GDPR Compliance
InfiniUm Tools is built for EU users. Our server is hosted in Frankfurt, Germany (EU). We collect minimal data, use privacy-preserving analytics, and never sell personal data. This page explains our GDPR compliance in plain language.
1. Data Controller
InfiniUm Tools acts as the data controller for personal data processed through infinium.tools. As data controller, we determine the purposes and means of processing your personal data.
Contact: contact@infinium.tools
We do not currently require a Data Protection Officer (DPO) as we do not process large volumes of sensitive personal data. However, all privacy inquiries are handled directly and promptly.
2. GDPR Principles We Follow
| Principle | How we apply it |
|---|---|
| Lawfulness, fairness, transparency | We document all processing activities and publish this information publicly |
| Purpose limitation | Data collected for tool functionality is not used for any other purpose |
| Data minimisation | We collect only what is strictly necessary; tool inputs are not stored |
| Accuracy | Account data can be updated at any time from the dashboard |
| Storage limitation | Server logs: 7 days. Rate limit counters: 24 hours. Account data: until deletion |
| Integrity & confidentiality | TLS 1.3, bcrypt password hashing, firewall-restricted server access |
| Accountability | We maintain records of processing activities and respond to all GDPR requests |
3. Lawful Basis for Processing
| Processing activity | Lawful basis | Details |
|---|---|---|
| Running tool requests | Contract performance (Art. 6(1)(b)) | Necessary to provide the service you requested |
| Account management | Contract performance (Art. 6(1)(b)) | Necessary to manage your account and plan |
| Rate limiting | Legitimate interests (Art. 6(1)(f)) | Preventing abuse and ensuring fair service for all users |
| Security logging | Legitimate interests (Art. 6(1)(f)) | Detecting and preventing security threats |
| Payment processing | Contract performance (Art. 6(1)(b)) | Processing Pro/Team subscriptions via Stripe |
| Payment records retention | Legal obligation (Art. 6(1)(c)) | Required by EU tax law (7 years) |
| Analytics (aggregated) | Legitimate interests (Art. 6(1)(f)) | Privacy-preserving, cookieless Umami analytics |
| Transactional email | Contract performance (Art. 6(1)(b)) | Account verification, password reset only |
4. Your Rights Under GDPR
- Right of access: request a complete copy of all personal data we hold about you.
- Right to rectification: correct inaccurate or incomplete personal data. Update from your dashboard or contact us.
- Right to erasure: request deletion of your personal data. Delete your account from the dashboard for immediate erasure.
- Right to restriction of processing: request that we limit how we process your data while a dispute is resolved.
- Right to data portability: receive your personal data in a structured, machine-readable format (JSON).
- Right to object: object to processing based on legitimate interests. We will stop unless we have compelling grounds.
- Right to withdraw consent: withdraw consent at any time without affecting the lawfulness of prior processing.
- Automated decision-making: we do not make automated decisions with significant effects on individuals.
To exercise any right, email contact@infinium.tools with subject "GDPR Request - [Right]". We respond within 30 days. No fee applies. We may ask you to verify your identity before processing the request.
5. International Data Transfers
Our primary server is located in Frankfurt, Germany (EU). However, some sub-processors are based outside the EU:
| Sub-processor | Location | Transfer mechanism | Purpose |
|---|---|---|---|
| Anthropic (Claude AI) | USA | Standard Contractual Clauses (SCCs) | AI tool processing |
| Stripe | USA/EU | EU-US Data Privacy Framework | Payment processing |
| Google (OAuth) | USA | EU-US Data Privacy Framework | Optional login method |
| Zoho Mail | EU | No transfer (EU-based) | Transactional email |
| DigitalOcean | EU (Frankfurt) | No transfer (EU-based) | Server hosting |
All international transfers are governed by appropriate safeguards under GDPR Chapter V.
6. Data Protection Measures
Technical measures
- TLS 1.3 encryption for all data in transit
- Bcrypt password hashing (passwords never stored in plain text)
- SHA-256 hashing for API keys
- IP addresses stored only as one-way hashes for rate limiting
- Server access restricted by firewall (no public SSH access)
- Regular security dependency audits
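The two hashing measures above (SHA-256 for API keys, one-way hashes of IP addresses for rate-limit counters) are easy to get subtly wrong, so here is an added, self-contained Python illustration of how a service can implement them. This is example code written for this page, not InfiniUm Tools' own implementation; the key prefix `ik_`, the `ApiKeyStore` and `RateLimiter` classes, and the secret `IP_HASH_KEY` are constructed for the example. One design point it makes explicit: an API key is a long random secret, so a plain SHA-256 digest is an adequate one-way store for it (unlike a human-chosen password, which needs bcrypt as the page says), whereas the IPv4 space is small enough to hash exhaustively, so the IP pseudonym is computed with a keyed HMAC rather than a bare hash. Using a keyed hash for IPs is the example's choice, not something the page states.

```python
import hashlib
import hmac
import secrets

# Constructed secret for the example only; a deployment would load it from a
# secret store and rotate it, which also invalidates all stored IP pseudonyms.
IP_HASH_KEY = b"example-only-secret-key-do-not-use"


def generate_api_key() -> str:
    """Create a high-entropy API key. Only its SHA-256 digest is persisted."""
    return "ik_" + secrets.token_urlsafe(32)


def hash_api_key(api_key: str) -> str:
    """Unsalted SHA-256 is fine here because the key has ~256 bits of entropy;
    an attacker who steals the hash table cannot brute-force the inputs."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """Maps API-key digests to user ids; the plaintext key is never stored."""

    def __init__(self) -> None:
        self._hashes: dict[str, str] = {}  # sha256 hex digest -> user id

    def issue(self, user_id: str) -> str:
        key = generate_api_key()
        self._hashes[hash_api_key(key)] = user_id
        return key  # shown to the user once; not retained server-side

    def lookup(self, presented: str):
        # Hash the presented key and look the digest up; the caller only ever
        # learns whether the digest matched, never the stored digest itself.
        return self._hashes.get(hash_api_key(presented))


def pseudonymise_ip(ip: str, key: bytes = IP_HASH_KEY) -> str:
    """Keyed one-way hash of an IP address (HMAC-SHA256).

    A bare SHA-256 of an IPv4 address is reversible by hashing all ~4.3 billion
    candidates, so the secret key is what makes this one-way in practice."""
    return hmac.new(key, ip.encode("utf-8"), hashlib.sha256).hexdigest()


class RateLimiter:
    """Fixed-window counter keyed by IP pseudonym; raw IPs are never kept."""

    def __init__(self, limit: int, window_seconds: int = 24 * 3600) -> None:
        self.limit = limit
        self.window = window_seconds
        self._counters: dict[str, tuple[float, int]] = {}  # pseudonym -> (window start, count)

    def allow(self, ip: str, now: float) -> bool:
        pid = pseudonymise_ip(ip)
        start, count = self._counters.get(pid, (now, 0))
        if now - start >= self.window:       # window elapsed: start a fresh one
            start, count = now, 0
        if count >= self.limit:
            self._counters[pid] = (start, count)
            return False
        self._counters[pid] = (start, count + 1)
        return True

    def purge_expired(self, now: float) -> int:
        """Drop counters older than the window (the page's 24-hour retention)."""
        expired = [p for p, (start, _) in self._counters.items() if now - start >= self.window]
        for p in expired:
            del self._counters[p]
        return len(expired)


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue("user-42")
    print("issued key:", key, "-> resolves to", store.lookup(key))
    limiter = RateLimiter(limit=3, window_seconds=10)
    for t in range(5):
        print("request", t, "allowed:", limiter.allow("203.0.113.5", 1000.0 + t))
```

The rate limiter stores only the HMAC pseudonym, so a dump of its state contains no IP address, and because counters are purged once the window has passed, retention matches the stated 24-hour limit without a separate deletion job.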
Organisational measures
- Minimal data collection by design (privacy by default)
- Tool inputs are not logged or stored after processing
- Server logs automatically purged after 7 days
- AI Prompt Privacy tool operates 100% client-side (no data reaches our servers)
- Privacy-first analytics (Umami: cookieless, no cross-site tracking)
7. Data Breach Procedure
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Art. 33 GDPR)
- Notify affected users without undue delay if the breach is likely to result in high risk to their rights (Art. 34 GDPR)
- Document the breach, its effects, and remedial actions taken
If you discover or suspect a security vulnerability, please report it responsibly to contact@infinium.tools.
8. Contact & Complaints
InfiniUm Tools (Data Controller)
Website: infinium.tools
We respond to all GDPR requests within 30 days.
You also have the right to lodge a complaint with your national data protection authority. In the EU, you can find your national authority at edpb.europa.eu.
For general privacy information, see our full Privacy Policy.