Commitery

Privacy Policy

Effective: May 20, 2025

1. Controller

The controller within the meaning of Art. 4(7) GDPR is Luca Jandke, Predigstuhlweg 3, 84508 Burgkirchen an der Alz, Germany, email: support@commitery.com.

2. Scope and Purpose

This Privacy Policy governs the processing of personal data in connection with the use of the platform commitery.com (the "Platform"), including (i) visiting the website, (ii) registering and maintaining a user account, (iii) defining goals and commitments, (iv) uploading proof and receiving verdicts, including automated evaluations, (v) payment processing, (vi) authentication via third-party providers such as Google, and (vii) the use of analytics and marketing technologies subject to user consent.

3. Website Access and Server Log Files

When visiting the Platform, personal data is automatically processed in server log files, including (i) IP address, (ii) date and time of access, (iii) browser type and version, (iv) operating system, and (v) referrer URL. This processing is carried out solely to ensure technical stability, security, and proper operation of the Platform.

The legal basis for this processing is Art. 6(1)(f) GDPR. Server log data is deleted after a maximum of fourteen (14) days.

4. User Accounts and Registration

4.1 Account Creation

When creating a user account, we process personal data including (i) email address, (ii) username if provided, (iii) hashed password where email/password authentication is used, and (iv) technical account metadata. The processing is necessary for the performance of the user contract.

The legal basis is Art. 6(1)(b) GDPR. Data is stored for the duration of the account and deleted upon account termination unless statutory retention obligations apply.

4.2 Third-Party Login (Google Sign-In)

Users may authenticate via third-party providers, in particular Google. Authentication is performed directly by the provider. Commitery does not receive or store the password of the third-party account.

Depending on the permissions granted, we may receive (i) email address, (ii) provider-specific user ID, (iii) display name, and (iv) profile image. This data is processed solely for account creation, authentication, and security purposes.

The legal basis is Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR. The provider is Google Ireland Limited / Google LLC. Further information is available in the Google Privacy Policy.

5. Goals, Commitments, and Uploaded Content

5.1 Goal and Commitment Data

When users create commitments, Commitery processes data relating to (i) the defined goal and its description, (ii) applicable deadlines, (iii) the selected referee type, and (iv) the pledged monetary commitment amount. This processing is required for contract performance pursuant to Art. 6(1)(b) GDPR.

5.2 Proof Uploads

To verify goal completion, users may upload proof in the form of files such as images, screenshots, or documents. Users are instructed to upload only content strictly required by the applicable proof specifications.

Commitery cannot technically guarantee the exclusion of sensitive personal data within uploaded files. Users remain responsible for the content they upload. Processing is based on Art. 6(1)(b) GDPR.

6. Automated Evaluation and AI Referees

6.1 Automated Decision-Making

Where a user selects an AI-based referee, uploaded proof is evaluated automatically to determine compliance with the predefined proof specifications and to issue a binding verdict regarding goal completion.

6.2 Use of AI Service Providers

For automated evaluation and dispute resolution, proof data may be transmitted to third-party AI service providers, in particular OpenAI, L.L.C., acting as a data processor on behalf of Commitery. Processing is strictly purpose-limited and proof data is not used to train or improve AI models. Further information is available in the OpenAI Privacy Policy.

6.3 Automated Decisions under Art. 22 GDPR

Automated evaluations constitute automated decision-making with legal or similarly significant effects within the meaning of Art. 22 GDPR. Such processing is necessary for the performance of the contract pursuant to Art. 6(1)(b) GDPR and is explicitly accepted by the user when selecting an AI-based referee.

Users retain the right to challenge negative verdicts through the dispute mechanism provided by the Platform.

7. Cookies and Similar Technologies

We use cookies and similar technologies (e.g. local storage) to operate the Platform and, where you consent, to enable analytics and marketing functionality. Cookies and similar technologies are divided into categories, including (i) technically necessary technologies required for core functionality and security, (ii) analytics technologies that help us understand usage, and (iii) marketing technologies used to measure advertising performance.

Further details, including specific technologies, purposes, retention periods, and how to manage preferences, are provided in our Cookie Policy.

8. Data Retention and Deletion

Personal data is stored only for as long as necessary for the purposes described in this Privacy Policy and is deleted or anonymized thereafter, unless statutory retention obligations apply.

In particular, (i) account data is stored until the user deletes the account or the account is otherwise terminated, subject to mandatory legal retention and the need to establish, exercise, or defend legal claims, (ii) proof files and goal-related evaluation data are stored until a verdict has been issued and any applicable dispute period has ended, and may be retained longer where necessary to resolve disputes, prevent abuse, or establish, exercise, or defend legal claims, (iii) analytics data is retained according to the retention settings configured within the relevant analytics service and is processed only with consent where required, and (iv) consent records and preference signals (e.g. stored in a cookie or local storage) are retained until they are revoked, reset, or deleted by the user, or until the applicable storage expires.

Accounting and transaction-related data is retained in accordance with applicable statutory commercial and tax retention periods. Where data must be retained to comply with legal obligations (e.g. commercial or tax law), processing is based on Art. 6(1)(c) GDPR.

9. Payments (Stripe)

Payments and conditional charges are processed via Stripe, Inc. Commitery does not receive full payment details such as credit card numbers. Processing is required for contract performance pursuant to Art. 6(1)(b) GDPR. Further information is available in the Stripe Privacy Policy.

10. Analytics and Marketing

10.1 Consent-Based Activation and Preference Management

Analytics and marketing technologies are activated only if you provide consent via our consent banner (cookie banner). Your choice is recorded as a preference signal and stored locally (e.g. in a cookie and/or local storage) so that we can honor your selection on future visits.

You may revoke or change your consent at any time with effect for the future by adjusting your preferences via the consent settings accessible on the Platform (for example via a link in the footer or within the Cookie Policy). Until consent is given, analytics and marketing technologies that are not strictly necessary remain disabled.

The legal basis for consent-based processing is Art. 6(1)(a) GDPR. Where strictly necessary technologies are used, the legal basis is Art. 6(1)(f) GDPR or Art. 6(1)(b) GDPR, as applicable.

10.2 Google Analytics

Google Analytics is used only after explicit user consent. Usage and interaction data may be processed for statistical analysis. The legal basis is Art. 6(1)(a) GDPR. Further information is available in the Google Privacy Policy.

10.3 Google Ads

Google Ads technologies are used solely with explicit marketing consent to measure advertising performance and attribute conversions. The legal basis is Art. 6(1)(a) GDPR. Further information is available in the Google Privacy Policy.

11. Internal Access Control

Access to personal data is restricted to authorized persons on a need-to-know basis and solely for defined operational, security, and support purposes.

12. Hosting and Infrastructure

The Platform is hosted by Vercel Inc. and uses Supabase Inc. for database, authentication, and file storage services. Where required, we conclude data processing agreements (Art. 28 GDPR) with service providers.

Where personal data is transferred to third countries (including the United States), appropriate safeguards pursuant to Art. 44 et seq. GDPR are implemented, in particular the use of EU Commission-approved Standard Contractual Clauses (SCCs) and, where applicable, supplementary measures.

Further information is available in the Vercel Privacy Policy and the Supabase Privacy Policy.

13. Data Subject Rights

Users have the rights under Arts. 15–21 GDPR, including the right of access, rectification, erasure, restriction of processing, data portability, and objection.

You also have the right to lodge a complaint with a supervisory authority, in particular the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).

14. Data Security

All data transmissions are protected using TLS/HTTPS encryption.

15. Amendments to this Privacy Policy

This Privacy Policy may be updated to reflect legal or technical changes. The current version is always available on the Platform.