Drall

Privacy Policy (Datenschutzerklärung)

Last updated: March 2026

1. Introduction

At Drall, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. By using Drall, you agree to the collection and use of information in accordance with this policy.

The controller responsible for data processing is:
TNT Ventures GmbH
Venloer Str. 240, 50823 Köln, Deutschland
Email: hello@tntventures.de

2. Data We Collect

2.1 Account Data

When you create an account, we collect your email address and firm information. This data is necessary for contract performance (Art. 6(1)(b) GDPR).

2.2 Engagement Data

Data you provide during consulting engagements — business descriptions, documents, feedback, and chat messages — is processed to deliver our services. This data is stored in our database hosted in the EU (Frankfurt).

2.3 AI Processing

Your engagement data is processed by AI language models (OpenAI, Anthropic) to generate analysis, deliverables, and recommendations. These providers have Data Processing Agreements (DPAs) in place and do not use your data submitted via API access for training purposes.

2.4 Usage Data

We automatically collect information about your interaction with the Service: engagement progress, document uploads, agent invocations, and timestamps of activities.

3. How We Use Your Information

3.1 Performance of Contract

  • To provide and maintain the consulting workbench
  • To process your documents and generate deliverables
  • To track engagement progress and phase executions
  • To provide AI-powered analysis and recommendations

3.2 Legitimate Interests

  • To improve our service and develop new features
  • To analyze usage patterns and optimize the experience
  • To prevent fraud and ensure platform security

4. Sub-processors

Provider  | Purpose                                | Location
Supabase  | Database, authentication, file storage | EU (Frankfurt)
Vercel    | Application hosting                    | EU / US
OpenAI    | AI language model processing           | US (DPA in place)
Anthropic | AI language model processing           | US (DPA in place)
Tavily    | Web search for research workflows      | US (DPA in place)
LangSmith | AI observability and debugging         | US (DPA in place)

5. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our service providers are located. When we transfer personal data from the EEA to other countries, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all service providers
  • Technical and organizational security measures

6. Data Security

We implement appropriate technical and organizational security measures:

  • Encryption in transit (HTTPS/TLS) and at rest
  • Secure authentication via Supabase Auth with password hashing
  • Row-level security policies in our database
  • Role-based access control (firm roles and client roles)
  • Rate limiting to prevent abuse
  • Input validation and sanitization

7. Your Rights (GDPR)

If you are a resident of the EEA, UK, or Switzerland, you have the following rights:

  • Access — request copies of your personal data (Art. 15 GDPR)
  • Rectification — request correction of inaccurate data (Art. 16 GDPR)
  • Erasure — "right to be forgotten" (Art. 17 GDPR)
  • Restrict processing — limit how we use your data (Art. 18 GDPR)
  • Data portability — receive your data in a structured format (Art. 20 GDPR)
  • Object — object to processing for certain purposes (Art. 21 GDPR)
  • Withdraw consent — where we rely on consent, withdraw at any time
  • Lodge a complaint — file a complaint with your local data protection authority

To exercise these rights, use the account settings in the application or email hello@tntventures.de. We will respond within 30 days as required by GDPR.

8. Data Export and Deletion

You can export all your data at any time via Settings → Export Data. You can delete your account and all associated data via Settings → Delete Account. Deletion is cascading and permanent.

9. Cookies

We use strictly necessary cookies for authentication and session management (Supabase auth cookies). No tracking or advertising cookies are used. See our cookie consent banner for details.

10. Data Retention

  • Account Data — retained while your account is active and for 90 days after deletion
  • Engagement Data — retained while your account is active
  • Documents — retained until deleted by the user or upon account deletion
  • Audit Logs — retained for 2 years for security and compliance

When data is no longer needed, we securely delete or anonymize it. You may request earlier deletion by contacting us, subject to legal retention requirements.

11. AI Processing Disclosure

We use artificial intelligence to power the consulting workflows. This includes:

  • Document analysis and embedding generation
  • Structured deliverable creation across engagement phases
  • Quality review gate evaluation
  • Web research and knowledge base matching

These automated processes are designed to augment professional consulting work. All AI-generated outputs should be reviewed by qualified professionals before use in business decisions.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy and, for significant changes, sending an email notification. Changes are effective when posted on this page.

13. Contact

For privacy-related inquiries:
Email: hello@tntventures.de
Company Information: View Imprint