Privacy Notice for RepoArc Agent
Version: 2026-03-17
This privacy notice provides information about the processing of personal data when using the RepoArc Agent instance made available under this domain.
1. Controller
The controller responsible for data processing is:
repoarc.com - Hannes Kühl
c/o Online-Impressum #7820
Europaring 90
53757 St Augustin
Germany
Email: contact@repoarc.com
A data protection officer is currently not appointed, unless a legal obligation to appoint one applies.
2. General information on data processing
RepoArc Agent processes personal data only to the extent necessary for providing the website, using workspaces, technical operation, communication with users, and optional analysis and optimization functions. The information obligations regarding purposes, legal bases, recipients, storage periods, and data subject rights arise in particular from Art. 13 GDPR.
Usage counters and quota data may also be processed in order to provide the assistant function in an economically and technically controlled manner.
3. Browser-local storage
When using the website and the product, certain information is stored or read locally in the browser. This may include in particular language settings, the assignment to a previously used workspace, acknowledged notices, and technically required product states.
Browser-local storage is carried out, insofar as it is required for providing the expressly requested function, on the basis of Section 25 (2) no. 2 TDDDG. Insofar as personal data is processed in this context, the subsequent processing is carried out on the basis of Art. 6 (1) lit. b GDPR or Art. 6 (1) lit. f GDPR, insofar as this is required for providing the service and for stable, consistent product operation.
Browser-local information expires 365 days after the last visit to the website, unless deleted earlier by the user or the browser.
If the browser-local storage is deleted or expires, a previously used workspace may no longer be found automatically.
4. Workspace metadata
When using RepoArc Agent, workspace metadata is processed server-side. This includes in particular the workspace name, workspace ID, creation and modification timestamps, consent states, job and run states, and further technical product and diagnostic data required for operation, resuming work, and product stability.
The processing is carried out for the purpose of providing the product, resuming work states, technical error analysis, abuse detection, and system security. The legal basis is Art. 6 (1) lit. b GDPR, insofar as the processing is necessary to provide the requested functions, and additionally Art. 6 (1) lit. f GDPR for secure and stable operation of the instance.
Workspace metadata is generally stored until the respective workspace is deleted. Deletion is performed automatically by a job:
- in anonymous use after 30 days of inactivity,
- when an email address for recovery has been provided and verified, after 365 days of inactivity.
Deletion of the workspace means the actual removal of the associated workspace data and not merely deactivation.
5. Recovery email
Users may optionally provide an email address for workspace recovery. The email address is used exclusively for verification and for workspace recovery. Before use, verification is carried out by means of a code sent to the provided email address.
The processing is carried out on the basis of Art. 6 (1) lit. b GDPR, insofar as it serves the requested recovery function. An external email service provider is used for sending the verification email.
The stored recovery email address is completely removed when the workspace is deleted. Verification codes remain valid for a maximum of 15 minutes. Technical delivery and error metadata may be stored for up to 7 days, insofar as this is necessary for delivery analysis, abuse prevention, and error correction.
6. Assistant requests for service provision
When you use the assistant, the content you enter is processed to perform the requested function. This may include in particular prompt content, system context, responses, request metadata, timestamps, and technical runtime data, and may be transmitted to integrated AI service providers.
The processing is carried out for the purpose of handling your request, generating responses, system security, abuse detection, and technical error analysis. The legal basis is Art. 6 (1) lit. b GDPR for providing the requested assistant function and additionally Art. 6 (1) lit. f GDPR for security and stability of operations.
The OpenAI API is currently used for the assistant function. According to the current OpenAI documentation, data transmitted to the API is not used by default for training or improving OpenAI models unless an explicit opt-in has been enabled.
7. Usage counters and quota enforcement
For the purpose of controlling and enforcing daily and weekly usage limits for the assistant function, technical usage and consumption data is processed. This may include in particular the number of chat messages or requests, timestamps, workspace references, status information on quota usage, and technically required verification and blocking markers.
The processing is carried out for the purpose of cost control, providing a stable and fairly usable service, preventing abuse, and technically enforcing product-related usage limits.
The legal basis is Art. 6 (1) lit. b GDPR insofar as the processing is required for providing the assistant function within the intended product model, and additionally Art. 6 (1) lit. f GDPR based on the legitimate interest in economically sustainable, stable, and abuse-resistant operation of the instance.
The corresponding usage and consumption data is generally stored only for as long as necessary for quota verification, delimitation of the relevant daily or weekly period, abuse detection, and technical traceability. Unless longer retention is exceptionally required for investigating abuse or security incidents, this data is deleted or anonymized after the end of the relevant reference period or once the processing purpose no longer applies.
8. Optional product improvement and quality evaluation
In addition to the actual provision of the assistant, assistant requests may be stored and evaluated locally in order to assess and improve product quality. This concerns in particular prompt content, response times, and, in the future, potentially voluntary feedback such as “thumbs up” or “thumbs down”.
This processing is carried out only on the basis of your separate consent pursuant to Art. 6 (1) lit. a GDPR. Consent is optional and can be withdrawn at any time with effect for the future. Use of the product’s core function is not dependent on this consent. The consent requirements arise from the GDPR; for any additional storage/evaluation of non-essential data, a separate, freely given consent is the most robust design.
If corresponding consent has been granted, the following storage periods apply:
- raw assistant content for quality evaluation and prompt optimization: 90 days,
- derived quality metrics such as response times, error types, or aggregated quality data: 365 days.
9. Web analytics with Google Analytics
This website may use Google Analytics for reach measurement and usage analysis. Google provides for the transmission of consent signals and the use of Consent Mode for Analytics. In a privacy-compliant implementation, tags should only be loaded after consent has been obtained; in the basic variant of Consent Mode, no data is transmitted to Google before user interaction.
Google Analytics is used exclusively on the basis of your consent pursuant to Art. 6 (1) lit. a GDPR and, insofar as information is stored on or read from your device, on the basis of Section 25 (1) TDDDG. Without your consent, Google Analytics will not be loaded.
You may withdraw consent once granted at any time with effect for the future via the consent banner or the corresponding privacy settings.
10. Server, error, and security logs
When accessing the website and using the product, technical log data may be processed. This includes in particular IP address, date and time of access, requested resource, status codes, browser/user-agent data, and technical error and security information.
The processing is carried out for the purpose of providing, stabilizing, and securing the system, as well as detecting abuse and analyzing errors. The legal basis is Art. 6 (1) lit. f GDPR.
Server, error, and security logs are generally deleted or anonymized after 14 days, unless they are exceptionally required for longer to investigate specific security or abuse incidents.
11. Contact
If you contact us, for example by email, the data you provide will be processed to handle your request. This includes in particular names, contact details, the content of your message, and any attached documents.
The processing is carried out on the basis of Art. 6 (1) lit. b GDPR, insofar as the contact serves the initiation or performance of a legal relationship, otherwise on the basis of Art. 6 (1) lit. f GDPR.
12. Recipients of personal data
Recipients of personal data may in particular include:
- netcup as hosting provider,
- OpenAI as provider of the API used for assistant requests,
- Mailgun as provider for sending verification and system emails,
- Google in the context of Google Analytics, provided corresponding consent has been given.
This description for Netcup applies on the assumption that a server location in Germany has been selected for this instance. Netcup operates data center locations including, but not limited to, Nuremberg.
13. Third-country transfers and data processing agreements
Insofar as personal data is transferred to service providers outside the EU/EEA or access from there cannot be excluded, this is done only under the legal requirements of Art. 44 et seq. GDPR. OpenAI provides a Data Processing Addendum; OpenAI describes the processing of customer data under this DPA. Mailgun also provides data protection and DPA documentation. Google Analytics provides contractual Data Processing Terms.
Insofar as service providers process personal data on your behalf, the requirements for processors under Art. 28 GDPR must additionally be observed. These contractual arrangements should be fully concluded before live operation.
14. Obligation to provide data
As a rule, you are not legally obliged to provide personal data. However, without certain technical or content-related information, individual functions, in particular workspace use, recovery, or assistant use, may not be provided in whole or in part. Art. 13 GDPR requires corresponding information.
15. Automated decisions
Automated decision-making within the meaning of Art. 22 GDPR currently does not take place.
16. Data subject rights
Subject to the statutory requirements, you have the right to access, rectification, erasure, restriction of processing, data portability, and to object to processing based on Art. 6 (1) lit. e or lit. f GDPR. Consent granted may be withdrawn at any time with effect for the future. You also have the right to lodge a complaint with a data protection supervisory authority. These rights arise from the GDPR.
17. Updates to this privacy notice
This privacy notice may be updated if product functions, service providers, processing operations, or legal requirements change. The version published on this website in each case shall apply.