Aquilo Logo
Aquilo Solution·S

Privacy Policy for Aquilo Solution·S GmbH

Last Updated: March 15, 2026

Effective Date: 30.03.2026

Available in: English | Deutsch

1. Introduction

Welcome to Aquilo Solution·S GmbH (“we,” “our,” or “us”). We are committed to protecting your personal data and your right to privacy. This Privacy Policy applies to all information collected through:

  • Our public website at https://aquilo-solutions.com/
  • Our NeKo-Check web application for tenant management (B2C)
  • Our cloud-based services and platforms

This policy explains what information we collect, how we use it, who we share it with, and your rights regarding your personal data.

Data Controller:

  • Company Name: Aquilo Solution·S GmbH
  • Address: Am Haubarg 9, 24229 Strande, Deutschland
  • Commercial Register: Amtsgericht Kiel, HRB 25107 KI
  • Managing Directors: Mark Straßberger, Heinrich von Helmolt
  • Email: info@aquilo-solutions.com
  • Data Protection Contact: For privacy-related inquiries, please contact info@aquilo-solutions.com. The appointment of a Data Protection Officer is not required pursuant to Art. 37 GDPR in conjunction with § 38 BDSG.

If you have any questions about this Privacy Policy, please contact us at info@aquilo-solutions.com.

2. Definitions

To help you understand this policy, here are definitions of key terms:

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data, such as collection, storage, use, or deletion
  • Data Controller: The entity that determines the purposes and means of processing personal data (Aquilo Solutions)
  • Data Processor: An entity that processes personal data on behalf of the controller (our service providers)
  • User/You: Any person using our website, mobile app, or services
  • GDPR: The EU General Data Protection Regulation
  • Consent: Freely given, specific, informed, and unambiguous indication of your agreement to processing

3. Types of Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Information You Provide Directly

Account Information:

  • Name and display name (called name)
  • Email address
  • Profile picture
  • PIN (stored as cryptographic hash only)
  • Preferred language/culture settings
  • Preferred display mode (light/dark theme)
  • Notification preferences (email, push, SMS)

Organization/Group Information:

  • Organization name and associations
  • Group memberships
  • Role assignments
  • Business addresses

Communication Preferences:

  • Email notification settings
  • Push notification settings
  • SMS notification settings

3.2 Information Collected Automatically

Device and Usage Information:

  • IP address
  • Device type and operating system
  • Browser type and version
  • App version and client metadata
  • Device identifiers
  • Time zone and language preferences

Web Analytics (Plausible Analytics, self-hosted):

  • Aggregated page views and time on page (no personal data)
  • Referral source, device type, browser, and country (broad categories)
  • No cookies, no IP addresses, no fingerprinting

4. Purposes of Processing and Legal Basis

We process your personal data for the following purposes, based on the legal grounds listed:

4.1 Service Provision (Legal Basis: Contract Performance)

  • Creating and managing your user account
  • Providing access to our platform and mobile app
  • Enabling project and task management functionality
  • Facilitating team collaboration and communication
  • Processing and storing your documents and files
  • Delivering requested features and services

4.7 AI and Intelligent Features (Legal Basis: Legitimate Interest & Consent)

  • Document OCR processing using Mistral OCR (EU-based provider, France) for text extraction from uploaded documents (users can review and correct extracted data)
  • NeKo-Check AI-powered document analysis: Analysis of rental agreements and utility bills using Mistral OCR (text extraction, EU-based provider in France) and Anthropic Claude via AWS Bedrock (intelligent content analysis, EU inference profiles, region eu-central-1 Frankfurt). Document contents may naturally contain personal data (e.g., names, addresses). This data is processed solely for analysis, not stored, and not used to train AI models.
  • Generation of clarification questions, warnings, and recommendations based on document analysis

Note on Automated Decision-Making (Art. 22 GDPR): Our AI-powered analyses (particularly NeKo-Check) are purely advisory in nature and do not produce decisions with legal or similarly significant effects. The results serve as guidance and orientation — the final assessment and decision always rests with the user. Art. 22(1) GDPR therefore does not apply.

5. Data Sharing and Third-Party Processors

We share your personal data only with trusted third-party service providers who help us operate our platform. All processors are bound by data processing agreements and comply with GDPR requirements.

5.1 Self-Hosted Infrastructure (Hetzner Falkenstein, Germany)

All application services, databases, identity management, secrets management, observability, messaging, and web hosting run on self-managed Kubernetes ("Aether") on 8 dedicated bare-metal servers in Hetzner's Falkenstein datacenter (Germany). Data resides in Falkenstein, Germany. Encryption: WireGuard for node-to-node, TLS for application traffic, encryption at rest for PostgreSQL.

5.6 AI Service Providers

Anthropic Claude (via AWS Bedrock): AI-powered document analysis. Hosting: AWS eu-central-1 (Frankfurt, Germany). Data is not stored or used to train AI models.

Mistral AI (OCR): Hosted in Paris, France. Documents processed solely for text extraction; not stored or used to train AI models.

6. Data Retention

  • User Profile and Account Information: Retained while your account is active
  • Project and Task Data: Retained while projects are active, plus 3 years after project completion
  • Audit Logs: Retained for 7 years for legal compliance and security purposes
  • Financial Records: Retained for 10 years in accordance with tax and accounting regulations
  • Account Deletion: Personal data deleted within 30 days; backups up to 90 days; audit logs retained pseudonymized.

7. Your Rights Under GDPR

As an EU resident, you have the following rights regarding your personal data:

  • Right of Access (Art. 15 GDPR)
  • Right to Rectification (Art. 16 GDPR)
  • Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)
  • Right to Restriction of Processing (Art. 18 GDPR)
  • Right to Data Portability (Art. 20 GDPR)
  • Right to Object (Art. 21 GDPR)
  • Right to Withdraw Consent
  • Right to Lodge a Complaint with Bundesbeauftragter für den Datenschutz (BfDI) or Schleswig-Holstein ULD

To exercise any of these rights, email info@aquilo-solutions.com.

8. Cookies and Tracking

Our public website is a static site with minimal cookie usage. We do not use analytics, advertising, or tracking cookies on the public website. User preferences are stored in browser local storage.

Internal applications use ASP.NET Core authentication cookies, anti-forgery tokens, and session cookies — strictly necessary for service operation under GDPR Article 6(1)(b).

Plausible Analytics (self-hosted): No cookies, no IP addresses, no fingerprinting. Daily-rotating hash held only in memory.

9. International Data Transfers

Your personal data is stored and processed exclusively within the European Union. The vast majority of data never leaves Germany. Limited transfers occur for AI inference (AWS eu-central-1 Frankfurt; Mistral AI France) — both bound by EU Standard Contractual Clauses with no persistent storage and no training use.

10. Security Measures

  • Encryption of data in transit and at rest
  • Access controls and authentication, including multi-factor authentication
  • Regular security reviews and vulnerability assessments
  • Data protection training for all staff and confidentiality agreements
  • Regular data backups

Data Breach Notification: In the event of a personal data breach posing a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours (Art. 33 GDPR) and affected individuals where the breach is likely to result in a high risk (Art. 34 GDPR).

11. Children's Privacy

Our services are not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have collected information from a child under 16, please contact info@aquilo-solutions.com.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through email, in-app notification, prominent notice on our website, and an updated "Last Updated" date.

13. Contact Us

Aquilo Solution·S GmbH

Am Haubarg 9

24229 Strande, Deutschland

Email: info@aquilo-solutions.com

We aim to respond to all inquiries within 30 days, as required by GDPR.

Legal Compliance

This Privacy Policy complies with: GDPR (EU General Data Protection Regulation 2016/679); ePrivacy Directive (Directive 2002/58/EC); German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG); Apple App Store Guidelines; Google Play Store Data Safety Requirements.

Effective Date: 30.03.2026

Version: 3.0

Languages:English | Deutsch

This Privacy Policy was prepared based on a comprehensive analysis of data collection and processing activities as of March 2026. Regular reviews and updates ensure ongoing compliance with evolving regulations and practices.