Privacy Policy
Version: 1.0.1
Last updated: June 4, 2026
Privacy Policy of Qontext GmbH
Protecting the confidentiality, integrity, and availability of personal data is our highest priority. This notice covers personal data processing carried out by Qontext GmbH in connection with our Website and Services. It explains what personal data we collect, why we collect it, on what legal basis, and what rights you have. It covers your use of our Website and the Qontext Platform (together, the "Services") and applies to all processing for which Qontext GmbH acts as controller.
"User", "you", or "your" refers to any individual who accesses or uses our Services, including all features, tools, and functionalities made available through them.
1. Controller, Contact Information, Data Protection Officer, and Categories of Personal Data
1.1 Controller, Contact, Data Protection Officer
The controller responsible for the processing described in this notice is:
Qontext GmbH
Almstadtstraße 9-11, 10119 Berlin
Email: lorenz@qontext.ai
Data Protection Officer:
Valeska von Pachelbel-Gehag
Email: valeska@qontext.ai
Further contact details and disclosures are available in our imprint.
1.2 Scope of this Privacy Notice
This Privacy Policy is referenced in our Terms of Service. Where we have provided separate privacy terms for a specific service or context, those terms apply instead of or in addition to this notice.
Where our Services include links to third-party websites, tools, APIs, or social media features, the operators of those services are solely responsible for their own data processing. Please review their privacy policies directly.
This notice is reviewed and updated periodically. For further details, refer to the previous version of this Privacy Policy below.
1.3 Categories of Personal Data
Depending on how you interact with our Services, we may process the following categories of personal data:
Contact Data: Identifying and contact-related information, including your full name, business email address, telephone number, and employer or company name.
Account and Usage Data: Information associated with your account and your use of the Services, including login credentials, account settings, subscription details, and usage metrics.
Communication Data: The content of communications you send to us, including support requests, inquiry emails, feedback, and any materials you voluntarily share with us.
Payment Data: Billing address and payment instrument information processed through our payment service provider in connection with a paid subscription.
Marketing Data: Information about how you engage with our marketing content, including whether you subscribe to our newsletter, your responses to product emails, and sign-ups for events we host.
Traffic and Device Data: Technical data generated when you access the Website or Services, including IP address, browser type and version, operating system, language settings, access timestamps, referrer URLs, and server log entries.
No AI training on your data. Qontext does not use any personal data arising from the operation of its Services – including data originating from connected third-party integrations – for the purpose of training or improving AI or machine learning models, whether proprietary or third-party.
Minors. Our Services are designed for business use and are not directed at persons under the age of 18. We do not knowingly collect personal data from minors. If you become aware that a person under 18 has submitted personal data to us, please notify us at valeska@qontext.ai so we can delete it promptly.
2. What Data We Collect and Why
2.1 Data Collection When Visiting the Website / Using the Platform
To deliver our Services reliably and securely, our servers automatically record technical access data each time our Website or platform is accessed. This includes:
IP address of the accessing device,
Referrer URL,
Date and time of access,
Requested pages or resources, and the HTTP status code returned,
Volume of data transferred,
Device type, operating system, browser type and version, and language settings.
This data is stored in encrypted form, used solely for ensuring technical operation, detecting and responding to security incidents, and troubleshooting errors. It is deleted at regular intervals. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in operating and securing the Services).
When using the platform, we may additionally log session-related information (e.g., session IDs, user identifiers, and technical session details) where necessary to diagnose disruptions or maintain stability. The legal basis is Art. 6(1)(f) GDPR.
2.2 Use of the Platform - Qontext as Data Processor
When an organization provides its employees or users with access to the Qontext platform, that organization (typically your employer) acts as the data controller for the content and personal data generated through your use of the platform. In this context, Qontext acts solely as a data processor within the meaning of Art. 28 GDPR, on the basis of a data processing agreement concluded with your organization.
Content processed through the platform – including context data, queries, outputs, and data received from third-party integrations your organization has enabled – is used exclusively to deliver the contracted Services. We are contractually prohibited from using that content for any other purpose, including the training of AI or machine learning models.
In addition, Qontext independently processes pseudonymized operational data in its own capacity as controller – such as aggregated feature usage counts, average response times, and error event frequencies – for the purpose of maintaining platform stability and guiding product development. This data is held in a form that does not reasonably permit identification of individual users. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in maintaining and improving the platform).
If you have questions about how your organization processes your personal data through the Qontext platform, please consult your organization's privacy policy or contact your employer's data protection contact directly.
2.3 Contact by Email / Customer Support
When you contact us by email or through a support channel, we process the personal data you provide (e.g., your name, email address, and the content of your message) to handle your request. The legal basis is Art. 6(1)(b) GDPR where the inquiry concerns pre-contractual or contractual matters, and Art. 6(1)(f) GDPR (legitimate interest in responding to communications) for all other inquiries. Data is deleted once the inquiry has been fully resolved, unless statutory retention obligations require otherwise. For commercially or tax-relevant correspondence, retention of up to ten (10) years applies.
2.4 Newsletter and Marketing Communication
Newsletter recipients
Where you have actively subscribed to our newsletter, we process your name and email address to send you product updates, company news, and relevant content. The legal basis is Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time without incurring any costs beyond standard transmission charges – either via the unsubscribe link included in every newsletter email or by contacting valeska@qontext.ai. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
Product communications to existing customers
Where you have entered into a paid contract with us and provided your email address in that context, we may send information about our own similar or complementary products and services. The legal basis is Art. 6(1)(f) GDPR in conjunction with § 7(3) UWG. You may object to this at any time by using the unsubscribe link in any such email or by contacting valeska@qontext.ai.
2.5 Registration of a Customer Account
You may register a customer account for trials or paid subscriptions. In doing so, we process:
First and last name, email address, and phone number,
Company name and job title, where applicable,
Profile picture, where applicable (voluntary),
IP address and date and time of registration,
Authentication data where your organization uses Single Sign-On (e.g., via Microsoft Entra ID or Google Workspace),
For paid subscriptions: billing address and any additional information you voluntarily provide during the registration process (e.g., a promo code).
The legal basis for processing your account details is Art. 6(1)(b) GDPR (measures necessary to enter into and perform the contract). Providing your name, email address, and phone number is required to create an account — without it, we cannot provide the Services.
Your IP address and the date and time of registration are processed on the basis of Art. 6(1 (f) GDPR (legitimate interest in preventing misuse and ensuring the security of the registration process). This data is not required for the contractual relationship itself.
For information on how long we retain account data, see "Storage Period" below. To request account deletion, contact valeska@qontext.ai.
2.6 Paid Subscriptions / Payments
When you purchase a paid subscription, we process:
Name and email address,
Billing address,
Payment instrument information (processed by our payment service provider),
Selected subscription plan and associated order details.
Payment instrument data is transmitted directly to our payment service provider for secure processing. Qontext does not store or have access to full payment instrument details. Our payment service provider is contractually bound to process payment data solely for the purposes of transaction execution, fraud prevention, and compliance with applicable law.
The legal basis is Art. 6(1)(b) GDPR. Processing covers payment execution, fraud prevention, invoicing, and tax compliance (including VAT determination). Statutory retention obligations under commercial and tax law require retention of relevant records for up to ten (10) years.
3. Data Protection, Security, and Sharing
3.1 Data Security
We apply comprehensive technical and organizational measures to protect personal data against unauthorized access, accidental loss, destruction, or alteration. These include:
Encryption of data in transit (TLS) and at rest (AES-256 or equivalent),
Strict logical tenant separation between customer environments,
Role-based access controls limiting data access to personnel who require it,
Regular security reviews, vulnerability assessments, and system monitoring.
In the event of a personal data breach affecting data for which Qontext acts as controller, Qontext will assess the incident in accordance with Art. 33 and Art. 34 GDPR. Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, Qontext will notify those individuals without undue delay as required by Art. 34 GDPR. Where required, Qontext will also notify the Berliner Beauftragte für Datenschutz und Informationsfreiheit within 72 hours of becoming aware of the breach in accordance with Art. 33 GDPR. To report a suspected security incident affecting your personal data, please contact valeska@qontext.ai.
3.2 Use of Processors
We engage carefully selected third-party service providers as data processors within the meaning of Art. 28 GDPR – including providers of cloud hosting, technical infrastructure, communication and support tools, payment processing, analytics, and internal business operations. Each provider is bound by a data processing agreement that prohibits processing for the provider's own purposes and requires implementation of appropriate security measures. Where feasible, processing takes place within the EU/EEA. The processors used by Qontext can be found in our list of sub-processors in our Trust Center.
In the event of a merger, acquisition, or sale of all or a material part of our business, personal data may be disclosed to the actual or prospective acquirer and its advisors, subject to confidentiality obligations and limited to what is strictly necessary for that purpose. We ensure that your data remains protected and that your rights under applicable data protection law continue to apply.
We may also disclose personal data where required by applicable law, court order, or binding regulatory decision and where we have no legal means to prevent such disclosure. Where legally permissible, we will endeavor to notify affected individuals in advance of any such disclosure.
3.3 Data Transfers to Third Countries
Primary data processing takes place within the EU/EEA. Where data is transferred to the United States – whether to group companies or to third-party service providers – such transfers are carried out only on the basis of one or more recognized mechanisms under Arts. 44 et seq. GDPR, including adequacy decisions (such as the EU–US Data Privacy Framework, where applicable), EU Standard Contractual Clauses (SCCs) approved by the European Commission, or other recognized safeguards. We apply additional technical measures (such as encryption and access controls) where appropriate.
For questions about specific transfers, or to request a copy of applicable safeguards, please contact valeska@qontext.ai.
3.4 Storage Period
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by applicable law. Upon account deletion, personal data is deleted or irreversibly anonymized within thirty (30) days, unless a statutory retention period requires longer storage (e.g., up to ten (10) years under applicable tax and commercial law).
Once all applicable retention periods have expired and no further lawful processing purpose exists, personal data is securely and irreversibly deleted.
3.5 Automated Decision-Making
To protect against bots, spam, and unauthorized registrations, we may automatically review incoming sign-up requests based on technical signals such as registration patterns, IP reputation data, and behavioral indicators. Where a registration is classified as abusive, it may be automatically blocked or restricted. This processing may in individual cases constitute an automated decision with significant effect within the meaning of Art. 22 GDPR. It is necessary to limit access to our platform to legitimate users and is carried out on the basis of Art. 22(2)(a) GDPR as a measure required for entering into a contract. If you believe your registration was blocked in error, please contact valeska@qontext.ai. We will ensure your case is reviewed by a person and inform you of the outcome. You have the right to obtain human intervention, to express your point of view, and to contest the outcome.
We do not make any further automated decisions that have legal or similarly significant effects on individuals.
4. Other Processing Contexts
4.1 Social Media
We operate profiles on social media platforms including LinkedIn. When you contact us through these channels (e.g., by sending a direct message), we process the personal data you share (such as your username, name, and message content) in order to respond to your inquiry. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in maintaining business communication).
Joint controllership for platform analytics: Where LinkedIn provides us with statistical data on how users interact with our company page (so-called "Page Insights"), Qontext and LinkedIn Ireland Unlimited Company act as joint controllers within the meaning of Art. 26 GDPR. We use Page Insights exclusively in aggregated, non-personal form to understand the reach and relevance of our content. The joint controller arrangement with LinkedIn is governed by LinkedIn's Page Insights Joint Controller Addendum, available within LinkedIn's Privacy Policy. For all other processing carried out by LinkedIn on its own responsibility, including the processing of your profile data and activity, LinkedIn's privacy policy applies exclusively. Where we operate profiles on additional platforms, the same principles apply and are governed by each platform's respective joint-controller terms.
4.2 Job Applications at Qontext
When you apply for a position with us, we process the personal data you provide as part of your application. This includes in particular:
First and last name,
Contact details (e.g., email address, phone number, postal address),
Application documents (e.g., cover letter, resume, references, and certificates),
Information about your professional background, qualifications, and skills,
Salary expectations, availability, and desired start date,
Notes from interviews and information you share with us during the application process.
The purpose of this processing is to conduct the application process, in particular to assess your suitability for the advertised position, to communicate with you, and to decide whether to establish an employment relationship. The legal basis is Art. 6(1)(b) GDPR in conjunction with Section 26(1) of the German Federal Data Protection Act (BDSG).
If no employment relationship is established, we delete your application documents six (6) months after the end of the application process. The legal basis for this retention period is our legitimate interest in being able to defend our rights in potential proceedings under the German General Equal Treatment Act (AGG) (Art. 6(1)(f) GDPR).
If an employment relationship is established, your application data will be transferred to your personnel file and processed for the purposes of performing that employment relationship.
5. Your Rights and Policy Updates
5.1 Your Rights
Subject to the conditions of applicable law, you have the following rights in relation to your personal data:
Right of access (Art. 15 GDPR): to obtain confirmation of whether we process your data and to receive a copy of that data.
Right to rectification (Art. 16 GDPR): to have inaccurate or incomplete data corrected without undue delay.
Right to erasure (Art. 17 GDPR): to request deletion of your data where no lawful processing purpose or retention obligation remains.
Right to restriction of processing (Art. 18 GDPR): to restrict our processing of your data in certain circumstances.
Right to data portability (Art. 20 GDPR): to receive data you have provided to us in a structured, commonly used, machine-readable format, where processing is based on consent or contract and is carried out by automated means.
Right to object (Art. 21 GDPR): to object to processing based on legitimate interests. We will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Right to withdraw consent (Art. 7(3) GDPR): where processing is based on your consent, you may withdraw it at any time with effect for the future, without affecting the lawfulness of processing carried out prior to withdrawal.
To exercise any of these rights, contact valeska@qontext.ai. We will respond within thirty (30) days of receipt of your request, or notify you if an extension is required in accordance with Art. 12 GDPR.
Right to lodge a complaint (Art. 77 GDPR): You may lodge a complaint with the supervisory authority competent for Qontext GmbH at any time:
Berliner Beauftragte für Datenschutz und Informationsfreiheit Email: mailbox@datenschutz-berlin.de Website: www.datenschutz-berlin.de
Right to object to direct marketing: Where we process your data for direct marketing purposes, you may object at any time and without giving reasons. Upon objection, we will immediately cease using your data for that purpose. Please contact valeska@qontext.ai.
5.2 Updates to This Notice
We may update this Privacy Notice from time to time to reflect changes in applicable law, our Services, or our processing practices. The date shown on this page indicates when it was last revised.
Minor clarifications and non-material updates take effect immediately upon publication. Where we make material changes to how we process your personal data, we will notify you in advance (either by posting a prominent notice on our website or by sending you a direct notification), and those changes will take effect no earlier than thirty (30) days after notification. We encourage you to review this notice periodically to stay informed of how we protect your personal data.