Privacy Policy

Who We Are

Super44 GmbH is the data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR).

• Company: Super44 GmbH
• Address: Rheinwerkallee 6, 53227 Bonn, Germany
• Commercial register: Amtsgericht Bonn, HRB 30568
• Managing Director: Alexander Riesenkampff
• Email: hello@super44.ai

What Data We Collect

We only collect what we need to make Super44 useful for you. Here's the full list:

• Email address — collected when you sign up via Clerk authentication
• Name (if provided) — collected during sign-up
• Business name — you enter this during onboarding
• Business address / location — entered once during setup so we can tailor insights to your area
• Chat messages and conversation history — everything you ask Super44 and the responses you get
• POS / sales transaction data — pulled from your point-of-sale system when you connect it
• Google review data — pulled from your Google Business Profile when you connect it via OAuth
• Device information (OS, app version) — collected automatically when you use the app
• Crash logs and performance data — collected automatically to help us fix bugs and keep the app stable

Why We're Allowed to Process Your Data

Under GDPR, we need a legal basis for every type of processing. Here's ours:

• Account creation, AI chat, business analytics, POS analysis, and review monitoring — Contract performance (Art. 6(1)(b)). You signed up for these features, and we need your data to deliver them.
• Crash reporting and app stability — Legitimate interest (Art. 6(1)(f)). We have a legitimate interest in keeping the app running smoothly.
• Service-related email communication — Legitimate interest (Art. 6(1)(f)). This includes security alerts, billing notifications, essential product updates, and AI-generated notifications you've requested (such as reminders or scheduled task results). We don't send marketing emails under this basis.

Who Else Handles Your Data

We work with a small number of trusted service providers to run Super44. Each one has a Data Processing Agreement (DPA) in place.

• Clerk (clerk.com) — handles authentication and user management. Based in the USA, protected by EU Standard Contractual Clauses (SCCs).
• AWS (eu-central-1, Frankfurt) — hosts our servers, databases, file storage, and AI model processing (Anthropic Claude via AWS Bedrock). Your data stays in the EU.
• Google (OAuth, Reviews API) — handles Google account login and pulls your review data. Based in the USA, protected by EU Standard Contractual Clauses (SCCs).
• BetterStack — error and crash reporting to keep the service reliable. EU hosting.
• PostHog — product analytics on the website only (not the mobile app). EU hosting (EU Cloud). Not used for advertising or cross-site tracking.

How Long We Keep Your Data

We don't keep data longer than we need to.

• Active account — your data is retained for as long as your subscription is active.
• After account deletion — all personal and business data is deleted within 30 days of your deletion request. Anonymized, aggregated analytics may be retained.
• Chat history — kept for the life of your account. You can delete individual conversations at any time.
• POS data — cached while your integration is connected. Deleted when you disconnect the integration or delete your account.
• Backups — any backups containing your personal data are purged within 90 days of a deletion request.

Your Rights Under GDPR

You have strong rights over your data under the GDPR (Articles 15–22). Here's what you can do:

• Access (Art. 15) — request a copy of all personal data we hold about you.
• Rectification (Art. 16) — ask us to correct any inaccurate data.
• Erasure (Art. 17) — ask us to delete all your data (the "right to be forgotten").
• Restriction (Art. 18) — ask us to limit processing while a complaint is being resolved.
• Data portability (Art. 20) — receive your data in a structured, machine-readable format.
• Objection (Art. 21) — object to processing based on our legitimate interest.
• Automated decision-making (Art. 22) — Super44's AI provides suggestions and insights only. We don't make automated decisions that have legal or similarly significant effects on you.

To exercise any of these rights, email us at hello@super44.ai. We'll respond within 30 days. You also have the right to lodge a complaint with your local data protection authority. For Super44, this is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW).

Data Transfers Outside the EU

Your data is primarily processed in the EU — our servers run on AWS in Frankfurt (eu-central-1). Some of our processors (Clerk, Google) are based in the USA. All transfers to the USA are protected by EU Standard Contractual Clauses (SCCs) as per Art. 46(2)(c) GDPR. AI processing (Anthropic Claude) runs on AWS Bedrock in Frankfurt and does not leave the EU. We do not transfer data to any country without an adequacy decision or appropriate safeguards in place.

Cookies and Tracking

The Super44 mobile app does not use cookies or third-party advertising SDKs. We use BetterStack for error and crash reporting to keep the service stable. On our website, we use PostHog for product analytics — PostHog does not track you across other sites and is not used for ad targeting. Neither tool is used in the mobile app. We do not use any advertising or behavioral tracking tools anywhere in Super44.

Children's Data

Super44 is a business tool and is not directed at children under 16. We don't knowingly collect data from anyone under 16. If we learn that we've collected data from a child under 16, we'll delete it promptly.

Changes to This Policy

If we make material changes to this policy, we'll notify you via in-app notification and/or email. This page always shows the current version with the "Last updated" date at the top. Continued use of Super44 after we notify you of changes means you accept the updated policy. Where required, we'll ask for your consent again.

Data Protection Contact

We're a small team and haven't appointed a formal Data Protection Officer (this isn't required for most SMEs under Art. 37 GDPR). For any data protection questions, requests, or concerns, reach out to us directly at hello@super44.ai.