Privacy Policy

Last updated: July 10, 2026

This Privacy Policy explains how Sumosmash UG (haftungsbeschränkt), operating the Halvday service, processes personal data relating to visitors to the Halvday website, registered users, customer contacts and workspace administrators, prospective customers who contact us, and other persons who interact directly with Halvday.

This Privacy Policy does not cover personal data relating to third-party business contacts, companies or profiles that Halvday researches or monitors on behalf of customers. That processing is described separately in our Information under Art. 14 GDPR for Researched Business Contacts.

1. Controller

The controller responsible for the processing described in this Privacy Policy is:

Sumosmash UG (haftungsbeschränkt)
Seydelstr. 12
10117 Berlin, Germany

Represented by: Christian Gruber
Register court: Amtsgericht Charlottenburg
Commercial register number: HRB 159301 B
Email: privacy@halvday.com

Halvday is a trading name of Sumosmash UG (haftungsbeschränkt) and is not a separate legal entity.

2. Personal data, purposes and legal bases

We process the following categories of personal data:

CategoryPurposesLegal basis
Website and network data, including IP address, request time, requested URL, browser and device information, referrer, response status and error dataDelivering the website and application; maintaining security and availability; diagnosing errors; preventing abuseArt. 6(1)(f) GDPR
Identity and contact data, including name and business email addressCreating and administering accounts; identifying users; service communication; customer support; contract administrationArt. 6(1)(b) GDPR; where appropriate, Art. 6(1)(f) GDPR
Company and workspace data, including company name, workspace membership, role, permissions and settingsProviding the B2B service; managing workspaces and access rights; performing the customer contractArt. 6(1)(b) GDPR
Authentication and security data, including user identifiers, session information, authentication method, login history, IP address, device information and security eventsRegistration, login, session management, account security, fraud prevention and protection against unauthorised accessArt. 6(1)(b) and Art. 6(1)(f) GDPR
Product analytics data, including page views, events, features used, interaction data, device information and pseudonymous identifiersUnderstanding use of the website and product; measuring feature adoption; identifying usability issues; improving HalvdayArt. 6(1)(a) GDPR and, for access to or storage of information on a device, consent under § 25(1) TDDDG
Support and communication data, including support requests, messages, feedback and attachmentsResponding to requests; resolving technical or contractual issues; documenting customer communicationArt. 6(1)(b) GDPR; where appropriate, Art. 6(1)(f) GDPR
Billing and transaction data, including billing contact, address, invoice details, subscription status, transaction identifiers and payment statusProcessing subscriptions and payments; invoicing; bookkeeping; tax compliance; fraud prevention; enforcing contractual claimsArt. 6(1)(b), Art. 6(1)(c) and, where appropriate, Art. 6(1)(f) GDPR
User-submitted content, including prompts, instructions, files, notes, comments and research requestsProviding AI-supported research, analysis, monitoring, summarisation and other requested Halvday functionsArt. 6(1)(b) GDPR
AI request and output metadata, including timestamps, model request information, response information and technical error dataDelivering AI functions; troubleshooting; maintaining security and technical reliabilityArt. 6(1)(b) and Art. 6(1)(f) GDPR

Our legitimate interests under Art. 6(1)(f) GDPR include operating and securing Halvday, preventing abuse, maintaining technical reliability, supporting customers, documenting business communication, improving the service and establishing, exercising or defending legal claims.

3. Website and application hosting

We use Vercel to host and deliver the Halvday website and frontend application.

When you access Halvday, Vercel may process technical data such as your IP address, browser and device information, requested URL, timestamps, network data and error information. This processing is necessary to deliver and secure the website and application, prevent abuse and diagnose technical problems.

The legal basis is Art. 6(1)(f) GDPR.

4. DNS and domain services

We use Cloudflare for authoritative DNS and domain-related security services.

Cloudflare is currently used for DNS, not as our product analytics provider. Where Cloudflare processes technical DNS or network information, the processing is necessary to resolve and protect the Halvday domains.

The legal basis is Art. 6(1)(f) GDPR.

5. Accounts and authentication

We use Clerk for account registration, login, authentication, session management and account security.

Clerk may process:

  • name and email address;
  • account and user identifiers;
  • authentication methods;
  • session identifiers;
  • IP address and device information;
  • login history and security events; and
  • workspace or organisation membership information.

This processing is necessary to create and operate your Halvday account and to protect accounts against unauthorised access. The legal bases are Art. 6(1)(b) and Art. 6(1)(f) GDPR.

Clerk and Halvday may use cookies, local storage or similar technologies that are strictly necessary for registration, authentication, session security and account management. The legal basis for such device access is § 25(2) TDDDG.

6. Backend and database infrastructure

We use Convex as Halvday's application backend and database infrastructure.

Our production deployment is configured for EU West (Ireland). Convex processes application data required to operate customer workspaces, accounts, saved configurations, product functions and user-submitted content.

Processing necessary to provide Halvday is based on Art. 6(1)(b) GDPR. Processing for security, maintenance, troubleshooting and abuse prevention is based on Art. 6(1)(f) GDPR.

7. AI features and agent infrastructure

Halvday uses AI systems and automated agents to perform research, analysis, monitoring, summarisation and related product functions.

Our agent infrastructure is hosted on DigitalOcean virtual private servers in Frankfurt, Germany.

We use Google Cloud Vertex AI to process content submitted to AI-enabled Halvday features. Where supported by the selected model and feature, processing is configured for Google Cloud's europe-west1 region in Belgium.

Depending on the feature, processed content may include:

  • prompts and research instructions;
  • company names and research criteria;
  • uploaded files, notes or comments;
  • user feedback;
  • contextual information required to complete a request; and
  • technical metadata required to deliver the response.

Account-registration data, billing data and ordinary workspace-administration data are not intentionally submitted to AI inference providers unless you include such information in submitted content or it is technically necessary for a requested feature.

Halvday does not use user-submitted content to train general-purpose AI models. Under the applicable Google Cloud service terms, Google does not use customer data to train or fine-tune AI or machine-learning models without the customer's prior permission or instruction. Limited provider logging may nevertheless occur for security, safety and abuse-prevention purposes, depending on the service and configuration.

Please do not submit unnecessary personal data, special-category personal data or confidential personal information into prompts, notes or uploaded files.

The legal basis for AI processing required to provide requested Halvday functionality is Art. 6(1)(b) GDPR. Technical security and error-diagnosis processing is based on Art. 6(1)(f) GDPR.

Processing concerning researched third-party business contacts is covered separately by our Information under Art. 14 GDPR.

8. Product analytics with PostHog

We use PostHog Cloud EU, hosted in Frankfurt, Germany, for website and product analytics.

PostHog helps us understand:

  • which pages and features are used;
  • how users navigate Halvday;
  • where errors or usability problems occur;
  • how features are adopted; and
  • how the service can be improved.

We use PostHog on both the public website and the logged-in Halvday application.

PostHog analytics are activated only after you have given consent. Before consent is given, or if consent is refused or withdrawn, PostHog analytics capture remains disabled.

The legal bases are:

  • your consent under § 25(1) TDDDG for access to or storage of information on your device; and
  • Art. 6(1)(a) GDPR for the subsequent processing of analytics data.

You can withdraw your consent at any time through the cookie settings link in the website footer. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Our PostHog configuration is intended to:

  • use the EU-hosted PostHog environment;
  • keep IP-address capture disabled;
  • avoid capturing unnecessary form content or sensitive information;
  • prevent analytics capture before consent; and
  • retain identifiable analytics data for no longer than 12 months.

We do not currently use Google Analytics.

9. Transactional emails

We use Resend, operated by Plus Five Five, Inc., to send transactional and service-related emails.

These messages may include:

  • registration and account-confirmation messages;
  • login or authentication messages;
  • security notifications;
  • product and service notifications;
  • subscription or billing messages;
  • support responses; and
  • other messages necessary to operate Halvday.

Resend may process recipient and sender information, email content, delivery status, timestamps, bounce and complaint information, and technical delivery data.

Resend's primary processing operations take place in the United States. International transfers are protected through the EU-U.S. Data Privacy Framework where applicable and Standard Contractual Clauses where required.

The legal basis for transactional messages relating to your account or contract is Art. 6(1)(b) GDPR. Security and essential operational messages may additionally be based on Art. 6(1)(f) GDPR.

Marketing emails are sent only where legally permitted and, where required, after consent has been obtained.

10. Payments through Stripe

We use Stripe to manage subscriptions, process payments, administer invoices and transactions, and prevent payment fraud.

For customers in the European Economic Area, the relevant contracting entity is generally Stripe Payments Europe, Limited, while Stripe affiliates may participate in providing the services.

Stripe may process:

  • name and contact details;
  • billing address;
  • payment instrument information;
  • transaction amount and currency;
  • subscription and invoice information;
  • payment status;
  • device and network information; and
  • fraud-prevention and compliance information.

Stripe acts as our processor for certain activities and as an independent controller for others, particularly where Stripe determines processing required for payment networks, financial regulation, security, fraud prevention and legal compliance.

The legal bases are:

  • Art. 6(1)(b) GDPR for performing the contract;
  • Art. 6(1)(c) GDPR for statutory financial and tax obligations; and
  • Art. 6(1)(f) GDPR for security, fraud prevention and the enforcement of claims.

Stripe may process personal data globally. International transfers are protected through the EU-U.S. Data Privacy Framework where applicable, Standard Contractual Clauses and other legally recognised transfer mechanisms.

11. Recipients and service providers

Where necessary for the purposes described above, we may disclose personal data to:

RecipientFunction
VercelWebsite and frontend application hosting
CloudflareDNS and domain-related security services
ClerkRegistration, authentication, sessions and account security
ConvexApplication backend, database and platform infrastructure
DigitalOceanHosting of agent and research infrastructure in Frankfurt
Google Cloud / Vertex AIAI inference for user-submitted content and requested AI features
PostHogConsent-based website and product analytics through PostHog Cloud EU
Resend / Plus Five Five, Inc.Transactional email delivery
Stripe and affiliated Stripe entitiesSubscription, payment, billing and fraud-prevention services
Tax advisers and accounting providersBookkeeping, accounting and tax compliance
Legal and professional advisersLegal advice, compliance, and the establishment, exercise or defence of claims
Courts, supervisory authorities and public bodiesCompliance with binding legal obligations

Service providers acting as processors may process personal data only in accordance with our instructions and applicable data-processing agreements, except where the law requires otherwise.

We do not sell personal data.

12. International data transfers

We configure core backend, database, analytics and agent processing in the European Union where available and appropriate.

However, several providers are headquartered outside the European Economic Area or use affiliates, support teams and subprocessors located outside the EEA. Personal data may therefore be transferred to, or accessed from, countries outside the EEA, particularly the United States.

Where required, such transfers are protected through one or more of the following mechanisms:

  • an adequacy decision issued by the European Commission;
  • the EU-U.S. Data Privacy Framework where the recipient maintains a valid certification;
  • Standard Contractual Clauses approved by the European Commission;
  • supplementary technical, organisational and contractual safeguards; or
  • another transfer mechanism permitted under Chapter V GDPR.

You may request further information about applicable safeguards by contacting privacy@halvday.com. Confidential commercial or security information may be redacted where appropriate.

13. Storage duration

We retain personal data only for as long as necessary for the purposes for which it was collected, subject to statutory retention duties and legitimate legal requirements.

Data categoryRetention
Website, server, security and technical logsGenerally up to 12 months, unless longer storage is required to investigate a security incident, abuse, technical failure or legal claim
Account, identity, contact, company and workspace dataFor the duration of the account or customer relationship and generally deleted or anonymised within 90 days after termination
Authentication and session dataFor as long as necessary to provide secure authentication; account-related data is generally deleted within 90 days after account termination, subject to security and provider retention requirements
PostHog analytics dataUp to 12 months, after which it is deleted or anonymised
User-submitted prompts, files, notes and workspace contentFor the duration of the customer relationship or until deleted by an authorised user; remaining active copies are generally deleted within 90 days after account or contract termination
AI request and technical metadataGenerally up to 12 months unless a shorter provider setting applies or longer storage is required for security, incident investigation or legal claims
Transactional email and delivery informationFor as long as necessary to deliver and document the relevant communication; contractual communications may be retained for up to 3 years
Support messages and customer communicationDuring the customer relationship and generally for up to 3 years afterwards where required to document the communication or defend legal claims
BackupsOverwritten or deleted within the applicable backup cycle, generally within 90 days
Subscription, payment and transaction administration dataFor the customer relationship and afterwards according to statutory accounting, tax and commercial-law duties
Accounting vouchers and invoicesGenerally 8 years
Books, inventories, opening balances and annual financial statementsGenerally 10 years
Other relevant commercial correspondenceGenerally 6 years

Statutory periods generally begin at the end of the calendar year in which the relevant record was created or the final relevant entry was made.

Retention may be extended where necessary because of an ongoing contractual relationship, unresolved claims, litigation, regulatory proceedings, a tax or accounting audit, a security incident or another binding legal obligation.

Data contained in backups may remain technically present until the relevant backup is overwritten. Backup data is not used for ordinary operational purposes.

14. Your rights

Subject to the applicable legal requirements, you have the following rights:

  • right of access under Art. 15 GDPR;
  • right to rectification under Art. 16 GDPR;
  • right to erasure under Art. 17 GDPR;
  • right to restriction of processing under Art. 18 GDPR;
  • right to data portability under Art. 20 GDPR;
  • right to object under Art. 21 GDPR; and
  • right to withdraw consent under Art. 7(3) GDPR.

Where processing is based on consent, you may withdraw that consent at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise your rights, contact privacy@halvday.com.

We may need to verify your identity before completing a request in order to prevent unauthorised access to personal data.

15. Right to object

Where we process personal data based on Art. 6(1)(f) GDPR, you have the right to object on grounds relating to your particular situation.

We will then stop the relevant processing unless we demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing is required for the establishment, exercise or defence of legal claims.

You may object to direct marketing at any time without providing reasons. Personal data will no longer be used for direct marketing after your objection.

16. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority under Art. 77 GDPR.

You may contact the supervisory authority responsible for your habitual residence, your place of work or the place of the alleged infringement.

The supervisory authority responsible for Sumosmash UG (haftungsbeschränkt) is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59–61
10555 Berlin, Germany

Email: mailbox@datenschutz-berlin.de
Telephone: +49 30 13889-0

This public authority is the competent supervisory authority. It is not Halvday's Data Protection Officer.

17. Obligation to provide personal data

You are not generally legally required to provide personal data to us.

However, certain information is necessary to:

  • create and secure a Halvday account;
  • administer a customer workspace;
  • conclude and perform a contract;
  • provide requested product functions;
  • send essential service communication;
  • process subscriptions and payments; and
  • comply with accounting and tax obligations.

Without this information, we may be unable to create an account, conclude a contract, process payment or provide some or all Halvday functionality.

Analytics consent is voluntary. Refusing or withdrawing analytics consent does not prevent you from accessing the public website or using the core Halvday service.

18. Automated decision-making

We do not use the personal data of website visitors, registered users or customer contacts for automated decision-making that produces legal effects concerning them or similarly significantly affects them within the meaning of Art. 22 GDPR.

Halvday may generate AI-supported research results, summaries, recommendations, prioritisation outputs, company assessments and suggested actions. These outputs support customer users and do not independently make legal or similarly significant decisions concerning a registered Halvday user.

Processing and profiling concerning researched third-party business contacts is addressed separately in our Information under Art. 14 GDPR.

19. Security

We maintain technical and organisational measures intended to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure and unauthorised access.

These measures are reviewed and updated in light of the nature of the processing, available technology and relevant risks. No internet-based service can guarantee absolute security.

20. Changes to this Privacy Policy

We may update this Privacy Policy where necessary to reflect changes to Halvday, our providers, processing activities, legal requirements or regulatory guidance.

The current version is published on the Halvday website. Where a change materially affects registered users or customers, we may additionally provide notice through the application or by email.