDPR or § 38 BDSG, as the statutory thresholds for a mandatory appointment (in particular the minimum number of persons regularly engaged in automated processing, and the existence of a core activity involving large-scale or particularly sensitive processing) are not met. The controller is personally available for data-protection enquiries at the email address listed above.
2. Collection and Processing of Personal Data
2.1 Newsletter Registration
Our website offers the option to subscribe to our newsletter. In doing so, we collect the following data:
- Email address
- Timestamp of registration
- Timestamp of confirmation (Double Opt-In)
- IP address at the time consent was given (audit evidence)
- User-Agent (browser/device identifier) at the time consent was given
- Language version and hash of the displayed consent text
Legal basis: Processing is based on your consent pursuant to Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future.
Double Opt-In: After entering your email address, you will receive a confirmation email. Your subscription will only be activated after clicking the confirmation link. This ensures that no one can sign up with your email address without authorization.
Retention period: Your email address is stored as long as you are subscribed to the newsletter. Unconfirmed registrations are automatically deleted after 48 hours.
2.2 User Account & Authentication
Minimum age: Use of the platform is restricted to persons aged 16 or older (Art. 8 GDPR).
When you register for a user account, we collect the following data:
- Email address
- Password (hashed with argon2id — the original password is never stored)
- Timestamp of account creation
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Sessions: Authentication uses JWT session tokens with automatic expiry. No persistent cookies are used.
Account deletion: When you delete your account, all associated data is permanently and immediately deleted.
Unverified registrations: Accounts that never complete the email confirmation step are deleted after seven days. Any newsletter record matching the same email address is removed in the same operation via an email-match cascade, so a never-confirmed signup cannot survive as an orphan address.
2.2a Tester Provisioning during the Closed Beta
Public self-registration is disabled during the closed beta. Tester accounts are created exclusively by the controller through an internal administrative tool (an operator action). The controller collects and stores the following data in the user-account table (see § 2.2):
- Email address (identification and welcome email)
- Display name, if provided by the tester (used solely for the personal greeting)
- argon2id hash of a system-generated 16-character initial password (no plaintext)
- Provisioning timestamp
- "First-login password change required" flag
The initial password is sent to the tester once via a welcome email through our processor Brevo (see § 3.2). On the controller's servers it exists only as an argon2id hash; the plaintext is discarded immediately after dispatch and is never written to a log.
Validity: The initial password is valid for 48 hours from provisioning. After that window, a login with the initial password is rejected by the system in the same way as a wrong password — without telling the tester the reason for the rejection (account-enumeration prevention). The tester can at any time set a new password via the password-reset flow (see § 2.2b); this also clears the first-login obligation.
Forced password change: On the first successful login with the initial password, the tester is taken straight to the password-change screen; until they have chosen their own password, every other API call (other than password change, token refresh, and sign-out) is blocked. On success, the flag is cleared and fresh JWT tokens are issued.
Audit log: The provisioning event is recorded in a structured pino log line carrying the email address, a pseudonymous user ID, the locale, and a success indicator. The plaintext initial password is never logged.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures — closed-beta access IS the service).
2.2b Password Reset via 8-Digit One-Time Code
If a tester forgets their password, they can request a reset from the "Forgot password?" screen. The flow processes:
- Email address of the account in question
- argon2id hash of a system-generated 8-digit numeric one-time code (OTP)
- Issue timestamp, expiry timestamp (15 minutes after issue), and — once consumed — a consumption timestamp
At any given time only a single non-consumed, non-expired code can exist per account. If a new code is requested while an older one is still active, the older one is marked consumed in the same operation.
Account-enumeration prevention: A reset request is answered with the same success response and a comparable response time regardless of whether the email belongs to an existing account. For an unknown address, no OTP record is created and no email is sent. The code is delivered exclusively to the address on file — never echoed back to the requester.
Validity and single-use enforcement: Codes expire 15 minutes after issue. A successful verification immediately marks the record as consumed; a second attempt with the same code is rejected. On success, a single database transaction (a) sets the argon2id hash of the new password, (b) clears the "first-login required" flag, and (c) increments the session version counter so that all previously issued session tokens of the account become invalid immediately.
Retention: Consumed and expired OTP records are removed by a daily maintenance job; no record persists more than 24 hours after expiry or consumption. Active codes have a maximum life of 15 minutes (or less, if consumed by the user or overwritten by a later request).
Legal basis: Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures).
2.3 Document Upload & AI Processing
When you upload documents, only the OCR-extracted text is transmitted to our servers — the original documents remain on your device. All data is encrypted at rest using AES-256-GCM.
The processing pipeline consists of the following steps: text chunking, contextual enrichment, embedding generation, and storage.
Background-queue processing records are automatically deleted after at most 1 hour (successful jobs) or 24 hours (failed jobs), and are synchronously removed when an account is deleted.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); Art. 50(1) of Regulation (EU) 2024/1689 (AI Act) for the transparency obligation regarding AI-generated content.
2.3a Batch Scan Reconstruction
When you use the batch scan feature, the platform processes scanned pages through a reconstruction pipeline to group and order them into documents. The following data categories are processed:
- Original filenames of scanned pages
- Content fingerprints (hashes used for duplicate detection and page grouping)
- AI confidence scores (how confident the system is in grouping and ordering decisions)
- Detected identifiers (e.g. document numbers, dates extracted from page content)
- User review actions (your manual corrections to grouping and ordering)
All data containing personal information (filenames, identifiers, review details) is encrypted at rest using AES-256-GCM. The automated grouping and ordering decisions have no legal effect and no similarly significant impact on you — they are suggestions that you can review and correct at any time.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
2.4 Hosting & Server Logs
This website is hosted on a server in Germany. When you visit our website, the following data is processed:
IP addresses (in-memory only): Your IP address is held exclusively in the server's working memory for rate limiting (abuse detection). It is not written to disk and is automatically deleted after at most 1 hour.
Server log files (without IP addresses): The server creates log files containing the following information:
- Request ID (unique per request)
- HTTP method and URL path
- Response status code
- Request duration (milliseconds)
For authenticated requests, logs also include a pseudonymous user identifier. These log files contain no IP addresses and are deleted after 30 days.
Not part of the access-request archive: Server log files are not user-retrievable; they are processed only in aggregated form for at most 30 days to ensure operational security (Art. 6(1)(f) GDPR) and are therefore not part of the Art. 15 GDPR access-request archive.
Access to log files: Access to server log files is limited to the operator (controller) and authorised systems administrators of the hosting processor Hetzner, in the scope of technical operation. Inspection of server logs only takes place to the extent necessary to diagnose technical faults or to defend against security threats.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the technical provision and security of the website).
2.5 Automated Decision-Making (AI Document Classification)
The platform uses artificial intelligence to automatically classify uploaded documents (e.g. invoice, contract, certificate). In accordance with Art. 13(2)(f) GDPR and the transparency obligation under Art. 50(1) of Regulation (EU) 2024/1689 (AI Act), we inform you about the underlying logic:
- Classification is based on the extracted text content using an AI language model.
- The classification has no legal effect and no similarly significant impact on you.
- You can manually change the assigned category at any time.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); Art. 50(1) of Regulation (EU) 2024/1689 (AI Act) for the AI-output transparency duty.
Art. 22 GDPR does not apply: The classification is merely a suggestion; you retain manual control at all times and can override any classification. A decision based solely on automated processing producing legal effects or similarly significant effects within the meaning of Art. 22(1) GDPR therefore does not occur.
2.6 Storage on Your Device
This website stores no data on your device — neither via cookies nor via comparable browser application-storage mechanisms. Language selection is determined exclusively via URL paths (/de/ for German, the root for English). No storage or read operations under § 25 TTDSG/TDDDG (the German implementation of the ePrivacy Directive) occur on your device, and no consent is therefore required.
3. Data Processors (Art. 28 GDPR)
To provide our service, we work with the following data processors. Processing is governed by data processing agreements pursuant to Art. 28 GDPR. For each processing activity outside the European Economic Area (EEA) we have performed and documented a Transfer Impact Assessment (TIA) in line with the European Data Protection Board's Recommendations 01/2020.
3.1 Mistral AI, Paris
Establishment and data location: Mistral AI is headquartered in France, with EU-prioritized processing infrastructure. Should individual processing steps occur outside the EEA (e.g. for load distribution), the transfer mechanism described below applies.
Purpose: Processing of document content and user queries to generate semantic search vectors (embeddings), AI-powered answers, and automatic document classification.
Data transmitted: Extracted text content from uploaded documents and user search queries.
Data usage: Inputs and outputs are not used for model training (section 4.2 of Mistral AI's Commercial Terms). Abuse-monitoring data is retained for 30 days under Mistral's standard API terms; no shorter retention is contractually offered for the API tier. The customer owns all inputs and outputs.
Transfer mechanism: EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR safeguard any data flows outside the EEA.
Transfer Impact Assessment (TIA): We have performed a Transfer Impact Assessment. Outcome: with EU-prioritized processing in France, supplementary protection through Standard Contractual Clauses, and the technical safeguards listed below, a level of protection essentially equivalent to that of the EU is ensured.
Technical safeguards: Transmission exclusively over TLS 1.3 (transport encryption); content is held by us only in pseudonymized form (chunks without plaintext linkage to identifiers); additionally encrypted at rest with AES-256-GCM.
Actively accepted Data Processing Agreement: Mistral AI Data Processing Addendum, Effective 12 March 2026, accepted on April 25, 2026 via the Mistral console account. The underlying DPA text is publicly available at legal.mistral.ai/terms/data-processing-addendum.
Ownership: The customer retains ownership of the data submitted and owns all outputs generated (per section 3.1 of the Commercial Terms).
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
3.2 Brevo (Sendinblue), Paris
Establishment and data location: Brevo is headquartered in France with EU-based infrastructure. Should individual processing steps occur outside the EEA, the transfer mechanism described below applies.
Purpose: Delivery of newsletter emails (Double Opt-In, regular newsletter), account verification emails, and contact form relay.
Data transmitted: Email address, sender name and message content (contact form relay only).
Data usage: Email tracking (open pixels, link rewriting) is disabled for all outgoing emails via API-level headers. Brevo does not use transmitted data for its own purposes beyond delivery.
Transfer mechanism: EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR safeguard any data flows outside the EEA.
Transfer Impact Assessment (TIA): We have performed a Transfer Impact Assessment for the transfer to Brevo. Through the EU-based infrastructure, the Standard Contractual Clauses, and the technical safeguards listed below, the residual risk remains acceptable.
Technical safeguards: Transmission over TLS 1.2+ (transport encryption); emails are stored encrypted at rest at Brevo using industry-standard practices.
Actively accepted Data Processing Agreement: Brevo Terms of Service - Appendix 3 (Data Processing Agreement), Version October 1, 2025, accepted on April 3, 2026 via the Brevo account's GDPR settings. The DPA covers processing scope, retention, sub-processors and audit rights.
Legal basis: Art. 6(1)(a) GDPR (consent) for newsletter emails; Art. 6(1)(b) GDPR (performance of a contract) for account verification emails; Art. 6(1)(f) GDPR (legitimate interest) for contact form relay.
3.3 Hetzner Online GmbH, Gunzenhausen
Establishment and data location: Hetzner is headquartered in Germany; all processing takes place on servers within the European Union (Hetzner data centre in Germany). No third-country transfer takes place.
Purpose: Provision of server infrastructure for hosting the application and storing user data.
Data transmitted: All data generated during use of the service is processed on Hetzner servers in Germany.
Transfer mechanism: Because processing takes place entirely within the EEA, no third-country transfer mechanism under Art. 46 GDPR is required.
Transfer Impact Assessment (TIA): A Transfer Impact Assessment is not required in the absence of any third-country transfer; processing remains entirely within the European Union.
Technical safeguards: Hetzner operates physical access controls, redundant power supply and an ISO-27001-certified information security management system. At the application level all user content is stored encrypted with AES-256-GCM; data transport is exclusively over TLS 1.3 (transport encryption).
Actively accepted Data Processing Agreement: Hetzner Data Processing Agreement (Art. 28 GDPR), Version 1.2 (February 16, 2026), accepted in writing vis-à-vis Hetzner on April 18, 2026. The DPA governs the scope of processing, technical and organisational measures, sub-processors and inspection rights pursuant to Art. 28 GDPR.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reliable and secure infrastructure).
4. Data Retention
We store your personal data only as long as necessary for the respective processing purposes:
- User accounts: Until deleted by the user. On deletion, all account data is permanently deleted immediately.
- argon2id password hashes: Retained for the lifetime of the associated user account; without the hash, authentication is impossible. Plaintext passwords are never persisted.
- Initial password (tester provisioning, § 2.2a): Hash kept in the user-account table until the tester sets their own password. Login with the initial password is rejected by the server 48 hours after provisioning.
- Password-reset one-time codes (§ 2.2b): Active OTP hashes for at most 15 minutes after issue; consumed or expired records are hard-deleted by a daily maintenance job, no later than 24 hours after expiry or consumption.
- Documents: Until deleted by the user.
- Newsletter registrations (unconfirmed): Automatic deletion after 48 hours.
- Newsletter consent evidence (IP, User-Agent, copy hash): Stored for as long as the subscription is active; deleted after unsubscription pursuant to Art. 17 GDPR, subject to any statutory retention obligations.
- Rate limiting data (IP addresses): Automatic deletion after at most 1 hour.
- Server logs: Deletion after 30 days.
- Encrypted backups: Backups are retained for up to 30 days. Deleted user data may persist in encrypted backups for up to 30 days after deletion.
Two separate erasure paths (Art. 17 GDPR): The iOS app distinguishes between a data-only wipe and a full account closure. Both are separate user-initiated processing activities under the right to be forgotten.
- Data-only deletion (library reset) via Settings → Delete all my data: We remove all of your documents, their derived chunks and embeddings, and any in-flight background jobs. Your user account stays intact, and any active newsletter subscription on the same email address remains unchanged. You stay signed in and can immediately add new documents.
- Account closure (full account deletion) via Settings → Delete my account: In addition to everything data-only deletion does, we remove your user record, your terms-and-conditions (AGB) acceptance audit rows, and all access-request (Auskunft) records in the same database transaction. Any active newsletter subscription whose email address matches the email address of the deleted account is also removed in the same step (email-match cleanup). You are signed out locally and returned to the login screen. No user-tied row survives a self-service account closure.
Confirmation email after account closure: Following an account closure we send a single confirmation email to the account's last-known address — as an Art. 17 GDPR audit trail. The delivery is performed by our processor Brevo (Sendinblue), France (see § 3 Data Processors). If the confirmation email fails to send, the deletion remains final; the email is a courtesy, not a precondition of the deletion.
You have the right at any time to request the deletion of your data pursuant to Art. 17 GDPR.
5. Cookies and Tracking
This website uses no cookies and no tracking tools. No analytics services such as Google Analytics or comparable services are used.
6. Your Rights
You have the following rights regarding your personal data:
- Access (Art. 15 GDPR): You have the right to obtain information about the data we store about you. You can pull the report yourself in the iOS app under Settings → Request information report; the result is a combined ZIP archive with a PDF report and JSON appendix. As a backup, you may also request the report in writing to kontakt@nexmori.com.
- Rectification (Art. 16 GDPR): You have the right to have inaccurate data corrected. No self-service surface is currently provided; please request rectification in writing to kontakt@nexmori.com.
- Erasure (Art. 17 GDPR): You have the right to request the deletion of your data. The iOS app provides two distinct self-service actions under Settings: Delete all my data removes all documents and derived data while keeping your account; Delete my account closes the account fully (including any newsletter subscription on the same address) and triggers a one-time confirmation email. Alternatively you may request erasure in writing to kontakt@nexmori.com.
- Restriction of processing (Art. 18 GDPR): You have the right to request the restriction of processing. No self-service surface is currently provided; please request restriction in writing to kontakt@nexmori.com.
- Data portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used, and machine-readable format. The platform provides a self-service export function for your documents and data.
- Objection (Art. 21 GDPR): You have the right to object to the processing of your data. No self-service surface is currently provided; please lodge your objection in writing to kontakt@nexmori.com.
- Withdrawal of consent (Art. 7(3) GDPR): You may withdraw any consent you have given at any time.
We respond to requests under Art. 15–22 GDPR without undue delay and at the latest within one month of receipt (Art. 12(3) GDPR); for particularly complex or numerous requests, this period may be extended by a further two months, in which case we will inform you within the first month. To exercise rights for which no self-service surface is listed above, please contact: kontakt@nexmori.com
7. Right to Lodge a Complaint
Without prejudice to any other administrative or judicial remedy, you have the right under Art. 77 GDPR to lodge a complaint with any data protection supervisory authority regarding the processing of your personal data — in particular with the supervisory authority of the Member State of your habitual residence, your place of work, or the place of the alleged infringement.
The supervisory authority with primary competence for our establishment is:
Thüringer Landesbeauftragter für den Datenschutz und die Informationsfreiheit (TLfDI)
Häßlerstraße 8, 99096 Erfurt
Phone: +49 361 57-3112900
Email: poststelle@datenschutz.thueringen.de
Web: www.tlfdi.de