Legal
Privacy Policy
Last updated: March 2026
1. Controller
The data controller responsible for your personal data is:
No data protection officer has been appointed, as the requirements under Art. 37 GDPR are not met. For data protection matters, contact us at: hello@firstdemand.io
2. Data we collect
2.1 Account data
When you create an account, we collect your name, email address, and a hashed password. If you sign up via GitHub or Google OAuth, we receive your name and email from those providers. We do not receive your OAuth password.
2.2 Project data
When you use firstdemand, we store the project intake data you provide — your product description, target audience, goals, and any landing page URL you submit. We also store the AI-generated outputs (diagnosis, channel recommendations, playbook, assets) associated with your projects.
AI request inputs and model outputs are logged internally via Langfuse, a self-hosted observability tool running on our own infrastructure in Frankfurt, Germany (Hetzner). These logs are used exclusively for debugging and quality improvement and are not shared with any third party.
2.3 Payment data
Payments are processed by Polar (POLAR SOFTWARE INC.), our Merchant of Record. We do not store your credit card number or billing address. We receive order status, product type, and a transaction ID from Polar for order fulfillment and audit purposes.
2.4 Technical data
We store session tokens, IP addresses, and user agent strings as part of our authentication system. These are deleted when a session expires (30-day TTL).
2.5 Marketing consent
If you opt in during signup, we record your consent to receive product updates and marketing emails. We store the consent flag and timestamp. Marketing emails are dispatched via Listmonk, a self-hosted mailing tool running on our own infrastructure in Frankfurt, Germany (Hetzner). Your email address and consent record are stored on that server and are not transmitted to any third-party email marketing platform. You can withdraw consent at any time by emailing hello@firstdemand.io.
3. Legal basis (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)): Account data, project data, and session data are processed to deliver the service you signed up for.
- Legitimate interest (Art. 6(1)(f)): Technical data (IP address, user agent) is processed for security, fraud prevention, and debugging.
- Consent (Art. 6(1)(a)): Marketing emails are sent only if you explicitly opted in at signup. You may withdraw consent at any time.
4. Data sharing
We share your data with the following third parties, who act as data processors under contract with us:
| Service | Purpose | Location |
|---|---|---|
| Neon (PostgreSQL) | Database hosting | EU (Frankfurt, AWS eu-central-1) |
| Vercel | Application hosting, CDN, and serverless functions | USA (CDN edge global); serverless functions in EU (Frankfurt) and USA |
| Amazon SES | Transactional email | EU (eu-central-1) |
| OpenAI | AI generation — diagnosis and utility steps (project data processed) | USA (SCCs apply) |
| OpenRouter | AI inference gateway — playbook and asset generation steps (project data processed) | USA (SCCs apply) |
| Upstash | Redis — rate-limit counters (session IDs and IP addresses processed) | EU (Frankfurt, AWS eu-central-1) |
| Polar | Payment processing | EU |
We do not sell your data. We do not share your data with advertisers.
For transfers to the USA (Vercel, OpenAI, OpenRouter), we rely on Standard Contractual Clauses (SCCs) as the legal transfer mechanism under GDPR Art. 46(2)(c). More information: vercel.com/legal/privacy-policy
5. Retention
We retain your data for as long as your account is active. If you delete your account (see Section 7), all personal data is permanently deleted immediately, including projects, results, and session records.
Payment records may be retained for up to 10 years to satisfy German commercial law retention obligations (§ 257 HGB, § 147 AO), even after account deletion. These records contain only transaction metadata (amount, date, product type) and no payment instrument data.
Anonymous URL-level diagnosis cache entries (not linked to any user) are automatically purged after 14 days.
6. Your rights (GDPR Art. 15–22)
You have the following rights regarding your personal data:
- Access (Art. 15): Request a copy of all data we hold about you.
- Portability (Art. 20): Export your data as machine-readable JSON from Account settings.
- Rectification (Art. 16): Correct inaccurate personal data.
- Erasure (Art. 17): Delete your account and all associated data from Account settings.
- Restriction (Art. 18): Request that we restrict processing of your data.
- Objection (Art. 21): Object to processing based on legitimate interest.
- Withdraw consent (Art. 7(3)): Withdraw marketing consent at any time with no effect on the lawfulness of prior processing.
To exercise any right, email hello@firstdemand.io. We will respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority. The authority responsible for us is: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Postfach 20 04 44, 40102 Düsseldorf. www.ldi.nrw.de
7. Account deletion
You can permanently delete your account at any time from the Account settings page. Deletion is immediate and irreversible. All projects, results, and session data are deleted via cascade. See Section 5 for the exception on payment record retention.
8. Web Analytics (Umami)
We use Umami, a privacy-friendly open-source analytics tool that runs on our own self-hosted infrastructure in the EU.
Umami does not collect any personal data. Specifically:
- No cookies are set
- No IP addresses are stored
- No cross-device tracking takes place
- No fingerprints are created
- No data is shared with third parties
Umami collects exclusively aggregated, anonymous usage statistics such as page views, session duration, and country of origin (derived from the IP address, which is not stored). Since no personal data is processed, neither consent nor a cookie banner is required.
9. Cookies
We use two cookies, both strictly necessary for authentication:
- better-auth.session_token: authenticates your session. Expires in 30 days.
- better-auth.last_used_login_method: remembers which login method (email, GitHub, or Google) you last used, so the login form can pre-select it. Contains no personal data beyond the method name (e.g. "github"). Persists until cleared.
We do not use tracking cookies, analytics cookies, or third-party advertising cookies. Because we use only strictly necessary cookies, no cookie consent banner is required under German law (TTDSG § 25(2)).
10. Changes to this policy
We will notify you by email (if you have an account) of any material changes to this privacy policy. The latest version is always available at this URL.