Privacy Policy
As of: February 2026 · In accordance with the EU GDPR (Regulation 2016/679)
This is a courtesy English translation. In case of discrepancies, the German version prevails.
Table of Contents
- Controller
- General information on data processing
- Legal bases
- Hosting (IONOS)
- Backend infrastructure (Supabase)
- Payment processing (Stripe)
- ACTLI training platform (by AX1S)
- Local data storage
- Cookies & technical storage
- Email communication
- Disclosure of data to third parties
- Data transfer to third countries
- Retention period
- Your rights (GDPR)
- Right to lodge a complaint
- Changes
1. Controller
The controller responsible for data processing on this website is:
Thomas Brandt
Sole proprietor trading under the brand AX1S
AX1S c/o Clevver
Winterhuder Weg 29, 7. Stock
22085 Hamburg, Germany
Email:
Website: www.ax1s.de
Hereinafter referred to as "we" or "provider".
2. General information on data processing
As a matter of principle, we process the personal data of our users only to the extent necessary to provide a functional compliance training platform as well as our content and services. The processing of personal data regularly takes place only with the user's consent or where processing is permitted by statutory provisions.
Privacy by Design: The platform was designed from the ground up to minimise data. We use no tracking cookies, no Google Analytics and no advertising networks.
3. Legal bases
The processing of personal data is based on the following legal bases of the GDPR:
- Art. 6 (1) (a) GDPR – consent of the data subject
- Art. 6 (1) (b) GDPR – performance of a contract or pre-contractual measures
- Art. 6 (1) (c) GDPR – compliance with a legal obligation (in particular EU AI Act Art. 4, NIS2, DORA)
- Art. 6 (1) (f) GDPR – safeguarding legitimate interests (e.g. IT security, fraud prevention)
4. Hosting and provision of the website
EU hosting
This website is hosted by:
IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany
When you visit our website, the web server automatically records:
- IP address of the requesting computer
- Date and time of access
- Name and URL of the retrieved file
- Amount of data transferred
- Notification of whether the retrieval was successful
- Identification data of the browser and operating system used
- Website from which the access was made (referrer URL)
This data is stored temporarily in server log files on the basis of legitimate interest (Art. 6 (1) (f) GDPR) to ensure trouble-free operation and is deleted after no more than 7 days.
Order processing: We have concluded a data processing agreement with IONOS in accordance with Art. 28 GDPR.
5. Backend infrastructure (Supabase)
EU data centre · SOC 2 Type II (Supabase)
For authentication, data storage and server-side logic we use:
Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992
Our Supabase project is hosted in the AWS region eu-central-1 (Frankfurt). All personal data therefore remains within the European Union.
5.1 Data processed in Supabase
- Authentication: email address, encrypted password (bcrypt), login timestamp, session token
- Profile data: first name, last name, email, department, tenant assignment (tenant_id)
- Learning progress: module progress, examination results, certificate data
- Tenant data (B2B): company name, licence key, subscription status, invitations
- Purchase data: module ID, purchase status, reference to Stripe payment
5.2 Security measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row Level Security (RLS) – users can only view their own data
- Regular backups within the EU region
- Hosting with a SOC 2 Type II certified provider (Supabase)
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract) and Art. 6 (1) (c) GDPR (legal obligation pursuant to the EU AI Act).
Order processing: Data processing by Supabase takes place on the basis of a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR.
6. Payment processing (Stripe)
EU data processing · PCI DSS Level 1
For processing paid training licences we use:
Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland
When making a purchase, you are redirected to Stripe's payment page (Stripe Payment Links). The following data is processed by Stripe:
- Name and email address
- Payment data (credit card number, expiry date, etc.)
- Billing address
- IP address and device information (for fraud prevention)
Important: Payment data (credit card numbers etc.) is processed exclusively by Stripe and is never stored on our servers. We only receive a confirmation of the payment status from Stripe.
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract).
Stripe privacy information: stripe.com/de/privacy
7. ACTLI training platform (by AX1S)
7.1 Registration and account creation
To use the ACTLI training platform (operated by AX1S), the following data is processed:
- First name and last name
- Email address
- Department / organisational unit
- Password (stored encrypted via bcrypt)
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract).
7.2 Learning progress and examination results
We store the learning progress of the training modules, examination results and certificate data. This processing is necessary to demonstrate AI literacy in accordance with EU AI Act Article 4 as well as further EU regulations (NIS2, DORA, GDPR+AI, CSRD, CRA).
Legal basis: Art. 6 (1) (b) and (c) GDPR (performance of a contract and legal obligation).
7.3 Certificates
Upon passing an examination, a certificate with a unique certificate ID is created. It contains name, company, date, regulation and examination result. Public verification is possible at ax1s.de/verify.html.
Storage takes place to demonstrate compliance with the EU AI Act and can be presented during audits.
7.4 Invitation system (B2B)
For B2B customers, the platform offers an invitation system. The email addresses of invited learners are stored until the invitation is accepted or revoked.
Legal basis: Art. 6 (1) (b) GDPR (performance of a B2B contract) and Art. 6 (1) (f) GDPR (legitimate interest of the employer in compliance training).
7.5 Licence keys (B2B)
For B2B customers we process licence keys, customer numbers and usage data for licence management.
Legal basis: Art. 6 (1) (b) GDPR.
8. Local data storage (localStorage)
In addition to server-side storage, the application uses your browser's localStorage for:
- Language selection
- Module unlock status (cache)
- Temporary session data
This data does not leave your computer and is not transferred to our servers. You can delete this data at any time via your browser settings.
9. Cookies & technical storage
This website uses exclusively technically necessary cookies and localStorage entries for:
- Language selection (preference)
- Session management / login status (Supabase Auth token)
- Module unlocks (cache)
No cookie banner required: We use no tracking cookies, no analytics tools (no Google Analytics), no advertising cookies and no social media plugins.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in technical operation) as well as § 25 (2) TDDDG (technically necessary).
10. Email communication
If you contact us by email, your details (including your email address) will be stored for the purpose of processing the enquiry and for follow-up questions. This data will not be passed on without your consent.
System notifications (e.g. invitation emails, password reset) are sent via Supabase Auth.
Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures) or Art. 6 (1) (f) GDPR (legitimate interest).
11. Disclosure of data to third parties
Personal data is only transmitted to third parties if:
- this is necessary for the performance of a contract (e.g. Stripe for payments)
- there is a legal obligation
- you have expressly consented
Current processors:
- IONOS SE (Germany) – web hosting
- Supabase Inc. (EU region Frankfurt) – backend, database, authentication, Edge Functions
- Anthropic PBC (USA) – AI service (Claude model) for AI-assisted analyses and the AI assistant – transmitted data is not used for training, DPA pursuant to Art. 28 GDPR
- Stripe Payments Europe, Ltd. (Ireland) – payment processing
- Clevver GmbH (Germany) – virtual business address
12. Data transfer to third countries
All personal data is processed within the European Union or the EEA:
- IONOS: Germany
- Supabase: AWS eu-central-1, Frankfurt
- Stripe: Dublin, Ireland
Supabase Inc. is headquartered in Singapore. However, the data processing of our instance takes place exclusively in the EU region (Frankfurt). In the event that Supabase employees from third countries require access to systems, this takes place on the basis of Standard Contractual Clauses (SCCs) pursuant to Art. 46 (2) (c) GDPR.
Stripe Payments Europe, Ltd. processes payment data in the EU. SCCs and the EU-U.S. Data Privacy Framework also apply to the transfer to Stripe, Inc. (USA).
AI service (Anthropic): For AI-assisted analyses and the AI assistant ("Felix") we use the Claude model from Anthropic PBC (San Francisco, USA). Anthropic contractually does not train its models on the data transmitted via the API (no-training commitment). For the transfer to the USA, Standard Contractual Clauses (SCCs) pursuant to Art. 46 (2) (c) GDPR and the EU-U.S. Data Privacy Framework apply; a data processing agreement (DPA) pursuant to Art. 28 GDPR is in place. EU inference (e.g. via AWS Bedrock in Frankfurt) and customer-side model/key choice (BYOK) are in preparation.
13. Retention period
Personal data is deleted as soon as the purpose of storage no longer applies:
- Server log files: max. 7 days
- Account data: until account deletion or end of contract, plus statutory retention periods
- Invoice / payment data: 10 years (tax law, § 147 AO)
- Contract data: 6 years (commercial law, § 257 HGB)
- Certificate and training records: for the duration of the statutory documentation obligation in accordance with the EU AI Act, NIS2 and further EU regulations (minimum of 5 years recommended)
- Invitations: until acceptance or revocation, max. 12 months
14. Your rights (GDPR)
You have the following rights vis-à-vis us regarding your personal data:
- Access (Art. 15 GDPR) – which data we have stored about you
- Rectification (Art. 16 GDPR) – correction of inaccurate data
- Erasure (Art. 17 GDPR) – "right to be forgotten"
- Restriction (Art. 18 GDPR) – restriction of processing
- Data portability (Art. 20 GDPR) – receive data in a common format
- Objection (Art. 21 GDPR) – objection to processing based on legitimate interests
- Withdrawal – withdraw consent given at any time with effect for the future
To exercise your rights, please contact:
We will process your request without undue delay, but no later than within one month of receipt (Art. 12 (3) GDPR).
15. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data.
Competent supervisory authority for our place of business:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI)
Ludwig-Erhard-Str. 22, 7. OG
20459 Hamburg
Phone: +49 40 42854-4040
Email: mailbox@datenschutz-hamburg.de
Website: datenschutz-hamburg.de
16. Changes to this Privacy Policy
We reserve the right to amend this Privacy Policy so that it always complies with current legal requirements or in order to implement changes to our services. The updated Privacy Policy then applies when you next use the website. The current version published on this website applies in each case.
Effective date of this Privacy Policy: February 2026