Privacy Policy

Last updated: 2026-05-18

1. Data Controller

Julian Laycock / Caelith
Berlin, Germany
Email: julian.laycock@caelith.tech

No Data Protection Officer has been designated (organization has fewer than 250 employees).

2. Data We Collect

  • Account credentials (email address, name)
  • Fund and investor data uploaded by you
  • Usage analytics (page views, feature usage) if applicable
  • Session cookies (strictly necessary, no tracking cookies)

3. Legal Basis

  • Art. 6(1)(b) GDPR — Processing necessary for the performance of a contract (providing the Caelith platform services).
  • Art. 6(1)(f) GDPR — Legitimate interest in maintaining the security and integrity of our systems.
  • Art. 6(1)(a) GDPR — Explicit consent for optional processing of anonymized filing data for benchmarking and product improvement (see Section 10).

4. Data Retention

We retain your personal data for as long as your account is active. Regulatory compliance data (fund reports, audit trails) is retained for 10 years in accordance with applicable financial regulations. Upon account deletion, personal data is removed within 30 days, except where retention is legally required.

5. Hosting & Data Location

Application and managed PostgreSQL are hosted on Railway in the EU-West region (Amsterdam, Netherlands). Data does not leave the EU. When you use the AI Compliance Agent or Copilot, queries are processed by Anthropic (Claude) via the USA endpoint api.anthropic.com under the EU-US Data Privacy Framework. All AI-bound queries are stripped of investor PII before transmission. No investor personal data is sent to AI providers. The full sub-processor list is kept in the canonical registry at docs/legal/sub-processors.md, which is authoritative for this page.

6. Data Processors (Auftragsverarbeiter)

Caelith maintains a single canonical sub-processor registry at docs/legal/sub-processors.md which is authoritative for this page, /security, /dpa, /trust, and docs/legal/dpa-template.md. If those surfaces disagree with the canonical registry, the registry wins.

Active sub-processors (per canonical registry, last verified against code 2026-05-15):

  • Anthropic, PBC — AI compliance agent + copilot inference (Claude); document extraction. USA endpoint api.anthropic.com under the EU-US Data Privacy Framework.
  • Railway, Inc. — Application hosting + managed PostgreSQL. Location: EU-West region (Amsterdam, Netherlands).
  • OpenAI — Text embeddings (OPTIONAL — used only when Voyage / Anthropic embeddings are not configured). Location: USA. Data processing under the EU-US Data Privacy Framework. No LLM inference.
  • Sentry — Error monitoring. NOT CURRENTLY ENGAGED in production. If enabled (via SENTRY_DSN), the region will be declared on this page before activation.
  • OpenSanctions — Sanctions / PEP screening corpus (EU-based provider, Berlin). Mocked in sandbox. Production tenant connection: not currently engaged.
  • Plausible Analytics — Privacy-first website analytics, cookieless. Location: EU (Germany). Marketing site only — not in product runtime.

Sub-processors no longer active: MiniMax was previously evaluated as a sub-processor (most recently disclosed on a non-production buyer-demo path) and was reverted before any production data was processed. It is no longer an active sub-processor under GDPR Art. 28; the full audit trail and the conditions required for any future revival are recorded in the canonical sub-processor registry at docs/legal/sub-processors.md §2.

7. Your Rights

Under the GDPR, you have the right to:

  • Access your personal data (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure of your data (Art. 17 GDPR)
  • Data portability (Art. 20 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Object to processing (Art. 21 GDPR)
  • Withdraw consent at any time (Art. 7(3) GDPR) — withdrawal does not affect the lawfulness of processing based on consent before its withdrawal

To exercise any of these rights, contact us at julian.laycock@caelith.tech.

8. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. The competent authority is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59–61, 10555 Berlin
www.datenschutz-berlin.de

9. Analytics

We use Plausible Analytics (plausible.io), a privacy-first, cookie-free analytics service hosted in the EU. Plausible does not use cookies, does not collect personal data, and is fully GDPR-compliant. No consent is required under TTDSG for this service.

Additionally, we collect anonymized usage data through our own analytics endpoints to improve the platform experience. This includes:

  • Page views and feature usage events
  • Hashed IP addresses (SHA-256, not reversible)
  • Browser user agent and referrer URL
  • Viewport dimensions and device type
  • UTM campaign parameters (if present)
  • Session duration and interaction timing

This data is processed under Art. 6(1)(f) GDPR (legitimate interest in improving our service). No personal data is shared with third parties. Analytics data is retained for 12 months.

10. Anonymized Filing Data

With your explicit consent (Art. 6(1)(a) GDPR), Caelith may use anonymized filing data to improve product features, provide industry benchmarking, and generate aggregated analytics. This processing is entirely optional and controlled via your account settings.

  • Filing data is stripped of all identifying information before processing (fund names, LEIs, investor details)
  • Anonymized data is never shared with third parties or used to identify your organization
  • Consent can be granted or revoked at any time under Settings → Data Processing
  • Consent timestamp and agreement version are recorded for audit purposes
  • Revoking consent immediately stops future processing; previously generated aggregates are not retroactively removed

For details on the current data processing agreement version, see your account settings page.

11. Cookies & Local Storage

Caelith uses only strictly necessary cookies to maintain your authenticated session. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

  • access_token — JWT authentication cookie (httpOnly, secure, sameSite lax, 30 min)
  • refresh_token — Session refresh cookie (httpOnly, secure, sameSite lax, 7 days)
  • caelith-cookie-consent — Cookie consent preference (stored in localStorage, not a cookie)
  • caelith_theme — UI theme preference (stored in localStorage, not a cookie)

12. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date.

© 2026 Caelith. All rights reserved.