Privacy.

1. Data controller

The data controller responsible for this website under Article 4(7) GDPR is:

Represented by: Heiko Altrichter, Geschäftsführer.
Contact: [email protected]

2. What data we collect and why

We collect as little personal data as the site can reasonably function with. There are two categories:

2.1 Server access logs

When you load a page on creativehuman.ai, our hosting provider (Cloudflare) automatically records:

• your IP address (truncated or hashed where configurable),
• the timestamp of the request,
• the URL you requested and the HTTP status of the response,
• your browser user-agent string and referring URL (if any),
• the country the request originated from (derived from IP).

These logs are used for security (detecting abuse, DDoS mitigation), operational stability, and diagnosing errors. They are not joined with any personal profile and are not used for advertising or user tracking.

2.2 Form submissions

When you submit a form on this site — the contact form, demo request, advisory, training enquiry, or engine deployment form — we collect the fields you provide, typically:

• your name,
• your email address,
• your organisation (if you provide one),
• your role (if you provide one),
• the free-text message you write,
• which form you used (e.g. glasshouse-demo, service-advisory) — to route your enquiry.

We use this data only to respond to your enquiry and to have a business conversation with you. We do not sell it, do not share it with third parties outside the processors named in section 4, and do not use it for advertising.

3. Legal bases for processing

Under Article 6(1) GDPR, each category of processing rests on a specific legal basis:

• Server access logs: Art. 6(1)(f) GDPR — legitimate interest in operating and securing the website against abuse and DDoS, and in diagnosing operational errors.
• Contact form data (initial enquiry): Art. 6(1)(b) GDPR — processing necessary for pre-contractual steps at your request. When you ask us for a demo, advisory, or training conversation, we need your contact data to respond.
• Continuing conversation and follow-up: Art. 6(1)(f) GDPR — legitimate interest in maintaining a business conversation you initiated and in keeping a minimal record of correspondence.

4. Processors and recipients

We rely on two data processors under Art. 28 GDPR. Each has a signed Data Processing Agreement (DPA) on file and each is obliged to process personal data only on our instructions.

5. International data transfers

Both processors named above may transfer personal data to the United States. These transfers are governed by:

• the EU–U.S. Data Privacy Framework (DPF), to which both Cloudflare Inc. and Google LLC are certified participants, and
• the EU Standard Contractual Clauses (2021/914) as a secondary safeguard, embedded in each processor's DPA with us.

6. Cookies and tracking

At the time of writing, this site sets no marketing cookies, no third-party analytics, and no cross-site trackers. The only network requests made from your browser are:

• the HTML, CSS, JavaScript, and images served by Cloudflare (the hosting provider);
• the web fonts Work Sans, Newsreader, and Space Grotesk served from Google Fonts;
• the Tailwind CSS runtime served from cdn.tailwindcss.com;
• Material Symbols icons served from Google Fonts.

Google Fonts may receive your IP address as a technical consequence of loading the font file. Google has documented this and supplies an SCC-backed processing notice at developers.google.com/fonts/faq/privacy.

Future analytics. Creative Human AI intends to add first-party, consent-based analytics and product insights in future. Before any such tool is introduced, we will update this policy with the tool, the data collected, the legal basis, and where the TTDSG § 25 requires consent, a consent banner will be added. Until that change is made and documented here, no analytics or tracking is running on this site.

7. Retention

• Server access logs are retained by Cloudflare on our behalf for the period documented in Cloudflare's log retention policy (typically a short operational window, measured in days).
• Form submission emails in our Google Workspace inbox are retained for up to 24 months from the date of the enquiry. After 24 months we delete the submission, unless (a) you have become a client and the correspondence is part of an active engagement, or (b) we are legally obliged to keep it longer under tax or commercial law (§ 257 HGB / § 147 AO — up to 10 years for certain business records).
• If you ask us to delete your data earlier, we will delete it unless point (b) above applies, in which case we will tell you which records we must keep and why.

8. Who can access your data inside the company

Only the Geschäftsführung of Creative Human AI GmbH — in practice, the Chief Executive Officer and the Chief Operating Officer — have routine access to the inbox that receives form submissions. Members of the engineering or advisory team only see your enquiry if and when it is relevant to responding to you.

9. Your rights under the GDPR

As a data subject you have, at no cost and without having to justify yourself, the following rights with respect to personal data we hold about you:

• Right of access (Art. 15 GDPR) — you can ask what data we hold and receive a copy.
• Right to rectification (Art. 16) — you can ask us to correct inaccurate data.
• Right to erasure (Art. 17, "right to be forgotten") — you can ask us to delete data we hold.
• Right to restriction (Art. 18) — you can ask us to stop processing your data while you dispute its accuracy or our legal basis.
• Right to data portability (Art. 20) — you can ask for your data in a machine-readable format and have it transmitted to another controller.
• Right to object (Art. 21) — where we rely on legitimate interest (Art. 6(1)(f)), you can object and we must stop unless we show compelling grounds that override your interests.
• Right to withdraw consent (Art. 7(3)) — if we ever ask for and rely on your consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, email [email protected]. We aim to respond within one month (Art. 12(3) GDPR) and will confirm receipt earlier.

10. Right to lodge a complaint

You have the right to complain to a supervisory authority (Art. 77 GDPR) if you believe our processing of your personal data violates the GDPR. Because Creative Human AI GmbH is registered in Rostock, the lead supervisory authority in Germany is:

You may also lodge your complaint with the data protection authority in your EU member state of residence or place of the alleged infringement.

11. Data Protection Officer

Creative Human AI GmbH is not currently required to appoint a Data Protection Officer under § 38 BDSG (we have fewer than 20 persons continuously engaged in the automated processing of personal data, and we do not process special categories of data as a core activity). If the company's scale or the nature of its processing crosses the threshold, we will appoint a DPO and update this policy immediately.

12. Automated decision-making

We do not use automated decision-making, including profiling, that produces legal or similarly significant effects on you within the meaning of Art. 22 GDPR. Our products (Glasshouse, Brew Chai) simulate stakeholder reactions against materials you provide to us directly in a separate business engagement — that processing is governed by a separate contract and is not performed via this website.

13. Children's data

This site is a business-to-business marketing site. It is not directed at children, and we do not knowingly collect personal data from minors. If you believe a minor has submitted personal data through this site, email us and we will delete it.

14. Changes to this policy

We may update this policy as the site and the company evolve — for example, when we introduce product analytics, add a new processor, or change the retention period. Changes are announced by updating the "Last updated" date below. Where a change materially affects your rights, we will flag it more prominently.