Privacy Policy
This Privacy Policy explains how hypescale GmbH ("hypescale", "we", "us", or "our") processes personal data when you use LeezyAI and our websites. We comply with the EU General Data Protection Regulation (GDPR). If you have questions, reach us at privacy@leezy.ai.
1 Scope & Roles
- Controller: hypescale GmbH, Bornstraße 32, 12163 Berlin, Germany.
- Applies to: leezy.ai website, app, APIs, and LeezyAI chatbot platform.
- For customer end-user data ingested into an Organization, the customer is the controller and hypescale acts as processor under our DPA.
2 Data We Collect
- Account data: name, email, organization, authentication identifiers.
- Billing data: payment method details and invoices processed by Stripe.
- Service content: training documents, prompts, chat transcripts, and files you upload to LeezyAI.
- Usage and device data: log events, IP address, browser/device type, timestamps, feature interactions.
- Support data: messages you send to our support channels.
3 How We Use Data
- Provide and secure the Service, including authentication, chat processing, and storage.
- Operate AI features (embeddings, model inference, AI Actions) for your Organization.
- Process payments, subscriptions, and invoices.
- Monitor performance, prevent abuse, and troubleshoot issues.
- Send essential service messages (e.g., security, billing, updates) and—where permitted—product communications.
- Improve and develop the Service using aggregated or de-identified analytics.
4 Legal Bases (GDPR)
- Contract: to deliver the Service you sign up for.
- Legitimate interests: security, fraud prevention, service analytics, and improving our platform.
- Consent: marketing emails or optional cookies where required.
- Legal obligation: accounting and compliance recordkeeping.
5 Sharing & Subprocessors
We use trusted providers under data protection terms:
- Supabase (database, authentication, storage) — EU region; DPA in place.
- Cloudflare (edge delivery, security, D1 infrastructure) — DPA applies automatically; EU traffic served from EU edge nodes where available.
- OpenAI (embeddings and, via OpenRouter, model inference) — processed in the US under Standard Contractual Clauses and OpenAI's data processing terms. Requests via the OpenAI API are not used to train OpenAI models.
- OpenRouter (routing layer to model providers such as OpenAI, Anthropic, and others) — US-based; engaged for all model inference requests.
- Stripe (payments, billing) — Stripe's DPA applies automatically.
- Resend (transactional email delivery) — DPA in place.
- Brevo (broadcast and lifecycle email delivery) — EU-based; DPA in place.
- Google (Sign-in with Google, optional Google Calendar integration for meeting scheduling) — engaged only when the user authenticates or connects the integration.
- Microsoft (Sign-in with Microsoft, optional Microsoft/Outlook Calendar integration for meeting scheduling) — engaged only when the user authenticates or connects the integration.
- Hypescale Analytics (first-party, privacy-friendly product analytics) — hosted on Hetzner; DPA in place.
- Hetzner (infrastructure for hypescale-operated services and analytics) — DPA in place; EU data centers.
- Bunny Fonts (privacy-focused web font delivery) — EU-based; no IP logging, no cookies.
We do not sell personal data. Access is limited to personnel and processors who need it to operate the Service. We maintain an up-to-date list of sub-processors and will notify customers at least 30 days before adding or replacing a sub-processor, giving customers the opportunity to object on reasonable grounds.
6 International Transfers
- Primary hosting is in the EU. When data leaves the EEA/UK, we rely on Standard Contractual Clauses or equivalent safeguards.
- Model inference with OpenAI, Anthropic, or other selected providers may be processed outside the EEA/UK; contractual safeguards apply.
7 Data Retention
- Account and billing data: retained while you have an account and as required for legal obligations (e.g., tax/finance).
- Service content (documents, chats, leads): retained while your Organization keeps it or until deletion/export by admins.
- Logs and analytics: typically retained for up to 12 months, then aggregated or deleted.
- AI inference providers: prompts and completions may be retained by upstream providers such as OpenAI for a limited period (typically up to 30 days) for abuse monitoring under the provider's standard terms, then deleted. Your Service content is not used to train third-party AI models.
8 Security
- Encryption in transit (TLS) and at rest via our cloud providers.
- Role-based access controls and least privilege for staff and services.
- Backups and business-continuity procedures through Supabase.
- We encourage reporting vulnerabilities to security@leezy.ai.
9 Your Rights (GDPR)
- Access, rectification, erasure, restriction, and portability of your personal data.
- Objection to processing based on legitimate interests.
- Withdraw consent at any time (does not affect prior processing).
- Lodge a complaint with your supervisory authority; our lead authority is Berlin (Berliner Beauftragte für Datenschutz und Informationsfreiheit).
10 Cookies & Analytics
- Essential cookies: authentication and session management (Supabase auth), and language preference. These are required for the Service to function as requested.
- First-party analytics — no cookies, no device storage: We use a self-hosted Umami instance at analytics.hypescale.com, operated by hypescale GmbH. Umami does not set cookies, does not write to localStorage or sessionStorage, and does not persistently identify individual visitors. Visitor uniqueness is derived from a daily-rotating server-side hash of IP address, user agent, and a site-specific salt that is discarded after 24 hours; cross-day tracking is technically prevented. Because no information is stored on or read from your device for analytics, §25 TTDSG does not require consent. The server-side processing of your IP address is based on our legitimate interest (Art. 6(1)(f) GDPR) in understanding aggregate site performance.
- No third-party trackers: We do not use Google Analytics, advertising pixels, or similar third-party tracking technologies.
- Browser controls: You can block cookies via your browser settings; doing so will prevent you from staying signed in.
11 Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us for deletion.
12 Changes to this Policy
We may update this Privacy Policy. Material changes will be notified via email and/or in-product notice at least 30 days before they take effect, unless changes are required sooner for legal or security reasons.
13 Contact
hypescale GmbH
Bornstraße 32, 12163 Berlin, Germany
Email: privacy@leezy.ai
A statutory Data Protection Officer has not been formally designated under §38 BDSG at this time. Data protection inquiries may be addressed directly to privacy@leezy.ai. This position will be established if required by our size or processing activities.