firstrun

Privacy Policy

Last updated: February 2026

1. Controller

The controller responsible for data processing is:

Softure UG (haftungsbeschränkt)
Scharfenberger Straße 28
13505 Berlin, Germany
Email: customers@softure-ug.de

2. Data We Collect

Account data: When you register, we collect your email address and password (stored as a bcrypt hash). This data is necessary to provide our service.

User-submitted content: URLs you submit, files you upload, and text you paste. This content is processed to generate wizards and is stored alongside the generated output. Uploaded files are stored on our servers for processing and are retained for the lifetime of the associated wizard.

Generated wizard data: The AI-generated wizard content (steps, commands, descriptions) and any edits you make. This includes wizard configuration, visibility settings (public or internal), and references to images from the original source documents.

End-user interaction data: When visitors interact with published wizards, we collect anonymous analytics events including: step completion outcomes, environment/OS information, optional error messages, session identifiers, IP addresses, and browser user-agent strings. This data is used to provide wizard analytics to wizard creators and is not linked to personal identities.

Usage data: We collect standard server logs including IP addresses, browser type, and pages visited. This data is used for security, debugging, and service improvement.

3. AI Processing

User-submitted content (URLs, uploaded files, pasted text) is processed by third-party AI services (large language models) to generate wizard content. This means your submitted content is sent to our AI sub-processors for analysis. We do not use your content to train AI models. Our AI providers are contractually prohibited from using your data for model training.

If your submitted content contains personal data, that data will be processed by our AI sub-processors. Please ensure you have a lawful basis to share any personal data contained in your submissions.

4. Legal Basis

We process your data based on:

  • Contract performance (Art. 6 (1)(b) GDPR) — processing account data, user-submitted content, and generating wizards is necessary to provide the service
  • Legitimate interests (Art. 6 (1)(f) GDPR) — server logs, security measures, and anonymous analytics for service improvement
  • Consent (Art. 6 (1)(a) GDPR) — where applicable, such as optional communications

5. Data Retention

  • Account data: Retained for the duration of your account. Deleted upon account deletion.
  • Wizard and submitted content: Retained for the lifetime of the wizard. Deleted when the wizard is deleted or the account is deleted.
  • End-user interaction data: Retained for the lifetime of the associated wizard.
  • Server logs: Retained for up to 90 days.

6. Data Sharing and Sub-Processors

We do not sell your personal data. We share data with the following sub-processors, all located in the United States and contractually bound to process data only on our behalf and in compliance with GDPR:

  • Railway — application hosting and deployment (US)
  • Neon — PostgreSQL database hosting (US)
  • Upstash — caching and rate limiting (US)
  • Vercel — frontend hosting and CDN (US)
  • Mailtrap — transactional email delivery (US)
  • AI providers — for processing submitted content and generating wizard steps (content is sent to the provider's API and is not used for model training) (US)

This list may be updated from time to time. We will notify registered users of material changes to our sub-processors via email. The current list is also available on request at customers@softure-ug.de.

7. International Data Transfers

All data described in this policy is stored and processed in the United States. Our infrastructure — application servers (Railway), database (Neon), caching (Upstash), frontend (Vercel), email (Mailtrap), and AI processing — is entirely US-based.

For data transferred from the European Economic Area (EEA) to the United States, we rely on: (a) the EU-U.S. Data Privacy Framework (DPF), under which our providers are certified; (b) EU Standard Contractual Clauses (SCCs) incorporated into our Data Processing Agreements with each provider; or (c) other legally recognized transfer mechanisms. You may request copies of the relevant safeguards by contacting us at customers@softure-ug.de.

8. Published Wizards

Public wizards: When you publish a wizard as “public,” its content (title, description, steps, commands) is accessible to anyone on the internet and may be indexed by search engines. Do not include personal data, credentials, or sensitive information in public wizards.

Internal wizards: When you publish a wizard as “internal,” its content is only accessible to authenticated members of your organization. Internal wizard content is not exposed to public endpoints or search engines.

Third-party images: Wizards may contain images referenced from the original source documentation. These images remain hosted on the original third-party servers and are not downloaded or stored by us. When you view a wizard containing such images, your browser loads them directly from the third-party server, which may receive your IP address, browser information, and referrer URL. We have no control over how those third-party servers process this data.

9. Your Rights

Under GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data (“right to be forgotten”)
  • Restrict processing of your data
  • Data portability — receive your data in a structured, machine-readable format
  • Object to processing based on legitimate interests

To exercise these rights, contact us at customers@softure-ug.de. We will respond within 30 days.

You also have the right to lodge a complaint with the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit).

10. Cookies

We use only essential cookies and local storage required for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner is required as we use only strictly necessary cookies (Art. 5(3) ePrivacy Directive).

11. Security

We implement appropriate technical and organizational measures to protect your data, including encrypted data transmission (TLS), hashed passwords (bcrypt), access controls, and regular security reviews. However, no system is completely secure, and we cannot guarantee absolute security.

12. Changes

We may update this privacy policy from time to time. We will notify registered users of significant changes via email at least 14 days before they take effect. The “last updated” date at the top reflects the most recent revision.

← Back to home