Privacy Policy

Last updated: March 2, 2026

This privacy policy describes how hallostu ("we" or "us") collects, uses, and protects your personal data when you visit hallostu.com. hallostu is a non-commercial university project created as part of the MTM_02 | Agile Engineering Management course at Code University of Applied Sciences, Berlin.

1. Controller (Verantwortlicher)

The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR/DSGVO) is:

hallostu
Berlin, Germany
Email: info@hallostu.com

hallostu is a non-commercial student project. We are not a registered company and do not have a VAT ID or commercial register number.

2. What Data We Collect and Why

Email addresses (signup)
When you sign up to stay updated, we collect your email address. This data is stored in our Supabase database.
Legal basis: Your consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time by emailing info@hallostu.com.

Account data (Supabase Auth)
When you create an account, we store your email address and a hashed password via Supabase Auth. Passwords are never stored in plain text — they are hashed using bcrypt. You can delete your account at any time by emailing info@hallostu.com.
Legal basis: Contract performance (Art. 6(1)(b) GDPR) for providing the user account service.

Website usage data (Google Analytics 4)
We use Google Analytics 4 (GA4) to understand how visitors use our website. GA4 uses cookies to collect anonymized information including browser type, pages visited, and time on site.
Legal basis: Your consent (§ 25 TTDSG). You can manage cookie preferences through your browser settings.

Behaviour analytics (Microsoft Clarity)
We use Microsoft Clarity to analyse how visitors interact with our website through heatmaps, session recordings, and click tracking. Clarity does not collect personally identifiable information. Session recordings automatically mask sensitive input fields. Data is processed by Microsoft Corporation under the Microsoft Privacy Statement. Microsoft is certified under the EU-US Data Privacy Framework.
Legal basis: Your consent (§ 25 TTDSG).

Chat messages (Google Gemini API)
When you use our chatbot, your messages are sent to the Google Gemini API to generate AI responses. Messages are processed by Google to generate a response and are subject to Google's Privacy Policy.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in providing the chatbot service.

Anonymous question logging (analytics)
We log the text of questions asked in the chatbot to understand which topics students need help with and to improve our service. This data is fully anonymous — we do not store IP addresses, user IDs, cookies, or any other personal identifiers alongside questions. Only the question text, a detected topic category, and a timestamp are stored in our Supabase database.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in improving the service based on usage patterns.

3. Cookies

Our website uses cookies from Google Analytics 4 and Microsoft Clarity to analyze website traffic and user behaviour. Cookies are small text files stored on your device. You can configure your browser to refuse cookies, though some features may not function properly. The legal basis for analytics cookies is your consent under § 25 TTDSG. For full details, see our Cookie Policy.

4. Third-Party Services

  • Supabase (Supabase Inc.) — user authentication, email signup storage, and anonymous question logs. Data is stored on Supabase-managed infrastructure (AWS eu-central-1). Subject to Supabase's Privacy Policy.
  • Google Analytics 4 (Google LLC) — website traffic analysis. Data is transmitted to Google servers.
  • Google Gemini API (Google LLC) — AI-powered chat responses. Chat messages are sent to Google for processing.
  • Microsoft Clarity (Microsoft Corporation) — behaviour analytics including heatmaps and session recordings. No personally identifiable information is collected. Subject to Microsoft's Privacy Statement.

5. Data Transfer to Third Countries

Data processed by Google and Microsoft services may be transferred to the United States. Both Google LLC and Microsoft Corporation are certified under the EU-US Data Privacy Framework, ensuring an adequate level of data protection in accordance with Art. 45 GDPR.

6. Data Retention

  • Account data: Duration of account + 30 days post-deletion.
  • Audit logs: 24 months (anonymised after 12 months).
  • Anonymised analytics: Indefinite (no personal data).
  • Google Analytics data: Retained for 14 months (Google's default setting).
  • Chat messages: Full conversations are not stored. Anonymous question text (without personal identifiers) is retained for service improvement.

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) — request information about your stored data
  • Right to rectification (Art. 16 GDPR) — correct inaccurate data
  • Right to erasure (Art. 17 GDPR) — request deletion of your data
  • Right to restriction (Art. 18 GDPR) — restrict processing of your data
  • Right to data portability (Art. 20 GDPR) — receive your data in a machine-readable format
  • Right to object (Art. 21 GDPR) — object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3) GDPR) — withdraw consent at any time
  • Right to lodge complaint (Art. 77 GDPR) — file a complaint with the competent data protection supervisory authority

To exercise any of these rights, contact us at info@hallostu.com. Requests are processed within 30 days in accordance with Art. 12(3) GDPR.

8. Right to Complain

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent authority for us is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin, Germany
www.datenschutz-berlin.de

9. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated date.