Privacy Policy
Effective Date: January 7, 2025
Important Notice (Transparency)
We use third-party service providers to operate Ratio and process user requests. Data Processing Agreements (Art. 28 GDPR) are in preparation. Until completion, we minimize data collection, restrict access, activate only necessary features, and review additional protective measures. This policy informs you about actual data processing activities.
1. Controller
Worqshop IO UG (haftungsbeschränkt)
Friedenstraße 3, 10249 Berlin, Germany
Email: info[at]useratio.io
Phone: +49 160 1517018
Data Protection Officer: Not appointed. No appointment obligation exists under current assessment (Art. 37 GDPR). We review this regularly.
2. Legal Bases
Data processing is based on:
- Art. 6 (1) lit. b GDPR (contract performance/pre-contractual measures)
- Art. 6 (1) lit. f GDPR (legitimate interests: operations, security, communication)
- Art. 6 (1) lit. a GDPR (consent, where optional features are used)
3. Data We Collect
3.1 Account Data
- Email address, name, company name (if provided)
- Password (encrypted)
- Subscription details, payment status
Purpose: Account management, billing, support
Legal basis: Art. 6 (1) lit. b GDPR
3.2 Usage Data
- Login times, features used, queries made
- Browser type, IP address (anonymized after 7 days)
Purpose: Service provision, security, optimization
Legal basis: Art. 6 (1) lit. f GDPR
3.3 User-Uploaded Data
- Connected data sources (Google Sheets, Meta Ads, etc.)
- Data you upload or import
- Conversations with the AI assistant
Note: You're responsible for ensuring you have rights to upload data. We don't actively scan for PII but recommend minimizing it.
3.4 Payment Data
Processed by Stripe/PayPal (we don't store credit card details)
We receive: transaction ID, payment status, billing address
Legal basis: Art. 6 (1) lit. b GDPR
4. How We Use Your Data
- Provide and maintain the Service
- Process analytics queries via AI
- Generate reports and dashboards
- Customer support
- Billing and payment processing
- Service improvement (anonymized data only)
- Legal compliance
5. Service Providers (Data Processors)
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Google Cloud (BigQuery, Cloud Run) | Data storage & background processing | Frankfurt, DE | DPA in preparation |
| Supabase | User data & authentication | Frankfurt, DE | DPA in preparation |
| Vercel | Application hosting | Frankfurt, DE | DPA in preparation |
| Anthropic | AI/LLM inference | USA | DPA in preparation, SCCs |
| OpenAI | AI/LLM inference | USA | DPA in preparation, SCCs |
| Groq | AI/LLM inference | USA | Zero data retention policy, SCCs |
| Braintrust Data | Agent interaction logs | USA | DPA in preparation, SCCs |
| Stripe | Payment processing | Global | GDPR-compliant, DPA in place |
| PayPal | Payment processing | Global | GDPR-compliant, DPA in place |
Third Country Transfers: Data transfers to the USA (Groq, Anthropic, OpenAI, Braintrust) are secured via EU Standard Contractual Clauses (SCCs) and additional safeguards.
Note: User-uploaded data (Google Sheets, file uploads) may contain PII. If so, it will be processed by our data and LLM providers. All providers operate securely, but we note this for GDPR transparency.
6. AI Processing
We may use one or more of the following AI/LLM providers for natural language understanding and processing:
- Anthropic: DPA in preparation, located in the USA (secured via SCCs)
- OpenAI: DPA in preparation, located in the USA (secured via SCCs)
- Groq: Zero data retention policy (no training on your data), located in the USA (secured via SCCs)
Your queries and data snippets may be sent to one or more of these providers depending on service requirements. We may use some or all of the mentioned providers at our discretion.
Legal basis: Art. 6 (1) lit. b, f GDPR
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 180 days |
| Usage logs | 180 days, then anonymized |
| Uploaded/connected data | Until you disconnect source or delete account + 180 days |
| Payment records | Per legal requirements (10 years per HGB/AO) |
| Support conversations | 180 days after resolution |
After retention periods, data is permanently deleted or anonymized.
8. Third-Party Data Integrations
Data Source Connectors: When you connect third-party platforms to Ratio, we access and process your data from:
- Google Ads (via Google Ads API)
- Meta Ads (via Meta Marketing API)
- Google Analytics 4 (via GA4 API)
- Google Sheets (via Google Sheets API)
What We Access:
- Campaign data, performance metrics, spend data
- Anonymized user behavior data (no personal identifiers)
- Metadata necessary for analytics (date ranges, campaign names, etc.)
What We Don't Access:
- We design connectors to exclude PII fields by default
- No access to email addresses, names, phone numbers from advertising platforms
- No access to payment information
Your Responsibility:
- You warrant you have necessary permissions to connect these accounts
- For Google Sheets/CSV uploads: You're responsible for any PII included
- You must comply with third-party platform terms (Google, Meta, etc.)
Legal Basis: Art. 6 (1) lit. b GDPR (contract performance)
9. Cookies & Tracking
We use only technically necessary cookies. No marketing/analytics cookies without consent.
Necessary Cookies:
- Session management
- Authentication
- Security features
Optional (with consent):
- Usage analytics (anonymized)
- Feature usage tracking for improvement
You can manage cookie preferences in your browser.
10. Your Rights (GDPR)
You have the right to:
- Access your data (Art. 15 GDPR)
- Rectification of incorrect data (Art. 16 GDPR)
- Erasure ("right to be forgotten") (Art. 17 GDPR)
- Restrict processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing based on Art. 6 (1) lit. f GDPR
- Withdraw consent at any time (Art. 7 (3) GDPR)
To exercise rights: Contact info[at]useratio.io
Right to complain: You may file a complaint with the Berlin Commissioner for Data Protection and Freedom of Information.
11. Data Security
We implement technical and organizational measures (TOMs) per Art. 32 GDPR:
- Encryption in transit (TLS) and at rest
- Access controls and authentication
- Regular security audits
- Secure data centers (ISO 27001 certified providers)
- Backup and disaster recovery
12. Children's Privacy
Ratio is not intended for users under 18. We don't knowingly collect data from minors.
13. Changes to Privacy Policy
We may update this policy with notice via email or in-app notification. Continued use after notice constitutes acceptance.
14. Contact
For privacy questions: info[at]useratio.io
Worqshop IO UG, Friedenstraße 3, 10249 Berlin, Germany