Privacy Policy

punku.ai | Last Updated: March 19, 2026

Scope: This Privacy Policy applies to punku.ai (the website) and the PUNKU SaaS platform (the Service). It covers personal data we process as a data controller. Where we process personal data on behalf of our B2B customers as a data processor, a separate Data Processing Agreement (Art. 28 GDPR) governs that processing (see Section 14).

1. Controller / Responsible Party

The controller within the meaning of the GDPR and other applicable data protection laws is:

PUNKU GmbH

c/o Campus Founders, Bildungscampus 1

74076 Heilbronn, Germany

Email: info@punku.ai

Website: www.punku.ai

2. Data Protection Officer

PUNKU GmbH has designated a Data Protection Officer. You can contact them at:

Data Protection Officer / Datenschutzbeauftragter

PUNKU GmbH, c/o Campus Founders, Bildungscampus 1

74076 Heilbronn, Germany

Email: datenschutz@punku.ai

3. Overview and Legal Bases

We process personal data only to the extent necessary and on the basis of at least one of the following legal grounds under Art. 6(1) GDPR:

  • Art. 6(1)(a) - Consent: you have given clear, informed consent for a specific purpose (e.g. analytics cookies, marketing emails).
  • Art. 6(1)(b) - Contract performance: processing is necessary to provide the Service you have subscribed to (e.g. account management, billing).
  • Art. 6(1)(c) - Legal obligation: processing is required to comply with a statutory obligation (e.g. invoice retention under § 257 HGB / § 147 AO).
  • Art. 6(1)(f) - Legitimate interests: processing is necessary for our legitimate interests, balanced against your rights (e.g. security monitoring, fraud prevention, product analytics with PostHog). You have the right to object - see Section 20.

Where we rely on legitimate interests, we carry out a balancing test. You may request details of that test by writing to datenschutz@punku.ai.

4. Website Usage Data

When you visit punku.ai, our web server automatically records standard access log data.

Server / Access Logs

Data collected: IP address (anonymised after 7 days), browser type, operating system, referring URL, pages visited, date and time of access, HTTP status code
Purpose: Ensure website security and stability; diagnose and fix technical errors
Legal basis: Art. 6(1)(f) - legitimate interests in secure and stable website operation
Retention: 7 days for the full IP address; aggregated logs up to 90 days
Recipients: AWS (hosting infrastructure)

5. Contact and Inquiries

When you contact us via email, the contact form, or other channels, we process the data you provide to respond to your inquiry.

Contact / Support Inquiries

Data collected: Name, email address, company name, message content, and any attachments you provide
Purpose: Respond to and process your inquiry; maintain records of correspondence
Legal basis: Art. 6(1)(b) for pre-contractual or contractual inquiries; Art. 6(1)(f) for general inquiries
Retention: 3 years from last contact, unless a longer period applies because of an ongoing contract
Recipients: Google Workspace (email), HubSpot (CRM for business inquiries)

6. Account Registration and Subscription

To use the PUNKU Service, you must create an account. We process the data you provide during registration and throughout your subscription.

Account and Subscription Data

Data collected: Name, business email address, company name, billing address, subscription plan, account settings, login timestamps, and usage metadata (e.g. number of agents created, API calls)
Purpose: Create and manage your account; deliver the Service; enforce usage limits; communicate service-related notices
Legal basis: Art. 6(1)(b) - necessary for the performance of the contract
Retention: Duration of the contract plus 3 years after termination. Invoices are retained for 10 years under § 257 HGB.
Recipients: AWS (hosting), Stripe (billing), Atlassian Jira (issue tracking), Slack (internal communications)

7. Payment Processing

We use Stripe to process all subscription payments. We do not store full payment card details on our servers.

Payment Data

Data collected: Name, billing address, email, subscription amount and frequency, transaction IDs, and the last four digits of the payment method (stored by Stripe)
Purpose: Process subscription payments, issue invoices, handle refunds and disputes
Legal basis: Art. 6(1)(b) - contract performance; Art. 6(1)(c) - legal obligation for invoice retention
Retention: Transaction records and invoices: 10 years (§ 257 HGB / § 147 AO)
Recipients: Stripe, Inc. (payment processor - USA, SCCs in place)

Stripe data processing: Stripe processes payment data in the USA. This transfer is governed by Standard Contractual Clauses (Art. 46(2)(c) GDPR). See stripe.com/privacy for details.

8. Marketing and CRM (HubSpot)

We use HubSpot to manage our customer relationships and, where you have opted in, to send marketing communications.

Marketing / CRM Data

Data collected: Name, business email address, company name, job title, interaction history (emails opened, links clicked, page visits via HubSpot tracking), notes from sales conversations
Purpose: Manage customer and prospect relationships; send service announcements; send marketing emails to opted-in contacts; track the sales pipeline
Legal basis: Art. 6(1)(b) for existing customers (service communications); Art. 6(1)(a) consent for marketing emails to non-customers; Art. 6(1)(f) for B2B prospect outreach
Opt-out: Unsubscribe via the link in any email or by emailing hello@punku.ai
Retention: Active contacts: duration of the relationship. Unsubscribed contacts: email address retained on a suppression list indefinitely to honour the opt-out.
Recipients: HubSpot, Inc. (USA, SCCs in place)

9. Product Analytics (PostHog)

We use PostHog to understand how users interact with the Service, identify usability issues, and prioritise product improvements.

Product Analytics Data

Data collected: Pseudonymous user ID, feature usage events, session duration, browser and device type, geographic region (country level), error events
Purpose: Understand product usage patterns; improve the Service; identify and fix bugs; measure feature adoption
Legal basis: Art. 6(1)(f) - legitimate interests in improving the Service. Data is pseudonymised and does not include message content.
Opt-out: Contact hello@punku.ai or adjust the settings in your account
Retention: 90 days for individual session data; aggregated/anonymised analytics retained indefinitely
Recipients: PostHog, Inc. (EU-hosted instance, eu.posthog.com)

10. Website Analytics (Google Analytics)

We use Google Analytics 4 on the punku.ai website to measure traffic and marketing effectiveness.

Google Analytics Data

Data collected: Anonymised IP address, pages visited, session duration, traffic source, device/browser type. Stored via the _ga and _ga_* cookies.
Purpose: Measure website traffic; evaluate marketing campaigns; identify popular content
Legal basis: Art. 6(1)(a) - consent via the cookie banner. Analytics cookies are only set after you accept them.
Opt-out: Decline via the cookie banner, or install the Google Analytics Opt-out Add-on: tools.google.com/dlpage/gaoptout
Retention: 14 months (Google Analytics default)
Recipients: Google LLC (USA, SCCs and EU-U.S. DPF certification)

11. Cookie Policy

Cookies are small text files stored on your device by your browser. We use cookies to ensure the website functions correctly, remember your preferences, and (with your consent) analyse usage.

11.1 Strictly Necessary Cookies

These cookies are required for the website to function and cannot be switched off. They include session management, authentication tokens, and your cookie consent preference. No consent is required for these.

11.2 Analytics Cookies (Consent Required)

Cookie | Provider | Duration | Purpose
_ga | Google Analytics | 13 months | Identifies unique visitors for session and campaign tracking
_ga_* | Google Analytics | 13 months | Stores and counts page views
ph_* | PostHog | 1 year | Pseudonymous product analytics (Service users only)

11.3 Managing Cookie Preferences

You can update your cookie preferences at any time via the Cookie Settings button in the website footer. You may also manage cookies via your browser:

  • Chrome: Settings → Privacy and security → Cookies
  • Firefox: Settings → Privacy & Security
  • Safari: Preferences → Privacy
  • Edge: Settings → Cookies and site permissions

Cookie consent management is provided by CookieYes (Civic Technologies). See cookieyes.com/privacy-policy for their privacy policy.

12. AI Model Processing

The PUNKU Service enables you to build AI agents that call third-party language model APIs. When your AI agents run, input data (prompts) and output data (model responses) may be transmitted to our AI model provider partners.

AI Model API Data

Data transmitted: Prompts and context you configure in your agents; output generated by the AI models. We do not intentionally transmit special categories of personal data to AI model providers.
Purpose: Provide AI agent functionality as part of the Service
Legal basis: Art. 6(1)(b) - necessary for contract performance
Providers: Anthropic (Claude), OpenAI (GPT models), Google (Gemini). See anthropic.com/privacy, openai.com/privacy, cloud.google.com/privacy.
Your responsibility: As a B2B customer and data controller, you are responsible for ensuring that data you instruct PUNKU to process through AI models complies with applicable law, including the GDPR. You must have a lawful basis for any personal data included in prompts.
Retention: We do not retain AI model inputs or outputs beyond what is necessary to deliver the response (typically the session duration). The AI providers' own retention policies apply to their systems.

Important: Do not instruct AI agents to process special categories of personal data (health, financial, biometric, etc.) without first assessing compliance and obtaining appropriate consents from your end users.

13. Internal and External Communication Tools

We use the following tools for internal collaboration and external communications.

Communication Tools

Tools: Google Workspace (email), Slack (internal team), Twilio (messaging services)
Data processed: Email content and metadata; Slack messages; SMS/communication logs where applicable
Legal basis: Art. 6(1)(b) - contract performance; Art. 6(1)(f) - legitimate interests in business operations
Retention: Max. 3 years for routine correspondence; longer if required for legal or contractual reasons
Recipients: Google LLC, Salesforce/Slack Technologies, Twilio Inc. (all USA, SCCs in place)

14. Processing on Behalf of Our B2B Customers (Processor Role)

When our B2B customers use the PUNKU Service to process personal data of their own customers or end users, PUNKU GmbH acts as a data processor within the meaning of Art. 4(8) GDPR. In this capacity:

  • The B2B customer is the data controller and determines the purpose and means of processing.
  • PUNKU GmbH processes such data only on documented instructions from the customer.
  • This processing relationship is governed by a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR, which is available at punku.ai/privacy and is incorporated into our Terms of Service.
  • We implement appropriate technical and organisational measures to ensure the security of customer-controlled data.

If you are an end user of a business that uses the PUNKU platform and wish to exercise your GDPR rights, please contact that business directly (they are the data controller for your data). We will assist the controller in fulfilling data subject requests as required by our DPA.

15. International Data Transfers

Several of our subprocessors are located in the United States. The transfer of personal data to these subprocessors is governed by Standard Contractual Clauses (SCCs) adopted under Art. 46(2)(c) GDPR (Commission Implementing Decision (EU) 2021/914), supplemented by a Transfer Impact Assessment (TIA) where required. Additionally, some providers participate in the EU-U.S. Data Privacy Framework (DPF).

Subprocessor | Service | Location | Transfer Mechanism
Amazon Web Services | AWS (Hosting) | EU (Frankfurt) | Data stored in eu-central-1; no transfer outside the EU
Atlassian | Jira | USA / EU | SCCs + DPF certification
Google LLC | Google Workspace | USA / EU | SCCs + DPF certification
Salesforce / Slack | Slack | USA / EU | SCCs + DPF certification
GitHub (Microsoft) | GitHub | USA / EU | SCCs + DPF certification
Anthropic | Claude AI | USA | SCCs
OpenAI | OpenAI API | USA | SCCs + DPF certification
Google LLC | Gemini / Vertex AI | USA / EU | SCCs + DPF certification
Twilio | Twilio | USA / EU | SCCs + DPF certification
PostHog | PostHog | EU (eu.posthog.com) | EU-hosted instance; no transfer outside the EU
HubSpot | HubSpot CRM | USA / EU | SCCs + DPF certification
Stripe | Payment processing | USA / EU | SCCs + DPF certification
Civic Technologies | CookieYes | USA / EU | SCCs

You can obtain copies of the applicable SCCs by contacting datenschutz@punku.ai. The EU-U.S. Data Privacy Framework list is publicly available at dataprivacyframework.gov.

Last updated: March 12, 2026. This list is reviewed quarterly.

16. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy, or as required by applicable law.

Data Category | Retention Period | Legal Basis / Reason
Website server logs | 7 days (full IP); 90 days (aggregated) | Art. 6(1)(f) - security
Contact / support emails | 3 years from last contact | Art. 6(1)(b)/(f)
Account / subscription data | Contract term + 3 years | Art. 6(1)(b) - warranty/disputes
Invoices & billing records | 10 years | § 257 HGB / § 147 AO - Art. 6(1)(c)
Payment transaction data | 10 years | § 257 HGB / Art. 6(1)(c)
Marketing contacts (opted-in) | Until opt-out + 3 years | Art. 6(1)(a) consent
Unsubscribe / opt-out records | Indefinite (suppression list) | Art. 6(1)(c) - comply with opt-out
Product analytics (PostHog) | 90 days session data; aggregated indefinitely | Art. 6(1)(f)
GA analytics cookies | 13 months | Art. 6(1)(a) consent
AI model API data (prompts/responses) | Session only (not stored beyond delivery) | Art. 6(1)(b)
User Content (data export) | 30 days post-cancellation | Art. 6(1)(b) - contract
Security / fraud prevention logs | 1 year | Art. 6(1)(f)

When a retention period expires, data is securely deleted or irreversibly anonymised.

17. Security Measures (Technical and Organisational Measures)

We implement appropriate technical and organisational measures (TOMs) to protect personal data against unauthorised access, accidental loss, destruction, or alteration. These include:

  • Encryption in transit: all connections use TLS 1.2 or higher.
  • Encryption at rest: all data stored on AWS (eu-central-1) is encrypted using AES-256.
  • Access controls: role-based access control (RBAC); least-privilege principle; mandatory multi-factor authentication for all infrastructure access.
  • Network security: VPC isolation; firewall rules; intrusion detection monitoring.
  • Vulnerability management: automated dependency scanning (Dependabot / GitHub); regular penetration testing; responsible disclosure programme (security@punku.ai).
  • Data minimisation: we collect only the data necessary for each processing purpose.
  • Subprocessor due diligence: all subprocessors are contractually bound to maintain equivalent security standards.
  • Incident response: documented breach notification procedure, including notification of the supervisory authority within 72 hours (Art. 33 GDPR) and of affected data subjects where required (Art. 34 GDPR).

To report a security vulnerability, contact security@punku.ai. We will acknowledge within 48 hours.

18. Automated Decision-Making and Profiling

We do not make decisions about you based solely on automated processing (including profiling) that would produce legal or similarly significant effects, within the meaning of Art. 22 GDPR. Product analytics and usage data are used only to improve the Service and are reviewed by humans before any business decisions are made.

19. Children's Data

The Service is directed exclusively at businesses and professionals (B2B). We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have inadvertently collected personal data from a minor, we will delete it promptly. If you believe we hold data about a minor, please contact datenschutz@punku.ai.

20. Your Data Subject Rights

Under the GDPR, you have the following rights regarding your personal data. To exercise any right, contact datenschutz@punku.ai. We will respond within one calendar month (with a possible extension of two further months for complex requests, of which we will notify you).

Right of Access (Art. 15 GDPR)

You may request confirmation of whether we process your personal data, and if so, a copy of that data together with information about the processing (purposes, categories, recipients, retention periods, rights).

Right to Rectification (Art. 16 GDPR)

You may request correction of inaccurate personal data or completion of incomplete data. Many details can be updated directly in your account settings.

Right to Erasure / 'Right to be Forgotten' (Art. 17 GDPR)

You may request deletion of your personal data where: (a) it is no longer necessary for the purpose for which it was collected; (b) you withdraw consent and there is no other legal basis; (c) you object and we have no overriding legitimate interest; or (d) the data was processed unlawfully. This right does not apply where retention is required by law (e.g. 10-year invoice retention under HGB) or where the data is necessary for legal claims.

Right to Restriction of Processing (Art. 18 GDPR)

You may request that we restrict processing (i.e. store but not use) your data while we verify accuracy, consider your objection, or if processing was unlawful but you prefer restriction over erasure.

Right to Data Portability (Art. 20 GDPR)

Where processing is based on consent or contract and carried out by automated means, you may request your personal data in a structured, commonly used, machine-readable format (JSON or CSV), and have it transmitted to another controller where technically feasible. Applies to data you actively provided (account data, usage data).

Right to Object (Art. 21 GDPR)

You may object at any time to processing based on Art. 6(1)(f) legitimate interests, including profiling. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or where processing is needed for legal claims. You have an absolute right to object to direct marketing (including profiling for marketing). We will stop immediately on receipt of your objection.

Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. Use the unsubscribe link in marketing emails, adjust cookie settings via the cookie banner, or email datenschutz@punku.ai.

Identity verification: To protect your personal data, we may need to verify your identity before processing a rights request. We will not charge a fee for reasonable requests, but may charge a reasonable fee or refuse manifestly unfounded or excessive requests (Art. 12(5) GDPR).

21. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data violates the GDPR (Art. 77 GDPR).

As PUNKU GmbH is established in Baden-Württemberg, the competent supervisory authority is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW)

Königstraße 10a

70173 Stuttgart, Germany

Phone: +49 (0) 711 615541-0

Email: poststelle@lfdi.bwl.de

Website: www.baden-wuerttemberg.datenschutz.de

You may also lodge a complaint with the supervisory authority in the EU member state of your habitual residence or place of work.

22. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes (e.g. new processing purposes, new categories of data, or new international transfers), we will:

  • Update the “Last Updated” date at the top of this page;
  • Notify registered users by email at least 30 days before the change takes effect; and
  • Where required by law, obtain fresh consent for new consent-based processing activities.

The current version is always available at punku.ai/privacy.

23. Contact

Privacy / Data Protection Queries

Email: datenschutz@punku.ai

General: info@punku.ai

Security vulnerabilities: security@punku.ai

PUNKU GmbH, c/o Campus Founders, Bildungscampus 1, 74076 Heilbronn, Germany

Last updated: March 19, 2026

German Version (Summary)

The full Privacy Policy is the English version above. The following summary reproduces the essential information required under Art. 13/14 GDPR.

I. Controller

PUNKU GmbH, c/o Campus Founders, Bildungscampus 1, 74076 Heilbronn.

Email: info@punku.ai

II. Data Protection Officer

Email: datenschutz@punku.ai (see Section 2 of the English version)

III. Purposes of Processing and Legal Bases

We process your personal data on the following legal bases:

  • Art. 6(1)(a) GDPR - Consent (e.g. cookies, newsletter)
  • Art. 6(1)(b) GDPR - Contract performance (account management, payment processing)
  • Art. 6(1)(c) GDPR - Legal obligation (bookkeeping under the HGB)
  • Art. 6(1)(f) GDPR - Legitimate interests (security, product analytics)

IV. Recipients and Third-Country Transfers

We use processors (AWS, Google, Stripe, HubSpot, PostHog, OpenAI, Anthropic and others). Transfers to the USA are based on Standard Contractual Clauses (Art. 46(2)(c) GDPR). The full list can be found in Section 15 of the English version.

V. Your Rights (Art. 15–21 GDPR)

You have the right to: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), objection (Art. 21) and withdrawal of consent (Art. 7(3)). Please send requests to datenschutz@punku.ai.

VI. Right to Lodge a Complaint

Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW)

Königstraße 10a, 70173 Stuttgart

www.baden-wuerttemberg.datenschutz.de

VII. Automated Decision-Making

We do not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR that would produce legal or similarly significant effects on you.

© 2026 PUNKU GmbH. All rights reserved.