Privacy Policy - Information according to Art. 13 and 14 GDPR and UK GDPR on the processing of personal data

Carried GmbH hereby informs you about the processing of your personal data and the rights to which you are entitled under data protection law.

Carried GmbH (“CarriedAI”) reserves the right to adjust the privacy policy at any point in time to ensure that it is in line with the current legal requirements at all times, or in order to accommodate changes in the application process or other processes.

General Information

"Personal data" refers to any information relating to an identified or identifiable individual (“User”).

"Processing" of data encompasses any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

The legal basis for data protection can be found in particular in the General Data Protection Regulation (GDPR), specifically Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and in the UK General Data Protection Regulation (UK GDPR), which is the retained EU law version of the GDPR applicable in the United Kingdom. Additionally, specific national data protection laws, such as the Federal Data Protection Act (BDSG) and Telemedia Act (TMG) in Germany, and the Data Protection Act 2018 in the UK, also provide relevant legal frameworks.

CarriedAI processes personal data only to the extent necessary and for the purpose of providing a functional and user-friendly internet presence, including its contents and the services offered there.

Contact Information

CarriedAI GmbH

Goethestr. 5, 10623 Berlin

Represented by Managing Director: Guillem Sagué

Registered with the local court of Amtsgericht Berlin (Charlottenburg) under HRB 257189 B

Scope and Location of Data Processing

CarriedAI, as well as its external service partners, processes data for the purpose of providing the website and its services, including providing hardware and software through such external service partners. The data categories affected are contact information, user behavior, or other information that constitutes personal data provided to CarriedAI. CarriedAI primarily processes personal data in Frankfurt, Germany, which is within the European Union (EU) / European Economic Area (EEA). If CarriedAI processes personal data outside the EU/EEA and/or the United Kingdom (UK), data protection standards applicable in the EU/EEA and/or the UK (as appropriate) are ensured, and users will be informed accordingly. For details on other controllers or processors handling data for the purposes mentioned in this privacy policy, please refer to the Data Processing Agreement.

CarriedAI processes personal data as follows:

  • Data: Contact data, contract data, usage data, other data provided. Purpose: Communication in order to establish, implement, and/or process a contractual relationship (also orally) with you. Legal basis: Art. 6 para. 1 s.1 lit. b. GDPR (and UK GDPR, where applicable).
  • Data: Contact data, contract data, other data provided. Purpose: Compliance with legal obligations, e.g., commercial, tax, and social security retention obligations. Legal basis: Art. 6 para. 1 s.1 lit. c. GDPR (and UK GDPR, where applicable).
  • Data: Contact data, contract data, other data provided. Purpose: Enforcement, exercise, and defense of legal claims with CarriedAI's legitimate interest that may be, for example, in the assertion of legal claims and defense in legal disputes. Legal basis: Art. 6 para. 1 s.1 lit. f. GDPR (and UK GDPR, where applicable).
  • Data: Contact data, contract data, other data provided. Purpose: Analysis of data with CarriedAI's legitimate interest of, for example, quality assurance or marketing. Legal basis: Art. 6 para. 1 s.1 lit. f. GDPR (and UK GDPR, where applicable).
  • Data: Contact data, contract data, other data provided. Purpose: Consent to data processing for the purpose named in this privacy policy or information provided to you. Legal basis: Art. 6 para. 1 s.1 lit. a. GDPR (and UK GDPR, where applicable).

Furthermore, CarriedAI has implemented technical and organizational measures (TOMs) to ensure that the data protection regulations are observed both by it and by external service providers. For further information, please refer to the Data Processing Agreement.

The user has the following rights:

  • The right to access,
  • The right to rectification or erasure,
  • The right to restriction of processing,
  • The right to data portability,
  • The right to withdraw consent.

The users further have the right to object, on grounds relating to their particular situation, at any time to processing of personal data based on point (e) or (f) of Art. 6 para. 1 s.1 GDPR (and UK GDPR, where applicable), including profiling based on those provisions.

To exercise such rights set forth above, the user may contact CarriedAI via email at info@carriedai.com.

The user has the right to lodge a complaint with the data protection authority of their choice.

Storing and Deleting Data

The data are deleted if the users withdraw their consent and/or such data are no longer necessary for the purpose of processing. CarriedAI or the engaged third-party services delete the data according to the following criteria: time and completion of requests, lapse of legal retention periods, settings provided by third-party providers, etc. Furthermore, CarriedAI only stores the data if it is obliged to do so in accordance with legal retention periods (e.g., as stipulated by German law such as the Commercial Code (HGB) or the Fiscal Code (AO), or relevant UK legislation).

Data Processing on the Website

CarriedAI (or its web space provider) collects data on each visit to its website (so-called server log files) for statistical evaluations aimed at optimizing its services and guaranteeing the stability and operational security of the website.

  • Data: Name of the website visited, file, date and time of the visit, data amount transferred, information on a successful call, browser type as well as version, operating system of the user, referrer URL (the page visited before), IP address and the requesting provider, as well as the following, if a mobile end device is being used: country code, language, name of device, name of operating system and version. Purpose: Optimizing CarriedAI's services and guaranteeing the stability and operational security of the website. Legal basis: Art. 6 para. 1 s.1 lit. f. GDPR (and UK GDPR, where applicable) based on CarriedAI's legitimate interest in quality assurance.

CarriedAI's website partly uses so-called technical cookies for a user-friendly and technically adequate presentation of the website. Cookies are small text files which are stored on the user’s device and browser.

CarriedAI uses so-called session cookies. After the end of the session, these cookies will be deleted automatically. The session cookies are used to associate successive page requests with the individual users who access the website at the same time. Other cookies will be stored on the user’s device until deleted by the user. These cookies enable CarriedAI to recognize the browser during the user’s next visit.

In the event personal data are processed, such processing is based on Art. 6 para. 1 s.1 lit. f. GDPR (and UK GDPR, where applicable) with CarriedAI's legitimate interest in the presentation of a user-friendly and technically correct website, or, where required, your consent (legal basis Art. 6 para. 1 s.1 lit. a. GDPR, and UK GDPR, where applicable).

Contacting CarriedAI via Email

Requests sent to CarriedAI via email are processed as follows:

  • Data: Contact data, name, email address, and other data provided. Purpose: To deal with your inquiry or to be able to contact you at a later time for follow-up questions. Legal basis: Art. 6 para. 1 s.1 lit. a GDPR (and UK GDPR, where applicable).

Data Processing When Using CarriedAI Software

When a customer signs up for CarriedAI's software service or enters into an agreement with CarriedAI, CarriedAI will process the customer’s and users’ data on the basis of initiating a business relationship or continuing an existing business relationship (legal basis Art. 6 para. 1 s.1 lit. b GDPR and UK GDPR, where applicable).

CarriedAI acts as a data processor for its (business) customers. For more details on the use of data for CarriedAI's software service, please also refer to the CarriedAI Master Terms and Data Processing Agreement.

Data Security When Using CarriedAI Software

CarriedAI implements appropriate technical and organizational measures to ensure data processing aligns with legal requirements and adequately protects data subjects' rights. CarriedAI's internal organizational structure is designed to meet specific data protection requirements, with measures tailored to the nature of the data categories being protected.

To protect personal data, CarriedAI employs several key measures:

  • Data Encryption: CarriedAI utilizes end-to-end encryption through Transport Layer Security (TLS) with HTTPS for data in transit. For data at rest, its cloud provider (Azure) employs service-managed keys for server-side encryption of data in services like Data Storage and SQL DBs. User credentials are also stored as hashes using bcrypt and PBKDF2.
  • Access Controls: Authentication is secured with Two-Factor Authentication (2FA), and IP whitelisting is enforced for database administrators. CarriedAI implements Role-Based Access Control (RBAC), granting only system administrators necessary permissions for system configuration access and modification, while other users are restricted by default, adhering to a least-privilege security model. An implicit deny principle is also in place, meaning access is denied by default and only granted when explicitly authorized.
  • Incident Response and Data Resilience: CarriedAI ensures ongoing confidentiality, integrity, availability, and resilience of systems. Confidentiality is maintained through data encryption in transit and at rest, and enforced authentication. Availability is supported by daily backups with multiple backup copies retained. For resilience, CarriedAI's services are deployed on an autoscalable Kubernetes cluster for high availability and performance. The ability to quickly restore data is supported by Microsoft Azure measures in Germany West Central (Frankfurt), which include physical security, data integrity, and data security protocols.
  • Other Measures: CarriedAI maintains audit logs for all critical activities, including access to sensitive data, system configuration changes, and user actions, which are regularly reviewed to track actions and accountability. Data validation rules are applied at the point of data entry to ensure data quality. Upon client termination, all client data is deleted within 60 days of cancellation or contract expiration. For data deletion requests, a 7-day retention period is applied before permanent removal. CarriedAI has a Data Protection Officer accountable for data policy enforcement.