1. Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection provisions is:
[Insert name and address of the data controller]
Privacy inquiries: privacy@everstrategy.ai
2. Overview of Data Processing
EverStrategy.ai is an AI-powered management consulting platform that covers the complete AI Transformation Lifecycle — from company analysis through strategy development, team qualification, and execution to agent monitoring and compliance. In the course of these services, we process various categories of personal data.
Types of data processed
- Account data (email address, password, organization name)
- Company data (industry, company size, department structure, processes, technology stack)
- Usage data (platform activities, feature usage, page views)
- Content data (strategy documents, chat histories, course progress, uploaded documents)
- AI interaction data (prompts, responses, token usage, models used)
- Integration data (API keys, project management tasks, synchronization logs)
- Financial data (subscription information, credit transactions — credit card data is processed by Stripe only)
- Log data (IP addresses, timestamps, request IDs, audit trail entries)
Categories of data subjects
- Registered users of the platform
- Organization administrators and team members
- Visitors to the public website (technically necessary data only)
3. Legal Bases for Processing
The processing of personal data is based on the following legal bases pursuant to Art. 6 GDPR:
Consent (Art. 6(1)(a) GDPR)
Where we obtain the data subject's consent for processing, e.g., for optional document uploads or the use of certain AI features.
Performance of contract (Art. 6(1)(b) GDPR)
For providing the platform, managing subscriptions, credit-based billing, and delivering the agreed consulting services.
Legitimate interest (Art. 6(1)(f) GDPR)
For improving the platform, ensuring IT security, fraud prevention, anomaly detection, and analysis of aggregated usage data.
Legal obligation (Art. 6(1)(c) GDPR)
For maintaining the audit trail in accordance with the EU AI Act, tax retention obligations, and fulfilling data protection disclosure requirements.
4. Hosting and Infrastructure
We use the following infrastructure service providers to operate the platform:
Vercel Inc. (Web hosting)
The website is hosted on the Vercel platform. With each page request, server log data is automatically collected (IP address, timestamp, requested URL, HTTP status, user agent). Vercel uses a global edge network with locations in the EU.
Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA
Supabase Inc. (Database, Authentication, File Storage)
All application data is stored in a PostgreSQL database at Supabase. Supabase also provides authentication (JWT-based), Row-Level Security (RLS), and encrypted file storage. The database is encrypted with AES-256 (at rest).
Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992
Upstash Inc. (Rate Limiting)
To protect against abuse, we use Upstash Redis for rate limiting. Only short-lived counters per user ID and time window are stored — no personal data is permanently retained.
Upstash Inc., San Francisco, CA, USA
5. Registration and Authentication
During registration, we collect:
- Email address (as username and for account-related notifications)
- Password (stored hashed by Supabase Auth — we have no access to the plaintext password)
Session management uses secure, HTTP-only cookies containing JWT-based authentication tokens. These cookies are automatically renewed and deleted upon logout.
Legal basis: Performance of contract (Art. 6(1)(b) GDPR).
6. Company Profile and Onboarding
As part of the AI Readiness Assessment, you complete an 8-step wizard in which the following company data is collected:
- Company name and industry
- Company size and department structure
- Existing business processes and pain points
- Current technology stack
- Business goals and growth strategy
- Team competencies in AI
- Compliance requirements and regulatory framework
In the optional Deep Mode, additional dynamically AI-generated follow-up questions are asked to create a more precise company profile. Answering is voluntary.
Based on your answers and uploaded documents, follow-up questions are automatically generated. Answering these is optional and improves strategy quality.
Legal basis: Performance of contract (Art. 6(1)(b) GDPR). This data is required to create an individualized AI strategy.
7. AI-Powered Analysis and Strategies
EverStrategy.ai uses AI models to generate corporate strategies. The following data is processed:
AI models used
You can choose between different AI models, including Claude Opus 4.6 (Anthropic) and Gemini 3.1 (Google). The choice of model is yours.
Data processed
- Your company profile is transmitted as context to the chosen AI model
- The AI generates: executive summary, 8 department strategies, quick wins, roadmap, and 3-year ROI projection
- Each strategy version is versioned and stored with a timestamp
- Token usage (input/output) is recorded per request and attributed to the credit system
System Prompt Transparency
EverStrategy.ai makes the complete system prompt transmitted to the AI visible and editable. You can view at any time what context the AI uses. This includes: your company profile, current strategy, your goals, and implementation status.
Legal basis: Performance of contract (Art. 6(1)(b) GDPR). Your data is transmitted to the respective AI provider to carry out the agreed strategy generation.
8. AI Business Advisor (Chat)
The integrated AI Business Advisor is an AI-powered chat that accesses your company profile, strategy, and implementation status.
- Chat histories are stored to maintain the advisory context across multiple sessions
- Each message consumes credits, calculated based on token usage and the chosen model
- The complete system prompt — including all contextual data — is viewable by you at any time
- The advisor references: company profile, current strategy, Kanban tasks, goals/KPIs, and agent performance data
Legal basis: Performance of contract (Art. 6(1)(b) GDPR).
9. Documents and Knowledge Management
You can upload documents to expand the context for AI strategy consulting.
Supported formats: PDF, DOCX, TXT (maximum 10 MB per file).
Document processing
- Text extraction from the uploaded document
- AI-powered summarization of the content
- Storage of the original file in encrypted Supabase Storage
- Integration of the summary into the AI's system prompt
Documents are stored permanently to maintain strategy contextualization. You can delete documents at any time through the platform.
Legal basis: Consent (Art. 6(1)(a) GDPR). Upload is voluntary and serves to improve strategy quality.
10. Learning Platform and Custom Courses
EverStrategy.ai offers an integrated learning platform with over 20 pre-installed courses and a Custom Course Generator.
- Course progress and quiz results are stored per team member
- The Custom Course Generator creates individual learning paths based on: your strategy, department needs, Kanban tasks, or freely chosen topics
- Generated courses contain lessons with markdown content and quizzes
- Course generation consumes credits (token usage and model are recorded)
Legal basis: Performance of contract (Art. 6(1)(b) GDPR).
11. Business Development and Opportunity Pipeline
EverStrategy.ai generates AI-powered business opportunity suggestions based on your company profile and strategy.
- Business development suggestions: automatically generated proposals for new markets, products, partnerships, and process optimizations
- Opportunity Pipeline: identified opportunities are managed in a Kanban pipeline with status tracking
- AI deep analyses: on request, the AI creates detailed market analyses, risk assessments, and implementation steps
- ROI Calculator: interactive cost-benefit analysis for each investment from your strategy
Legal basis: Performance of contract (Art. 6(1)(b) GDPR).
12. Kanban Board and Project Management Integrations
EverStrategy.ai offers an integrated Kanban board and bidirectional synchronization with external project management tools.
Supported PM tools
- ClickUp
- Notion
- Jira
- Trello
- Asana
- Monday.com
Synchronized data
- Task titles, descriptions, and status
- Assignments and due dates
- Status mapping between EverStrategy.ai Kanban and the external PM tool
- Synchronization logs (timestamps, counts of created/updated/deleted tasks, errors)
Connection data
To establish the connection, we store an encrypted API key (AES-256-GCM) and the workspace name. Only administrators can set up integrations.
Webhook processing
External PM tools can report changes to EverStrategy.ai via webhooks. These webhooks are verified through provider-specific signature checks and processed idempotently.
Automatic synchronization
Synchronization occurs every 15 minutes by default (configurable) and can also be triggered manually.
Legal basis: Performance of contract (Art. 6(1)(b) GDPR). Synchronization is actively set up by the user.
13. Agent Monitoring and Cost Intelligence
EverStrategy.ai enables monitoring and cost analysis of external AI agents across multiple providers.
Supported AI providers (read-only monitoring)
- OpenAI (Assistants API): Agents, Threads, Runs, Messages
- Google Gemini: Available models and configurations
- Anthropic Claude: Available models and configurations
- OpenClaw (WebSocket): Agent status, health snapshots
Data collected per agent run
- Run ID, Thread ID, Status (completed/failed/cancelled)
- Input and output summaries
- Token usage (input, output, total)
- Timestamps and duration
- Calculated costs based on the current model pricing matrix
API keys
External provider API keys are stored encrypted with AES-256-GCM in the database. Upon account deletion, all API keys are immediately and irrevocably deleted.
Legal basis: Performance of contract (Art. 6(1)(b) GDPR). The connection is actively established by the user; EverStrategy.ai only accesses external APIs in read-only mode.
14. Alignment Scoring and Anomaly Detection
Alignment Scoring
Each agent run is automatically evaluated against your business goals. The AI (Claude) analyzes the run output and assigns a weighted alignment score (0–100) with reasoning and confidence level. This assessment is purely informational and has no automatic consequences.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in measuring the goal contributions of AI agents.
Anomaly Detection
The system automatically detects unusual patterns in your agent data:
- Cost spikes (sudden increase in token usage)
- Theme drift (agent output deviates from goals)
- Error rate (increased number of failed runs)
When detected, anomalies are displayed in the platform. You can configure thresholds and email notifications.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in ensuring AI infrastructure integrity.
15. Payment Processing and Credit System
Stripe (Payment processing)
Payment processing is handled by Stripe Inc. We transmit to Stripe: email address, organization name, and chosen plan. Credit card data is processed exclusively by Stripe and never stored on our servers. Stripe is PCI-DSS certified.
Stripe Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA
Credit system
All AI-powered features consume credits. Each transaction is logged with the following data:
- Transaction type (e.g., AI advisor, strategy chat, course generation, document processing)
- Credits consumed and resulting account balance
- AI model used and token usage
- API costs in cents (for internal billing)
- Timestamp and user ID
Subscriptions
EverStrategy.ai offers three plans (Starter, Business, Enterprise) with different monthly credit allowances (5,000 / 25,000 / 100,000 credits). Unused credits expire on the first of each month.
Legal basis: Performance of contract (Art. 6(1)(b) GDPR).
16. Cookies and Tracking
EverStrategy.ai uses only technically necessary cookies.
Authentication cookies
Secure, HTTP-only cookies for session management (JWT tokens). These cookies are strictly necessary for platform operation and are deleted upon logout.
Theme preference
A local storage value for the chosen color scheme setting (light/dark mode). This value is not a cookie and is stored only in the browser.
No tracking cookies, marketing cookies, third-party analytics tools (such as Google Analytics, Hotjar, Facebook Pixel), or fingerprinting technologies are used. EverStrategy.ai does not use retargeting or personalized advertising.
17. Data Security
We implement comprehensive technical and organizational measures to protect your data:
Encryption in transit
All data is transmitted encrypted via TLS 1.2+ (HTTPS). HSTS (HTTP Strict Transport Security) is enabled with a validity of 2 years.
Encryption at rest
The PostgreSQL database and file storage are encrypted with AES-256 (at rest). API keys for external services are additionally encrypted with AES-256-GCM at the application level.
Access control
Row-Level Security (RLS) in Supabase ensures that users can only access data from their own organization. A role-based permission system (Admin, Member, Viewer) limits access at the feature level.
Security headers
- Content-Security-Policy: Strict policy allowing only own sources and Stripe/Supabase
- X-Frame-Options: DENY (protection against clickjacking)
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: Camera, microphone, and geolocation disabled
Rate limiting
All API endpoints are protected by tiered rate limits (e.g., 10 requests/minute for standard operations, 3/minute for billing operations, 1/minute for AI generations).
18. Data Processors and International Transfers
We use the following data processors that may have access to personal data:
| Service provider | Purpose | Location | Legal basis |
|---|---|---|---|
| Vercel Inc. | Web hosting, edge network, serverless functions | USA (EU edge locations) | EU Standard Contractual Clauses (SCC) |
| Supabase Inc. | Database, authentication, file storage | Singapore (data storage) | EU Standard Contractual Clauses (SCC) |
| Stripe Inc. | Payment processing, subscription management | USA | EU Standard Contractual Clauses (SCC), PCI-DSS |
| Anthropic PBC | AI model (Claude) for strategy generation, advisory, alignment scoring | USA | EU Standard Contractual Clauses (SCC) |
| Google LLC | AI model (Gemini) for strategy generation and advisory | USA | EU Standard Contractual Clauses (SCC) |
| OpenAI Inc. | Agent monitoring (read-only access to Assistants API) | USA | EU Standard Contractual Clauses (SCC) |
| Upstash Inc. | Rate limiting (Redis-based) | USA | EU Standard Contractual Clauses (SCC) |
Optional PM tool providers (only with active integration)
When setting up a project management integration, data is synchronized with the respective provider. This connection is optional and initiated exclusively by the user:
- ClickUp (ClickUp Inc., USA)
- Notion (Notion Labs Inc., USA)
- Jira (Atlassian Pty Ltd, Australia)
- Trello (Atlassian Pty Ltd, Australia)
- Asana (Asana Inc., USA)
- Monday.com (monday.com Ltd., Israel)
For all transfers to third countries (outside the EEA), EU Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR apply. In addition, we regularly assess the adequacy of the data protection level in recipient countries.
19. Data Retention and Deletion
We store personal data only as long as necessary for the respective purpose or as required by statutory retention periods:
| Data type | Retention period |
|---|---|
| User account and profile data | Until account deletion by the user |
| Company profile and strategies | Until account deletion (all changes versioned) |
| Chat histories (advisor & strategy chat) | Until account deletion |
| Uploaded documents | Until manual deletion or account deletion |
| Agent runs and monitoring data | Until account deletion |
| Credit transactions | 10 years (statutory retention obligation, § 147 AO) |
| Audit trail | 90 days (Starter), 1 year (Business), unlimited (Enterprise) |
| PM synchronization logs | Until integration deactivation or account deletion |
Account deletion
When you delete your account, all associated data is deleted in a cascade: organization, members, goals, agents, runs, costs, alignment scores, anomalies, integrations, courses, Kanban items, opportunities, strategies, audit logs, and documents. API keys for external services are irrevocably deleted beforehand. This process is irreversible.
Data export
You can export your data at any time as a JSON file. The export includes: organization, goals, KPIs, agents, agent runs (last 10,000), costs, alignment scores, anomalies, and audit logs (last 10,000). Encrypted API keys and payment data at Stripe are not included in the export for security reasons.
20. Automated Decision-Making
EverStrategy.ai uses automated processes in the following areas, which are exclusively informational and supportive — no automated decision has legal effect or similarly significantly affects you (Art. 22 GDPR):
Alignment Scoring
AI-based assessment of how strongly an agent run contributes to your business goals. The score (0–100) serves informational purposes and triggers no automatic actions.
Anomaly Detection
Automatic detection of unusual patterns (cost spikes, theme drift, error rate). Anomalies are displayed — the decision on measures is yours.
Business Development Suggestions
AI-generated business opportunity suggestions based on your company profile. Each suggestion is a recommendation, not a decision.
Strategy Generation
AI-generated strategies, roadmaps, and ROI projections. These serve as a starting point for your own decisions and only become effective through your active adoption.
21. Audit Trail and EU AI Act Compliance
EverStrategy.ai maintains a complete, append-only audit trail that documents all relevant events in a forensically sound manner:
- Authentication (login, logout, registration)
- Billing operations (plan changes, credit purchases)
- Integration events (PM tool connection, synchronization)
- Strategy operations (creation, versioning, chat changes)
- System synchronizations (agent sync, cost calculation)
- Data access and export
- Account deletion
With regard to the EU AI Act (Regulation (EU) 2024/1689), which becomes fully applicable on August 2, 2026, EverStrategy.ai documents: AI models used, alignment evidence, token usage, decision bases, and compliance reports. This documentation supports the requirements for transparency and traceability pursuant to Art. 13 and Art. 14 of the EU AI Act.
Legal basis: Legal obligation (Art. 6(1)(c) GDPR) in conjunction with the requirements of the EU AI Act.
22. Your Rights
As a data subject, you have the following rights under the GDPR:
Right of access (Art. 15 GDPR)
You can request information about your personal data stored with us at any time. Use the data export function of the platform or contact us by email.
Right to rectification (Art. 16 GDPR)
You can request the correction of inaccurate data or the completion of incomplete data. Company profile data can be edited directly in the platform.
Right to erasure (Art. 17 GDPR)
You can request the deletion of your personal data. Complete account deletion with cascading data deletion is available directly in the platform.
Right to restriction (Art. 18 GDPR)
You can request the restriction of processing of your data. You can deactivate integrations and pause synchronization.
Right to data portability (Art. 20 GDPR)
You can receive your data in a structured, commonly used, and machine-readable format (JSON). Use the data export function of the platform.
Right to object (Art. 21 GDPR)
You can object to the processing of your data based on legitimate interests at any time. Contact us at privacy@everstrategy.ai.
Right to lodge a complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority depends on your place of residence or the seat of the data controller.
For all data protection inquiries, please contact us at: privacy@everstrategy.ai
23. Changes to This Privacy Policy
We reserve the right to update this privacy policy as needed to reflect changes in legislation, new features, or modified data processing activities. The current version is always available on this page. Registered users will be informed by email of material changes. The date of the last update can be found at the beginning of this privacy policy.