Context Studios

Privacy Policy

Last updated: December 21, 2025

1. Introduction

Context Studios UG (haftungsbeschränkt) ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website contextstudios.ai.

2. Information We Collect

2.1 Personal Information

We may collect personal information that you voluntarily provide when you:

  • Fill out a contact form
  • Subscribe to our newsletter (with double opt-in confirmation and one-click unsubscribe)
  • Book a discovery call via Cal.com
  • Create an account using Clerk authentication
  • Upload receipts or documents for processing (admin area only)
  • Communicate with us via email

This information may include:

  • Name and email address
  • Company name and role
  • Phone number (if provided)
  • Project requirements and preferences (budget range, timeline, service interests)
  • Business challenges and pain points you wish to address
  • Company information (stage, team size, industry sector)
  • Technical requirements and competitive context (if provided during consultation)
  • Decision-making authority within your organization (for B2B inquiries)
  • Receipt/document images (stored temporarily, auto-deleted after processing)
  • Financial data extracted from receipts (for accounting purposes only)

2.2 Server Log Data

When you access our website, our hosting provider (Vercel) automatically collects server log data, stored for a maximum of 30 days:

  • IP address (anonymized after 24 hours)
  • Date and time of access
  • Browser type and version
  • Operating system
  • Referrer URL (previously visited page)
  • Hostname of the accessing device
  • Amount of data transferred

2.3 First-Party Analytics Data

With your consent, we collect the following data through our privacy-first analytics system to improve website performance and user experience:

Session & Visitor Data

  • Anonymous session ID (UUID) – identifies your browsing session
  • Anonymous visitor ID (UUID) – distinguishes new vs. returning visitors
  • Landing page and entry locale (language)
  • Referrer URL (previous website)
  • UTM parameters for campaign attribution (source, medium, campaign)

Device & Technical Data

  • Device type (desktop, mobile, tablet)
  • Browser name and version
  • Operating system
  • Screen resolution (width × height)

Geographic Data (without IP storage)

  • Country (derived at the edge from request metadata)
  • City (derived at the edge, converted to identifier only)
  • Location is derived at the edge based on request metadata and converted to country/city. We do not store the underlying IP address as part of analytics data.

Engagement & Behavior Data

  • Pages visited with timestamps
  • Time spent on each page (heartbeat-based measurement)
  • Scroll depth percentage (how far you scrolled)
  • Scroll milestones reached (25%, 50%, 75%, 100%)
  • CTA clicks and button interactions (what you clicked)
  • Exit pages (last page before leaving)

Performance Data (Core Web Vitals)

  • LCP (Largest Contentful Paint) – page load speed
  • FCP (First Contentful Paint) – initial render time
  • INP (Interaction to Next Paint) – responsiveness
  • CLS (Cumulative Layout Shift) – visual stability
  • TTFB (Time to First Byte) – server response time

Error Tracking

  • JavaScript error messages (for debugging)
  • Error type and source file
  • Browser and OS context for reproduction
  • Note: Error data is anonymized and used solely for improving website stability

Important: We do NOT store IP addresses in our analytics system. Location is derived at the edge based on request metadata and converted to country/city. We do not store the underlying IP address as part of analytics data. Note: IP addresses may be processed in server logs for security purposes and are deleted or anonymized within 24 hours.

Legal basis: Art. 6(1)(a) GDPR (consent). All analytics data is collected only after you provide explicit consent via our cookie banner. You can withdraw consent at any time.

Retention: Analytics data is automatically deleted after 13 months. Error logs are deleted after 3 months.

2.4 Cookies and Tracking

We use cookies and similar tracking technologies. You can control cookie preferences via our cookie consent banner. See our Cookie Policy for details.

2.5 Internal Lead Management Data

For business development and quality assurance, we maintain internal records including:

  • Lead scoring and prioritization metrics based on project scope, timeline, and budget
  • Communication history and follow-up schedules
  • Lead status tracking through our sales pipeline (new, contacted, qualified, proposal sent, converted, lost)
  • Session identifiers for technical support and quality assurance

These internal tracking mechanisms help us provide better service and ensure timely follow-up on your inquiries. This data is not shared with third parties and is used solely for internal business operations under our legitimate business interests (GDPR Art. 6(1)f). You have the right to object to this processing at any time by contacting us at info@contextstudios.ai.

3. How We Use Your Information

We use the collected information to:

  • Provide and improve our services
  • Respond to inquiries and support requests
  • Send newsletters (with explicit consent only)
  • Schedule and manage discovery calls
  • Prioritize and manage lead inquiries (lead scoring and pipeline management)
  • Analyze project requirements and prepare tailored proposals
  • Track engagement and measure consultation effectiveness
  • Website analytics and optimization
  • Comply with legal obligations

4. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Consent (Art. 6(1)(a) GDPR): Newsletter subscriptions, website analytics (Google Analytics), cookie preferences for non-essential cookies. You may withdraw your consent at any time.
  • Contract Performance (Art. 6(1)(b) GDPR): Providing requested services, appointment booking via Cal.com, processing contact inquiries for contract initiation.
  • Legitimate Interest (Art. 6(1)(f) GDPR): Server log data for IT security, lead scoring for internal workflow optimization, protection against misuse. You have the right to object at any time for reasons relating to your particular situation.
  • Legal Obligation (Art. 6(1)(c) GDPR): Tax retention obligations (§ 147 AO), commercial law retention obligations (§ 257 HGB).

5. Data Sharing and Third Parties

We share data with the following service providers:

5.1 Essential Services

  • Vercel: Website hosting (USA, EU-U.S. DPF certified)
  • Convex: Real-time database and backend services (USA, GDPR-compliant with SCCs, SOC 2 & ISO 27001 certified)
  • Clerk: Authentication and user management (USA, EU-U.S. DPF certified, ISO 27001 & SOC 2)
  • Resend: Transactional email and newsletter delivery (USA, EU-U.S. DPF certified, SOC 2 Type II & ISO 27001)
  • Cal.com: Booking system (EU/USA, GDPR-compliant)
  • Google Gemini AI: Receipt and document processing via AI (USA, Google Cloud GDPR-compliant with SCCs, ISO 27001 & SOC 2 certified)

5.2 Analytics (Consent Required)

  • Google Analytics 4: Website analytics with IP anonymization and 14-month data retention. Google Analytics may involve transfers to the United States. Transfers are safeguarded by the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses, as applicable.

5.3 Email Marketing & CAN-SPAM Compliance

Our newsletter system is fully compliant with the CAN-SPAM Act (15 U.S.C. §§ 7701-7713) and GDPR:

  • Double Opt-In: We require email confirmation before adding you to our newsletter
  • One-Click Unsubscribe: Every email includes a tokenized unsubscribe link that works with a single click
  • No Deceptive Headers: From, To, and routing information accurately identify us
  • Clear Subject Lines: Subject lines accurately reflect email content
  • Physical Address: Every email includes our Berlin office address
  • Fast Unsubscribe Processing: Unsubscribe requests are honored within 10 business days (usually instant)
  • No Fee to Unsubscribe: Unsubscribing is always free

You can unsubscribe at any time by:

  • Clicking the "Unsubscribe" link in any newsletter email
  • Emailing us at info@contextstudios.ai

Service providers act as processors under Art. 28 GDPR unless stated otherwise. All processors have data processing agreements (DPAs) in place and comply with GDPR requirements including standard contractual clauses (SCCs) for international transfers. For Google Analytics, depending on enabled features (e.g., Google Signals), joint controller arrangements may apply.

6. Your Rights (GDPR)

Under GDPR, you have the right to:

  • Access (Art. 15): Request a copy of your personal data
  • Rectification (Art. 16): Correct inaccurate data
  • Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
  • Restriction (Art. 18): Restrict how we process your data
  • Portability (Art. 20): Receive your data in a structured format
  • Object (Art. 21): Object to processing based on legitimate interests
  • Withdraw Consent (Art. 7(3)): Withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
  • Lodge a Complaint (Art. 77): File a complaint with your data protection authority

To exercise these rights, contact us at info@contextstudios.ai

Online Form for Privacy Requests

Use our online form for deletion requests, access requests, rectifications, or data transfers. You can also delete your data directly in the chatbot.

Submit Privacy Request

Supervisory Authority
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your data protection authority. For Berlin, Germany:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin, Germany
Website: www.datenschutz-berlin.de

7. Data Retention

We retain personal data only as long as necessary for the respective purposes or as required by law:

  • First-Party Analytics: 13 months
  • Google Analytics: 14 months
  • Server Logs (IP): 24 hours
  • Server Logs (other): 30 days
  • Lead/Contact records: 2 years after last contact
  • Newsletter subscribers: Until unsubscribe
  • Client data: Contract duration + 10 years
  • Consent records: 3 years
  • User accounts: Until account deletion

8. Data Security

We implement appropriate security measures including:

  • SSL/TLS encryption for data transmission (HTTPS everywhere)
  • Encryption at rest for stored data (Convex database encryption)
  • Secure authentication with Clerk (ISO 27001, SOC 2, multi-factor authentication)
  • Role-based access control (admin area restricted to authorized personnel)
  • Regular security updates and monitoring
  • Access controls and audit logging for admin operations
  • Data processing agreements with all processors
  • Security incident response procedures
  • Data breach notification (notification to authorities within 72 hours if required by GDPR)

8.1 File Upload Security & AI Processing

For receipt and document uploads (admin area only), we implement additional security measures:

  • Temporary Storage: Uploaded files are stored temporarily and automatically deleted after processing
  • Secure Transmission: Files transmitted via HTTPS to Google Gemini AI for processing
  • Limited Access: Only authenticated admin users can upload documents
  • Data Minimization: Only necessary data is extracted from documents
  • Auto-Deletion: Original files deleted within 24 hours of upload
  • Audit Trail: All upload and processing operations are logged
  • Google Cloud Security: Gemini AI processing benefits from Google Cloud's SOC 2 & ISO 27001 certifications

AI Processing Transparency: When documents are processed by Google Gemini AI:

  • Only financial/accounting data is extracted (vendor, amount, date, category)
  • We use Google Cloud services under Google Cloud's data processing terms. Google does not use customer data submitted via these services to train general-purpose AI models, in accordance with the applicable Google Cloud terms.
  • Data is transmitted via Google Cloud API with enterprise-grade encryption
  • Data retention, if any, follows the selected cloud configuration and our deletion schedule

9. International Data Transfers

Some of our service providers are located in the USA. For each service, we ensure adequate data protection through specific safeguards:

  • EU-U.S. Data Privacy Framework (DPF) certification where available
  • Standard Contractual Clauses (SCCs) per EU Commission Decision 2021/914
  • Transfer Impact Assessments (TIA) for each service provider
  • Additional technical and organizational measures as appropriate

10. Children's Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from minors.

10.1 Automated Decision-Making and Profiling

We do not use automated decision-making that produces legal effects or similarly significantly affects you under Article 22 of the GDPR.

Lead Scoring (Profiling)

We use an internal lead scoring system to prioritize contact inquiries. This constitutes profiling within the meaning of Art. 4(4) GDPR, used solely to prioritize internal responses and not to make decisions producing legal or similarly significant effects.

  • Project budget range and timeline urgency
  • Service interests and project scope complexity
  • Company information and business stage
  • Completeness of information provided

Important: These scores are used internally for workflow optimization only and do not affect the quality of service you receive. Every inquiry receives human review and response. Lead scores do not determine whether we accept your project - we evaluate all inquiries fairly regardless of score.

You have the right to request information about the data used for scoring and to object to the processing. Contact us at info@contextstudios.ai.

10.2 Data Protection Officer & TTDSG Compliance

We have not appointed a Data Protection Officer as we are currently not legally required to do so. For privacy inquiries, contact us at info@contextstudios.ai

TTDSG (German Telecommunications and Telemedia Data Protection Act)

As a Germany-based company, we comply with the Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG), effective December 1, 2021:

  • § 25 TTDSG - Cookie Consent: We obtain explicit consent before storing or accessing information on your device (cookies, localStorage)
  • Essential vs. Non-Essential: We clearly distinguish between technically necessary and optional cookies
  • Granular Consent: You can choose which non-essential cookies to accept (analytics, marketing, preferences)
  • Consent Storage: Your cookie preferences are stored for 12 months
  • Easy Withdrawal: You can withdraw consent at any time via our Cookie Settings
  • Documentation: All consents are logged with timestamps for compliance

TTDSG works in combination with GDPR to provide comprehensive data protection for German users. See our Cookie Policy for detailed information.

10.3 California Consumer Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). This section supplements the information in this Privacy Policy.

Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information as defined by the CCPA:

CategoryExamplesCollected?
A. IdentifiersName, email address, IP address, online identifiersYES
B. Personal Information (Cal. Civ. Code § 1798.80)Name, address, email, phone numberYES
C. Protected ClassificationsAge, gender, race, citizenshipNO
D. Commercial InformationProducts/services purchased, purchase historyYES
E. Biometric InformationFingerprints, faceprints, voiceprintsNO
F. Internet ActivityBrowsing history, search history, website interactionYES
G. Geolocation DataPhysical location or movementsYES (derived from browser timezone, city/region level, no IP storage)
H. Sensory InformationAudio, visual, thermal, olfactoryNO
I. Professional/EmploymentJob title, employer, employment historyYES (if provided)
J. Education InformationEducation records, transcriptsNO
K. InferencesPreferences, characteristics, behaviorYES (from analytics)
L. Sensitive Personal InformationSSN, driver's license, financial account, precise geolocationNO

Business Purposes for Collection

We collect and use personal information for the following business purposes:

  • Providing services and customer support
  • Processing transactions and payments
  • Communicating with you about services, updates, and offers
  • Analytics and improving our website and services
  • Security, fraud prevention, and legal compliance
  • Marketing and advertising (with consent)

Categories of Third Parties We Share With

We share personal information with:

  • Service Providers: Hosting (Vercel), database (Convex), authentication (Clerk), email (Resend), booking (Cal.com)
  • Analytics Providers: Google Analytics (with consent)
  • Professional Advisors: Lawyers, accountants, auditors
  • Government Authorities: When required by law

Sale and Sharing of Personal Information

We do not sell your personal information for monetary consideration.

However, when you consent to analytics cookies (like Google Analytics), this may constitute "sharing" under the CCPA because it enables cross-context behavioral advertising. Categories shared:

  • Internet Activity (browsing history, page views, clicks)
  • Device Information (browser type, device type, operating system)
  • Geolocation Data (general location from browser timezone, no IP storage)

You have the right to opt out of this sharing. See our Do Not Sell or Share My Personal Information page for instructions.

Retention by Category

CategoryRetention PeriodReason
Newsletter SubscribersUntil unsubscribe + 30 daysConsent-based processing
Contact Inquiries2 yearsCustomer service, potential contract
Client Contracts & Invoices10 years after contract endGerman tax law (§ 147 AO)
Analytics Data (Google Analytics)14 monthsAnalytics retention setting
Cookie Consent Records12 monthsConsent validity period
Account Data (Clerk)Until account deletion + 30 daysService provision, security logs
Cal.com Booking Data2 years after meetingClient relationship management

Your California Privacy Rights

California residents have the following rights:

  • Right to Know: Request disclosure of personal information collected, used, disclosed, and sold/shared
  • Right to Delete: Request deletion of personal information (with exceptions)
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of sale/sharing of personal information
  • Right to Limit: Limit use and disclosure of sensitive personal information
  • Right to Non-Discrimination: Not be discriminated against for exercising CCPA rights

How to Exercise Your Rights

To exercise your California privacy rights:

We will verify your identity before processing requests. We will respond within 45 days (extendable by 45 days if needed). You may use an authorized agent to submit requests on your behalf.

Global Privacy Control (GPC)

We recognize and honor the Global Privacy Control (GPC) browser signal. When GPC is detected:

  • We treat GPC as an opt-out of sale/sharing under CCPA § 1798.135(b)(2)
  • We treat GPC as an opt-out preference for non-essential tracking where technically feasible
  • Analytics and advertising cookies will not be set without explicit consent override
  • This applies to the specific browser and device where GPC is enabled

Learn how to enable GPC on our Do Not Sell or Share page.

Financial Incentives

We do not offer financial incentives or price differences in exchange for the collection, sale, or retention of personal information.

10.4 U.S. Multi-State Privacy Rights

In addition to California, the following U.S. states have enacted comprehensive privacy laws with similar consumer rights. If you are a resident of these states, you have similar rights to those described in the CCPA section above:

StateLawEffective Date
CaliforniaCCPA/CPRAJanuary 1, 2020 (CCPA) / January 1, 2023 (CPRA)
ColoradoCPA (Colorado Privacy Act)July 1, 2023
ConnecticutCTDPA (Connecticut Data Privacy Act)July 1, 2023
DelawareDPDPA (Delaware Personal Data Privacy Act)January 1, 2025
FloridaFDBR (Florida Digital Bill of Rights)July 1, 2024
IndianaICDPA (Indiana Consumer Data Protection Act)January 1, 2026
IowaICDPA (Iowa Consumer Data Protection Act)January 1, 2025
KentuckyKCDPA (Kentucky Consumer Data Protection Act)January 1, 2026
MarylandMOPDA (Maryland Online Data Privacy Act)October 1, 2025
MinnesotaMCDPA (Minnesota Consumer Data Privacy Act)July 31, 2025
MontanaMCDPA (Montana Consumer Data Privacy Act)October 1, 2024
NebraskaNDPA (Nebraska Data Privacy Act)January 1, 2025
New HampshireNHDPA (New Hampshire Data Privacy Act)January 1, 2025
New JerseyNJDPA (New Jersey Data Protection Act)January 15, 2025
OregonOCPA (Oregon Consumer Privacy Act)July 1, 2024
Rhode IslandRIDPA (Rhode Island Data Privacy Act)January 1, 2026
TennesseeTIPA (Tennessee Information Protection Act)July 1, 2025
TexasTDPSA (Texas Data Privacy and Security Act)July 1, 2024
UtahUCPA (Utah Consumer Privacy Act)December 31, 2023
VirginiaVCDPA (Virginia Consumer Data Protection Act)January 1, 2023

Common Rights Across These States

  • Right to confirm whether we are processing your personal data
  • Right to access your personal data
  • Right to correct inaccuracies in your personal data
  • Right to delete personal data you provided
  • Right to data portability (obtain a copy in a portable format)
  • Right to opt out of targeted advertising, sales, and profiling

To exercise these rights, contact us at info@contextstudios.ai with "State Privacy Rights Request" in the subject.

Appeal Process

If we deny your request to exercise your privacy rights, you have the right to appeal. To appeal, reply to our denial email within 60 days. We will respond to your appeal within 60 days. If we deny your appeal, we will provide information on how to contact your state attorney general.

10.5 UK Privacy Rights

If you are a UK resident, you have specific rights under the UK GDPR and UK Data Protection Act 2018.

Your UK Rights

You have the following rights under UK GDPR:

  • Right of Access: Request a copy of your personal data (Subject Access Request)
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion ("right to be forgotten")
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Rights Related to Automated Decision-Making: Not be subject to decisions based solely on automated processing

UK Supervisory Authority

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom

Helpline: 0303 123 1113
Website: www.ico.org.uk

International Transfers from the UK

Following Brexit, transfers of personal data from the UK to countries outside the UK (including EEA) require adequate safeguards. We ensure data transfers from the UK through:

  • UK adequacy decisions (e.g., EEA, Switzerland)
  • UK International Data Transfer Agreement (IDTA)
  • UK Addendum to Standard Contractual Clauses
  • EU-U.S. Data Privacy Framework recognition by UK ICO

PECR (Privacy and Electronic Communications Regulations)

For UK residents, we comply with PECR regarding:

  • Cookies: We obtain consent before setting non-essential cookies
  • Marketing Communications: We send marketing emails only with your consent (opt-in)
  • Caller ID: Not applicable (we do not make marketing calls)

UK Consumer Contracts Regulations 2013

If you are a UK consumer purchasing services remotely (online), you have:

  • Right to Pre-Contractual Information: Clear information about services, pricing, and terms before purchase
  • 14-Day Cancellation Right: Right to cancel within 14 days of contract (see our Cancellation Policy)
  • Exceptions: Right may not apply if you request immediate service commencement and we perform it fully

UK Consumer Rights Act 2015

For digital content and services, you are entitled to:

  • Digital content of satisfactory quality
  • Fit for a particular purpose
  • As described
  • Remedies if digital content is faulty (repair, replacement, price reduction, refund)

To exercise your UK privacy rights, contact us at info@contextstudios.ai

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page and updating the "Last updated" date.

12. Contact Us

If you have questions about this Privacy Policy, contact us:

Context Studios UG (haftungsbeschränkt)
Kaiser-Friedrich Str. 6
10585 Berlin, Germany

Email: info@contextstudios.ai
General: hello@contextstudios.ai