Privacy Policy
Effective Date: March 10, 2026
Important Notice (Transparency)
We use third-party service providers to operate Ratio and process user requests. Data Processing Agreements (Art. 28 GDPR) are in preparation. Until completion, we minimize data collection, restrict access, activate only necessary features, and review additional protective measures. This policy informs you about actual data processing activities.
1. Controller
Worqshop IO UG (haftungsbeschränkt)
Alboingärten 17, 12103 Berlin, Germany
Email: info[at]useratio.io
Phone: +49 160 1517018
Data Protection Officer: Not appointed. Under our current assessment, no obligation to appoint one exists (Art. 37 GDPR). We review this regularly.
2. Legal Bases
Data processing is based on:
- Art. 6 (1) lit. b GDPR (contract performance/pre-contractual measures)
- Art. 6 (1) lit. f GDPR (legitimate interests: operations, security, communication)
- Art. 6 (1) lit. a GDPR (consent, where optional features are used)
3. Data We Collect
3.1 Account Data
- Email address, name, company name (if provided)
- Password (encrypted)
- Subscription details, payment status
Purpose: Account management, billing, support
Legal basis: Art. 6 (1) lit. b GDPR
3.2 Usage Data
- Login times, features used, queries made
- Browser type, IP address (anonymized after 7 days)
Purpose: Service provision, security, optimization
Legal basis: Art. 6 (1) lit. f GDPR
3.3 User-Uploaded Data
- Connected data sources (Google Sheets, Meta Ads, etc.)
- Data you upload or import
- Conversations with the AI assistant
Note: You're responsible for ensuring you have rights to upload data. We don't actively scan for PII but recommend minimizing it.
3.4 Payment Data
Processed by Chargebee/PayPal (we don't store credit card details directly)
We receive: transaction ID, payment status, billing address
Legal basis: Art. 6 (1) lit. b GDPR
4. How We Use Your Data
- Provide and maintain the Service
- Process analytics queries via AI
- Generate reports and dashboards
- Customer support
- Billing and payment processing
- Service improvement (anonymized data only)
- Legal compliance
5. Service Providers (Data Processors)
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | AI inference (LLM), cloud infrastructure | EU processing (Stockholm), vendor HQ USA | EU DPA, SCCs |
| Google Cloud Platform (GCP) | Data storage (BigQuery), pipelines, AI fallback inference | EU processing (Frankfurt/Belgium), vendor HQ USA | EU DPA, SCCs |
| Supabase | Database, user data, authentication | EU processing (Frankfurt), vendor HQ USA | EU DPA, SCCs |
| Vercel | Application hosting and deployments | EU processing (Frankfurt), vendor HQ USA | EU DPA, SCCs |
| PostHog (EU Cloud) | Product analytics and LLM monitoring | EU processing (Frankfurt), vendor HQ USA | EU DPA, SCCs |
| Chargebee | Subscription and payment processing | EU, vendor HQ USA | EU DPA, SCCs |
| PayPal | Payment processing | EU, vendor HQ USA | EU DPA, SCCs |
| Google (OAuth) | Authentication for Google Ads/Sheets connectors | EU processing, vendor HQ USA | EU DPA, SCCs |
| Meta (OAuth) | Authentication for Meta Ads connector | EU processing, vendor HQ USA | EU DPA, SCCs |
Third Country Transfers: Where vendor entities are based outside the EU/EEA, transfers are protected by EU Standard Contractual Clauses (SCCs) and supplementary safeguards.
EU-Only Mode: The EU-only setting is enabled by default and routes processing to EU infrastructure. If disabled, additional non-EU fallback providers may be used.
6. AI Processing
We use EU-based inference infrastructure by default:
- AWS Bedrock (EU/Stockholm): primary LLM inference provider
- GCP (EU/Belgium or Frankfurt): fallback AI inference and data pipeline processing
AWS Bedrock may run vendor-sold models. The underlying model vendor does not receive direct technical access to your prompts, completions, or customer data; AWS remains our contractually relevant processor.
If EU-only mode is disabled by the customer, additional non-EU fallback providers may be used based on service requirements.
Legal basis: Art. 6 (1) lit. b, f GDPR
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Usage logs | Up to 12 months (anonymized where possible) |
| Uploaded/connected data | Contract term + 30 days |
| Payment records | Per legal requirements (10 years per HGB/AO) |
| Support conversations | Up to 12 months |
After retention periods, data is permanently deleted or anonymized.
8. Third-Party Data Integrations
Data Source Connectors: When you connect third-party platforms to Ratio, we access and process your data from:
- Google Ads (via Google Ads API)
- Meta Ads (via Meta Marketing API)
- Google Analytics 4 (via GA4 API)
- Google Sheets (via Google Sheets API)
What We Access:
- Campaign data, performance metrics, spend data
- Anonymized user behavior data (no personal identifiers)
- Metadata necessary for analytics (date ranges, campaign names, etc.)
What We Don't Access:
- We design connectors to exclude PII fields by default
- No access to email addresses, names, phone numbers from advertising platforms
- No access to payment information
Your Responsibility:
- You warrant you have necessary permissions to connect these accounts
- For Google Sheets/CSV uploads: You're responsible for any PII included
- You must comply with third-party platform terms (Google, Meta, etc.)
Legal Basis: Art. 6 (1) lit. b GDPR (contract performance)
8.1 Google User Data Sharing & Disclosure
If you connect Google services (e.g. Google Ads, Google Analytics 4, Google Sheets), we process Google user data only to provide requested analytics and reporting functionality.
- We share Google user data only with subprocessors listed in this policy where strictly necessary to host, secure, process, and return results.
- We do not sell Google user data and do not use it for advertising purposes.
- We disclose Google user data only as described in this policy, on your instruction, or where required by law.
- In case of merger, acquisition, or asset sale, data may be transferred subject to confidentiality and applicable data protection law.
Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including Limited Use requirements.
9. Cookies & Tracking
We use only technically necessary cookies. No marketing/analytics cookies without consent.
Necessary Cookies:
- Session management
- Authentication
- Security features
Optional (with consent):
- Usage analytics (anonymized)
- Feature usage tracking for improvement
You can manage cookie preferences in your browser.
10. Your Rights (GDPR)
You have the right to:
- Access your data (Art. 15 GDPR)
- Rectification of incorrect data (Art. 16 GDPR)
- Erasure ("right to be forgotten") (Art. 17 GDPR)
- Restrict processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing based on Art. 6 (1) lit. f GDPR
- Withdraw consent at any time (Art. 7 (3) GDPR)
To exercise rights: Contact info[at]useratio.io
Right to complain: You may file a complaint with the Berlin Commissioner for Data Protection and Freedom of Information.
11. Data Security
We implement technical and organizational measures (TOMs) per Art. 32 GDPR:
- Encryption in transit (TLS) and at rest
- Access controls and authentication
- Regular security audits
- Secure data centers (ISO 27001 certified providers)
- Backup and disaster recovery
12. Children's Privacy
Ratio is not intended for users under 18. We don't knowingly collect data from minors.
13. Changes to Privacy Policy
We may update this policy with notice via email or in-app notification. Continued use after notice constitutes acceptance.
14. Contact
For privacy questions: info[at]useratio.io
Worqshop IO UG, Alboingärten 17, 12103 Berlin, Germany