æternacy ← Back

Privacy Policy

Last updated: March 2026

1. Data Controller

The party responsible for data processing on this platform is:

æternacy UG (haftungsbeschränkt)
Handelsregister: Amtsgericht München, HRB 311168
Represented by: Florian Drahorad (Managing Director)
Franz-Joseph-Straße 11
80801 Munich, Germany
Email: privacy@aeternacy.com

Data Protection Officer:
The appointment of a Data Protection Officer is currently not mandatory for our company pursuant to § 38 BDSG in conjunction with Art. 37 GDPR.

Supervisory Authority:
Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, https://www.lda.bayern.de

2. Data Collected

We process the following categories of personal data:

  • Registration data: Email address, display name, and profile settings.
  • Uploaded media: Photos, videos, and voice recordings that you anchor in your archive. Voice recordings used for Voice Legacy constitute biometric data under Art. 9 GDPR.
  • AI-generated content: Narratives, metadata, and synthesized stories created by æterny.
  • Memory data (Memory Layer): Facts and relationships extracted from your conversations with æterny (e.g. preferences, places, family members). These are stored exclusively on our own server in Germany (see Section 6).
  • Usage data: IP addresses, browser types, access times, and interaction logs.
  • Payment data: Transaction details processed securely via Stripe.

3. Legal Basis (Art. 6 GDPR)

Processing is based on the following legal grounds:

  • Art. 6 (1) (a) GDPR (Consent): For media processing and AI narrative generation.
  • Art. 6 (1) (b) GDPR (Contract): For providing our archive services and account management.
  • Art. 6 (1) (f) GDPR (Legitimate Interest): For platform security, stability, and optimization.

4. AI Processing (Google Gemini API)

For AI-powered processing (conversation management, fact extraction, and semantic search), we use the Google Gemini API as a paid service. The following applies:

  • No model training: According to Google's terms of service for paid services, your inputs and outputs are not used to train AI models.
  • Data processing: Your chat messages are transmitted encrypted to Google servers for processing. The Data Processing Addendum (DPA) applies for products where Google acts as a data processor.
  • No persistent storage at Google: Google does not permanently store your prompts and responses. Operational metadata (e.g. token counts, error reports) are subject to Google's Controller-Controller Data Protection Terms.
  • Third-country transfer: Processing may take place on Google servers outside the EU. The transfer is secured by the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs).

Legal basis: Art. 6 (1) (b) GDPR (contract performance) and Art. 6 (1) (a) GDPR (consent for AI features).

5. Voice Legacy & Voice Cloning (ElevenLabs)

For the "Voice Legacy" feature, we use ElevenLabs to clone and synthesize your voice. Voice recordings submitted for this feature constitute biometric data under Art. 9 GDPR (special categories of personal data).

Legal basis: Art. 9 (2) (a) GDPR — your explicit consent is required and obtained before any voice data is transmitted to ElevenLabs.

Data processed:

  • Voice recordings you submit for cloning
  • Voice models and voiceprints generated from your recordings
  • Synthesized audio output created using your voice model

Data transfer: ElevenLabs, Inc., USA. The transfer is secured by Standard Contractual Clauses (SCCs) pursuant to Art. 46 (2) (c) GDPR. DPA available at elevenlabs.io/dpa.

Your rights:

  • You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • You may request the complete deletion of all voice data, voice models, and voiceprints at any time.

Retention: Voice data and voiceprints are deleted upon withdrawal of consent or upon account deletion.

AI Act compliance: In accordance with the EU AI Act, all synthesized voice content generated through Voice Legacy is clearly marked as AI-generated.

6. Third-Party Providers & Infrastructure

We work with specialized service providers. For each provider that processes personal data, a Data Processing Agreement (DPA) exists pursuant to Art. 28 GDPR:

  • Hetzner Online GmbH (Gunzenhausen, Germany)
    Hosting the memory database (Memory Layer) on a dedicated server in Nuremberg, Germany. Data does not leave Germany.
  • Google LLC / Google Ireland Ltd.
    (a) Firebase: Authentication, hosting, and database (EU Frankfurt). (b) Gemini API: AI processing (see Section 4). The Google Cloud Data Processing Addendum (CDPA) applies.
  • Stripe Inc. (USA, EU-US DPF certified)
    Secure payment processing and subscription management.
  • PostHog Inc. (EU Cloud, Frankfurt)
    Web analytics and product optimization. EU cloud instance. No data transfer outside the EU.
  • Functional Software Inc. (Sentry) (USA, EU-US DPF certified)
    Error tracking and stability monitoring. Transfer secured by DPF and SCCs.
  • ElevenLabs, Inc. (USA)
    Voice cloning and voice synthesis. Transfer secured by SCCs and DPA.
  • Brevo (Sendinblue GmbH) (EU)
    Email delivery and waitlist management. Processing takes place in the EU.

7. Memory Data (Memory Layer)

When you chat with æterny, relevant facts are automatically extracted and stored:

  • Extraction: The Google Gemini API analyzes your chat messages and identifies personal facts.
  • Storage: Stored on our own server at Hetzner in Nuremberg — both as searchable text entries (PostgreSQL) and as a relationship graph (Neo4j).
  • Access: You can view and search all stored memories at any time.
  • Deletion: You can delete individual or all memories. Deletion is immediate and irreversible.
  • Deactivation: You can deactivate the memory feature at any time.

Legal basis: Art. 6 (1) (a) GDPR (consent).

8. International Transfers

Your primary data is stored in Germany and the EU:

  • Memory data: Hetzner, Nuremberg, Germany (no third-country transfer).
  • App data: Google Firebase, Frankfurt, Germany.
  • AI processing: Google Gemini API — secured by EU-US DPF and SCCs.
  • Payments: Stripe — USA, secured by EU-US DPF.
  • Voice cloning: ElevenLabs — USA, secured by SCCs and DPA.

9. AI Processing and Transparency

We do not train our own AI models with your personal data.

All AI functions are provided via the Google Gemini API as a paid service and accessed exclusively through Firebase Cloud Functions (server-side).

Labeling: In accordance with the EU AI Act, all AI-generated content on our platform is labeled as "AI-generated".

10. Data Locations

Service Purpose Location Legal Basis
Google FirebaseHosting, Auth, DatabaseFrankfurt, DEArt. 6 (1)(b)
Google Gemini APIAI Content AnalysisEU (CDPA)Art. 6 (1)(a)
Hetzner CloudMem0 Memory ServerNuremberg, DEArt. 6 (1)(b)
CloudinaryStatic Website AssetsEUArt. 6 (1)(b)
PostHogWeb AnalyticsFrankfurt, DEArt. 6 (1)(a)
SentryError TrackingUSA (DPF + SCCs)Art. 6 (1)(f)
ElevenLabsVoice cloning & synthesisUSA (DPA + SCCs)Art. 9 (2)(a)
BrevoEmail DeliveryEUArt. 6 (1)(a)
StripePayment ProcessingEU/US (SCCs)Art. 6 (1)(b)

11. Your Rights Regarding AI-Generated Content

  • Right to deletion of AI content: You may request the complete deletion of all AI-generated content at any time.
  • Right to opt out of AI features: You can disable AI-powered features at any time in your account settings.
  • Right to explanation: You have the right to receive an understandable explanation of how AI-generated insights were created.

To exercise these rights, please contact: privacy@aeternacy.com

12. Retention Periods

  • Account data: For the duration of your active account. Deleted within 30 days after account deletion.
  • Server logs: Maximum 30 days.
  • Payment data: 10 years (§257 HGB, §147 AO).
  • Analytics data (PostHog): Maximum 12 months.
  • Error data (Sentry): Maximum 90 days.
  • Memory data: Until deleted by you or upon account deletion.
  • Voice data & voiceprints: Deleted upon withdrawal of consent or account deletion.

13. Your Rights (Art. 15-21 GDPR)

You have the right to access, rectification, deletion, restriction of processing, and data portability. You may also object to processing based on legitimate interests.

The competent supervisory authority is: Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany.

14. Cookies & Consent

We use technically necessary cookies for authentication and security. These do not require consent (§ 25 (2) No. 2 TDDDG).

For analytics cookies (PostHog), we obtain your explicit consent pursuant to § 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR.

15. Legacy Protocol

Our unique Legacy Protocol ensures that your data is handled according to your wishes after inactivity, with access potentially transferred to verified heirs as defined in your account settings.

16. Changes to This Policy

We may update this policy to reflect changes in our technology or legal requirements. Material changes will be communicated via the platform or by email.

17. Contact

For privacy-related inquiries or to exercise your rights, please contact:

privacy@aeternacy.com

æternacy UG (haftungsbeschränkt) · HRB 311168, AG München · Institutional Compliance v5.0 (EN)