Privacy Policy

1. Data controller

The party responsible for processing your personal data within the meaning of the revDSG and the GDPR is: DuneDive LLC 30 N Gould St, Ste R, Sheridan, WY 82801, USA E-mail: [email protected]

EU representative under Art. 27 GDPR and CH representative

Since the controller has its seat outside the EU/Switzerland, it designates the following entity under Art. 27 GDPR (and applying the corresponding principles of the revDSG) as its representative in the EU and Switzerland for data-protection matters: Fairlane Ventures GmbH Baarerstrasse 107, 6300 Zug, Switzerland UID: CHE-240.244.650 E-mail: [email protected]

Data subjects in the EU and Switzerland may exercise their rights and address all data-protection matters either directly to DuneDive LLC or to Fairlane Ventures GmbH as representative. Where Fairlane Ventures GmbH operates AI infrastructure on behalf of the controller or on behalf of customers, it additionally acts as processor on the basis of corresponding data-processing agreements.

2. Definitions and general principles

Personal data means any information relating to an identified or identifiable natural person. We process personal data in accordance with the principles of lawfulness, good faith, proportionality, purpose limitation, data accuracy and data security. We process only as much data as is necessary for the respective purpose and retain it only for as long as necessary or legally required.

3. Purposes of processing and legal bases at a glance

We process personal data in particular for the following purposes: provision and security of the website, responding to enquiries via the contact form, managing appointment bookings, processing enquiries via the AI checklist, processing online payments for booked packages, fulfilling contractual and statutory obligations and cookieless statistical reach measurement. The legal basis under the revDSG is the overriding legitimate interest, consent or performance of a contract; under the GDPR, Article 6(1)(a) (consent), (b) (contract/pre-contractual measures) or (f) (legitimate interest).

4. Server log files, hosting and CDN

When the website is accessed, technically necessary access data is automatically collected and stored in server log files. Our hosting partner is Hetzner Online GmbH, with a data centre in Germany (EU). For delivery, acceleration and protection against attacks (DDoS mitigation, web application firewall) we also use the services of Cloudflare, Inc. (USA) with edge locations in the EU.

Data categories

• IP address (partly truncated/processed)
• Date and time of access (timestamp)
• requested URL / resource and HTTP status code
• browser type, operating system and user agent
• referrer URL (if transmitted)

Purpose: technical provision, stability and security of the website, detection and defence against attacks, and error analysis. Legal basis: legitimate interest in secure, stable operation (revDSG; GDPR Article 6(1)(f)). Retention: short-term for security purposes; security and attack data is retained only for as long as necessary for threat prevention.

5. Contact form

If you use the contact form (/contact), we process the data you enter in order to respond to your enquiry.

• Data categories: name, company (optional), e-mail address, topic/request
• Purpose: handling and answering your enquiry, communication
• Legal basis: pre-contractual/contractual measures or legitimate interest (revDSG; GDPR Article 6(1)(b) and (f))

Transmission takes place by e-mail via the dispatch service Brevo (Sendinblue SA, France/EU) to [email protected]. The content of the contact form is not stored in a database. To protect against automated abuse, we use an invisible honeypot field and a limitation of the submission frequency (rate limiting). We retain the correspondence received by e-mail for as long as necessary to handle the matter and to comply with any statutory retention obligations.

6. Appointment booking

You can reserve an appointment via the booking system (/termin). The data required for the booking is stored in a PostgreSQL database on our server at Hetzner (Germany/EU) (tables bookings and blocked_times).

• Data categories: name, e-mail address, chosen appointment/time slot
• Purpose: management, confirmation and cancellation of appointments and preparation of a possible business relationship
• Legal basis: pre-contractual/contractual measures and legitimate interest (revDSG; GDPR Article 6(1)(b) and (f))

Confirmation and cancellation e-mails – including a calendar entry in .ics format – are sent via Brevo (Sendinblue SA, France/EU). Each confirmation contains a personal cancellation link (cancel-by-token) which lets you cancel your booking yourself. Booking and contract data is subject to statutory retention obligations (in particular Art. 958f CO, ten years for business records). Otherwise we delete booking data as soon as it is no longer required for the stated purposes.

7. AI checklist / lead form

On the page /vorbereitung we provide a questionnaire designed to prepare you for a meeting. If you submit the associated form, we process the following data:

• E-mail address (mandatory)
• optionally the questionnaire answers you have filled in, provided you expressly submit them as well

This data is stored in a PostgreSQL database on our server at Hetzner (Germany/EU) in the table leads. A notification is sent to our team via Brevo (Sendinblue SA, France/EU). Transmission only takes place if you have ticked the mandatory consent checkbox.

• Purpose: making contact, preparing and conducting a consultation meeting
• Legal basis: consent and pre-contractual measures (revDSG; GDPR Article 6(1)(a) and (b))
• Retention: until you withdraw your consent, but at most 24 months from the last contact (inactivity)

To improve data quality, we carry out real-time validation when you enter your e-mail address. This checks only the format of the address and the existence of a responsible mail server (DNS MX lookup). No delivery check is performed against the individual mailbox (no "mailbox probing").

7a. Payment processing (Stripe)

When you book a package via /pakete, we process the payment through the payment service provider Stripe (Stripe Payments Europe, Ltd., Ireland/EU, and Stripe, Inc., USA). Payment takes place in a Stripe-hosted checkout; card and IBAN data is processed exclusively by Stripe and is at no time visible to us.

• Data categories: name, e-mail address, billing address, company; card/IBAN data exclusively at Stripe
• Purpose: contract execution and payment, fraud prevention, accounting
• Legal basis: performance of a contract (revDSG; GDPR Article 6(1)(b)) and legitimate interest in secure payment processing (lit. f)
• Retention: in accordance with statutory retention obligations, in particular Art. 958f CO (ten years for business records)

8. Local storage (localStorage)

For your convenience, the online questionnaire is stored exclusively locally in your browser storage (localStorage) for as long as you do not expressly submit it. This data remains on your device and is not transmitted to us. A language preference may also be stored locally. You can delete this locally stored data yourself at any time (see Cookie information).

9. Reach measurement (analytics)

For statistical reach measurement we operate a self-hosted, cookieless first-party analytics system on our server at Hetzner (Germany/EU). No third-party analytics services are used and no cross-site tracking takes place. We do not process a raw IP address: it is used only briefly to form a daily-rotating, irreversible session hash (session_hash, SHA-256 of IP, user agent, a secret salt and the day's date) and is not stored. We record: the page/URL requested, the approximate location (country, region, city) derived at the edge from Cloudflare headers, device type, browser and operating system, the daily-rotating session hash, the referrer host and referrer URL, UTM parameters and the screen width. No data is collected that would allow permanent identification of individual visitors. We respect the "Do Not Track" (DNT) and "Global Privacy Control" (GPC) signals. The website sets no cookies for this purpose. Legal basis: legitimate interest in a privacy-friendly needs and reach analysis (revDSG; GDPR Article 6(1)(f)). Retention: aggregated analytics data is retained for at most 24 months and then deleted or anonymised.

10. Processors and disclosure to third parties

We use carefully selected service providers as processors who process personal data exclusively in accordance with our instructions and on the basis of corresponding data-processing agreements:

• Fairlane Ventures GmbH (Zug, Switzerland) – affiliated Swiss company, processor for AI infrastructure and EU/CH representative under Art. 27 GDPR / revDSG
• Hetzner Online GmbH (Germany/EU) – hosting, server, database
• Cloudflare, Inc. (USA, EU edge locations) – CDN, proxy, web application firewall, DDoS protection
• Sendinblue SA / Brevo (France/EU) – sending of transactional e-mails (contact, appointments, notifications)
• Stripe Payments Europe, Ltd. (Ireland/EU) and Stripe, Inc. (USA) – processing of online payments; card data is processed exclusively by Stripe and is not visible to us
• Self-hosted first-party analytics (Hetzner, Germany/EU) – cookieless, IP-free statistical reach measurement; not a third-party analytics service

Your personal data is only passed on to further third parties insofar as this is necessary to perform a contract or a legal obligation, you have consented, or an overriding legitimate interest exists. No disclosure for advertising purposes to uninvolved third parties takes place.

11. Disclosure abroad (USA and other countries)

Since the controller – DuneDive LLC – has its seat in the United States of America, a disclosure of personal data to the USA already takes place wherever data is transmitted to the controller itself. Additional disclosures to the USA result from the use of Cloudflare, Inc. (USA) and of Stripe, Inc. (USA) in the context of payment processing. Such disclosures only take place in compliance with the requirements of Articles 16 and 17 revDSG and – for EU data subjects – Chapter V of the GDPR.

As appropriate safeguards we rely – depending on the recipient – on the Swiss-U.S. / EU-U.S. Data Privacy Framework (Swiss-U.S. / EU-U.S. DPF), on the European Commission's Standard Contractual Clauses (SCC) and on supplementary technical and organisational protective measures. The operational running of the AI infrastructure and the hosting of the servers material to the website take place in Switzerland or the EU. On request, we will provide you with information on the safeguards in place.

12. Retention and deletion

• Lead/AI-checklist data: until withdrawal of consent, at most 24 months from the last contact
• Booking and contract data: in accordance with statutory retention obligations, in particular Art. 958f CO (ten years)
• Server log files and security data: short-term for security purposes
• Contact correspondence: until final processing and expiry of any retention obligations

After the respective period has elapsed, the data is deleted or destroyed or – where complete deletion is not possible – anonymised in a data-protection-compliant manner.

13. Data security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, misuse or falsification. These include in particular end-to-end transport encryption (TLS/HTTPS), a web application firewall and DDoS protection, restriction of access rights, measures against automated abuse (honeypot, rate limiting) and operation in data centres within the EU. Nevertheless, absolute security of data transmission over the internet cannot be guaranteed.

14. Your rights

Under the Swiss Federal Act on Data Protection you have in particular the following rights:

• right of access to the personal data processed about you
• right to rectification of inaccurate data
• right to erasure or destruction of data
• right to data release or portability
• right to withdraw consent given, with effect for the future
• right to object to certain processing

Where the GDPR applies, you additionally have the rights under Articles 15 to 21 GDPR (access, rectification, erasure, restriction of processing, data portability and objection) as well as the right to lodge a complaint under Article 77 GDPR. To exercise your rights, a message to [email protected] is sufficient – addressed either directly to DuneDive LLC or to Fairlane Ventures GmbH as EU/CH representative. We may request further information to verify your identity.

15. Cookies

This website does not set tracking cookies as a matter of principle. Details on local storage (localStorage) and on the cookieless first-party reach measurement can be found in our Cookie Policy.

16. No automated individual decision-making

We do not use any automated individual decision-making within the meaning of Art. 21 revDSG or Art. 22 GDPR, nor any profiling producing legal effects concerning you.

17. Supervisory authorities and right to complain

In Switzerland, the Federal Data Protection and Information Commissioner (FDPIC/EDÖB, edoeb.admin.ch) is competent. Data subjects in the EU may contact the data-protection supervisory authority competent for them. Irrespective of this, you may always contact us first, or Fairlane Ventures GmbH as EU/CH representative.

18. Changes to this Privacy Policy

We may amend this Privacy Policy at any time to adapt it to changed legal situations or adjustments to our services. The version published on this website at the relevant time prevails. The date of the last update is stated above.

19. Integration of third-party AI services / QAIA gateway

Draft – as of 2026-05-29. This section does not replace individual legal advice; legal review is pending.

19.1 AI services used and purpose of integration

In the provision of our services, we may integrate third-party artificial intelligence services, in particular language models and AI infrastructure from the following providers (non-exhaustive): Anthropic, PBC ("Claude"), OpenAI, LLC, Mistral AI SAS, Google LLC (Gemini), DeepSeek (Hangzhou DeepSeek Artificial Intelligence Co., Ltd.) and others, each in the version displayed. Such use serves to process enquiries, generate and summarise text, classify content and related technical purposes.

19.2 Data that may be transmitted to AI providers

In the course of using AI services, content entered by you or on behalf of your organisation (prompts, texts, documents) may be transmitted to the API infrastructure of the respective AI providers. Processing generally takes place on the servers of these providers, which may be located in the USA, the EU or other countries depending on the provider. As a matter of principle, we do not transmit to AI providers any personal data identifying individuals beyond the scope of the respective service context; responsibility for the content of the data entered lies with the user or customer (see section 19.4). On request, we will inform you which providers are used in the specific service context.

19.3 QAIA gateway: technical intermediary layer, not an AI provider in its own right

The AI gateway operated by DuneDive LLC or Fairlane Ventures GmbH (QAIA or "Chatriq") acts exclusively as a technical intermediary and infrastructure layer ("mere conduit"). It routes the customer's requests to the third-party AI models selected by the customer or agreed contractually, and returns their outputs. DuneDive and Fairlane Ventures GmbH neither provide their own AI model nor place AI systems on the market under their own name or brand. The AI models are exclusively developed, trained, hosted and operated by the respective third-party providers. Within the meaning of the EU AI Act (Regulation (EU) 2024/1689), DuneDive LLC and Fairlane Ventures GmbH therefore do not act as "provider" of an AI system, but at most as a technical service provider making third-party AI systems accessible on the instructions and on behalf of the customer (within the "deployer" sphere). The obligations of a deployer under the EU AI Act rest, in this relationship, with the customer who deploys the AI system within its own operational sphere. Insofar as DuneDive LLC or Fairlane Ventures GmbH processes personal data of the customer in operating this gateway, it does so as a processor within the meaning of the revDSG and the GDPR, processing on the instructions and for the account of the customer; a data-processing agreement (DPA) is available on request.

19.4 Customer responsibility for data fed in

The user and the customer are themselves responsible for ensuring that the data, prompts and content they feed into AI services are lawful – in particular that the necessary data-protection bases exist (consent, contract, legitimate interest), that no sensitive personal data is transmitted without appropriate safeguards, and that no professional secrecy or other confidential third-party data is disclosed without authorisation. The terms of use of the integrated AI providers must be observed in parallel.

19.5 Third-party terms of use and privacy policies

• Anthropic (Claude): https://www.anthropic.com/legal/privacy (USA; SCCs / DPF depending on contract)
• OpenAI: https://openai.com/policies/privacy-policy (USA; SCCs / DPF depending on contract)
• Mistral AI: https://mistral.ai/terms/#privacy-policy (France/EU)
• Google (Gemini API): https://policies.google.com/privacy (USA; SCCs / DPF depending on contract)
• DeepSeek: https://www.deepseek.com/privacy_policy (PRC; elevated third-country risk; used only in projects without sensitive personal data)

The transfer of personal data to the USA and other third countries is based on Arts. 16 f. revDSG and – for EU data subjects – Chapter V GDPR (SCCs or DPF, depending on provider). The relevant safeguards are provided on request.

The German-language version prevails. In the event of discrepancies between the German and the English version, the German version takes precedence. These texts do not constitute individual legal advice.