Privacy Policy (Datenschutzerklärung)

Last updated: February 10, 2026

ColossalLaw ("we", "our", "the Service") is committed to protecting your privacy. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data, in accordance with the EU General Data Protection Regulation (GDPR / DSGVO) and the German Bundesdatenschutzgesetz (BDSG).

1. Data Controller (Verantwortlicher)

The data controller responsible for the processing described in this policy is identified in our Impressum. For data protection inquiries, please contact us using the information provided there.

2. Data We Process

2.1 Data Minimization Approach

ColossalLaw follows the principle of data minimization (Art. 5(1)(c) DSGVO). We process data in pseudonymized form and apply proactive PII redaction to minimize data collection. We acknowledge that:

The anonymous user ID (Google sub claim) constitutes pseudonymized data under Art. 4(5) DSGVO, as Google could theoretically re-identify the user.
Our automated PII removal system may not detect all personal data in query content. Pseudonymized data remains personal data under GDPR.

2.2 Data We Do NOT Actively Collect or Store

Email addresses — Google OAuth is used solely for login verification; your email is checked in memory for domain validation and immediately discarded. It is never written to our database.
Personal names — We do not store your Google profile name.
IP addresses — We do not log or store IP addresses. (Note: Google Cloud infrastructure may temporarily process IP addresses for routing; this is governed by Google Cloud's DPA.)

2.3 Data We Do Process

Pseudonymous User ID — A Google-generated opaque identifier (not your email) used to associate your chat sessions with your account. This is pseudonymized data under Art. 4(5) DSGVO.
Chat Sessions — Your conversation history (questions and AI responses) stored in Google Cloud Firestore. All messages pass through our PII removal system before storage.
Language Preference — Your selected interface language, stored in browser localStorage.
Feedback — If you provide feedback on responses (helpful/not helpful/report), this is stored with the session.

3. Legal Basis for Processing (Rechtsgrundlage)

We process your data on the following legal bases:

Art. 6(1)(b) DSGVO — Performance of a contract: Processing your queries and maintaining chat sessions is necessary for providing the Service you requested by agreeing to our Terms of Service.
Art. 6(1)(f) DSGVO — Legitimate interests: Maintaining service security and improving service quality based on anonymized, aggregated patterns. Our legitimate interest is providing a reliable legal information service.

4. PII Removal System (Proactive Data Protection)

ColossalLaw employs an automated PII removal system that:

Detects and replaces names, phone numbers, email addresses, IBANs, and other identifiers with anonymized placeholders (e.g., [NAME], [PHONE], [EMAIL])
Processes all user input before it reaches the AI model or is stored
Uses pattern matching for common PII formats across multiple languages

Limitation: No automated system guarantees 100% detection accuracy. Contextual information (e.g., specific legal scenarios) may still enable indirect identification. You are responsible for avoiding personal data input. See our Terms of Service.

5. How We Use Your Data

Providing the Service — Chat history allows you to continue conversations and review past queries.
AI Processing — Your PII-redacted queries are sent to Google Gemini AI for processing.
Quality Improvement — Anonymized, aggregated usage patterns may be used to improve the Service. No individual user profiling is performed.

6. Data Storage & Security

Location: All user data is stored on Google Cloud Platform in the EU (europe-west3, Frankfurt am Main, Germany).
Encryption: All data is encrypted at rest (AES-256, Google Cloud default) and in transit (TLS 1.3).
Access: Only the service operator has access to stored data. No third parties are given direct access to user data.
Retention: Chat sessions are retained until you delete them via the application interface, or until your account is terminated. You can delete sessions at any time.

7. Third-Party Services & Data Processing Agreements

We use the following third-party services. Data processing is governed by Data Processing Agreements (Auftragsverarbeitungsvertrag / AVV) pursuant to Art. 28 DSGVO:

Service	Purpose	Data Shared	DPA / AVV
Google OAuth	Authentication	Email verified in memory only, not stored	Google Cloud DPA
Google Gemini AI	AI query processing	PII-redacted query text	Google Cloud DPA
Google Cloud Firestore	Session storage (EU)	Pseudonymous user ID + PII-redacted chat history	Google Cloud DPA
Google Cloud Storage	Vector database (legal knowledge)	No user data — only legal reference materials	N/A

All Google Cloud services are covered by the Google Cloud Data Processing Addendum, which includes Standard Contractual Clauses (SCCs) for any incidental cross-border data processing. Primary data storage and processing occurs within the EU (Frankfurt, Germany).

8. Cookies & Local Storage (§ 25 TDDDG)

Pursuant to § 25 of the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG), we use browser localStorage for the following strictly necessary purposes:

Authentication Token: Your Google OAuth token is stored in browser localStorage for session persistence. It is removed on logout. This storage is strictly necessary for the Service to function (§ 25(2) Nr. 2 TDDDG).
Language Preference: Stored in localStorage to maintain your interface language selection.

We do not use tracking cookies, analytics cookies, advertising cookies, or any third-party tracking technologies. No cookie consent banner is required because all storage is strictly necessary for providing the Service.

9. Your Rights Under GDPR (Betroffenenrechte)

Under the DSGVO/GDPR, you have the following rights:

Right of Access (Art. 15 DSGVO): You can view all your chat sessions within the application at any time.
Right to Rectification (Art. 16 DSGVO): You can delete and re-create chat sessions to correct information.
Right to Erasure (Art. 17 DSGVO): You can delete individual chat sessions or all your data via the application's delete function.
Right to Data Portability (Art. 20 DSGVO): Your chat history can be exported upon request in a machine-readable format.
Right to Restriction of Processing (Art. 18 DSGVO): You can stop using the Service at any time, which ceases all new processing.
Right to Object (Art. 21 DSGVO): You may object to processing based on legitimate interest. Since we do not use data for marketing or profiling, this right has limited applicability.
Right to Complain (Art. 77 DSGVO): You have the right to lodge a complaint with a data protection supervisory authority. For Berlin: Berliner Beauftragte für Datenschutz und Informationsfreiheit. For Hessen (server location): Hessischer Beauftragter für Datenschutz und Informationsfreiheit.

10. Google OAuth & Your Sign-In Data

When you click "Sign in with Google", you interact directly with Google's authentication service. Before signing in, please review Google's Privacy Policy. ColossalLaw receives only:

Your email address (used only in memory for domain validation, immediately discarded)
An opaque user identifier (sub claim, pseudonymized)

11. Data Protection Officer (Datenschutzbeauftragter)

Under § 38 BDSG, the appointment of a Data Protection Officer is mandatory when 20 or more persons are permanently involved in automated processing of personal data. As a solo-operated service, we are currently not required to appoint a DPO. Should this change, we will update this policy accordingly.

12. Children's Privacy

The Service is not intended for use by individuals under 16 years of age (Art. 8 DSGVO, in conjunction with German implementation setting the age of consent at 16). We do not knowingly process data from minors.

13. Data Breach Notification

In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours (Art. 33 DSGVO). If the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users without undue delay (Art. 34 DSGVO).

14. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be reflected in the "Last updated" date above. Material changes will be communicated through the Service interface. Continued use of the Service after changes constitutes acceptance.

15. Contact

For privacy-related questions or to exercise your data rights, please contact us using the information in our Impressum, or use the feedback mechanism within the application.