Last updated July 16, 2026
This Privacy Policy describes how Uisdom.design processes personal data under the EU General Data Protection Regulation (GDPR / DSGVO) and German data protection law. The Service is offered exclusively to business customers (B2B); see Section 2.
The data controller responsible for the processing of data through this website under the General Data Protection Regulation (GDPR / DSGVO) is:
Cesare D’adamo & Steven Hagenah GbR
Trading as: Uisdom.design
Mühlenstrasse 20, 13187 Berlin, Germany
Contact: uisdomcontact@gmail.com
This Service is explicitly targeted at business customers (B2B) operating in a commercial or independent professional capacity. We do not knowingly offer services to consumers within the meaning of § 13 BGB. However, because B2B operations involve processing user accounts, employee emails, metadata, and IP addresses, the GDPR applies.
We process personal data based on the following legal frameworks:
Art. 6(1)(b) GDPR: Processing necessary for the performance of a contract or to execute pre-contractual steps (e.g., managing user accounts, running subscriptions, executing website design rebuilds).
Art. 6(1)(f) GDPR: Processing based on our legitimate interests (e.g., ensuring web application stability, monitoring infrastructure security, and defending against automated malicious activities such as denial-of-service or scraping attacks).
Art. 6(1)(a) GDPR: Processing based on your explicit consent (e.g., if you choose to opt-in to optional communication channels or analytical features).
A. Account Registration & Profile Data. Data collected: First and last name, business email address, company name, and account credentials. Purpose: To verify your identity, allow secure dashboard access, deliver the platform features, and provide technical client support. Retention: Kept for the duration of your active subscription. Upon a formal request for account deletion, it will be erased from our active databases within 30 days, unless statutory commercial or tax preservation obligations apply.
B. Billing & Transaction Data. Data collected: Billing address, corporate tax identification numbers (VAT ID / USt-IdNr.), and payment metadata. Your critical credit card details are processed directly via our payment infrastructure provider (Stripe) and never pass through or get stored on our servers. Purpose: Processing your plan payments, issuing monthly invoices, and ensuring legal financial bookkeeping. Retention: Retained for ten (10) years following the end of the calendar year of transaction, strictly adhering to German statutory archiving laws under tax code regulations (§ 147 AO).
C. Input Data for AI Processing (The Website Rebuild Pipeline). Data collected: The target URLs you input into Uisdom, along with the publicly accessible structural components (public source code, layout schemas, text copy, and public asset URLs) parsed during the analysis phase. Purpose: To run layout analyses and compile structural design blueprints, which are forwarded to our AI models to generate your modern website draft. Enterprise Security Shield: We transfer this structural text and schema information to upstream AI APIs. Under our enterprise data processing agreements, your data blocks are protected and are not utilized to train third-party machine learning models.
D. Server Log Files & Infrastructure Security. Data collected: Anonymized or raw IP address, browser user-agent string, page referral parameters, access timestamps, and protocol data. Purpose: To maintain server-side system security, detect server load drops, discover network bugs, and isolate security threats. Retention: Log data is kept strictly isolated and automatically overwritten or deleted within 7 to 14 days, except where an open security breach requires deeper auditing.
To host our application and process machine workflows reliably, we share data with trusted tech infrastructure sub-processors. Where data transfers land outside the European Economic Area (EEA), safety guarantees are backed by formal Data Processing Agreements (DPAs), EU Standard Contractual Clauses (SCCs), or active certifications under the EU-U.S. Data Privacy Framework:
Vercel Inc. (Hosting, Deployment, Edge Routing). Data shared: server log parameters, web telemetry, routing metadata. Processing location: Global Network Nodes / US Infrastructure. Safeguard: Data Processing Addendum + EU Standard Contractual Clauses.
Supabase Inc. (Cloud Database, Authentication & File Storage). Data shared: user profile records, account tables, saved drafts, lead submissions and any files attached to them. Processing location: EU-Central Region (Frankfurt, Germany). Safeguard: Database physically locked to EU Region; DPA + Standard Contractual Clauses signed.
Anthropic PBC (AI Design Model Architecture). Data shared: extracted website structural elements, styling prompts, chat messages. Processing location: United States. Safeguard: Commercial API Terms (data explicitly barred from model training) + Standard Contractual Clauses.
Stripe Inc. (Payment Infrastructure). Data shared: billing addresses, invoice numbers, credit card tokens. Processing location: United States / Global. Safeguard: Certified under the EU-U.S. Data Privacy Framework.
Trigger.dev Inc. (Background Job Orchestration). Data shared: session identifiers, workspace files transferred between sandbox and storage, publish build artifacts. Used to run long jobs (clone, publish, reboot) outside the request-response cycle. Processing location: United States. Safeguard: Standard Contractual Clauses.
E2B Inc. (Sandbox Runtime). Data shared: generated workspace source code, crawled brand assets, dev-server I/O. Each user session runs in an isolated short-lived container where the AI assembles and previews your site. Processing location: United States. Safeguard: Standard Contractual Clauses.
Mendable Inc. (Firecrawl — Website Analysis API). Data shared: the target URL you submit for analysis and the publicly retrievable HTML / images returned from it. Used only to compile structural blueprints fed to the AI design step. Processing location: United States. Safeguard: Standard Contractual Clauses.
SMTP Email Provider (Transactional Email). Data shared: recipient email address, subject line, and message body for clone-ready notifications, password resets, and lead-notification emails routed to you. Configured via standard SMTP credentials; the exact provider may change. Safeguard: TLS in transit; relevant DPA with the current provider on file.
Microsoft Corporation (Microsoft Clarity — Product Analytics, optional). Data shared: anonymized session interactions, click and scroll telemetry on www.uisdom.design. Loaded only after you accept analytics in the cookie banner. Processing location: United States. Safeguard: Standard Contractual Clauses.
Meta Platforms Ireland Ltd. (Meta Pixel — Audience Measurement, optional). Data shared: page-view and conversion events on www.uisdom.design. Loaded only after you accept marketing in the cookie banner. Processing location: Ireland / United States. Safeguard: EU-U.S. Data Privacy Framework + SCCs for onward transfers.
We use cookies and equivalent local-storage entries in two tiers, separated by whether they require consent under § 25 TTDSG and the ePrivacy Directive:
Strictly necessary (no consent required). Authentication session (Supabase Auth), language preference (NEXT_LOCALE), and the cookie-banner choice itself. Without these the Service cannot function.
Consent-based. Microsoft Clarity (product analytics + session insights) and Meta Pixel (audience measurement + ad attribution) are loaded only after you click "Accept" in our cookie banner. You can withdraw consent at any time by clearing your choice in the banner; the loaders react immediately and stop firing. Withdrawal under Art. 7(3) GDPR does not affect the lawfulness of processing carried out before the withdrawal.
When a visitor submits a form on a site you have published with Uisdom, the form data (text fields and any file attachments) is captured to the lead store associated with your account. Files are kept in the public lead-attachments bucket under an unguessable path; access requires the URL.
Roles: you are the controller of the visitor's data (your customer relationship), and Uisdom is your processor for storage, delivery, and presentation in your dashboard. A Data Processing Agreement applying to this processing is incorporated into our Terms.
Retention: lead data is stored on your behalf for the lifetime of your account or until you delete the individual lead from the dashboard. You are responsible for honouring data-subject requests received from your own visitors; we will assist within a reasonable time on written request.
When you submit a third-party URL into Uisdom for analysis or rebuild, our crawler retrieves publicly available content from that URL (HTML, public images, public copy). That content may incidentally contain personal data of unrelated third parties (e.g., employee photographs on team pages, public contact details).
You warrant in our Terms that you have the right to submit the URL for analysis. We process the retrieved content solely to compile the structural blueprint forwarded to the AI design step and to mirror referenced media into your workspace; we do not republish it externally on your behalf without an explicit publish action by you.
In compliance with Article 50 of the EU AI Act, we ensure structural transparency:
Users are explicitly informed that the website designs, layouts, and code structures provided inside the Uisdom workspace are generated utilizing artificial intelligence models (Claude, by Anthropic PBC).
The service acts as an assistive developer engine; all generated code blocks and visual interpretations remain subject to human editorial tracking, proofing, and final administrative approval by the user before public deployment. No legally or materially significant decision concerning you is taken purely on the basis of automated processing within the meaning of Art. 22 GDPR.
You possess full legal recourse regarding your stored data under European data protection laws:
Art. 15 GDPR (Right of Access): The right to request comprehensive copies of all personal records we have on file.
Art. 16 GDPR (Right to Rectification): The right to adjust or update inaccurate business account profiles.
Art. 17 GDPR (Right to Erasure): The right to wipe your profile data instantly, provided it does not conflict with German tax retention regulations.
Art. 18 GDPR (Right to Restriction of Processing): The right to demand that we limit processing of your data in specified circumstances (e.g. while a rectification or objection request is being examined).
Art. 20 GDPR (Right to Data Portability): The right to receive the data you provided to us in a structured, commonly used, machine-readable format, and to transmit it to another controller.
Art. 21 GDPR (Right to Object): The right to halt any processing actions built upon legitimate interest assumptions (Art. 6(1)(f) GDPR).
Art. 7(3) GDPR (Right to Withdraw Consent): Where processing is based on consent (Art. 6(1)(a) GDPR), you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before it.
Art. 22 GDPR (Automated Decision-Making): You are not subject to a legally or materially significant decision based solely on automated processing through this Service.
To trigger any of these verification requests, write directly to our team at uisdomcontact@gmail.com. You also have the right to introduce formal compliance complaints to our local oversight regulator:
Berliner Beauftragte für Datenschutz und Informationsfreiheit. Anschrift: Alt-Moabit 59-61, 10555 Berlin, Germany. Eingang: Alt-Moabit 60. E-Mail: mailbox@datenschutz-berlin.de
We have not appointed a designated Data Protection Officer (DPO) because we do not meet the threshold criteria set out in Art. 37(1) GDPR / § 38 BDSG (we do not engage in regular and systematic monitoring of data subjects on a large scale, nor in large-scale processing of special categories of data). All privacy-related requests are handled directly by the controller listed in Section 1 at uisdomcontact@gmail.com.
The Service is offered to business customers only and is not directed at children under 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at uisdomcontact@gmail.com and we will delete it.
We may update this Policy from time to time to reflect product changes, regulatory updates, or new sub-processors. Material changes will be communicated by email or via an in-product notice with reasonable notice. The "Last updated" date at the top of this Policy tells you when the current version took effect; we recommend reviewing it on each publication.