Privacy Policy

1. Data Controller

The controller within the meaning of the GDPR is:

Mandu Studios AI Solutions
Rasmus Tumert
— address to be added —
Germany
Email: [email protected]

2. Purposes and Legal Bases

We process personal data for the following purposes:

• Website operation: Logging of technically necessary server data (IP address, browser, timestamp) for the secure operation of the site. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in secure operation).
• B2B business contact: Research of publicly accessible company data (legal notices, websites, industry directories) and outreach to prospective business customers. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in B2B direct marketing as per Recital 47 GDPR) and § 7 (2) no. 2 UWG for first contact with companies (presumed interest).
• Personalised analysis pages: Generation of individual AI analyses for researched companies. Pages are not indexed publicly and only accessible via a company-specific link. Legal basis: Art. 6 (1) (f) GDPR.
• AI-assisted phone calls: Outbound calls are conducted by an AI-powered phone assistant. The AI nature of the call is disclosed at the start of the conversation pursuant to Art. 50 EU AI Act. Call recordings are stored only with explicit consent (Art. 6 (1) (a) GDPR). Without consent, no recording takes place; only a text-based transcript is kept for quality control and deleted after 30 days.
• Email outreach: Sending contact emails to business addresses in a B2B context. Every email contains a working one-click unsubscribe link pursuant to Art. 21 (2) GDPR.
• Responding to enquiries: Processing of emails, phone calls, and contact form submissions addressed to us. Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures) or (f) GDPR.

3. Data Sources

Unless you contact us directly, the data we process comes exclusively from publicly accessible sources: the legal notice of the respective company website, public industry and commercial directories (e.g. commercial register, Yellow Pages), the job board of the German Federal Employment Agency, and public business social networks (LinkedIn, Xing).

4. Recipients / Processors

We transfer personal data to the following processors (Art. 28 GDPR) solely for fulfilling the purposes listed above:

• Telnyx LLC (USA/EU) — Voice and AI telephony services. Data transfer to the USA on the basis of EU Standard Contractual Clauses.
• Mailgun Technologies, Inc. (USA/EU) — Email sending, deliverability tracking. Data transfer to the USA on the basis of EU Standard Contractual Clauses.
• OpenAI, L.L.C. (USA) — Processing of conversation transcripts and prompts for language models (gpt-4o-mini). Data transfer to the USA on the basis of EU Standard Contractual Clauses.
• Deepgram, Inc. (USA) — Speech-to-text (STT). Data transfer to the USA on the basis of EU Standard Contractual Clauses.
• Cal.com (self-hosted, Germany) — Appointment bookings. Data you enter into the booking form is stored on our own server in Germany (Hetzner).
• Hetzner Online GmbH (Germany) — Server hosting.
• Cloudflare, Inc. (USA/EU) — CDN, DNS and tunnel proxy for public domains. Processes IP address, browser user agent, and request headers as technically necessary transport metadata on every page load. Data transfer to the USA on the basis of EU Standard Contractual Clauses.

5. Retention Period

We store personal data only for as long as necessary for the respective purposes or as required by statutory retention periods. Call transcripts and call metadata are deleted after a maximum of 90 days, email interaction data after a maximum of 180 days. Objections to marketing (Art. 21 (2) GDPR) and entries in our internal suppression list are stored indefinitely to the extent necessary to enforce the objection (Art. 17 (3) (e) GDPR).

6. Cookies and Tracking

This website uses only strictly necessary cookies and storage accesses required for site operation (§ 25 (2) no. 2 TTDSG). No consent is required for this.

On personalised analysis pages, we collect anonymised page views (view count, scroll depth, CTA clicks) to measure the effectiveness of our direct outreach. This processing takes place only after your explicit consent via our cookie banner (§ 25 (1) TTDSG, Art. 6 (1) (a) GDPR). Without consent, no tracking data is transmitted to our servers. You can withdraw your consent at any time with effect for the future by reopening the cookie banner (link in the footer).

7. Your Rights as a Data Subject

You have the following rights:

• Access to stored data (Art. 15 GDPR)
• Rectification of inaccurate data (Art. 16 GDPR)
• Erasure of your data (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection to processing (Art. 21 GDPR) — in particular against direct marketing. An objection results in immediate inclusion in our permanent suppression list. An informal email to [email protected] is sufficient.
• Withdrawal of consent (Art. 7 (3) GDPR)
• Lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority is the data protection authority of your state of residence.

8. Automated Decision-Making

We use AI systems for prioritisation and formulation of initial contacts. Automated decision-making with legal effect within the meaning of Art. 22 GDPR does not take place — all contract-relevant decisions are made by a human. Pursuant to Art. 50 EU AI Act, we explicitly disclose at the start of every AI-conducted phone call that you are speaking with an artificial intelligence.

9. Suppression List

To effectively and permanently implement your objection to further contact, we maintain an internal suppression list containing phone numbers, email addresses, and domains that may not be contacted again. The legal basis for the continued storage of these suppression markers is Art. 17 (3) (b) GDPR (compliance with a legal obligation).