The German version of this legal document is legally authoritative. Translations into other languages are provided for convenience only.

Privacy Policy

Effective: May 29, 2026

1. Controller

The controller within the meaning of Art. 4(7) GDPR is Luca Jandke, Predigstuhlweg 3, 84508 Burgkirchen an der Alz, Germany, email: support@commitery.com.

2. Scope and Purpose

This Privacy Policy governs the processing of personal data in connection with the use of the platform commitery.com (the "Platform"), including (i) visiting the website, (ii) registering and maintaining a user account, (iii) defining goals, commitments, routines, and routine cycles, (iv) uploading proof and receiving verdicts, including automated evaluations, (v) payment processing and saved payment methods, (vi) Stripe Connect payouts under Commitery Creator, (vii) referral links, attribution, and payout eligibility, (viii) authentication via third-party providers such as Google, (ix) country and risk checks, and (x) the use of analytics and marketing technologies subject to user consent.

3. Website Access and Server Log Files

When visiting the Platform, personal data is automatically processed in server log files, including (i) IP address, (ii) date and time of access, (iii) browser type and version, (iv) operating system, and (v) referrer URL. This processing is carried out solely to ensure technical stability, security, and proper operation of the Platform.

The legal basis for this processing is Art. 6(1)(f) GDPR. Server log data is deleted after a maximum of fourteen (14) days.

4. User Accounts and Registration

4.1 Account Creation

When creating a user account, we process personal data including (i) email address, (ii) username if provided, (iii) hashed password where email/password authentication is used, and (iv) technical account metadata. The processing is necessary for the performance of the user contract.

The legal basis is Art. 6(1)(b) GDPR. Data is stored for the duration of the account and deleted upon account termination unless statutory retention obligations apply.

4.2 Third-Party Login (Google Sign-In)

Users may authenticate via third-party providers, in particular Google. Authentication is performed directly by the provider. Commitery does not receive or store the password of the third-party account.

Depending on the permissions granted, we may receive (i) email address, (ii) provider-specific user ID, (iii) display name, and (iv) profile image. This data is processed solely for account creation, authentication, and security purposes.

The legal basis is Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR. The provider is Google Ireland Limited / Google LLC. Further information is available in the Google Privacy Policy.

5. Goals, Commitments, and Uploaded Content

5.1 Goal, Commitment, and Routine Data

When users create commitments or routines, Commitery processes data relating to (i) the defined goal and its description, (ii) routine text, routine cadence, cycle start, cycle index, goal deadlines, and proof deadlines, (iii) proof requirements and proof specifications, (iv) the selected referee/review type, (v) the conditional Commitment Amount per commitment or routine cycle, (vi) status, review, dispute, withdrawal, pause, and cancellation information, and (vii) technical records required to create, materialize, assess, and manage commitments and routine cycles. This processing is required for contract performance pursuant to Art. 6(1)(b) GDPR. Where data is processed for abuse prevention, security, debugging, or legal defense, the legal basis is Art. 6(1)(f) GDPR.

5.2 Proof Uploads

To verify goal completion, users may upload proof in the form of files such as images, screenshots, documents, or comparable files. Depending on the content, proof may include personal data, timestamps, location or metadata, account information, health-related information, or other sensitive information. Users are instructed to upload only content strictly required by the applicable proof specifications and to redact unnecessary sensitive information before uploading.

Commitery processes proof only for contract performance, review and dispute handling, fraud and abuse prevention, debugging, and legal defense. The legal basis is Art. 6(1)(b) GDPR and, where applicable, Art. 6(1)(f) GDPR. Commitery cannot technically guarantee the exclusion of sensitive personal data within uploaded files. Users remain responsible for the content they upload.

6. Automated Evaluation and AI Referees

6.1 Automated Decision-Making

Goal descriptions, proof specifications, uploaded proof, metadata, dispute explanations, and relevant commitment or routine-cycle data may be evaluated automatically for verdicts and dispute reviews. The purpose is to assess whether submitted proof satisfies the predefined proof specifications and whether a commitment or routine cycle is deemed completed or not completed.

6.2 Use of AI Service Providers

For automated evaluation, proof specification generation, and dispute resolution, data may be transmitted to third-party AI service providers, in particular OpenAI, L.L.C., acting as a data processor on behalf of Commitery. Processing is purpose-limited to proof requirement generation, review, dispute handling, abuse prevention, and quality assurance. Where Commitery uses the relevant contractual settings, inputs and outputs are not used to train or improve the AI provider’s models. Further information is available in the OpenAI Privacy Policy.

6.3 Automated Decisions under Art. 22 GDPR

Automated evaluations may constitute automated decision-making with legal or similarly significant effects within the meaning of Art. 22 GDPR, particularly where a negative verdict may lead to a conditional charge. Such processing is necessary to perform the user-selected commitment contract where an automated verdict or dispute review is used. Users may challenge failed verdict proposals through the dispute mechanism provided by the Platform during the displayed dispute window, currently 48 hours, and request a further review. Automated dispute review may produce a recommended decision, confidence value, reasoning summary, evidence summary, model identifier, and risk flags. Commitery uses these records to resolve the dispute, prevent abuse, document payment-risk decisions, and decide whether to reverse or uphold the failed verdict proposal.

7. Cookies and Similar Technologies

We use cookies and similar technologies (e.g. local storage) to operate the Platform and, where you consent, to enable analytics and marketing functionality. Cookies and similar technologies are divided into categories, including (i) technically necessary technologies required for core functionality and security, (ii) analytics technologies that help us understand usage, and (iii) marketing technologies used to measure advertising performance.

Further details, including specific technologies, purposes, retention periods, and how to manage preferences, are provided in our Cookie Policy.

8. Data Retention and Deletion

Personal data is stored only for as long as necessary for the purposes described in this Privacy Policy and is deleted or anonymized thereafter, unless statutory retention obligations apply.

In particular, (i) account data is stored until the user deletes the account or the account is otherwise terminated, subject to mandatory legal retention and the need to establish, exercise, or defend legal claims, (ii) commitment, routine, cycle, consent, checkout, withdrawal, dispute, and verdict data is stored for as long as necessary to perform the contract, administer active or past commitments, evidence charge authorizations, prevent abuse, and defend legal claims, (iii) proof files and goal-related evaluation data are stored until a verdict has been issued and any applicable dispute or chargeback period has ended, and may be retained longer where necessary to resolve disputes, prevent abuse, handle chargebacks, or establish, exercise, or defend legal claims, (iv) referral, attribution, Stripe Connect, and payout data is stored for as long as necessary to assess payout eligibility, prevent fraud, handle clawbacks, and comply with legal obligations, (v) analytics data is retained according to the retention settings configured within the relevant analytics service and is processed only with consent where required, and (vi) consent records and preference signals are retained until they are revoked, reset, or deleted by the user, or until the applicable storage expires.

Accounting, tax, transaction, and payout-related data is retained in accordance with applicable statutory commercial and tax retention periods. Where data must be retained to comply with legal obligations, processing is based on Art. 6(1)(c) GDPR.

9. Payments, Stripe Connect, and Commitery Creator

Payment methods, Setup Intents, customer data, conditional charges, refunds, chargebacks, and payment status are processed via Stripe. Commitery does not receive full payment details such as credit card numbers. For payment purposes, we may process name, email address, billing address, Stripe customer ID, payment method ID, Setup Intent ID, Payment Intent ID, charge status, refund status, and related commitment or routine-cycle IDs. Processing is required for contract performance pursuant to Art. 6(1)(b) GDPR; where data is processed for fraud prevention, payment-risk review, legal defense, or legal obligations, the legal basis is Art. 6(1)(f) or Art. 6(1)(c) GDPR.

For Commitery Creator and referral payouts, users may set up a Stripe Connect account. Stripe and Commitery may process data such as email address, name, country, payout status, account ID, onboarding status, requirements, tax or identity verification status, referral code, attribution, payout amounts, clawbacks, and suspension reasons. Stripe processes certain data as an independent controller under its own terms. Further information is available in the Stripe Privacy Policy and the applicable Stripe Connect terms.

Referral links and Commitery Creator require the processing of referral codes, link IDs, campaign information, referrer and referred-user IDs, attribution data, validation status, payout conditions, dispute, refund and chargeback information, and anti-abuse signals. This processing is used to operate the Commitery Creator program, prevent fraud, control payouts, and defend legal claims.

10. Analytics and Marketing

10.1 Consent-Based Activation and Preference Management

Analytics and marketing technologies are activated only if you provide consent via our consent banner (cookie banner). Your choice is recorded as a preference signal and stored locally (e.g. in a cookie and/or local storage) so that we can honor your selection on future visits.

You may revoke or change your consent at any time with effect for the future by adjusting your preferences via the consent settings accessible on the Platform (for example via a link in the footer or within the Cookie Policy). Until consent is given, analytics and marketing technologies that are not strictly necessary remain disabled.

The legal basis for consent-based processing is Art. 6(1)(a) GDPR. Where strictly necessary technologies are used, the legal basis is Art. 6(1)(f) GDPR or Art. 6(1)(b) GDPR, as applicable.

10.2 Google Analytics

Google Analytics is used only after explicit user consent. Usage and interaction data may be processed for statistical analysis. The legal basis is Art. 6(1)(a) GDPR. Further information is available in the Google Privacy Policy.

10.3 Google Ads

Google Ads technologies are used solely with explicit marketing consent to measure advertising performance and attribute conversions. The legal basis is Art. 6(1)(a) GDPR. Further information is available in the Google Privacy Policy.

11. Internal Access Control

Access to personal data is restricted to authorized persons on a need-to-know basis and solely for defined operational, security, and support purposes.

12. Hosting and Infrastructure

The Platform is hosted by Vercel Inc. and uses Supabase Inc. for database, authentication, and file storage services. Where required, we conclude data processing agreements (Art. 28 GDPR) with service providers.

Where personal data is transferred to third countries (including the United States), appropriate safeguards pursuant to Art. 44 et seq. GDPR are implemented, in particular the use of EU Commission-approved Standard Contractual Clauses (SCCs) and, where applicable, supplementary measures.

Further information is available in the Vercel Privacy Policy and the Supabase Privacy Policy.

13. Data Subject Rights

Users have the rights under Arts. 15–21 GDPR, including the right of access, rectification, erasure, restriction of processing, data portability, and objection.

You also have the right to lodge a complaint with a supervisory authority, in particular the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).

14. Data Security

All data transmissions are protected using TLS/HTTPS encryption.

15. Amendments to this Privacy Policy

This Privacy Policy may be updated to reflect legal or technical changes. The current version is always available on the Platform.

Account-level Creator Attribution

Merely opening or visiting a Creator link does not establish or change account-level attribution. It is stored only when a user successfully completes checkout for an eligible commitment through a valid Creator or challenge link. The data processed includes the Creator user ID, referral-link ID where applicable, source, establishment time, and expiry.

Attribution generally applies to future commitments for up to twelve months. A later successful checkout through another Creator replaces it prospectively. Users may remove the active attribution at any time in account settings. Commitments already created and their recorded attribution remain unchanged for accounting, fraud-prevention, and evidentiary purposes.

Saved Payment Methods

When you deliberately select “Save payment method” in the payment step, Stripe stores that method as your default for this and future commitments. Commitery processes the Stripe customer and payment method identifiers, consent time, disclosure version, and limited display data such as card brand, last four digits, and expiry date. Commitery does not store the complete card number or security code.