Book a Demo
← Back to Home

Privacy Policy

Last Updated: November 21, 2025

1. Controller

The controller responsible for data processing on this website is:

pi-optimal UG (limited liability)
Unter den Linden 15
72762 Reutlingen
Germany

Managing Director: Jochen Luithardt
Commercial Register: Stuttgart District Court HRB 797217
Email: hello@pi-optimal.com

Data Protection Officer: No data protection officer has been appointed as the legal requirements for this do not apply (fewer than 20 employees regularly engaged in data processing).

Website: This privacy policy applies to pi-automate.com
Company Website: pi-optimal.com

2. General Information on Data Processing

The protection of your personal data is very important to us. We process your data exclusively on the basis of legal provisions (GDPR, BDSG, TTDSG). This privacy policy informs you about the most important aspects of data processing within the scope of our website.

Personal Data

Personal data is all information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR). This includes in particular name, email address, IP address, and usage behavior.

Purpose of This Privacy Policy

This privacy policy informs you about the type, scope, and purpose of the processing of personal data within our online offering and the associated websites, functions, and content (hereinafter collectively referred to as "online offering" or "website").

Target Audience

Our service is aimed exclusively at business customers (B2B) in Germany and the European Union. We do not target consumers (B2C) or users outside the European Economic Area.

Scope

This privacy policy applies to the website pi-automate.com and all associated services. Separate contracts and privacy provisions apply to our early access users with active accounts.

3. Hosting and Technical Infrastructure

3.1 Microsoft Azure Hosting

Our website and services are hosted on Microsoft Azure servers. The provider is Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter "Azure").

Server Locations:

  • Web Hosting: Azure West Europe (Netherlands) and Germany West Central
  • Language Model Processing: Azure Sweden Central
  • All servers are located within the European Union

Processed Data:

  • IP address of the accessing computer
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status/HTTP status code
  • Amount of data transferred in each case
  • Website from which the request comes (referrer)
  • Browser and operating system

Purpose: The processing is necessary to provide the website, ensure system security, and defend against attacks.

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in providing and securely operating our website).

Storage Duration: Server log files are stored for a maximum of 90 days and then automatically deleted.

Data Transfer: All servers are located in the European Union. No transfer to third countries occurs. Microsoft Azure processes data on our behalf under a standard Data Processing Agreement (DPA) in accordance with Art. 28 GDPR.

3.2 Azure Content Delivery Network (CDN)

We use Azure CDN to deliver website content faster and more reliably. All resources (fonts, scripts, stylesheets) are hosted on our own Azure CDN infrastructure.

Processed Data: IP address (for routing purposes only), requested resources, technical access data (browser, timestamp)

Purpose: Fast and reliable delivery of website content, improvement of loading times.

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in providing a fast, reliable website).

Special Note: We host all resources (including fonts) on our own CDN. No data is shared with external providers like Google Fonts or external CDNs.

Storage Duration: CDN logs are stored for a maximum of 90 days.

3.3 Azure OpenAI Service (GPT-5 Processing)

When you create workflow automations on our website (demo or after early access signup), your inputs are processed by Azure OpenAI Service, which uses GPT-5. Processing takes place on Azure servers in Sweden Central (EU).

Processed Data: Your workflow description and inputs, technical metadata (timestamp, session ID), IP address (for rate limiting)

Purpose: Generation of workflow automations based on your requirements, rate limiting to prevent abuse, understanding user needs to improve our product

Legal Basis: Art. 6(1)(b) GDPR (contract performance or pre-contractual measures) if you have signed up for early access; Art. 6(1)(f) GDPR (legitimate interest) for public demo usage

Storage Duration: Demo workflows (public demo): Stored for 12 months for product improvement purposes, then deleted. Early access workflows: Retained according to your early access agreement. IP addresses for rate limiting: Deleted after 7 days.

Third-Party Access: The data is processed exclusively by Azure OpenAI Service. Microsoft does not use the data to train GPT models or for any other purposes beyond providing the service to us.

4. Early Access Waitlist and Contact

4.1 Public Demo (No Signup Required)

You can test our workflow automation demo without registering or providing personal information. However, for technical and security purposes, we collect minimal data during demo usage.

Processed Data: IP address (for rate limiting only), workflow descriptions you create in the demo, timestamp and session metadata

Purpose: Prevent abuse and ensure fair usage (rate limiting), understand user needs to improve our product, provide the demo service

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in providing a secure demo service and improving our product).

Storage Duration: IP addresses: 7 days. Workflow descriptions: 12 months (for product improvement), then deleted.

No Account Creation: Using the public demo does not create an account and does not require you to provide personally identifiable information.

4.2 Early Access Waitlist Registration

When you register for our Early Access Waitlist via the contact form, we collect and store the data you provide to process your request and inform you about early access opportunities.

Processed Data: Name, email address, company name (if provided), workflow descriptions or use case information (if provided), timestamp of registration

Purpose: Processing your early access request, sending information about early access availability, contacting you regarding your specific use case, evaluating fit for early access program

Legal Basis: Art. 6(1)(b) GDPR (pre-contractual measures), Art. 6(1)(f) GDPR (legitimate interest in responding to your request and managing our early access program)

Storage Duration: Until early access program launch or 24 months after registration, whichever comes first. If you join the early access program: Governed by separate early access agreement. If you decline or don't respond: Deleted after 24 months. You can request deletion at any time.

Email Communication:
We use our self-built email system to send you:

  • Confirmation of your waitlist registration
  • Updates on early access availability
  • Product information relevant to your use case

You can unsubscribe from these communications at any time by:

  • Clicking the unsubscribe link in any email
  • Emailing hello@pi-optimal.com
  • Your data will be deleted upon unsubscribe request

Recipients: Your data is received and processed exclusively by pi-optimal UG. We use our own self-built systems for email and data storage. No data is shared with third-party email service providers or marketing platforms.

4.3 Contact Form

Our contact form allows you to reach us directly. The form is self-built and sends inquiries directly to hello@pi-optimal.com.

Processed Data: Name, email address, message content, timestamp, IP address (for spam prevention)

Purpose: Processing your inquiry and responding to your questions.

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries).

Storage Duration: General inquiries: 3 years or until you request deletion. Business inquiries that lead to contracts: Subject to statutory retention periods (6-10 years under HGB/AO).

Technical Implementation: The contact form is built into our website and sends emails directly to our business email. No third-party form services are used.

5. Web Analytics with Plausible Analytics

We use Plausible Analytics, a privacy-friendly web analytics tool, to analyze and improve the use of our website. Plausible is self-hosted on our own Azure infrastructure.

Special Features of Plausible:

  • ✓ No cookies are set
  • ✓ No collection of personal data
  • ✓ IP addresses are not stored
  • ✓ No data sharing with third parties
  • ✓ 100% GDPR compliant
  • ✓ Self-hosted on our own servers

Processed Data: Pages visited, referrer (where the visitor came from), browser and operating system (anonymized), device type (desktop, mobile, tablet), country (derived by temporarily processing the IP address to determine location; the IP address itself is NOT stored)

Purpose: Analysis of user behavior to improve the website, detection of technical problems, optimization of user experience, understanding which features are most used

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in analyzing and improving our website).

Storage Duration: Aggregated, anonymous statistics are stored indefinitely. Since no personal data is collected, there is no privacy risk.

No Cookies or Consent Required: Since Plausible does not use cookies and does not store personal data, no consent is required under § 25 TTDSG. No cookie banner is needed.

Self-Hosted: Unlike cloud-based analytics services, we host Plausible on our own Azure infrastructure, ensuring that no data leaves our control or is shared with third parties.

6. Cookies and Tracking Technologies

What Are Cookies?

Cookies are small text files that are stored on your device by your browser. Cookies cannot execute programs or transfer viruses to your computer.

Use of Cookies

Our website uses cookies for marketing purposes only with your consent. When you first visit our website, you will see a cookie consent banner where you can choose to accept or reject marketing cookies.

Technically Necessary Cookies

Some cookies are technically necessary for providing our website functionality. These cookies are:

  • Session cookies (deleted when you close your browser)
  • Authentication cookies (for early access users with active accounts)
  • Security cookies (CSRF protection, rate limiting)
  • Consent storage (remembers your cookie preferences for 365 days)

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in providing secure website functionality) and § 25(2) No. 2 TTDSG (technical necessity).

Google Ads and Conversion Tracking

We use Google Ads for online advertising. To measure the success of our advertising campaigns, we use Google Conversion Tracking. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Purpose: Measuring the effectiveness of our advertisements and optimizing our marketing campaigns.

Data Processed:

  • Click and conversion data
  • Device and browser information
  • Anonymized user IDs

Legal Basis: Art. 6(1)(a) GDPR (consent). Google Ads tracking is only activated after you give consent via our cookie banner.

Google Consent Mode v2: We use Google Consent Mode v2 to transmit your privacy settings to Google. If you do not consent to cookies:

  • No cookies are set by Google
  • Only anonymized, non-personal data is collected to a limited extent (so-called "cookieless pings")
  • Your ad click information is redacted

Data Transfer: Google may transfer data to the USA. The transfer is based on standard contractual clauses of the EU Commission and Google's certification under the EU-U.S. Data Privacy Framework.

More Information:

LinkedIn Insight Tag (Prepared, Not Active)

We may use the LinkedIn Insight Tag in the future for conversion tracking. This service is provided by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. The LinkedIn Insight Tag is currently not active on our website. If we activate it, this privacy policy will be updated accordingly.

Your Cookie Settings

You can manage your cookie preferences at any time:

  • The cookie banner will reappear if you clear your browser data
  • You can delete cookies in your browser settings
  • You can contact us at hello@pi-optimal.com to withdraw consent

Please note that disabling all cookies may limit some website functionality.

Withdrawal of Your Consent

You can withdraw your consent to the use of marketing cookies at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

7. Newsletter and Direct Marketing

We currently do not send marketing newsletters.

If you register for the Early Access Waitlist, we will send you:

  • Transactional emails (confirmation of registration)
  • Important updates about early access availability
  • Product information directly relevant to your indicated use case

These are NOT marketing emails. They are directly related to your early access request.

Unsubscribe: You can unsubscribe from early access communications at any time by:

  • Clicking the unsubscribe link in any email
  • Emailing hello@pi-optimal.com with your unsubscribe request
  • Your waitlist data will be deleted upon unsubscribe

8. Your Rights as a Data Subject

Under the GDPR, you have the following rights:

8.1 Right of Access (Art. 15 GDPR)

You have the right to obtain information about the data we store about you. This includes in particular: the processing purposes, the categories of personal data, the recipients or categories of recipients, the planned storage duration, the existence of a right to rectification, deletion, restriction, or objection, the existence of a right to complain, the origin of the data if it was not collected from us, the existence of automated decision-making including profiling.

8.2 Right to Rectification (Art. 16 GDPR)

You have the right to request the correction of incorrect or the completion of incomplete data.

8.3 Right to Erasure (Art. 17 GDPR)

You have the right to request the deletion of your personal data if: the data is no longer necessary for the purposes for which it was collected, you have withdrawn your consent and there is no other legal basis, you have objected to the processing and there are no overriding legitimate grounds, the data was processed unlawfully, deletion is necessary to fulfill a legal obligation.

Deletion may be refused if statutory retention obligations (e.g., HGB, AO: typically 6-10 years for business records) or other justification grounds exist.

8.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request the restriction of the processing of your personal data if: the accuracy of the data is disputed by you (during verification), the processing is unlawful and you decline deletion, we no longer need the data, but you need it to assert, exercise, or defend legal claims, you have objected to the processing (pending verification of overriding legitimate grounds).

8.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format (e.g., JSON, CSV) and to transmit that data to another controller.

This applies to: early access waitlist data, workflow descriptions you created, contact form inquiries.

8.6 Right to Object (Art. 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR.

Special Right for Direct Marketing: You have the right to object at any time to processing of your personal data for direct marketing purposes, without stating reasons.

8.7 Right to Withdraw Consent (Art. 7(3) GDPR)

If the processing is based on your consent, you have the right to withdraw this consent at any time. The lawfulness of the processing carried out until the withdrawal remains unaffected.

How to Withdraw: Send an email to hello@pi-optimal.com stating your withdrawal.

8.8 Right to Complain (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data. The supervisory authority responsible for us is:

The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart
Germany
Phone: +49 711 615541-0
Email: poststelle@lfdi.bwl.de
Website: www.baden-wuerttemberg.datenschutz.de

Exercising Your Rights

To exercise your rights, please contact: hello@pi-optimal.com

Response Time: We will respond to your request without undue delay and in any event within one month of receipt. If necessary, this period may be extended by two further months, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request.

Identity Verification: To protect your privacy, we may ask you to verify your identity before processing your request.

9. Data Security

We take the protection of your personal data very seriously and implement appropriate technical and organizational measures to protect your data against accidental or intentional manipulation, loss, destruction, or unauthorized access.

Encryption

Transport Encryption: We use TLS/SSL encryption (Transport Layer Security / Secure Socket Layer) for all data transmitted between your browser and our servers. You can recognize encrypted connections by: the "https://" in the address bar, the lock symbol in your browser's address bar.

Encryption Standard: We support TLS 1.2 and TLS 1.3 with strong cipher suites. As a rule, we use 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit encryption as a fallback.

Storage Encryption: Data stored on Azure servers is encrypted at rest using Azure Storage Service Encryption with 256-bit AES encryption.

Technical Security Measures

Our security measures include:

  • Network Security: Firewalls, DDoS protection, intrusion detection systems
  • Access Controls: Role-based access control (RBAC), multi-factor authentication for team access
  • Monitoring: Continuous security monitoring, automated alerts for suspicious activities
  • Updates: Regular security updates and patches for all systems
  • Rate Limiting: Protection against brute-force attacks and abuse
  • CSRF Protection: Cross-Site Request Forgery protection for all forms
  • Input Validation: Strict validation and sanitization of all user inputs

Organizational Security Measures

  • Access Restrictions: Only authorized employees (2-5 people, all in Germany/EU) have access to personal data
  • Confidentiality: All team members are bound by confidentiality agreements
  • Training: Regular data protection training for all team members
  • Incident Response: Documented procedures for responding to data breaches
  • Regular Audits: Periodic review of security measures and compliance

Azure Security

Microsoft Azure provides enterprise-grade security including: ISO 27001, ISO 27018, SOC 2 certifications, physical security of data centers, redundancy and backup systems, 99.9% availability SLA.

Security Improvements

Our security measures are continuously improved in accordance with technological developments and threat landscapes. We regularly review and update our security practices.

10. No Disclosure to Third Parties

We do not sell, rent, or otherwise disclose your personal data to third parties for purposes other than those explicitly stated in this privacy policy.

When We Share Data

We only disclose your data to third parties if:

  • You have given explicit consent (Art. 6(1)(a) GDPR)
  • Legal obligation (Art. 6(1)(c) GDPR) - e.g., response to court orders
  • Contract performance (Art. 6(1)(b) GDPR) - e.g., if you become a customer and we need to share data with payment processors
  • Legitimate interests (Art. 6(1)(f) GDPR) - e.g., legal defense, fraud prevention

Data Processors (Art. 28 GDPR)

We use the following data processors who process data on our behalf:

Microsoft Azure

  • Service: Cloud hosting, CDN, language model processing
  • Location: European Union (Netherlands, Germany, Sweden)
  • Legal Basis: Standard Data Processing Agreement (DPA) under Art. 28 GDPR
  • Processing: Hosting, content delivery, language model inference

Google Ireland Limited

  • Service: Google Ads conversion tracking
  • Location: Ireland (with possible data transfer to USA under EU-U.S. Data Privacy Framework)
  • Legal Basis: Consent (Art. 6(1)(a) GDPR) via cookie banner
  • Processing: Conversion tracking, ad performance measurement

No Other Third Parties: We do NOT use: email marketing services (we use our own system), external analytics services (Plausible is self-hosted), external CDN services (Azure CDN only), CRM services, chat services, social media pixels.

Self-Built Systems

We deliberately built our own systems for: email automation, contact forms, data storage, analytics (hosting Plausible ourselves).

This means: We maintain complete control over your data and do not share it with third-party service providers.

11. Data Transfer to Third Countries

We do NOT transfer your personal data to third countries (countries outside the European Economic Area – EEA).

Current Status

All services and data processing occur exclusively within the European Union:

  • Hosting: Azure West Europe (Netherlands) and Germany West Central
  • Language Model Processing: Azure Sweden Central
  • CDN: Azure CDN (EU regions)
  • Team: All team members (2-5 people) are located in Germany/EU

Microsoft Azure

While Microsoft Corporation is a US company, we have contractually ensured that: all data is stored and processed on Azure servers in the EU, Microsoft processes data only on our behalf (data processor under Art. 28 GDPR), Standard Contractual Clauses (SCCs) are in place as additional safeguard, no access from US authorities under CLOUD Act (data stays in EU).

Future Changes

Should a data transfer to third countries become necessary in the future, this will only occur: with your express consent (Art. 6(1)(a), Art. 49(1)(a) GDPR), or on the basis of an adequacy decision by the EU Commission (Art. 45 GDPR), or using appropriate safeguards such as EU Standard Contractual Clauses (Art. 46 GDPR).

We will inform you and update this privacy policy before implementing any such changes.

12. No Automated Decision-Making or Profiling

We do NOT use automated decision-making (including profiling) as defined in Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.

What This Means

  • We do not make automated decisions about your early access eligibility
  • We do not create profiles for marketing or advertising purposes
  • We do not use scoring systems
  • No automated systems make decisions about you without human review

Language Model Usage Clarification

While we use Azure OpenAI Service (GPT-5) to generate workflow automation suggestions:

  • This is done at your explicit request (you initiate the workflow generation)
  • The system provides suggestions only, which you can freely accept, modify, or reject
  • No automated decisions are made about you
  • The system does not evaluate or score you
  • Human review is always involved for early access decisions

Demo Analytics

The analysis of demo usage (understanding which workflows users create) is performed on aggregated, anonymized data and does not involve individual profiling or automated decision-making about specific users.

13. Protection of Minors

Our service is aimed exclusively at business customers (B2B) and is not intended for use by individuals under 18 years of age.

We do not knowingly collect personal data from persons under 16 years of age. Persons under 16 years of age should not transmit personal data to us without the consent of their parents or legal guardians.

If we become aware that we have collected personal data from a person under 16 without parental consent, we will delete that data promptly.

If you believe we may have collected data from a minor, please contact us immediately at hello@pi-optimal.com.

14. Changes to This Privacy Policy

We reserve the right to adapt this privacy policy to comply with current legal requirements or to reflect changes to our services.

When We Update

This privacy policy may be updated when: legal requirements change (new GDPR guidance, court decisions), we add new services or features, we change data processing practices, we receive feedback that clarifies needed improvements.

How We Notify You

  • Significant Changes: We will announce significant changes prominently on our website and/or via email to early access waitlist members
  • Minor Updates: Minor clarifications or formatting changes will be updated without notice
  • Date: The "Last Updated" date at the top of this document shows when the last change was made

Your Responsibility

For your next visit to our website, the new privacy policy will apply. We recommend reviewing this privacy policy periodically.

Archive

Previous versions of this privacy policy are available upon request at hello@pi-optimal.com.

15. Contact for Privacy Questions

If you have questions about the collection, processing, or use of your personal data, or regarding information, correction, restriction, or deletion of data, as well as revocation of consents granted, please contact:

pi-optimal UG (limited liability)
Data Privacy Inquiries
Jochen Luithardt
Unter den Linden 15
72762 Reutlingen
Germany

Email: hello@pi-optimal.com
Company Website: pi-optimal.com
Product Website: pi-automate.com

Response Time: We will respond to privacy inquiries within 30 days.

Additional Resources:

  • Imprint - Legal information about pi-optimal UG

16. Supervisory Authority Contact

For complaints or concerns about data protection, you can also contact the responsible supervisory authority directly:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart
Germany

Phone: +49 711 615541-0
Fax: +49 711 615541-15
Email: poststelle@lfdi.bwl.de
Website: www.baden-wuerttemberg.datenschutz.de

Note: This privacy policy has been prepared with the utmost care based on current GDPR requirements. However, it does not constitute legal advice. For specific legal questions, we recommend consulting a qualified attorney specialized in data protection law.

Effective Date: This privacy policy is effective as of the date stated at the top of this document.