Privacy Policy
Effective date: 6 June 2026
Person Responsible
Martin Kulawik
Chodowieckistr. 40
10405 Berlin, Germany
Email: daten@martinkulawik.de
Data Protection Declaration
We process personal data to operate Achtung.app, provide AI visibility analysis, manage customer communication, secure the service, and fulfill legal obligations. This includes data you submit directly, usage data created while using the platform, and data received from connected integrations.
Server Log Files
When you use this website, our infrastructure stores technical log data such as IP address, timestamp, requested URL, status code, user agent, and referrer. Logs are used for security monitoring, abuse prevention, debugging, and reliability operations.
Cookies
We use only technically necessary cookies and local storage entries for session handling, authentication state, locale, and theme settings. We do not use cookies for cross-site advertising, behavioural profiling, or classic tracking. Our web analytics (Matomo) runs cookie-free and without fingerprinting (see "Web Analytics with Matomo"). A cookie consent banner is therefore not required (§ 25(2) no. 2 TDDDG, ePrivacy Directive Art. 5(3) exemption).
Contact Data
If you contact us by email, form submission, or product inquiry (including free scan requests), we process your contact details and message content to handle your request, provide onboarding information, and support your account.
Email Tips and Product Updates (Consent)
When requesting a free scan, you may optionally consent to receive follow-up emails (AI visibility tips and product updates). The consent only takes effect once you click the confirmation link (double opt-in). As proof of consent, we store your email address, the time of consent, the version of the consent text, and the IP address. The legal basis is GDPR Art. 6(1)(a) in conjunction with § 7(2) no. 2 of the German Act Against Unfair Competition (UWG). You can withdraw your consent at any time via the unsubscribe link in every email or by contacting daten@martinkulawik.de. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Payment Data
Payments are processed by Stripe, Inc. (stripe.com) as our payment sub-processor. Stripe receives your payment card details directly – we do not store full card numbers, CVV codes, or bank account details on our servers. We store only: your Stripe customer ID, subscription status, plan tier, and the last four digits of your payment method. Processing is based on GDPR Art. 6(1)(b) (contract performance). Stripe's own privacy policy (stripe.com/privacy) applies to its processing of your payment data.
Custom Niche Report (Paid Research)
Via /research you can commission an individual industry research report (Custom Niche Report). We process your email address, the niche description you enter, and the payment processed by Stripe in order to deliver the agreed report as a PDF. The legal basis is GDPR Art. 6(1)(b) (contract performance) as well as tax retention obligations under § 147 AO for billing data. The niche descriptions you enter are transmitted to our AI sub-processors to generate queries (see "AI Service Providers"); no personal data is forwarded to AI providers.
AI Service Providers (Sub-Processors)
To provide AI visibility analysis, we transmit brand names, keywords, and domain information to the following third-party AI service providers acting as sub-processors: OpenAI, Inc. (USA) – openai.com/privacy; Google LLC / Gemini (USA) – policies.google.com/privacy; Perplexity AI, Inc. (USA) – perplexity.ai/privacy; Anthropic, PBC (USA) – anthropic.com/privacy; xAI Corp. (USA) – x.ai/legal/privacy-policy; Mistral AI (France) – mistral.ai/terms. We send only the minimum data necessary for the query (brand name, keywords, domain). No personal account data such as email addresses, passwords, or payment information is transmitted to AI providers. Processing is based on GDPR Art. 6(1)(b) (contract performance) and Art. 6(1)(f) (legitimate interest in providing the contracted service).
International Data Transfers
Some of our sub-processors (OpenAI, Google, Perplexity, Anthropic, xAI, Stripe) are based in the United States. These transfers are safeguarded by the EU–US Data Privacy Framework (DPF) where the recipient is certified, and by EU Standard Contractual Clauses (SCCs) pursuant to GDPR Art. 46(2)(c) in all other cases. Mistral AI processes data within the European Union. You may request a copy of the applicable safeguards by contacting us at the address above.
Automated Processing
Achtung.app uses automated processing to generate AI visibility scores, citation analysis, competitor classifications, trend detection, and alert notifications. These outputs are informational tools to support your marketing decisions – they do not produce legal effects or similarly significant effects concerning you within the meaning of GDPR Art. 22. No fully automated decisions with binding consequences are made. You may contact us at any time to request human review of any automated output.
Aggregated and Anonymised Statistics
We use data submitted to the service – including data from paying subscribers and from free public scans – in aggregated and anonymised form to produce industry benchmarks, public insights (such as those displayed on our /insights page), internal analytics, and product improvements. Aggregation is performed with k-anonymity thresholds: a category, niche, provider, or competitor only appears in published aggregates once a minimum number of independent contributors is present, so individual brands, customers, or persons cannot be re-identified. We never publish raw inputs, brand names, account-level scores, or any data attributable to your account. Once anonymised, aggregated statistics fall outside the scope of personal data under GDPR Recital 26. The legal basis for the underlying processing is GDPR Art. 6(1)(f) (legitimate interest in service improvement and industry research), balanced against the minimal residual risk after anonymisation. You may object to this processing for data attributable to your account at any time by contacting us at the address above.
Data Retention Periods
We apply the following retention periods unless statutory obligations require longer storage:
- Server log files: 30 days
- Account data (name, email, settings): duration of the account plus 30 days after deletion
- Visibility scores, citations, and reports: duration of the account plus 90 days
- Free scan data: scan content and results 90 days after scan completion. If you additionally consented to receive follow-up emails, we retain your email address and the consent record beyond that period, until you unsubscribe or withdraw consent
- Custom Niche Reports: raw data 12 months, order and PDF retained permanently as a customer record (tax retention obligation)
- Billing records (invoices, transaction IDs): 10 years (German tax retention obligation, § 147 AO)
- Support correspondence: 3 years after last contact
Legal Basis
Processing is based on GDPR Art. 6(1)(b) for contractual services, Art. 6(1)(f) for legitimate interests (security, fraud prevention, service quality), and Art. 6(1)(a) where consent is required.
Your Rights
You have the right to access, rectify, erase, restrict processing, object to processing, and data portability, subject to applicable law. You may also lodge a complaint with your competent supervisory authority (for Berlin: Berliner Beauftragte für Datenschutz und Informationsfreiheit).
Data Deletion
We retain personal data only as long as necessary for service delivery, security, support, and legal retention duties. Account and report-related data is deleted or anonymised when no longer required, unless statutory obligations require longer storage. You may request deletion of your account at any time by contacting us.
Right of Objection
To exercise rights, withdraw consent, or object to processing, contact: daten@martinkulawik.de
Web Analytics with Matomo
We use the self-hosted open-source software Matomo to measure how this website is used. The instance runs on our own infrastructure at https://stats.mkmx.de/; no data is shared with third parties. Matomo is configured on this website without cookies and without fingerprinting: no tracking cookies are set, your browser fingerprint is not collected, and your IP address is anonymised before storage (the final bytes are removed so that no personal reference remains). We process, among other things: pages visited, time on page, approximate region, browser/device class, and referrer. Because no information is stored on or read from your device, § 25 TDDDG does not apply. The legal basis for the subsequent processing of the anonymised measurement data is GDPR Art. 6(1)(f) (legitimate interest in privacy-preserving web analytics to improve the service). Aggregated analytics data is retained for 24 months. We additionally respect your browser's Do-Not-Track signal.
Conversion Measurement with Google Ads
When you reach this site through one of our Google ads, Google appends a click identifier (gclid, gbraid, or wbraid) to the landing URL. If you later take out a paid subscription or confirm a free scan, we transmit that identifier together with a timestamp (and, for subscriptions, the order value) to Google Ads so we can measure which ads lead to sign-ups. This happens entirely on our server (Google Ads offline conversion import): we set no advertising cookie, load no Google tracking script, build no cross-site profile, and share no personal data such as your name or email address with Google. Because nothing is stored on or read from your device, § 25 TDDDG does not apply and no consent banner is required. The legal basis is GDPR Art. 6(1)(f) (legitimate interest in measuring the effectiveness of our advertising). You may object to this processing at any time by contacting us at: daten@martinkulawik.de
Matomo Tracking Opt-Out
Independently of the above, you can disable measurement entirely for this browser at any time. Matomo stores a technically necessary opt-out cookie that persistently signals you do not wish to be measured:
If loading is slow, open the opt-out page directly: Open Matomo opt-out page