Dici GmbH — Privacy Policy

Version 2026-07-09 · Effective 2026-07-09

1. Controller

The controller responsible for the processing of personal data described in this Privacy Policy (within the meaning of Art. 4(7) GDPR) is Dici GmbH, [Street, Postal Code, City], Germany. Email: [privacy@dici.cc / •].

2. Scope

This Privacy Policy explains how Dici GmbH ("Dici," "we") processes personal data when you register for and use the Dici platform (the "Service"), including our website. It does not cover the practices of third-party sites linked from the Service.

3.1 Account and authentication data

We process your email address (stored encrypted at rest, with a separate cryptographic lookup value that lets us find your account without storing your email in plain text), passkey (WebAuthn) public key credentials (your private key never leaves your device), one-time email verification codes (cached temporarily, currently five minutes, and deleted after use or expiry), and session tokens stored as cookies to keep you signed in.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR); security of the Service is pursued as a legitimate interest (Art. 6(1)(f) GDPR).

3.2 Terms & Conditions / Privacy Policy consent records

When you register, we record that you accepted our Terms and this Privacy Policy, together with the version accepted, the date and time, and (where available) the IP address from which consent was given.

Legal basis: compliance with our legal obligation to demonstrate valid contract formation and consent (Art. 6(1)(c) GDPR, in conjunction with our accountability obligations under Art. 5(2) and Art. 7(1) GDPR).

3.3 Organization data

Based on your email domain, your Account may be associated with an Organization shared with colleagues who register with the same domain, so that product and questionnaire data can be shared within your organization.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

3.4 Product, questionnaire, and document Content

Data you or your organization input into the Service, including questionnaire answers, generated Assessments, product/component/material data, and uploaded documents.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR). Where such Content includes personal data of third parties provided by you (e.g., supply-chain contacts), you act as controller for that data and we act as your processor under a separate Data Processing Agreement.

3.5 Technical and log data

IP address, device/browser information, and timestamps, collected as part of normal operation of the Service (e.g., request logs, security monitoring, and the consent records described in § 3.2).

Legal basis: legitimate interest in operating and securing the Service (Art. 6(1)(f) GDPR).

4. Cookies

We use a small number of strictly necessary cookies to operate the Service (authentication session tokens and a WebAuthn challenge cookie). These are essential for the Service to function and are not used for advertising or cross-site tracking. Because they are strictly necessary, they do not require consent under applicable e-privacy rules, but we describe them here for transparency.

5. Recipients and Sub-Processors

We share personal data with the following categories of recipients, each bound by a data processing agreement where required by Art. 28 GDPR. We do not sell personal data.

  • Resend — transactional email delivery (verification codes and other account-related emails).
  • Object storage provider [name/location to confirm] — storage of uploaded documents and images.
  • Infrastructure/hosting provider [name/location to confirm] — hosting of the application, database, and cache.
  • Professional advisors, auditors, or authorities, where required by law.

6. International Transfers

Where a sub-processor listed in § 5 is located outside the European Economic Area (in particular, U.S.-based providers), we rely on an adequacy decision or Standard Contractual Clauses (Art. 46 GDPR), together with supplementary measures where applicable, to ensure an adequate level of protection.

7. Retention

We retain personal data only for as long as necessary for the purposes described above.

  • Account data: for the duration of the Account plus a limited period thereafter to comply with legal retention obligations (e.g., commercial/tax record-keeping under HGB/AO, generally up to 10 years for relevant business records).
  • Consent records (§ 3.2): for the duration of the Account plus the statutory limitation period for contract-related claims (generally up to 10 years under German law).
  • Email verification codes: deleted automatically after use or after their five-minute validity period, whichever is earlier.
  • Content: retained for the duration of the Account; upon termination, retained for a limited export period as described in the Terms, then deleted or anonymized, subject to legal retention obligations.

8. Your Rights

Subject to the conditions set out in the GDPR, you have the right to:

  • request access to the personal data we hold about you (Art. 15 GDPR);
  • request rectification of inaccurate data (Art. 16 GDPR);
  • request erasure of your data (Art. 17 GDPR);
  • request restriction of processing (Art. 18 GDPR);
  • receive your data in a portable format (Art. 20 GDPR);
  • object to processing based on legitimate interest (Art. 21 GDPR);
  • withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal (Art. 7(3) GDPR); and
  • lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement.

9. Security

We apply technical and organizational measures appropriate to the risk, including encryption of stored account data, phishing-resistant passkey authentication, and transport encryption (TLS) for data in transit. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

10. Children

The Service is intended for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time, in particular to reflect changes in the Service or legal requirements. We will indicate the effective date of the current version at the top of this page and, for material changes, provide notice as described in our Terms.

12. Contact

Dici GmbH, [Street, Postal Code, City], Germany. Email: [privacy@dici.cc / •].