§ B

Privacy policy

Information under Art. 13, 14 GDPR and § 25 TDDDG. The German version is legally binding.

DRAFT

Placeholder scaffold. Content must be reviewed and finalised by a German IT-law attorney or via a vetted generator (eRecht24, IT-Recht Kanzlei) before production launch. The German version is legally binding.

Controller

Ufuk Dumrul (sole proprietorship, brand Lektoria), Königstraße 82, 53332 Bornheim. Contact: info@lektoria.eu.

Categories of data processed

Email address for receipts and delivery. Uploaded files including any personal data they contain (proper names, addresses, student IDs). Payment data exclusively at Stripe (card content never reaches Lektoria).

Purposes of processing

Delivery of the proofreading service including document preparation (OCR), consensus review, synthesis, PDF export, and delivery of the result by email. Payment processing via Stripe. Compliance with statutory retention obligations.

Legal bases

Art. 6 (1) (b) GDPR (contract performance) for upload, review and delivery. Art. 6 (1) (c) GDPR (legal obligations, in particular tax records) for billing data. Art. 6 (1) (f) GDPR (legitimate interest) for time-limited server logs.

Retention

Uploaded files are deleted automatically 14 days after delivery via a cron job; manual deletion is possible at any time via info@lektoria.eu. Invoice-relevant data is retained for up to 10 years under § 147 AO.

Processors

Hetzner Online GmbH (Falkenstein, DE) for backend, storage and local spell-checking (LanguageTool); processor under Art. 28 GDPR.

Mistral AI (France, EU) for document preparation (OCR / Document AI); a European company, processor under Art. 28 GDPR — exclusion of training, Zero Data Retention and processing details still to be confirmed contractually.

Microsoft (Azure OpenAI, deployment “Data Zone Standard (EUR)”, region Sweden Central) for the form review with GPT 5.4, and Amazon Web Services (AWS Bedrock, primary region Stockholm, failover Ireland) for substance review and synthesis with Opus 4.8; each a processor under its respective Data Processing Addendum (Art. 28 GDPR). Inputs are not used to train the models at Azure and Bedrock; AWS Bedrock does not persistently store model requests and responses, while Microsoft may store them for up to 30 days for abuse monitoring within the EU.

IONOS SE (Montabaur, DE) for transactional email; processor under Art. 28 GDPR.

Stripe Payments Europe Ltd. (Dublin, IE) for payment processing; Stripe processes payment and fraud-prevention data partly as an independent controller.

The providers in turn engage sub-processors; the current lists are available via the linked data-processing agreements.

Transfer to third countries

A distinction must be drawn between the place of processing on the one hand and a possible access or transfer to a third country on the other — EU data residency does not mean that third-country access is excluded in every case. Hetzner, IONOS and Mistral are European providers processing in the EU. Microsoft (Azure OpenAI) processes in the “Data Zone Standard (EUR)” deployment within the Microsoft EU Data Boundary, which comprises the EU member states and the EFTA states (including Norway and Switzerland); data at rest remains in the Sweden Central region. AWS Bedrock processes primarily in Stockholm (eu-north-1), with failover to Ireland (eu-west-1) — both within the EU. Microsoft and AWS are US-based corporate groups; insofar as data is transferred to a third country or third-country access occurs, this is based on the EU Standard Contractual Clauses of 2021 and, in addition, on certification under the EU-US Data Privacy Framework (adequacy decision of 10 July 2023). Third-country transfers are not based on consent in a blanket manner.

Residual risk of government access (US authorities)

When using Microsoft Azure and AWS Bedrock there is, despite processing in EU regions, a residual risk that US authorities may access personal data or demand its disclosure, because both providers are US-based corporations and US legal acts such as the CLOUD Act or FISA 702 can, under certain conditions, give rise to access or disclosure obligations. Storage or processing in the EU does not eliminate this risk entirely; contractual guarantees (Standard Contractual Clauses, notification and challenge obligations, disclosure of only the legally required minimum) reduce but do not exclude it. End-to-end pre-encryption of the content is not feasible for AI model calls, because the model must process the document content in plain text. To mitigate the risk we use only European regions or EU data-zone deployments, no global model deployments, storage limited to 14 days, and data-processing agreements and Standard Contractual Clauses. A complete exclusion of access by US authorities is not promised. We recommend removing personal data that is not required — in particular data of third parties and special categories under Art. 9 GDPR — before uploading.

Data-subject rights

Access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), withdrawal of consent (Art. 7 (3)). Requests to datenschutz@lektoria.eu.

Right to lodge a complaint

You may lodge a complaint with a data-protection supervisory authority at any time, in particular with the authority responsible for North Rhine-Westphalia: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), 40213 Düsseldorf.

Data security

Transport encryption via TLS (TLS 1.3 where supported, at least TLS 1.2) for all connections. Encryption of data at rest per Hetzner's storage configuration. Production access only via SSH key, dedicated admin account, automatic patching, backups in an EU region. No Cloudflare/tracking scripts are embedded.

Web fonts

All fonts used (Cal Sans, Inter, Lexend — each under the SIL Open Font License) are served locally from Lektoria's own server and are not fetched from Google Fonts or any third-party CDN when a page loads. No IP address is therefore transmitted to a font provider.

Lektoria — owner Ufuk Dumrul. Headquarters in Germany, processing in the EU.

© 2026 LEKTORIA — processing in EU regions. build 2026.05.20