Privacy Policy

The full English version of this Privacy Policy is available. The German version below serves as the legally binding document. Both versions convey identical legal content.

1. Controller

GD Green Dopamine GmbH
Seehügelweg 1f
9500 Villach, Austria
VAT No.: ATU78344267
Email: backoffice@green-dopamine.at
Web: www.green-dopamine.at

2. Scope

This Privacy Policy applies to the following services of GD Green Dopamine GmbH (hereinafter "we"):

• finoptory.ai — Marketing website with information and contact services,
• app.finoptory.ai — SaaS platform "FinOptory for SAP RISE" for contractual and commercial management of SAP RISE agreements.

Where sections apply only to one of these services, this is explicitly stated.

3. General Data Processing

We process personal data confidentially and exclusively in accordance with the General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG), and this Privacy Policy.

Personal data is collected only to the extent necessary for the provision of our services or where you have given your consent. We implement appropriate technical and organisational measures to protect your data.

4. Website (finoptory.ai)

4.1 Hosting

The website is hosted by Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, USA). When you visit the website, Vercel automatically collects technical access data in server log files:

• IP address of the requesting device,
• date and time of access,
• name and URL of the requested file,
• volume of data transferred,
• browser type and version, operating system,
• referrer URL.

This data is technically necessary to provide the website and is processed to ensure stability and security.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
Retention period: Server log files are deleted after no more than 30 days.

4.2 Contact and Lead Forms

When using our contact or lead forms, the following data is collected:

• Name, email address, message,
• optional: company, phone number.

Data is used exclusively to process your enquiry. Email dispatch is handled by Resend Inc. (2261 Market Street #5039, San Francisco, CA 94114, USA).
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding).
Retention period: Data is deleted after your enquiry has been fully processed, unless statutory retention obligations apply.

4.3 Web Analytics (Plausible)

We use Plausible Analytics, a privacy-friendly analytics service that uses no cookies, collects no personal data, and creates no user profiles. Only aggregated, anonymous usage statistics are recorded (e.g. page views, referral sources, device category).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in website optimisation).
Further information: plausible.io/data-policy

5. SaaS Platform (app.finoptory.ai)

The following sections apply to registered users of the "FinOptory for SAP RISE" platform. Access requires a contract between us and the user's organisation (the "Client").

5.1 User Accounts and Authentication

When registering and using an account, we process:

• First and last name, business email address,
• password hash (we never store passwords in plain text),
• company affiliation, department, function/role,
• login timestamps, IP address at login.

Authentication is via email/password or Single Sign-On (Azure Entra ID). Multi-factor authentication (MFA) is mandatory for all users. Account management is handled by Supabase Inc. (San Francisco, USA).
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
Retention period: Account data is stored for the duration of the contractual relationship and deleted after termination in accordance with Section 8.

5.2 Contract Data and Document Storage

As part of contract management, we process contract documents and data uploaded or entered by the Client. These may contain personal data (e.g. contact persons, signatures, representatives in SAP RISE contracts).

Documents are stored encrypted (AES-256 at rest). Access is restricted by tenant-based data separation (Row-Level Security) and role-based access control.
Legal basis: Art. 6(1)(b) GDPR (performance of contract); for data of third parties contained in documents: Art. 6(1)(f) GDPR (legitimate interest of the Client in contract management).
Retention period: For the duration of the contractual relationship. After termination, see Section 8.

5.3 AI-Assisted Contract Analysis

At the user's request, our platform analyses contract documents using AI models (Anthropic, PBC, San Francisco, USA). Contract content is transmitted to Anthropic's API exclusively for processing the specific request.

Anthropic does not retain transmitted data and does not use it to train AI models. Processing is carried out on the basis of EU Standard Contractual Clauses (SCCs).
Legal basis: Art. 6(1)(b) GDPR (performance of contract or execution of the AI analysis requested by the user).

5.4 Audit Logging

For transparency and security purposes, we log all data-protection-relevant activities on the platform:

• User (name/ID), action performed, timestamp,
• affected entity (e.g. contract, document).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security, traceability and compliance) and Art. 6(1)(c) GDPR (legal obligation, where applicable).
Retention period: Audit logs are retained for the duration of the contractual relationship and any applicable statutory retention periods.

5.5 Transactional Emails

For the dispatch of system-related emails (invitations, notifications, password resets), we use Resend Inc. Your email address and, where applicable, your name are transmitted to Resend.
Legal basis: Art. 6(1)(b) GDPR (performance of contract).

5.6 Session Management

The platform uses technically necessary session tokens (cookies or local storage) to maintain your authenticated session. These contain no personal data and are deleted upon logout or session expiry. A cookie banner is not required, as only technically necessary cookies are used (Art. 5(3) ePrivacy Directive).
Legal basis: Art. 6(1)(b) GDPR (performance of contract).

6. Recipients and Processors

We engage the following service providers as data processors. A data processing agreement pursuant to Art. 28 GDPR is in place with each provider.

No further transfer to third parties takes place unless we are legally obliged to do so or you have explicitly consented.

7. International Data Transfers

Some of our service providers are based in the USA. We ensure an adequate level of data protection, in particular through:

• EU Standard Contractual Clauses (SCCs) pursuant to Implementing Decision (EU) 2021/914,
• Adequacy decisions of the European Commission, where applicable (EU-U.S. Data Privacy Framework).

The relevant safeguards are available upon request.

8. Retention and Deletion

We store personal data only for as long as necessary for the respective purpose or as required by statutory retention obligations.

• Website form data: Deleted after the enquiry has been fully processed, unless statutory retention obligations apply.
• Server log files: Maximum 30 days.
• Platform user accounts: For the duration of the contractual relationship between us and the Client.
• Contract data and documents: For the duration of the contractual relationship. After termination, the Client may request a data export within four (4) weeks. Thereafter, all data is irreversibly deleted.
• Audit logs: For the duration of the contractual relationship plus any applicable statutory retention periods.

Where statutory retention obligations apply (e.g. under Austrian tax or commercial law), affected data is blocked until the retention period expires and then deleted.

9. Cookies and Local Storage

Website (finoptory.ai): Our website uses no cookies and no tracking. Plausible Analytics operates entirely without cookies.

App (app.finoptory.ai): The platform uses only technically necessary session tokens (via cookie or local storage) to maintain your authenticated session. These are automatically removed upon logout or session expiry. No marketing or analytics cookies are used.

10. SSL/TLS Encryption

All connections to our services are encrypted using TLS 1.2 or higher. Data at rest in the SaaS platform is additionally encrypted with AES-256.

11. Your Rights

Under the GDPR, you have the following rights at any time:

• Access (Art. 15 GDPR) — which data we process about you,
• Rectification (Art. 16 GDPR) — correction of inaccurate data,
• Erasure (Art. 17 GDPR) — deletion of your data, where no retention obligation applies,
• Restriction (Art. 18 GDPR) — restriction of processing,
• Data portability (Art. 20 GDPR) — provision of your data in a common format,
• Objection (Art. 21 GDPR) — objection to processing based on legitimate interests.

For website visitors: Please direct your request to backoffice@green-dopamine.at.

For platform users: Please contact the data protection officer or responsible function within your organisation (the controller) in the first instance. We support your employer in fulfilling your rights within the scope of our data processing activities.

12. External Links

Our services contain links to external third-party websites. We have no influence over their content. The respective provider is always responsible for the content of linked pages.

13. Right to Lodge a Complaint

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. The authority competent for us is:

Austrian Data Protection Authority (Datenschutzbehörde)
Barichgasse 40-42
1030 Vienna, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Web: www.dsb.gv.at

14. Data Processing Agreement (B2B)

Where we process personal data on behalf of our business clients, the provisions of our Data Processing Agreement (DPA) pursuant to Art. 28 GDPR apply. The current version is published at finoptory.ai/en/auftragsverarbeitung.

15. Updates to this Privacy Policy

This Privacy Policy is currently valid. As of: February 2026.

We reserve the right to update this Privacy Policy to reflect changes in the legal framework or our services. The current version is always available at finoptory.ai/en/privacy-policy.