Last updated: 17 May 2026
1. Introduction
We protect your personal data. Here we explain briefly and clearly which data we process, why we do so, and how you can exercise your rights.
2. Controller
Arpaci Seferaj Jaddi GbR (operating as "Nulara")
Eckardtstraße 10, 44263 Dortmund
Email: info@nulara.de
3. Processing of Personal Data
The provision of personal data is voluntary. However, without certain information (e.g. email address), some functions or responses cannot be provided.
3.1 Website Visit
When you visit our website, your browser automatically sends technical data to our servers, including IP address, date and time, accessed URL, referrer, and browser/OS information. We store this temporarily in log files to operate the website securely, identify errors, and defend against attacks. The transmission is encrypted via SSL/TLS. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security and stable operation).
3.2 Contact Form
If you contact us via the form, we process your name, email address, and message. We use this data only to respond to your request and delete it afterwards unless another reason prevents this. Legal basis: Art. 6(1)(a) GDPR (consent).
3.3 Email Contact
If you send us an email, we process your sender address and message content to respond. We delete the data when no longer needed. Legal basis: Art. 6(1)(a) GDPR (consent); Art. 6(1)(b) GDPR if the communication serves contract initiation or fulfilment.
3.4 Sharing with Partners and External Service Providers
For the professional or technical processing of your request and to provide our services, we may involve selected partners in the areas of AI and IT. These partners act as processors on our behalf under Art. 28 GDPR; a Data Processing Agreement (DPA) is in place with each active processor. You can exercise your data subject rights directly with us; the central contact point is info@nulara.de. A current list of subprocessors is available on request. No sharing for other purposes takes place. Legal basis: Art. 6(1)(a), (b) or (f) GDPR as applicable.
4. SaaS Platform — B2B Customer Data
When B2B customers use the Nulara platform and upload product data or user information, Nulara processes this data exclusively as a data processoron behalf of the customer (Art. 28 GDPR). The customer remains the data controller for their users' data. We conclude a Data Processing Agreement (DPA) with each B2B customer. Customer data is processed within the EU: the primary application database and server infrastructure are operated by Hetzner in Germany; further EU-based subprocessors (e.g. Cloudflare R2 with EU jurisdiction for file storage, AWS Bedrock in eu-central-1 for AI features) are listed in Sections 5 and 6. After contract termination, customer data is exported on request and then deleted within 30 days; data contained in routine encrypted backups expires automatically in line with the backup retention period. Legal basis: Art. 6(1)(b) GDPR (contract performance).
5. Hosting and Storage Providers
Our servers are provided by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Privacy policy: hetzner.com/legal/privacy-policy. A Data Processing Agreement exists with Hetzner (Art. 28 GDPR). Legal basis: Art. 6(1)(f) GDPR.
Uploaded files and documents in the SaaS platform are stored in Cloudflare R2 object storage with EU jurisdictional restriction. Provider: Cloudflare, Inc. and affiliated Cloudflare entities. Processed data can include uploaded files, file metadata and technical access data. Legal basis: Art. 6(1)(b) GDPR and Art. 28 GDPR. Cloudflare R2 data location.
6. Analytics, AI and App Integrations
6.1 Plausible Analytics
We use Plausible Analytics for privacy-friendly website analytics. Plausible measures aggregated page views, referrers, device/browser information, country or region, and non-interactive Core Web Vitals events. Plausible does not set analytics cookies, does not use browser storage, and does not create persistent cross-site identifiers. IP address and user agent are processed only transiently to derive daily aggregate statistics and are not stored in raw form. Processing is based on our legitimate interest in measuring and improving the website without tracking individual visitors (Art. 6(1)(f) GDPR). Plausible data policy and Plausible DPA.
6.2 Google Analytics
Google Analytics is not active on this website at launch. If Google Analytics 4 is activated later for Google Ads or conversion measurement, tracking will only start after your consent (§ 25 TDDDG). IP anonymisation is enabled by default for EU traffic. Data may be transferred to Google LLC (USA); the transfer basis is the EU-US Data Privacy Framework (Art. 45 GDPR). A DPA must be in place with Google before activation. Legal basis after activation: Art. 6(1)(a) GDPR. Google Privacy Policy.
6.3 AI Services (Amazon Bedrock)
For AI-assisted features on the platform, we use AI models provided via Amazon Bedrock. Inputs, selected context, document excerpts and outputs are processed through a programming interface (API) to generate responses based on natural language. Provider: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg. Model technology may include Anthropic Claude models operated through Amazon Bedrock. We configure EU or geography-bound inference profiles where available for data residency. Amazon Bedrock states that prompts and completions are not persistently stored, are not shared with model providers and are not used to train AWS or third-party models. For latency and cost optimization, AWS Bedrock's native prompt-caching feature is enabled with a 1-hour time-to-live: only the static portion of each request (system prompt, available tools, conversation history) is temporarily cached on the AWS side within the same request region (eu-central-1). User-specific inputs are not selectively cached. The cached prefix is automatically deleted after 1 hour of inactivity. Amazon Bedrock data protection. A Data Processing Agreement exists with AWS; where personal data is transferred to third countries, appropriate safeguards including Standard Contractual Clauses apply. Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in providing AI-assisted services). AWS DPA.
AI Act transparency (Art. 50 EU AI Act). Where you interact with an AI-assisted feature on the platform, you are informed that you are interacting with an AI system. AI-generated content is marked as such in the user interface. No automated decisions with legal or similarly significant effect within the meaning of Art. 22 GDPR are taken.
6.4 Location and Map Services
When users use address search, warehouse location or map features in the SaaS platform, address search terms, approximate coordinates and technical request data may be processed by Geoapify (KEPTAGO LTD, Cyprus) via our backend and by MapTiler AG, Switzerland, when map tiles or map styles are loaded in the browser. These services are used only to provide location search and map rendering. Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR. Geoapify DPA and MapTiler GDPR.
7. Cookies
We use cookies for basic website functions, for example to store your cookie preference. Plausible Analytics does not set analytics cookies. If consent-based tools such as Google Analytics are activated later, non-essential cookies will only be set after your consent (§ 25 TDDDG). Legal basis for necessary cookies: Art. 6(1)(f) GDPR; for consent-based analytics cookies after activation: Art. 6(1)(a) GDPR.
8. Disclosure to Third Parties
Your data is only disclosed if you have consented, it is necessary for contract performance or pre-contractual steps, there is a legal obligation, or legitimate interests outweigh and no opposing rights exist. Legal basis: Art. 6(1)(a), (b), (c) or (f) GDPR as applicable.
9. Your Rights
- 9.1 Access (Art. 15 GDPR): You can request information about the personal data stored about you.
- 9.2 Rectification (Art. 16 GDPR): You can have incorrect data corrected and incomplete data completed.
- 9.3 Erasure (Art. 17 GDPR): You can request deletion of your data if the legal requirements are met.
- 9.4 Restriction (Art. 18 GDPR): You can have processing restricted if the legal requirements are met.
- 9.5 Notification obligation (Art. 19 GDPR): We inform recipients of rectification, erasure or restriction where possible.
- 9.6 Data portability (Art. 20 GDPR): You can receive the data you provided in a common, machine-readable format.
- 9.7 Withdrawal of consent (Art. 7(3) GDPR): You can withdraw consent at any time with effect for the future.
- 9.8 Complaint (Art. 77 GDPR): You can lodge a complaint with a supervisory authority. The competent authority in North Rhine-Westphalia is LDI NRW, Kavalleriestr. 2-4, 40213 Duesseldorf, ldi.nrw.de.
Contact for rights requests: info@nulara.de
10. Right to Object
You can object to processing based on legitimate interests if reasons arise from your particular situation. We will then no longer process the data unless compelling legitimate grounds exist or the processing serves the establishment, exercise or defence of legal claims. Contact: info@nulara.de. Legal basis: Art. 21 GDPR.
11. Changes
We adapt these notices when our offers change or legal requirements make this necessary. The current version is always available at nulara.de/datenschutz.