Privacy Policy

1. Controller

HNSK e.U.
Christoph Hanausek
Vienna, Austria
Email: hello@agenticchris.com

2. Principles

The protection of your personal data is of particular importance to us. We therefore process your data exclusively on the basis of statutory provisions (GDPR, Austrian Data Protection Act, TKG 2021).

3. Hosting

This website is hosted by Vercel Inc. (EU region). Vercel automatically processes technical access data (IP address, browser type, time of access) for the purpose of providing the website. Legal basis is Art. 6(1)(f) GDPR (legitimate interest).

4. Fonts

We exclusively use self-hosted fonts (via @fontsource). When you visit this website, no connections to external font servers (e.g. Google Fonts) are established.

5. Web Analytics

We use two complementary cookieless, privacy-friendly analytics solutions.

5.1 Vercel Web Analytics: integrated with our hosting provider Vercel. Cookieless, no user tracking, no personal data stored or shared with third parties.

5.2 Umami Analytics (self-hosted): we operate our own Umami instance at analytics.agenticchris.com (open source, EU-region data). Umami works fully cookieless and stores no IP addresses in plaintext. Instead, a daily-rotating salted hash (HASH_SALT) is generated which cannot be traced back to a specific person. We measure page views, time on page, device type, referrer domain and selected funnel steps (which industry was selected in the form, whether an instant preview was loaded, whether a source anchor was clicked). No names, email addresses, phone numbers or other identifying data are collected. Data is stored in the same EU database as our form submissions (Supabase, Frankfurt) within a separate "umami" schema. Legal basis is Art. 6(1)(f) GDPR (legitimate interest in aggregated funnel optimization). We respect the browser "Do-Not-Track" header — if your browser signals DNT, no tracking pixel is triggered.

6. Contact via email

If you contact us by email, the data you provide (email address, possibly name and message) will be stored by us for the purpose of processing the inquiry and in case of follow-up questions. Legal basis is Art. 6(1)(b) GDPR.

7. Online forms (Context, Friends, Discover Call)

When you fill out one of our online forms — "Optimization potentials" on /en/context/, the AI Agents nugget on /en/friends/, or the contact form on /en/discover-call/ — we process the data you provide (first and last name, email address, company, optionally phone number, as well as topic-specific form responses such as industry choice, selected optimization potentials, AI knowledge level and chosen metaphor) for the following purposes:

  • Delivery of the requested report or nugget by email and on a personalized status URL (legal basis: Art. 6(1)(b) GDPR — pre-contractual measures).
  • Preparation of a Discover Call, if you book one (legal basis: Art. 6(1)(b) GDPR).
  • Direct outreach with thematically relevant follow-up content (e.g. further reports, reminder of a Discover Call, industry-specific updates) in the sense of our legitimate interest in maintaining existing contacts (legal basis: Art. 6(1)(f) GDPR). You can object to this use at any time by sending us a short message at hello@agenticchris.com.

The data is stored encrypted in an EU GDPR-compliant database and processed exclusively by Christoph Hanausek (HNSK e.U.) and technical service providers (hosting, mail dispatch). The data will not be passed on to third parties for their marketing purposes.

7.4 AI processing via AWS Bedrock + Anthropic Claude

What we do: When you submit data on our funnel sub-pages ("/en/context/" and "/en/friends/"), parts of this data are transmitted to an AI processing service for the generation of the personalized instant preview, the detail report and the preparation of a Discover Call. We use Amazon Web Services (AWS) Bedrock with Anthropic Claude models, operated in the European Union.

EU region routing (data does not leave the EU): All AI processing takes place exclusively in 6 EU regions (Frankfurt, Dublin, Paris, Stockholm, Milan, Spain). Our inference profile setup technically guarantees that your data does not leave EU geography.

Three guarantees (contractually + technically assured):

  1. No storage: AWS Bedrock does not store prompts, inputs, outputs or tool data. Processing is transient (only for the generation process itself).
  2. No training on your data: Anthropic is not permitted under EULA Section B to use customer data for training its models. You retain all rights to your inputs and to the generated outputs.
  3. GDPR-compliant data processing agreement (DPA): Anthropic and AWS are engaged as processors within the meaning of Art. 28 GDPR. Both DPAs apply automatically.

What is transmitted to Anthropic:

  • Aggregated metrics (token counts, model IDs, request counts) — anonymized, no GDPR issue.
  • Prompt content and outputs are NOT transmitted to Anthropic — they remain transient in the Bedrock service.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures — you actively request an assessment) and Art. 6(1)(f) GDPR (legitimate interest — precise creation of your preview, reports and call preparation).

7.5 Local processing (Mac daemon + trigger files)

What we do: For detail report generation and nugget storytelling generation, a local daemon is used on the controller's working machine (Christoph Hanausek, HNSK e.U., Vienna). This daemon checks the database every 60 seconds for new requests and triggers the next steps of processing.

Local trigger files: For each new request, the daemon creates a short job file (Markdown format) in the encrypted data directory of the controller's machine. This file contains the form inputs required for further processing and serves as an audit trail. The trigger files are deleted after processing is complete (no later than 30 days).

Where this happens: Processing takes place entirely locally with the controller — no additional processor is involved here. The daemon communicates exclusively with our database (Supabase, EU region), the AI service (AWS Bedrock, EU region) and the mail server (Zoho EU). The Mac is operated with FileVault full-disk encryption.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures).

7.6 Human-in-the-loop approval flow (detail report)

What we do: Detail reports are not sent fully automatically. After the AI generation, a manual review step is performed by the controller (Christoph Hanausek), who checks the generated report for plausibility, tonality and factual accuracy before it is sent to you.

Why: This ensures that you do not receive a purely machine-generated assessment, but a result that has been reviewed at least once by a human before sending. This step is part of our quality assurance and at the same time a safeguard within the meaning of Art. 22 GDPR (no purely automated decision-making with significant impact).

What you notice: The instant preview (on the status URL directly after submission) is generated fully automatically, as it is only a first indication. The detail report only arrives once Chris has approved it — typically within 1–2 business days.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) + Art. 22(2)(a) GDPR (contractual performance with human oversight step).

7.7 Data processing agreements (processor list)

The following processors are engaged within the meaning of Art. 28 GDPR:

Provider | Purpose | Location / region | DPA
Anthropic, PBC | AI generation (Claude models) | USA / EU region routing | Anthropic DPA
Amazon Web Services EMEA SARL | AI hosting (Bedrock service) | Luxembourg / EU regions | AWS DPA
Vercel Inc. | Website and API hosting | USA / EU function region | Vercel DPA
Supabase, Inc. | Database hosting | EU region (Frankfurt) | Supabase DPA
Zoho Corporation B.V. | Mail dispatch and mail hosting | EU / worldwide | Zoho DPA
Notion Labs, Inc. | CRM database for lead management (first and last name, email, company, industry) | USA / Standard Contractual Clauses | Notion DPA + EU SCCs
Discord Inc. | Internal notification system (submission notification to controller, no user contact) | USA / Standard Contractual Clauses | Discord DPA + EU SCCs

All DPAs are permanently activated through our contractual relationships with the named providers. Access to the respective DPAs is available upon request.

7.8 Storage and deletion periods

Form submissions without booking a Discover Call: automatic deletion after 6 months without follow-up activity (no Discover Call booked, no mail correspondence).

Form submissions with booked Discover Call: retention in accordance with Austrian retention obligations for business records (BAO § 132: 7 years); deletion thereafter. Within this period, the data record remains maintained in the CRM (Notion) for follow-up activities.

Mail logs: mail dispatch logs (technical delivery receipts) are stored for 90 days by the mail provider (Zoho).

Trigger files (local): job files on the controller's working machine are deleted after processing is complete, no later than 30 days.

AI wording-drift logs: we store technical quality metrics per generation (wording-drift findings) for internal pipeline optimization. These logs do not contain user identifiers and are kept in our database (Supabase, EU region) together with the respective submission.

7.9 Data category overview

The following table provides an overview of which data categories are stored where:

Storage location | Data categories | Region
Supabase (submissions database) | Form inputs, reports (Markdown + JSON), status tokens, quality logs | EU (Frankfurt)
Notion (CRM) | Master data (name, email, company, industry), activity log | USA (with EU SCCs)
Mac working machine | Trigger files (Markdown, max. 30 days), FileVault-encrypted | Vienna, Austria (local)
Zoho mail server | Mail traffic incl. attachments, mail logs (90 days) | EU
Discord (internal notifications) | First and last name, email, company — as notification to controller | USA (with EU SCCs)
AWS Bedrock (transient) | Prompts and outputs during generation — no persistent storage | EU (eu-central-1 Frankfurt)

8. Your rights

You generally have the right to access, rectification, deletion, restriction, data portability and objection. To exercise these rights, please contact: hello@agenticchris.com.

9. Right to lodge a complaint

You have the right to lodge a complaint with the Austrian Data Protection Authority: Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna, dsb@dsb.gv.at.