Privacy Policy (Datenschutzerklärung)

Last updated: April 1, 2026

1. Controller

Struct2Flow
Luiz Sergio Cinti Scheidegger
Marsopstraße 2B, 81245 München, Deutschland
Email: privacy@struct2flow.com

2. Data We Collect

Data Type	Purpose	Legal Basis (GDPR Art. 6)
Email, name	Account creation and authentication	Art. 6(1)(b) — contractual necessity
Process descriptions	AI-powered diagram generation	Art. 6(1)(b) — contractual necessity
BPMN diagrams (XML)	Storage and retrieval of your work	Art. 6(1)(b) — contractual necessity
API keys (if provided)	Using your own AI provider keys	Art. 6(1)(a) — consent
IP address, access logs	Security, abuse prevention	Art. 6(1)(f) — legitimate interest

3. Cookies

Storm2Flow does not use cookies. Authentication tokens are stored in your browser's local storage, which is not subject to the ePrivacy Directive's cookie consent requirements. No third-party tracking or analytics cookies are set.

4. Third-Party Processors

We use the following third-party services to operate Storm2Flow:

Amazon Web Services (AWS)

Hosting, authentication (Cognito), data storage (DynamoDB, S3), email delivery (SES). Data is processed in EU (Frankfurt, eu-central-1). AWS is certified under the EU-US Data Privacy Framework.

Anthropic (Claude API)

Your process descriptions are sent to Anthropic's API for diagram generation. Anthropic is based in the United States. Data transfer is covered by Standard Contractual Clauses (SCCs). As of the date of this policy, Anthropic states that API inputs are not used for model training.

OpenAI (optional)

If you or your organization configures OpenAI as an AI provider, descriptions may be sent to OpenAI's API. OpenAI is based in the United States. Data transfer is covered by SCCs. As of the date of this policy, OpenAI states that API data is not used for training.

5. Data Transfer Outside the EU

Your process descriptions are transferred to AI providers (Anthropic, OpenAI) in the United States for processing. These transfers are protected by:

• Standard Contractual Clauses (SCCs) as approved by the European Commission
• The EU-US Data Privacy Framework (where applicable)

All other data (accounts, diagrams, files) is stored and processed within the EU (AWS eu-central-1, Frankfurt).

6. Data Retention

• Account data — retained until you delete your account or request deletion
• Process descriptions and diagrams — retained until you delete them or your account is closed
• Access logs — retained for 30 days for security purposes
• API keys — encrypted at rest; deleted when you clear them or your account is closed

7. Automated Decision-Making

Storm2Flow uses artificial intelligence to generate BPMN diagrams from your text descriptions. This is an automated process, but it does not produce decisions with legal or similarly significant effects on you. The generated diagrams are suggestions that you can edit, accept, or reject. You retain full control over the final output.

8. Your Rights

Under GDPR, you have the right to:

• Access your personal data (Art. 15)
• Rectify inaccurate data (Art. 16)
• Erase your data ("right to be forgotten") (Art. 17)
• Restrict processing (Art. 18)
• Data portability — receive your data in a structured format (Art. 20)
• Object to processing based on legitimate interest (Art. 21)
• Withdraw consent at any time for consent-based processing (Art. 7(3))

To exercise any of these rights, contact us at privacy@struct2flow.com.

9. Right to Complain

You have the right to lodge a complaint with your local data protection authority. For Germany, this is the relevant state data protection authority (Landesdatenschutzbeauftragte) for your Bundesland, or the Bundesbeauftragte für den Datenschutz (BfDI) for federal matters.

10. Changes to This Policy

We may update this privacy policy from time to time. The "last updated" date at the top indicates the most recent revision. Continued use of the Service after changes constitutes acceptance.

Terms and Conditions · Impressum