Privacy Policy

Last updated: March 2026

1. Data Controller

Julian Laycock / Caelith
Berlin, Germany
Email: julian.laycock@caelith.tech

No Data Protection Officer has been designated (organization has fewer than 250 employees).

2. Data We Collect

  • Account credentials (email address, name)
  • Fund and investor data uploaded by you
  • Usage analytics (page views, feature usage) if applicable
  • Session cookies (strictly necessary, no tracking cookies)

3. Legal Basis

  • Art. 6(1)(b) GDPR — Processing necessary for the performance of a contract (providing the Caelith platform services).
  • Art. 6(1)(f) GDPR — Legitimate interest in maintaining the security and integrity of our systems.
  • Art. 6(1)(a) GDPR — Explicit consent for optional processing of anonymized filing data for benchmarking and product improvement (see Section 10).

4. Data Retention

We retain your personal data for as long as your account is active. Regulatory compliance data (fund reports, audit trails) is retained for 10 years in accordance with applicable financial regulations. Upon account deletion, personal data is removed within 30 days, except where retention is legally required.

5. Hosting & Data Location

Data is primarily stored and processed within the EU (Railway, Amsterdam). When you use the AI Compliance Agent, your queries are processed by MiniMax (default) or Anthropic (fallback), both outside the EU. No investor personal data is sent to AI providers — queries are stripped of PII before processing.

6. Data Processors (Auftragsverarbeiter)

We use the following third-party data processors:

  • Railway — Hosting & infrastructure. Location: EU West, Amsterdam, Netherlands.
  • MiniMax — AI compliance agent (default model). Location: USA. No personal data or investor information is transmitted — only anonymized regulatory queries. Processing based on Art. 6(1)(f) GDPR (legitimate interest in providing AI-powered compliance assistance).
  • Anthropic — AI compliance copilot (fallback model). Location: USA. Data processing under the EU-US Data Privacy Framework.
  • OpenAI — Text embeddings (optional). Location: USA. Data processing under the EU-US Data Privacy Framework.
  • Sentry — Error tracking and monitoring (if configured). Location: USA. No personal user data is transmitted — only error metadata.
  • OpenSanctions — Screening data for compliance checks. Location: EU-based.
  • Plausible Analytics — Privacy-first website analytics (cookie-free). Location: EU (Germany).

7. Your Rights

Under the GDPR, you have the right to:

  • Access your personal data (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure of your data (Art. 17 GDPR)
  • Data portability (Art. 20 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Object to processing (Art. 21 GDPR)
  • Withdraw consent at any time (Art. 7(3) GDPR) — withdrawal does not affect the lawfulness of processing based on consent before its withdrawal

To exercise any of these rights, contact us at julian.laycock@caelith.tech.

8. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. The competent authority is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59–61, 10555 Berlin
www.datenschutz-berlin.de

9. Analytics

We use Plausible Analytics (plausible.io), a privacy-first, cookie-free analytics service hosted in the EU. Plausible does not use cookies, does not collect personal data, and is fully GDPR-compliant. No consent is required under TTDSG for this service.

Additionally, we collect anonymized usage data through our own analytics endpoints to improve the platform experience. This includes:

  • Page views and feature usage events
  • Hashed IP addresses (SHA-256, not reversible)
  • Browser user agent and referrer URL
  • Viewport dimensions and device type
  • UTM campaign parameters (if present)
  • Session duration and interaction timing

This data is processed under Art. 6(1)(f) GDPR (legitimate interest in improving our service). No personal data is shared with third parties. Analytics data is retained for 12 months.

10. Anonymized Filing Data

With your explicit consent (Art. 6(1)(a) GDPR), Caelith may use anonymized filing data to improve product features, provide industry benchmarking, and generate aggregated analytics. This processing is entirely optional and controlled via your account settings.

  • Filing data is stripped of all identifying information before processing (fund names, LEIs, investor details)
  • Anonymized data is never shared with third parties or used to identify your organization
  • Consent can be granted or revoked at any time under Settings → Data Processing
  • Consent timestamp and agreement version are recorded for audit purposes
  • Revoking consent immediately stops future processing; previously generated aggregates are not retroactively removed

For details on the current data processing agreement version, see your account settings page.

11. Cookies & Local Storage

Caelith uses only strictly necessary cookies to maintain your authenticated session. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

  • access_token — JWT authentication cookie (httpOnly, secure, sameSite strict, 30 min)
  • refresh_token — Session refresh cookie (httpOnly, secure, sameSite strict, 7 days)
  • caelith-cookie-consent — Cookie consent preference (stored in localStorage, not a cookie)
  • caelith_theme — UI theme preference (stored in localStorage, not a cookie)

12. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date.

© 2026 Caelith. All rights reserved.