Privacy Policy

Last updated: June 2026

1. Controller

The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) is:

Philip Hilgendorf
Bachstr. 2
53115 Bonn, Germany
Phone: 01575 7146184
Email: philip@philip-hilgendorf.com

Hereinafter referred to as “Liefertreu”, “we”, or “the provider”.

2. Overview of processing

Liefertreu is a software-as-a-service (SaaS) solution that helps companies fulfil their due-diligence obligations under the German Supply Chain Due Diligence Act (LkSG). As part of this service, we process personal data in two different roles:

  • As controller for our customers' own data (e.g. account data, billing data, platform usage data).
  • As processor within the meaning of Art. 28 GDPR for data that our customers enter into the software about suppliers, their contact persons, or other third parties (e.g. supplier master data, questionnaire responses, uploaded certificates). For this processing, we enter into a separate data processing agreement (DPA) with each customer pursuant to Art. 28 GDPR.

This privacy policy provides information about the processing for which we ourselves act as controller, as well as general information about the technical and organisational basis of the data processing carried out on behalf of our customers.

3. Hosting and server location

Our application and the associated database are operated on servers within the European Union. We exclusively use hosting and infrastructure providers that operate their servers in the EU (in particular in the Frankfurt am Main region, Germany) or that have concluded the EU Standard Contractual Clauses pursuant to Art. 46 GDPR with us.

4. Processing of personal data using artificial intelligence (AI)

A central component of our software is the automated, AI-assisted evaluation of supplier questionnaires as well as the automated review of uploaded certificates. We place particular emphasis on transparency regarding this processing step.

4.1 Models and service providers used

For AI-assisted evaluation, we use the following language models, which are accessed via the intermediary platform OpenRouter, Inc.:

  • GPT-OSS-20B (open-weight model)
  • GPT-4o-mini (OpenAI)

These models are used exclusively for the following processing operations:

  • Automated content evaluation of self-assessment questionnaires completed by suppliers (e.g. plausibility checks of free-text answers, derivation of a risk indicator).
  • Automated reading and verification of uploaded certificates (e.g. recognition of certificate type, expiry date, and company name from the document).

4.2 Privacy configuration (Zero Data Retention)

The connection to the models named above is configured with the following privacy-relevant settings:

  • Zero Data Retention (ZDR): the connection to the model providers is configured so that neither the prompt content nor the returned responses are retained once the request has been processed, and the submitted data is not used to train the models.
  • EU hosting setting: where the respective model provider supports it, requests are preferentially routed via infrastructure located in the EU.

Please note that contractually guaranteed processing exclusively within the EU (so-called EU in-region routing) may require additional agreements with individual model providers. We will update this notice as soon as the technical or contractual configuration changes.

Even though Zero Data Retention means the prompt content and responses are not stored, the intermediary service OpenRouter and the model providers may briefly process technical metadata of each request (e.g. token count, timestamp, response time) for billing and security purposes.

4.3 Legal basis and transparency

Processing is carried out on the basis of Art. 6 (1)(b) and (f) GDPR (performance of a contract or legitimate interest in efficient processing) or, in relation to our customers, on the basis of the respective data processing agreement.

The automated evaluation results in an assessment (e.g. a risk indicator or compliance score) which, however, does not constitute an automated decision with legal effect within the meaning of Art. 22 GDPR. The final assessment and decision on the consequences always remains with our customer as the controller responsible under data protection law in relation to its suppliers.

5. What data we process

5.1 Data of our contractual partners (customers)

  • Master data: company name, contact person, address, email address, phone number
  • Account and usage data: login data, IP address, time of use, saved settings
  • Billing data: billing address, payment information (where processed via a payment service provider)

5.2 Data processed on behalf of our customers

  • Supplier master data (company name, country, industry, contact person, contact details)
  • Responses from self-assessment questionnaires
  • Uploaded certificates and supporting documents
  • Communication history (e.g. reminder emails, processing status)

This data is processed exclusively on behalf of and in accordance with the instructions of our customers. Data subjects (e.g. employees of a supplier) with questions about the processing of this data should contact the respective customer company directly, as it acts as the controller responsible under data protection law.

6. Other service providers used (processors)

To provide our service, we use the following categories of subcontractors, with each of whom we have entered into data processing agreements pursuant to Art. 28 GDPR:

  • Hosting and infrastructure providers (database and server operations, EU region)
  • Email delivery service providers (sending of questionnaires, reminders, and notifications)
  • AI intermediary service OpenRouter, Inc. and the model providers accessed through it (see section 4)

We provide our customers with a current and complete list of all subcontractors used as part of the data processing agreement.

7. Storage period

Personal data is only stored for as long as is necessary for the respective purposes or as required by statutory retention periods. As part of data processing carried out on behalf of customers, the storage period is governed by our customers' instructions and the contractual agreements in the respective DPA.

8. Your rights as a data subject

Insofar as we act as controller, you have the following rights:

  • Right of access to data stored about you (Art. 15 GDPR)
  • Right to rectification of inaccurate data (Art. 16 GDPR)
  • Right to erasure of your data (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing (Art. 21 GDPR)

To exercise these rights, please contact us using the contact details given in section 1. You also have the right to lodge a complaint with a data protection supervisory authority, e.g. the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen.

9. Data security

We take appropriate technical and organisational measures (TOMs) pursuant to Art. 32 GDPR to protect your data against manipulation, loss, destruction, or unauthorised access. These include, among other things, encryption of data in transit (TLS), access restrictions, and regular security reviews.

10. Changes to this privacy policy

We reserve the right to amend this privacy policy in order to adapt it to changed legal requirements or to changes in our service or in the AI models and service providers used. The version current at the time of your visit shall apply in each case.