Privacy Policy

1. Privacy at a Glance

General Information

Data protection is of the highest priority for PathHub AI. The use of our website (pathhub.ai) is generally possible without providing personal data. If you wish to use special services of our platform (app.pathhub.ai), the processing of personal data may be necessary. Where the processing of personal data is required and there is no legal basis for such processing, we will obtain your consent.

The processing of personal data is always carried out in accordance with the General Data Protection Regulation (GDPR) and the applicable German data protection regulations. This Privacy Policy informs you about the type, scope, and purpose of the personal data we collect, use, and process, as well as your rights.

Data Controller

The data controller for data processing on this website is:
PathHub AI
Email: hello@pathhub.ai

2. Data Collection on Our Website

Cookies

Our website uses cookies. The cookies we use are:

session_token (necessary): Authentication cookie for logged-in users. HttpOnly, Secure, SameSite=Lax. Storage duration: Session or 30 days (with "Remember me").
cookie_consent (functional): Stores your cookie preferences. Storage duration: 1 year.

We do not use any tracking, advertising, or analytics cookies. Detailed information can be found in our Cookie Policy.

Server Log Files

Our web server (Nginx) and the CDN service Cloudflare automatically collect information in server log files that your browser transmits:

Browser type and version
Operating system used
Referrer URL
IP address (processed by Cloudflare, see Section 10)
Time of the server request

The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the security and stable operation of the website). The data is not merged with other data sources.

3. Registration and User Account

When registering on our platform (app.pathhub.ai), we collect and store:

First and last name
Email address
Password (stored hashed with bcrypt -- the plain-text password is not stored)
Registration date

The legal basis is Art. 6(1)(b) GDPR (contract performance). Your data is stored server-side in a SQLite database on our Hetzner server in Germany.

Email Verification

After registration, we send you a confirmation email to the email address you provided. The email is sent via the service Resend (Resend, Inc., USA). Your email address and the verification link are transmitted to Resend. The legal basis is Art. 6(1)(b) GDPR (contract performance). Privacy policy of Resend: resend.com/legal/privacy-policy.

Session Management

After login, a cryptographically secure session token (64 characters, randomly generated) is set as an httpOnly cookie. The token references a server-side session entry in the database. No localStorage and no sessionStorage is used in the browser for personal data. The legal basis is Art. 6(1)(b) GDPR (contract performance).

4. Data Processing in the App

Project Data (Paths)

When you create a Path (project plan), we store the following data server-side:

Project name and description
Phases, tasks, milestones
Budget items
Risks and stakeholders
Compliance requirements
AI-generated recommendations and chat histories

This data is exclusively assigned to you and is not visible to other users. The legal basis is Art. 6(1)(b) GDPR (contract performance).

Workspace Context

Optionally, you can provide information about your company/workspace (company name, industry, team size, stakeholders, challenges). This data is stored as JSON files on the server and serves to improve the AI analysis of your projects.

Document Uploads

You can upload documents (PDF, Word, Excel, CSV, TXT) to your workspaces. These are stored as files on the server in a protected directory and are only accessible to you. The files are deleted when the workspace is deleted or upon your request.

Upon upload, the text content of the documents is automatically extracted and stored. With the Max plan, you can activate documents as AI reference. In this case, the extracted text content is transmitted to DeepSeek during AI requests (see Section 5). You decide which documents are used as AI references.

5. Use of Artificial Intelligence (AI)

A core component of PathHub AI is AI-powered project planning. Project data is transmitted to external AI services to generate project plans, recommendations, and chat responses.

DeepSeek API

Provider: DeepSeek, China
Purpose: Generation of project plans, AI recommendations, and chat responses
Data transmitted: Project description, phases, tasks, budget information, company context (if provided), and optionally the text content of documents you have marked as AI reference -- no directly personally identifiable data such as name or email
Legal basis: Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(a) GDPR (consent when using AI features)
Data transfer: Data is transmitted to servers in China. See Section 10 (Data Transfer to Third Countries).
Privacy policy: deepseek.com/privacy

Important: We only send project data (descriptions, phases, tasks, budgets, company context) and -- if activated by you -- the text content of AI reference documents to DeepSeek. Your personal data such as name, email address, or password is not sent. According to their policies, DeepSeek does not use data transmitted via the API to train their models.

6. Contact

When you contact us by email, your information (name, email address, message content) is stored to process your inquiry. The data is deleted once storage is no longer necessary. The legal basis is Art. 6(1)(f) GDPR (legitimate interest).

7. Payment Service Provider

For payment processing, we use Stripe (Stripe, Inc., USA / Stripe Payments Europe, Ltd., Ireland).

Data transmitted: Email address, selected plan. Your payment details (credit card, etc.) are transmitted directly to Stripe and are not stored by us.
Stored by us: Stripe customer ID, subscription ID, current plan, subscription status
Legal basis: Art. 6(1)(b) GDPR (contract performance)
Privacy policy: stripe.com/privacy

Stripe may set its own cookies on the Stripe domain during the payment process. Details can be found in Stripe's privacy policy.

8. Email Sending

For sending system emails (verification, password reset), we use the service Resend (Resend, Inc., USA).

Data transmitted: Recipient's email address, email content
Purpose: Email verification during registration, password reset
Legal basis: Art. 6(1)(b) GDPR (contract performance)
Data transfer: Data is transmitted to servers in the USA. See Section 10.
Privacy policy: resend.com/legal/privacy-policy

We do not send marketing emails or newsletters. Only transactional emails necessary for the operation of your account are sent.

9. Hosting and Infrastructure

Hetzner Cloud

Our platform is operated on a server of Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany). The server is located in the data center in Falkenstein/Vogtland, Germany. All user data (database, files, uploads) is stored exclusively on this server in Germany.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operation)
Privacy policy: hetzner.com/legal/privacy-policy

Cloudflare

Our domain uses Cloudflare, Inc. (USA) as a DNS and CDN provider. Cloudflare may process technical access data (IP address, browser information) to optimize traffic and protect against attacks.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security)
Privacy policy: cloudflare.com/privacypolicy

Google Fonts

Our website loads the "Inter" font from Google servers. A connection to Google servers is established, and Google may receive technical access data (IP address). No cookies are set by Google Fonts.

Provider: Google LLC, USA
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in consistent presentation)
Privacy policy: policies.google.com/privacy

10. Data Transfer to Third Countries

When using our platform, personal or project-related data may in certain cases be transferred to recipients in third countries (outside the EU/EEA):

USA: Stripe (payment), Resend (email sending), Cloudflare (CDN/DNS), Google (Fonts). An adequacy decision of the EU Commission exists for the USA (EU-U.S. Data Privacy Framework). The mentioned providers are partially certified under the DPF or Standard Contractual Clauses (SCCs) apply.
China: DeepSeek (AI service). No adequacy decision exists for China. The data transfer is based on your consent pursuant to Art. 49(1)(a) GDPR, which you grant by using the AI features. Only project data (no directly personally identifiable data) is transmitted.

11. Automated Decision-Making

The AI features of PathHub AI generate suggestions for project plans, budgets, risks, and recommendations. These suggestions are not automated individual decisions within the meaning of Art. 22 GDPR. They serve solely as support and recommendations. You decide whether and how to incorporate the AI suggestions into your project. All AI-generated content can be edited and deleted by you at any time.

12. Security Measures

Encryption: All connections are SSL/TLS encrypted (HTTPS). Passwords are hashed with bcrypt.
Session protection: Session tokens are httpOnly and Secure. Sessions are managed server-side.
Rate limiting: API endpoints are protected by rate limiting to prevent abuse. Failed login attempts are logged and temporarily blocked after multiple attempts.
Data isolation: Each user can only see their own projects and data.

13. Duration of Storage

Personal data is deleted once the purpose of its storage no longer applies:

User account: Data is deleted when you delete your account (within 30 days)
Project data: Deleted when the project or the account is deleted
Session data: Automatically deleted upon expiration (end of session or max. 30 days)
Server logs: Automatically deleted after 14 days
Document uploads: Deleted when the associated project is deleted or upon request

Statutory retention periods (in particular commercial and tax law) remain unaffected.

14. Your Rights

You have the following rights under the GDPR:

Right of access (Art. 15 GDPR): You can request information about the personal data we process.
Right to rectification (Art. 16 GDPR): You can request the correction of inaccurate data. You can also change your data yourself in the account settings.
Right to erasure (Art. 17 GDPR): You can request the deletion of your data. You can also delete your account yourself in the settings.
Right to restriction of processing (Art. 18 GDPR): You can request the restriction of processing.
Right to data portability (Art. 20 GDPR): You can receive your data in a structured, machine-readable format.
Right to object (Art. 21 GDPR): You can object to the processing of your data insofar as it is based on legitimate interest.
Right to withdraw consent (Art. 7(3) GDPR): You can withdraw your consent at any time with effect for the future.
Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority.

15. Legal Bases for Processing

Art. 6(1)(a) GDPR (Consent): Cookie preferences, use of AI features with third-country data transfer
Art. 6(1)(b) GDPR (Contract performance): Registration, login, project data, email verification, payment
Art. 6(1)(f) GDPR (Legitimate interest): Server logs, hosting, CDN, fonts, security measures

16. Contact

If you have any questions about data protection or wish to exercise your rights, you can reach us at:
hello@pathhub.ai

17. Changes to This Privacy Policy

We reserve the right to update this privacy policy to ensure it always complies with current legal requirements and reflects our actual data processing practices. The current version can always be found on this page.

Last updated: February 17, 2026