Privacy Policy

Last updated: January 30, 2025

Introduction

HanseNexus GmbH ("we", "us", or "our") operates CalNexus (cal-nexus.com), an AI-powered calendar management service. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our service, in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

Data Controller

HanseNexus GmbH
Eidelstedter Weg 2, 20255 Hamburg
Germany
service@hansenexus.de
hansenexus.de

Registered at Amtsgericht Hamburg, HRB 188746

Managing Director: Lennard Finsterbusch

Data We Collect

We collect and process the following categories of personal data:

Account Data

  • Name and email address
  • Password (encrypted)
  • Profile preferences
  • Account creation date

Calendar Data

  • Calendar events and metadata
  • Event titles, descriptions, locations, and times
  • Calendar connections and sync settings
  • Nexus routines and automation preferences

Usage Data

  • Log data and service interactions
  • Device and browser information
  • IP address and approximate location
  • Performance and error data

Payment Data

  • Payment method details (processed by Stripe)
  • Billing information
  • Subscription and plan details
  • Transaction history

Voice Input

  • Voice commands are processed in real-time and are not stored permanently
  • Transcribed text is used to create calendar events
  • Voice data is deleted immediately after processing

Legal Basis for Processing (Art. 6 GDPR)

We process your personal data based on the following legal grounds:

Contract Performance (Art. 6(1)(b) GDPR)

Processing is necessary to provide CalNexus services, including account management, calendar synchronization, and AI-powered features.

Legitimate Interest (Art. 6(1)(f) GDPR)

We process data to improve our service, prevent fraud, ensure security, and provide customer support. We have assessed that our legitimate interests do not override your rights and freedoms.

Consent (Art. 6(1)(a) GDPR)

For optional features like marketing communications, we obtain your explicit consent. You may withdraw consent at any time.

Legal Obligation (Art. 6(1)(c) GDPR)

We process data as required by law, including tax and accounting obligations.

Third-Party Processors

We use the following trusted service providers to process data on our behalf:

Convex

Database and backend infrastructure
United States (EU-US Data Privacy Framework compliant)

Stripe

Payment processing
United States and Europe (GDPR compliant)

Google

OAuth authentication and Calendar API integration
United States and Europe (GDPR compliant)

Vercel

Application hosting and content delivery
United States and Europe (GDPR compliant)

All processors are bound by data processing agreements and comply with GDPR requirements.

International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). We ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and participation in the EU-US Data Privacy Framework, to protect your data in accordance with GDPR standards.

Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy:

  • Account data: Retained while your account is active and for 30 days after deletion
  • Calendar data: Retained while your account is active; deleted within 7 days of account deletion
  • Usage logs: Retained for 12 months for security and service improvement
  • Payment records: Retained for 10 years as required by German tax law
  • Voice input: Deleted immediately after processing (not stored)

Your Data Protection Rights (Art. 15-21 GDPR)

Under the GDPR, you have the following rights regarding your personal data:

Right of Access (Art. 15)

You may request a copy of all personal data we hold about you.

Right to Rectification (Art. 16)

You may request correction of inaccurate or incomplete data.

Right to Erasure (Art. 17)

You may request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.

Right to Restriction (Art. 18)

You may request that we limit the processing of your data under certain circumstances.

Right to Data Portability (Art. 20)

You may request your data in a structured, machine-readable format to transfer to another service.

Right to Object (Art. 21)

You may object to processing based on legitimate interest, including for direct marketing purposes.

Right to Withdraw Consent

Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at service@hansenexus.de. We will respond within 30 days.

Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • End-to-end encryption for data in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Regular security audits and penetration testing
  • Access controls and authentication mechanisms
  • Employee training on data protection
  • Incident response procedures

Cookies and Tracking

CalNexus uses minimal cookies necessary for service functionality:

  • Essential cookies: Authentication session, locale preference, security tokens
  • We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

For more information, see our Cookie Policy.

Children's Privacy

CalNexus is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware of such data collection, we will delete it immediately.

Automated Decision-Making

Our AI-powered features (event parsing, smart scheduling) use automated processing to suggest calendar entries. However, you always retain full control and can modify or reject any AI-generated suggestions. No decisions with legal or similarly significant effects are made solely through automated processing.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the service. The "Last updated" date at the top indicates when this policy was last revised.

Supervisory Authority

If you believe we have not addressed your data protection concerns adequately, you have the right to lodge a complaint with the competent supervisory authority:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI)
Ludwig-Erhard-Straße 22, 20459 Hamburg, Germany
mailbox@datenschutz.hamburg.de
https://datenschutz-hamburg.de

Contact Us

For any questions about this Privacy Policy or to exercise your data protection rights, please contact:

Data Protection Inquiries: service@hansenexus.de
HanseNexus GmbH, Eidelstedter Weg 2, 20255 Hamburg, Germany