Privacy Policy

1. Introduction and Scope

helpful bits GmbH ("CrispDemo," "we," "us," or "our") is committed to protecting your privacy and ensuring transparent data processing practices in full compliance with the General Data Protection Regulation (GDPR) and German data protection laws.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the CrispDemo desktop video editing application, website, and related services (collectively, the "Service").

By using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

The data controller responsible for your personal data is:

As the data controller, helpful bits GmbH determines the purposes and means of processing your personal data and is responsible for ensuring compliance with applicable data protection laws.

3. Territorial Scope and Geolocation Controls

This Privacy Policy applies to data subjects located in the European Union (EU) and European Economic Area (EEA). We employ geolocation technologies to verify user location and apply appropriate data protection frameworks.

Users located outside the EU/EEA are subject to our U.S. Privacy Policy and are not covered by GDPR protections unless they are EU/EEA residents temporarily located elsewhere.

4. GDPR Definitions

For purposes of this Privacy Policy:

• "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) GDPR.
• "Processing" means any operation performed on personal data, including collection, recording, storage, use, disclosure, erasure, or destruction, as defined in Article 4(2) GDPR.
• "Controller" means the entity that determines the purposes and means of processing personal data (Article 4(7) GDPR) - in this case, helpful bits GmbH.
• "Processor" means an entity that processes personal data on behalf of the Controller (Article 4(8) GDPR).
• "Consent" means any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes (Article 4(11) GDPR).
• "Data Subject" means an identified or identifiable natural person to whom personal data relates.

5. Categories of Personal Data We Collect

5.1 Account and Authentication Data

• Email address: For account creation, authentication, and communications
• OAuth tokens: Securely stored tokens for authentication with third-party providers (Apple, Google)
• Device identifier: Unique identifier for your device to enable secure authentication
• Authentication state: Temporary session data for OAuth flows

5.2 Usage and Service Data

• Prompts and templates: Custom prompts you create or save from the community
• Knowledge base entries: Documents, notes, and content you upload to your knowledge base
• Context associations: Links between prompts/knowledge and specific applications
• AI model preferences: Your selected AI providers and model configurations
• Usage statistics: Credit consumption, feature usage metrics, API call counts
• Billing data: Payment status, credit balance, transaction history

5.3 Content and Input Data

• Video project files: Video, audio, and image files you use in projects (stored locally)
• Voice recordings: Audio files from voice dictation for chat inputs (stored locally, transcribed via third-party services)
• AI outputs: Edited video content and text generated by AI models (stored locally)
• Editing history: Record of AI-assisted video editing operations (stored locally)

5.4 Technical and Device Data

• Device information: Operating system version, device model, app version
• IP address: For geolocation verification and security purposes (not stored long-term)
• Log data: Error logs, crash reports, performance metrics
• Network information: Connection type, network provider (for optimization)

5.5 Analytics and Performance Data

• Feature usage patterns: Which features you use and how frequently
• Performance metrics: App load times, response latencies, error rates
• Session data: Session duration, feature interaction sequences

5.6 Communication Data

• Support correspondence: Email communications with customer support
• Feedback and surveys: Responses to feedback requests or user surveys

6. Legal Basis for Processing (Article 6 GDPR)

We process your personal data only when we have a valid legal basis under Article 6(1) GDPR:

6.1 Consent (Article 6(1)(a) GDPR)

We process certain data based on your explicit consent, including:

• Voice recordings for transcription and AI enhancement
• Analytics and performance monitoring (optional)
• Marketing communications (where applicable)
• Processing by third-party AI providers

You may withdraw consent at any time through the app settings. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.

6.2 Contract Performance (Article 6(1)(b) GDPR)

Processing is necessary to perform our contract with you (Terms of Service), including:

• Account creation and authentication
• Providing AI-powered features (video editing, voice dictation, video analysis)
• Syncing account settings and preferences
• Processing credit purchases
• Providing customer support

6.3 Legitimate Interests (Article 6(1)(f) GDPR)

Processing is necessary for our legitimate interests, provided these interests do not override your fundamental rights:

• Security and fraud prevention: Detecting and preventing unauthorized access, abuse, or fraudulent activity
• Service improvement: Analyzing usage patterns to enhance features and user experience
• Technical operations: Maintaining, troubleshooting, and optimizing the Service
• Business analytics: Understanding aggregate usage trends and business performance

You have the right to object to processing based on legitimate interests. See Section 15 for details.

6.4 Legal Obligations (Article 6(1)(c) GDPR)

Processing is necessary to comply with legal obligations, including:

• Tax and accounting requirements
• Response to lawful requests from authorities
• Data breach notification obligations
• Retention of data as required by law

7. Desktop Application Privacy

7.1 Local Data Storage

CrispDemo is designed with privacy-first principles. Most user data is stored locally on your computer using encrypted storage:

• Video project files: Stored only on-device, never transmitted to servers unless explicitly shared
• Editing history: Cached locally for undo/redo functionality
• Voice recordings: Stored temporarily on-device for dictation, automatically deleted after transcription
• Authentication tokens: Securely stored in the OS credential store

7.2 Video Project Privacy

The CrispDemo application operates with strict privacy controls:

• Project isolation: Each video project is contained within its own folder
• No automatic upload: Video files and project data remain on your device unless you explicitly export or share
• Limited network access: Network requests are made only when you explicitly trigger AI features (video analysis, agent editing, rendering)
• Sandboxed operation: The application operates with limited access to system resources outside your project folders

7.3 Cloud Sync Data

The following data is optionally synced to our EU-based servers:

• Account and authentication data
• AI model preferences
• Usage statistics (aggregated)
• Credit balance and billing status

Video projects and media files are never automatically synced to our servers.

7.4 Desktop Permissions

CrispDemo requests the following desktop OS permissions:

• File System Access: Required to read and write video project files
• Microphone: Required for voice dictation (you can deny and use text-only features)
• Network Access: Required to communicate with AI providers and our servers

You can manage permissions through your system settings at any time.

8. Data Sharing and Processors

8.1 Third-Party Processors

We engage the following categories of processors who process personal data on our behalf under strict data processing agreements (DPAs) compliant with Article 28 GDPR:

Cloud Infrastructure

• Hosting provider: EU-based servers for backend infrastructure (Germany/Netherlands)
• Database services: PostgreSQL database hosting in EU region
• CDN provider: Content delivery for website and static assets (EU nodes)

AI Service Providers

• OpenAI: GPT models for text generation and enhancement
• Google Cloud: Gemini models and Speech-to-Text API
• Anthropic: Claude models for AI processing
• xAI: Grok models for AI processing
• OpenRouter: Model routing across supported providers

See Section 9 for detailed information on third-party AI providers.

Analytics and Monitoring

• Error tracking: Crash reporting and error monitoring (EU region)
• Performance monitoring: App performance and latency tracking

Payment Processing

• Payment provider: Credit purchase processing (see payment provider's privacy policy)

8.2 Processor Obligations

All processors are contractually obligated to:

• Process data only on our documented instructions
• Ensure confidentiality of processing personnel
• Implement appropriate technical and organizational security measures
• Engage sub-processors only with our prior authorization
• Assist with data subject rights requests
• Delete or return data upon contract termination
• Demonstrate compliance with GDPR obligations

8.3 Subprocessor List

A current list of our subprocessors is available at: www.crispdemo.com/legal/eu/subprocessors

We will notify you of any changes to our subprocessor list with at least 30 days' notice, giving you the opportunity to object.

8.4 No Sale of Personal Data

We do not sell, rent, or trade your personal data to third parties for monetary consideration or other valuable consideration.

9. Third-Party AI Providers

9.1 AI Processing and Data Flow

When you use AI features (video editing, voice dictation, video analysis), your inputs are transmitted to third-party AI providers. This processing is based on your consent (Article 6(1)(a) GDPR) and contract performance (Article 6(1)(b) GDPR).

9.2 OpenAI

Models: GPT-4, GPT-4 Turbo, GPT-3.5 Turbo
Location: United States (international data transfer - see Section 10)
Data processed: Your text inputs and generated outputs
Retention: OpenAI retains API data for 30 days for abuse monitoring, then deletes (subject to their privacy policy)
Privacy Policy: https://openai.com/privacy

9.3 Google Cloud (Gemini)

Models: Gemini Pro, Gemini Flash
Location: EU region available; international transfer possible depending on configuration
Data processed: Text inputs, voice recordings (for Speech-to-Text), generated outputs
Retention: Google does not use customer data to train models; API data retention per Google Cloud terms
Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice

9.4 Anthropic (Claude)

Models: Claude 3 Opus, Claude 3 Sonnet, Claude 3 Haiku
Location: United States (international data transfer - see Section 10)
Data processed: Your text inputs and generated outputs
Retention: Anthropic retains API data for trust and safety purposes according to their privacy policy
Privacy Policy: https://www.anthropic.com/privacy

9.5 xAI (Grok)

Models: Grok family models
Location: United States (international data transfer - see Section 10)
Data processed: Your text inputs and generated outputs
Retention: Per xAI's data processing terms
Privacy Policy: https://x.ai/legal/privacy-policy

9.6 OpenRouter

Models: Routed access to partner models via OpenRouter
Location: United States (international data transfer - see Section 10)
Data processed: Your text inputs and generated outputs
Retention: Per OpenRouter's data processing terms
Privacy Policy: https://openrouter.ai/privacy

9.7 Your Control Over AI Providers

You can select which AI providers to use in the app settings. Some providers offer EU-region processing or enhanced privacy options. Consult each provider's privacy policy for details on their data practices.

10. International Data Transfers

10.1 Transfers to Third Countries

When you use third-party AI providers located outside the EU/EEA (OpenAI, Anthropic, xAI, OpenRouter in the United States), your personal data is transferred to countries that may not provide an equivalent level of data protection to the EU.

10.2 Transfer Mechanisms

We ensure appropriate safeguards for international transfers as required by Chapter V GDPR:

• Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (Decision 2021/914) with all processors outside the EU/EEA
• Adequacy Decisions: We transfer data to countries with adequacy decisions where available
• Supplementary Measures: We implement additional technical and organizational measures (encryption, data minimization, access controls) as recommended by the European Data Protection Board (EDPB)

10.3 U.S. Data Privacy Framework

Some of our processors participate in the EU-U.S. Data Privacy Framework. We verify framework participation and compliance for applicable processors.

10.4 Your Rights Regarding International Transfers

You have the right to:

• Request information about international transfers of your data
• Obtain a copy of the appropriate safeguards (SCCs) we use
• Object to specific international transfers (subject to contract performance requirements)

To exercise these rights, contact us at [email protected].

11. Data Retention Periods

We retain personal data only as long as necessary for the purposes for which it was collected or as required by law (Article 5(1)(e) GDPR - storage limitation principle).

After the retention period expires, personal data is securely deleted or anonymized so that it can no longer be attributed to you.

12. Security Measures

12.1 Technical and Organizational Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR:

Technical Measures

• Encryption in transit: TLS 1.3 for all data transmission
• Encryption at rest: AES-256 encryption for stored data
• Secure authentication: OAuth 2.0 with PKCE, token rotation, and secure token storage
• Access controls: Role-based access control (RBAC) for backend systems
• Network security: Firewalls, intrusion detection, and DDoS protection
• Secure development: Code reviews, security testing, and vulnerability scanning
• Data minimization: Local-first architecture minimizes server-side data storage

Organizational Measures

• Data protection by design: Privacy considerations integrated into product development
• Data protection by default: Privacy-friendly default settings
• Staff training: Regular data protection training for employees
• Confidentiality agreements: All employees sign confidentiality and data protection agreements
• Incident response plan: Documented procedures for data breach response
• Regular audits: Periodic security audits and assessments
• Vendor management: Due diligence on all processors and subprocessors

12.2 Your Security Responsibilities

You are responsible for:

• Maintaining the confidentiality of your account credentials
• Using strong, unique passwords
• Keeping your computer and application updated
• Reporting any security concerns or unauthorized access

13. Your GDPR Rights

As a data subject under GDPR, you have the following rights regarding your personal data:

13.1 Right of Access (Article 15 GDPR)

You have the right to obtain confirmation as to whether we process your personal data and, if so, access to the data and information about the processing, including:

• Purposes of processing
• Categories of personal data
• Recipients or categories of recipients
• Retention periods
• Your other GDPR rights
• The source of data not collected from you
• Existence of automated decision-making, including profiling

You can request a copy of your data in the app settings or by contacting [email protected].

13.2 Right to Rectification (Article 16 GDPR)

You have the right to obtain correction of inaccurate personal data and to have incomplete personal data completed. You can update your account information directly in the app settings.

13.3 Right to Erasure / "Right to be Forgotten" (Article 17 GDPR)

You have the right to request deletion of your personal data when:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed
• Erasure is required to comply with a legal obligation

You can delete your account and associated data in the app settings. Note that we may retain certain data as required by law (e.g., tax records).

13.4 Right to Restriction of Processing (Article 18 GDPR)

You have the right to request restriction of processing when:

• You contest the accuracy of the data (during verification)
• Processing is unlawful and you oppose erasure
• We no longer need the data but you need it for legal claims
• You have objected to processing (pending verification of legitimate grounds)

13.5 Right to Data Portability (Article 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON) and to transmit it to another controller when:

• Processing is based on consent or contract performance
• Processing is carried out by automated means

You can export your data (prompts, knowledge base, settings) using the export feature in the app.

13.6 Right to Object (Article 21 GDPR)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

For direct marketing, you have an absolute right to object at any time.

13.7 Right Not to be Subject to Automated Decision-Making (Article 22 GDPR)

We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you. AI processing is conducted at your explicit request for specific tasks.

13.8 Right to Withdraw Consent (Article 7(3) GDPR)

Where processing is based on consent, you have the right to withdraw consent at any time through the app settings. Withdrawal does not affect the lawfulness of processing before withdrawal.

13.9 How to Exercise Your Rights

To exercise any of these rights, you may:

• Use the privacy controls and export features in the app settings
• Email us at [email protected]
• Send a written request to helpful bits GmbH, Munich, Germany

We will respond to your request within one month. In complex cases, we may extend this by two additional months, and we will inform you of any such extension.

We may request additional information to verify your identity before fulfilling your request. Requests are generally free of charge, but we may charge a reasonable fee for manifestly unfounded or excessive requests.

14. Supervisory Authority and Complaints

14.1 Right to Lodge a Complaint (Article 77 GDPR)

You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

14.2 Lead Supervisory Authority

Our lead supervisory authority in Germany is:

14.3 Contact Us First

While you have the right to lodge a complaint directly with a supervisory authority, we encourage you to contact us first at [email protected] so we can address your concerns.

15. Detailed Legal Basis for Processing Activities

This table provides a detailed overview of our processing activities and their legal basis:

16. Cookies and Tracking Technologies

16.1 Website Cookies (TDDDG Compliance)

Our website (www.crispdemo.com) uses cookies and similar tracking technologies in compliance with the German Telecommunications-Telemedia Data Protection Act (TDDDG).

We use the following types of cookies:

• Strictly Necessary Cookies: Essential for website operation and security (no consent required under TDDDG §25(2))
• Functional Cookies: Remember your preferences and settings (consent-based)
• Analytics Cookies: Help us understand how visitors use our website (consent-based)

16.2 Desktop Application Tracking

The CrispDemo desktop application does not use cookies. We use OS-native storage mechanisms for application functionality. Analytics, if enabled, are collected with your consent.

16.3 Cookie Management

You can manage cookie preferences through our cookie banner on the website. You may also:

• Configure your browser to reject cookies
• Delete cookies through browser settings
• Use browser extensions to block tracking

Rejecting cookies may affect website functionality but will not impact desktop application features.

17. Children's Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16 without parental consent.

Users aged 16-17 may use the Service with parental consent and supervision. Parents or legal guardians may exercise GDPR rights on behalf of minors.

If we become aware that we have collected personal data from a child under 16 without proper parental consent, we will take steps to delete such information promptly.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. We will notify you of material changes by:

• Posting the updated Privacy Policy on our website and in the app
• Sending an email notification to your registered email address
• Displaying an in-app notification upon next login

For material changes that require consent under GDPR (e.g., new processing purposes), we will obtain your explicit consent before implementing the changes.

The "Last Updated" date at the top of this policy indicates when it was last revised. We encourage you to review this Privacy Policy periodically.

19. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

We aim to respond to all privacy inquiries within one month. In complex cases, we may extend this period by two additional months and will inform you of any such extension.

20. Data Breach Notification

20.1 Notification to Supervisory Authority

In the event of a personal data breach, we will notify the competent supervisory authority (BayLDA) within 72 hours of becoming aware of the breach, as required by Article 33 GDPR, unless the breach is unlikely to result in a risk to your rights and freedoms.

20.2 Notification to Data Subjects

If a data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, as required by Article 34 GDPR. The notification will include:

• The nature of the personal data breach
• The likely consequences of the breach
• Measures taken or proposed to address the breach
• Contact information for further inquiries

20.3 Breach Response Measures

We maintain an incident response plan that includes:

• Immediate containment and mitigation procedures
• Forensic investigation to determine breach scope and impact
• Notification to affected parties and authorities
• Implementation of remedial measures to prevent recurrence
• Documentation of all breach-related activities

21. California Privacy Rights (CPRA) - For California Residents

Note: This section applies only to California residents who may be using the Service. EU/EEA residents should refer to the GDPR provisions above.

21.1 CPRA Rights

If you are a California resident, you have the following rights under the California Privacy Rights Act (CPRA):

• Right to Know: Request information about categories and specific pieces of personal information we collect
• Right to Delete: Request deletion of your personal information
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt out of sale or sharing of personal information (we do not sell personal information)
• Right to Limit Use of Sensitive Personal Information: Limit use of sensitive personal information
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising CPRA rights

21.2 Notice of Collection

We collect the categories of personal information described in Section 5 of this Privacy Policy for the purposes described in Section 6 and Section 15.

21.3 No Sale or Sharing

We do not sell or share (for cross-context behavioral advertising) personal information as defined by the CPRA.

21.4 Exercising CPRA Rights

To exercise your CPRA rights, contact us at [email protected] or use the privacy controls in the app settings.

22. Additional Provisions

22.1 Data Protection Officer

We have appointed a Data Protection Officer (DPO) who can be reached at [email protected].

22.2 Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

22.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any choices you may have regarding your data.

22.4 Legal Disclosures

We may disclose personal data when required by law, court order, or legal process, or to protect our rights, property, or safety, or the rights, property, or safety of others.

22.5 Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) as required by Article 35 GDPR for processing activities that are likely to result in high risks to your rights and freedoms.

23. Effective Date and Governing Version

This Privacy Policy is effective as of January 1, 2025. If there are any conflicts between different language versions of this Privacy Policy, the English version shall prevail to the extent permitted by law.

Previous versions of this Privacy Policy are available upon request by contacting [email protected].