Privacy Policy

Last updated: 8 May 2026

This privacy policy informs you about the nature, scope and purpose of the collection and use of personal data when you visit deepheat.ai or otherwise interact with us. Processing is carried out in accordance with the EU General Data Protection Regulation (GDPR / DSGVO) and the German Federal Data Protection Act (BDSG).

1. Controller

The controller responsible for processing your personal data within the meaning of Art. 4 (7) GDPR is:

For privacy-related inquiries, please use the email address above.

2. Scope and definitions

This policy applies to the website deepheat.ai and to any communication you initiate with us (e.g. via email or our contact form). It does not apply to third-party websites linked from our site.

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"), as defined in Art. 4 (1) GDPR. "Processing" means any operation performed on personal data, as defined in Art. 4 (2) GDPR.

3. Processing of personal data

3.1 Visiting our website (server log files)

When you visit deepheat.ai, your browser automatically transmits technical information that we store in server log files. This includes:

• your IP address (in truncated / anonymised form where technically possible)
• date and time of the request
• the URL requested and the HTTP status code returned
• the amount of data transferred
• the referring URL
• your browser type and version, operating system and language

Purpose: ensuring the technical security and stability of the site, defending against attacks, and operating the website.
Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in the secure operation of our website).
Storage: server log entries are retained for a maximum of 30 days and then deleted, unless retention is required to investigate a specific incident.

3.2 Contact requests

If you contact us via email or via the "Get in touch" form, we process the personal data you provide - typically your name, email address, company, role, and the content of your message - in order to respond to your inquiry.

Purpose: responding to inquiries, pre-contractual communication, and exchanges with prospective design partners or investors.
Legal basis: Art. 6 (1)(b) GDPR (pre-contractual measures) and Art. 6 (1)(f) GDPR (legitimate interest in responding to inquiries).
Storage: for as long as necessary to handle your request, and thereafter in accordance with statutory retention obligations (commercial / tax law: typically 6–10 years).

3.3 Investor communication

If you contact us at our investor address, we process your contact details and the content of your communication to evaluate a potential investment relationship. Information you choose to share (e.g. fund details, mandate, prior portfolio) is processed only for that purpose.

Legal basis: Art. 6 (1)(b) GDPR (pre-contractual measures) and Art. 6 (1)(f) GDPR (legitimate interest in fundraising).

3.4 Hosting and content delivery

Our website is hosted on infrastructure within the European Union. Static assets such as fonts may be served by third parties - see section 5.

4. Cookies and similar technologies

deepheat.ai uses only strictly necessary technical cookies and local storage entries that are required for the basic functioning of the site (e.g. preserving your selected variant when you reload the page). No cookies are used for tracking, profiling, or advertising.

Because no non-essential cookies are set, no consent banner is required under § 25 (2) TTDSG.

Legal basis: § 25 (2) Nr. 2 TTDSG (strictly necessary technical storage) and Art. 6 (1)(f) GDPR.

5. Recipients and processors

We share personal data only with carefully selected service providers, and only to the extent necessary. Where service providers process personal data on our behalf, we have entered into data processing agreements pursuant to Art. 28 GDPR. Categories of recipients include:

• Hosting and infrastructure providers (EU-based)
• Email and communication infrastructure
• Web font delivery (Google Fonts - see below)

An up-to-date list of processors is available on request. We never sell personal data.

5.1 Google Fonts

This website uses self-hosted-style requests to Google Fonts (operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to render typography consistently across browsers. When fonts are loaded, your IP address may be transmitted to Google. We have configured the integration to minimise data exchange.

Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in a consistent and accessible presentation of our content). You can prevent the loading of Google Fonts by disabling JavaScript or web fonts in your browser; the site remains usable in fallback typography.

6. Transfers to third countries

We aim to keep all processing within the European Economic Area (EEA). Where data transfers to third countries (countries outside the EEA) are unavoidable - for example through internet-scale service providers - they are based on:

• an adequacy decision of the European Commission (Art. 45 GDPR), or
• EU Standard Contractual Clauses with appropriate supplementary measures (Art. 46 GDPR), or
• another lawful basis under Chapter V GDPR.

You can request more information about the safeguards in place at any time.

7. Storage duration

We store personal data only for as long as is necessary for the purposes for which it was collected, or for as long as required by statutory retention periods (in particular under § 257 HGB and § 147 AO, typically 6 or 10 years for accounting-relevant data). Once the purpose ceases and no statutory retention applies, the data is deleted or anonymised.

8. Your rights as a data subject

Under the GDPR you have the following rights with respect to the personal data we hold about you:

• Right of access (Art. 15 GDPR) - to obtain confirmation as to whether or not personal data concerning you is being processed and, if so, access to that data and related information.
• Right to rectification (Art. 16 GDPR) - to have inaccurate personal data corrected without undue delay.
• Right to erasure (Art. 17 GDPR) - to have personal data deleted where the conditions of Art. 17 GDPR are met.
• Right to restriction of processing (Art. 18 GDPR).
• Right to data portability (Art. 20 GDPR) - to receive personal data you have provided in a structured, commonly used, machine-readable format.
• Right to object (Art. 21 GDPR) - at any time, on grounds relating to your particular situation, to processing based on Art. 6 (1)(e) or (f) GDPR.
• Right to withdraw consent (Art. 7 (3) GDPR) - where processing is based on consent, you may withdraw it at any time with effect for the future.
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR) - in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. The competent authority for our company is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.

To exercise any of these rights, please contact us at info@deepheat.ai.

9. Security

We implement appropriate technical and organisational measures pursuant to Art. 32 GDPR to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Connections to our website are encrypted using TLS.

10. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our processing activities or in applicable law. The current version is always available at this URL. The "last updated" date at the top of this page indicates when the most recent change was made.

If you have questions about this policy or how we handle your data, please write to info@deepheat.ai.