Privacy Policy

Last updated: April 2026

1. Controller

The controller responsible for data processing on this website and in the Consivox app is:

SHOP-Construct UG (haftungsbeschränkt)
von-Schwind-Str. 17, 45768 Marl, Germany
Contact: info@shop-construct.de

2. Data Collected

We collect and process the following data:

  • Account data: Email address, first name, and encrypted password upon registration
  • Usage data: Your captures (text inputs), AI analyses (Mirror, Next Move), quests, streaks, and karma score
  • Archetype selection: Your chosen coaching style (Strategist, Beacon, or Rebel)
  • Voice input: Voice recordings are transmitted to Groq (Whisper STT) for transcription. Audio data is not stored — only the transcribed text is processed.
  • Technical data: Device information, app version, language setting, time zone
  • Payment data: For web checkout via Stripe: email, payment status (no credit card data stored by us)

3. Legal Basis for Processing

We process your data on the following legal grounds:

  • Art. 6(1)(b) GDPR (Performance of a contract): Providing Consivox core features — capturing entries, AI analysis (Mirror + Next Move), quests, karma score, streaks. This is the core contractual service.
  • Art. 6(1)(f) GDPR (Legitimate interests): Account security, abuse prevention, token-based authentication, rate limiting.
  • Art. 6(1)(a) GDPR (Consent): Push notifications (daily reminder, streak warning) — only after active consent.

4. AI Processing and Data Processors

Your captures are analysed by AI services to mirror behavioural patterns, suggest a concrete next step (Next Move), and generate quests.

AI providers used:

  • Anthropic PBC (San Francisco, USA) — Claude models for capture analysis and coaching responses. Your captures are transmitted to Anthropic via API. Under the Anthropic Usage Policy, API data is not used for AI training.
  • Groq, Inc. (Mountain View, USA) — Whisper Speech-to-Text for voice input. Audio is transmitted for transcription and not stored. Only the transcribed text is further processed.

Processing is carried out solely for the performance of the contractual service (Art. 6(1)(b) GDPR). Your data is not shared with third parties for advertising purposes.

5. Third-Country Transfer (USA)

For AI analysis and web payment processing, data is transferred to providers in the USA:

  • Anthropic: Transfer of captures for AI analysis
  • Groq: Transfer of audio for speech transcription
  • Stripe, Inc.: Transfer of email address and payment status for web checkout

The transfer is based on the EU-US Data Privacy Framework (adequacy decision by the European Commission of 10 July 2023). Additionally, Standard Contractual Clauses (SCCs) are in place as a safeguard.

6. Payment Processing

  • Stripe, Inc. (San Francisco, USA) — Payment processing for web checkout on consivox.app. Stripe processes payment data as an independent data processor. The Stripe Data Processing Agreement (DPA) is part of the Stripe Services Agreement.
  • Apple (App Store): In-app purchases on iOS. Apple processes payment data under its own data protection responsibility.
  • Google (Play Store): In-app purchases on Android. Google processes payment data under its own data protection responsibility.

We do not have access to credit card or bank account data.

7. Data Storage and Retention Periods

  • Data is stored on secure servers in the EU (location: Frankfurt, Germany)
  • Passwords are stored only as hashes (bcrypt)
  • Transmission is encrypted (HTTPS/TLS)
  • Voice recordings are not persistently stored

Retention periods:

  • Account data: Stored until account deletion by the user
  • On account deletion: Immediate account deactivation (soft-delete). Final deletion of all personal data after 30 days. Payment data is retained for up to 10 years in accordance with tax retention requirements (Section 147 of the German Fiscal Code).
  • AI response cache: 24 hours, then automatically deleted
  • Session tokens: Access token 15 minutes, refresh token 7 days

8. Your Rights (Art. 15-22 GDPR)

You have the right at any time to:

  • Access (Art. 15): Information about what data we store about you
  • Rectification (Art. 16): Correction of inaccurate data
  • Erasure (Art. 17): Complete deletion of your account and all data
  • Restriction (Art. 18): Restriction of processing
  • Data portability (Art. 20): Export of your data in a machine-readable format
  • Objection (Art. 21): Objection to processing based on legitimate interests
  • Withdrawal (Art. 7(3)): Withdrawal of consent at any time (e.g. push notifications)

You can delete your account and export your data directly in the app under Settings.

Right to lodge a complaint: You have the right to lodge a complaint with the competent data protection supervisory authority. The responsible authority is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (Kavalleriestr. 2-4, 40213 Düsseldorf, www.ldi.nrw.de).

9. Analytics and Tracking

This website does not use tracking cookies or advertising tracking. For error detection, we use Sentry (functional cookies, GDPR-compliant configuration). For anonymised usage analysis, we use PostHog (GDPR-compliant, EU hosting).

10. Contact

For questions about data protection: info@shop-construct.de