1. Scope and controller
This Privacy Policy applies to pharen.de, the browser-based Pharen Hub at pharen.app and our mobile applications where they refer to this policy. The controller under the GDPR is Pharen IT GmbH, Hauptstraße 40
04683 Naunhof OT Fuchshain
Germany.
You can send privacy requests to info@pharen.de. Please do not include passwords, API keys or other credentials in such messages.
2. Our privacy role in the Hub
Pharen generally determines the purposes and means of processing account, contract, billing, security and support data and acts as controller for that data.
For content that organisations upload to the Hub or process through integrations, the respective organisation will usually determine purposes and means. Pharen then processes such customer data as a processor on documented instructions. Statutory duties and processing needed to secure the service remain unaffected.
3. Website access, hosting and content delivery
When our services are accessed, technically necessary connection data is processed. This may include IP address, date and time, destination address, referrer, browser and device information, transferred volume, status codes and error codes. We use this data to deliver and stabilise the service, diagnose errors and defend against attacks.
Website images and videos may be delivered through Amazon Web Services CloudFront. The delivering server receives in particular the IP address, requested file, timestamp and technical browser data. Temporary service animations are loaded automatically from Vimeo when the relevant section approaches the viewport; your browser then connects directly to Vimeo.
The legal basis is Article 6(1)(f) GDPR. Our legitimate interests are the secure, fast and reliable operation of our digital services. Article 6(1)(b) GDPR also applies where processing is required to take steps before or perform a contract.
4. Contact, appointment booking and waitlist
For contact requests, we process name, email address, optional company, activity, budget and preferred contact channels, message, language and source page. For technical protection, we also process the timestamp, user agent and a server-salted hash of the IP address. This is done to handle the request under Article 6(1)(b) GDPR and prevent abuse under Article 6(1)(f) GDPR.
For waitlist signups, we process email address, optional company, language, source page, signup time, user agent and a salted IP hash for abuse prevention. By signing up, you consent to launch updates and early-access messages under Article 6(1)(a) GDPR. You can withdraw consent at any time by email with future effect.
When you open Microsoft Outlook's external appointment booking service, you leave our website. Microsoft processes the data entered there under its own notices and responsibility. You can contact us directly by email instead.
5. Account, workspace and collaboration
For registration and sign-in, we process in particular first and last name, email address, password verifiers, login and security tokens, language, account and workspace assignments, roles, permissions, sign-in events and security events. For social login, we receive the approved profile data and identifiers from the selected provider.
In the Hub, we process content that users provide or generate. Depending on use, this may include messages, email, calendar and contact data, tasks, documents, files, knowledge bases, workflows, agent runs, meetings, audio, image and video content, and collaboration metadata.
The legal basis for account and product features is Article 6(1)(b) GDPR. Security logs, abuse detection and service quality are additionally based on Article 6(1)(f) GDPR and our legitimate interest in operating a secure and auditable service.
6. Account and abuse protection
Cloudflare Turnstile may be used on registration, sign-in and password pages. Technical browser, device, network and interaction data is sent to Cloudflare to assess automated access. This is necessary to secure those functions and is based on Article 6(1)(f) GDPR and Section 25(2)(2) TDDDG.
When a password is chosen, Have I Been Pwned may be used to determine whether it appears in known data breaches. The password itself is not sent. Only a short prefix of a cryptographic password hash is transmitted using k-anonymity, and the response includes many possible hash matches. The legal basis is Article 6(1)(f) GDPR and our interest in protecting accounts from known compromised passwords.
7. User-activated integrations
The Hub can be connected to external services at the user's request. Depending on availability and activation, these include Google services such as Gmail, Drive, Calendar, Contacts, Docs, Sheets, BigQuery, YouTube and Google Analytics; Microsoft services such as Outlook, OneDrive, SharePoint, Teams, To Do, Excel, Dynamics and Entra ID; GitHub; and the customer's own SMTP/IMAP email servers.
Only after an authorised user configures or uses an integration are the required access tokens, account and resource identifiers, permission scopes and content requested by the workflow exchanged between Pharen and the relevant service. Scope and purpose depend on the chosen action and granted permissions.
External providers may act as separate controllers for their platforms. Workspace administrators must only enable integrations for data they may lawfully access, apply the narrowest practical permissions and revoke connections that are no longer needed.
8. AI, media and automation features
When an AI feature is used, prompts, instructions, context, selected workspace content, attachments and technical metadata are sent to the selected model or configured provider. Outputs and usage metadata are returned to the Hub. Depending on configuration, models from OpenAI, Anthropic, Google, DeepSeek, ElevenLabs or Black Forest Labs, as well as customer-owned, self-hosted or OpenAI-compatible models, may be used.
Data is sent only for the selected feature and on the basis of Article 6(1)(b) GDPR or, for customer data, on the controller organisation's instruction. Users must not send data to a model unless they have the required authority and legal basis. Confidential or special-category data may only be processed where this has been contractually and legally approved.
AI results may be inaccurate or incomplete. Decisions with legal or similarly significant effects must not be based solely on an unreviewed AI output. As part of its standard features, Pharen does not make solely automated decisions about users within the meaning of Article 22 GDPR.
9. Contracts, billing and self-hosted licences
For offers, subscriptions, invoices and self-hosted licences, we process contact details, company and billing address, country, optional VAT ID, selected plan, user and term options, discount or renewal details, order status, amounts, payment references and invoice references. Complete payment details are generally processed by the payment provider identified at checkout.
The legal basis is Article 6(1)(b) GDPR. We process records required under tax and commercial law under Article 6(1)(c) GDPR.
10. Audience measurement and browser storage
On pharen.de, we use Umami for cookieless page statistics. It measures page views, referrers, browser, operating system, device type, approximate country, selected interactions and technical performance metrics such as LCP, INP and CLS. We do not use session recording or Google Analytics on pharen.de. Our Cookie Policy explains local preferences, necessary Hub cookies and external media.
This statistical analysis is used to improve technology and content under Article 6(1)(f) GDPR. Our interest is to understand which content is used without creating marketing profiles or tracking visitors across websites.
11. Recipients and categories of service providers
Internally, data is available only to people who require it for operations, support, security, sales, accounting or the agreed service. External recipients may include hosting and infrastructure companies, content delivery, email, communications, security, billing and payment providers, AI and media providers, and integration providers activated by users.
Providers that process data solely on our behalf are contractually bound under Article 28 GDPR. Other providers act under their own responsibility where users call their service directly or connect their own account to the Hub. Authorities or professional advisers receive data only under a legal obligation or to establish, exercise or defend legal claims.
12. Transfers outside the EEA
Some providers or subcontractors are located outside Germany or the European Economic Area, particularly in the United States. A transfer takes place only where the requirements of Articles 44 et seq. GDPR are met, for example through an adequacy decision, valid certification under the EU-US Data Privacy Framework, or EU Standard Contractual Clauses with any required supplementary safeguards.
For user-activated integrations, the location may additionally depend on the provider, account and storage location selected by the user.
13. Retention and deletion
We keep personal data only for as long as needed for its purpose. Relevant criteria include contract term, account and workspace status, retention settings chosen by the customer, limitation periods, and tax and commercial record-keeping duties.
Contact requests are deleted after they have been handled unless needed for a contract or legal evidence. Waitlist data is processed until launch and early-access communications end or consent is withdrawn. Security data is retained only as long as needed for prevention and investigation.
Technical execution histories for workflows and agents are retained for up to 90 days by default unless another lawful workspace configuration applies. After account or workspace deletion, production data is deleted after the displayed safety period; billing records subject to legal retention and time-limited backups may remain longer.
14. Required data
Technical connection data is required to access the service. Account, contact and billing data marked as mandatory is required for the relevant request or contract. Without it, we cannot provide the requested feature or service. Optional information is marked accordingly.
15. Your privacy rights
To exercise your rights, email info@pharen.de. We may request additional information where necessary to verify your identity securely.
- Access under Article 15 GDPR and rectification under Article 16 GDPR.
- Erasure under Article 17 GDPR and restriction under Article 18 GDPR where the requirements are met.
- Data portability under Article 20 GDPR for automated processing based on consent or contract.
- Withdrawal of consent at any time with future effect; prior processing remains lawful.
- Objection under Article 21 GDPR to processing based on legitimate interests for reasons relating to your particular situation. You may object to direct marketing at any time without giving reasons.
16. Right to lodge a complaint
You may lodge a complaint with a data protection authority. Our competent authority is generally the Saxon Commissioner for Data Protection and Transparency, Maternistraße 17, 01067 Dresden, Germany, email: post@sdtb.sachsen.de. Information and the complaint form are available at datenschutz.sachsen.de.
17. Data security and changes
We use appropriate technical and organisational measures to protect personal data against loss, alteration, unauthorised disclosure and unauthorised access. Measures include transport encryption, role-based access, logging and protection against abusive sign-ins.
We update this policy if functions, providers or applicable law materially change. The current version is available on this page. We will also provide appropriate notice where a change concerns consent or contractual information.