Privacy Policy

Deep Research — AI-Powered Research Reports

Last updated: June 17, 2026 · CIATA GmbH, Berlin

This Privacy Policy applies to CIATA GmbH, the Deep Research web application at research.ciata.io, and all related services (together the "Services"). CIATA GmbH acts as the controller within the meaning of Art. 4(7) GDPR.

1. Controller

CIATA GmbH
Arnimallee 7
14195 Berlin, Germany
HRB 266084 · Amtsgericht Charlottenburg
Managing Director: Prof. Dr. Tim Landgraf
Email: privacy@ciata.io

2. Principles of Processing

We process personal data in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality pursuant to Art. 5 GDPR.

All personal data is processed exclusively within the European Economic Area (EEA). We do not use any third-party marketing, analytics, or advertising services. No personal data is transferred to countries outside the EEA.

3. Categories of Personal Data

We process the following categories of personal data:

  • Account data — email address, hashed password
  • Usage data — research questions submitted, reports generated
  • Technical data — IP address, browser type, timestamps
  • Payment data — transaction records (processed via Stripe; we do not store card details)

4. Legal Bases for Processing

Each processing activity is based on one of the following legal bases:

  • Art. 6(1)(b) GDPR — performance of a contract (account creation, research execution)
  • Art. 6(1)(f) GDPR — legitimate interests (IT security, error resolution, platform stability)
  • Art. 6(1)(c) GDPR — compliance with legal obligations (tax, accounting)

We do not process personal data on the basis of consent for marketing or advertising purposes. We do not use cookies beyond what is technically necessary for session management.

5. How the Service Works — Data Flow

When you submit a research question, the following processing takes place. We describe this in detail so you can understand exactly where your data goes.

✓ EU AI Processing

Your research question and all AI inference run on AKI.io, a German-hosted LLM provider (Frankfurt, Germany). No data leaves EU servers for AI processing. Your queries are never used for model training.

Provider: AKI.io GmbH — Frankfurt, Germany 🇩🇪
Data sent: Research question, page excerpts for analysis
Training: No — user data is never used for training
Legal basis: Art. 6(1)(b) GDPR (contract performance)

✓ EU Web Search (Default: Staan)

By default, derived search queries are sent to Staan, an EU-sovereign search index operated by Ecosia and Qwant. All query data stays within EU jurisdiction. The search engine sees only derived queries — never your original question.

Provider: European Search Perspective GmbH (Ecosia + Qwant) — EU 🇪🇺
Data sent: Derived search queries (not your original question)
Legal basis: Art. 6(1)(b) GDPR (contract performance)

Alternative search engines: If configured to use DuckDuckGo or Google, search queries are routed to US-based servers. DuckDuckGo does not track users; Google’s Terms of Service apply. The search engine is selected by the server operator and is disclosed in the GDPR information panel within the application.

✓ EU Page Fetching

All web pages are fetched by our server in Germany, not by your browser. Third-party websites only see our server’s IP address and standard HTTP headers. Your personal IP, identity, and location are never exposed to third-party websites.

Server location: Hetzner Cloud — Germany 🇩🇪
Data exposed to third parties: Server IP + HTTP headers only

✓ EU Data Storage

All research results, reports, user accounts, and intermediate data are stored locally on the server in Germany. No cloud storage services are used.

Storage: SQLite database on the server
Location: Hetzner Cloud — Germany 🇩🇪
Encryption: Disk-level encryption; passwords hashed with bcrypt

6. Recipients and Categories of Recipients

We disclose personal data only where necessary for the purposes described in this Privacy Policy:

  • AKI.io GmbH — AI inference provider (processor, DPA in place)
  • European Search Perspective GmbH (Staan) — search provider (derived queries only)
  • Hetzner Online GmbH — infrastructure / hosting provider
  • Mollie B.V. — payment processing (Amsterdam, Netherlands 🇳🇱)
  • Tax advisers and accountants as required by law

All processors act only on our documented instructions and under appropriate contractual safeguards including data processing agreements.

7. Account Registration

For registration and authentication, we process your email address and a hashed password. Passwords are hashed with bcrypt and never stored in plaintext.

Dominant legal basis: Art. 6(1)(b) GDPR.

8. Billing and Payments

Payment processing is handled by Mollie B.V., an EU-native payment provider headquartered in Amsterdam, Netherlands. Mollie is regulated by De Nederlandsche Bank (DNB) and processes all payment data within the EU. We do not store credit card numbers or bank details on our servers.

Dominant legal basis: Art. 6(1)(b) GDPR; for statutory retention, Art. 6(1)(c) GDPR.

9. Technical Logs and Security

Technical logs (IP addresses, timestamps, request metadata) are processed solely to ensure platform security, stability, and error resolution. Logs are automatically deleted after 90 days.

Dominant legal basis: Art. 6(1)(f) GDPR.

10. No Analytics, No Advertising, No Cookies

We do not use any analytics tools (no Google Analytics, no Matomo), advertising services, tracking pixels, or third-party cookies. The only data stored in your browser is a session token (JWT) for authentication, held in localStorage.

11. AI Model Training

Your research questions, results, and reports are never used to train AI models — neither by us nor by our AI provider (AKI.io). AKI.io processes prompts exclusively in volatile memory and does not log, store, or analyse customer-provided content.

12. Data Retention

Personal data is deleted or anonymised once the processing purpose no longer applies:

  • Account data — retained until account deletion
  • Research reports — retained until you delete them or request erasure
  • Technical logs — automatically deleted after 90 days
  • Payment records — retained for 10 years per statutory tax obligations (§ 147 AO)

13. Your Rights

You have the following rights under the GDPR:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR)

To exercise any of these rights, contact us at privacy@ciata.io.

14. Supervisory Authority

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstraße 219
10969 Berlin, Germany
Phone: +49 30 13889-0
Email: mailbox@datenschutz-berlin.de
www.datenschutz-berlin.de

15. Automated Decision-Making

No automated decision-making within the meaning of Art. 22 GDPR takes place. AI-generated research reports are informational outputs, not decisions that produce legal or similarly significant effects.

16. Amendments

This Privacy Policy may be updated from time to time. We will notify registered users of material changes by email. Changes are effective when posted on this page.