# Privacy Policy for Tachyonik Website and Products

*Last updated: June 2026*

## 1. Overview

This Privacy Policy explains how Tachyonik GmbH ("Tachyonik", "we", "us") collects, processes, and protects personal data. It applies both to our website (the "Website") and to the Tachyonik CSM (Cyber-Security-Management) application (the "Application"), whether the Application is operated as a software-as-a-service platform ("SaaS") or installed on your infrastructure as an on-premise appliance ("Appliance").

Personal data (or personal information) is any data with which you could be personally identified. The first part of this policy gives a simple overview of what happens to your personal information when you visit our Website. The subsequent sections describe in detail how we process personal data in connection with the Application.

We process personal data in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the German Digital Services Act (DDG), and the German Telecommunications-Telemedia Data Protection Act (TDDDG).

## 2. Controller / Responsible Party

The controller within the meaning of Article 4(7) GDPR responsible for data processing on the Website and through the Application is:

**Tachyonik GmbH**  
Albert-Einstein-Str. 1  
49076 Osnabrück  
Germany

Email: info@tachyonik.com

For Appliance deployments, the customer operating the Appliance is typically the data controller for all data processed within the Application. Tachyonik acts as controller only for data processed through its own infrastructure (e.g. licence verification, AI service requests, support interactions).

## 3. Data Processing on the Website

### 3.1 Hosting

This Website is hosted externally. The personal data collected on this Website is stored on the servers of the host. This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website access, and other data generated through a website. The external hosting is carried out for the purpose of fulfilling our contract with our potential and existing customers and in the interest of a secure, fast, and efficient provision of our online offering.

### 3.2 Data Collection on the Website

Our Website does not use cookies, analytics tools, or tracking technologies. We do not collect personal data when you simply visit our Website. Data is only processed when you voluntarily contact us via email.

### 3.3 Contact via Email

If you contact us by email, your request including all resulting personal data (name, email address, content of the request) will be stored and processed by us for the purpose of handling your request. We will not share this data without your consent. The processing of this data is based on Art. 6(1)(b) GDPR if your request is related to a contract or is required for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective handling of requests addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR).

### 3.4 SSL/TLS Encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock icon in the browser's address bar.

## 4. Data We Collect Through the Application

### 4.1 Account Data (Registered and Professional Users)

When you register, we collect:

- Email address
- Username (chosen by you)
- Password (stored as a bcrypt hash; we cannot access the plaintext)
- Account creation timestamp
- User role (anonymous, registered, professional)

**Legal basis:** Art. 6(1)(b) GDPR (performance of a contract).

### 4.2 Anonymous Session Data

For Anonymous Users, we create a temporary session with:

- A session identifier
- Session creation timestamp

No personally identifiable information is collected. Anonymous sessions expire automatically.

**Legal basis:** Art. 6(1)(f) GDPR (legitimate interest in providing the service).

### 4.3 User-Generated Content

Data you upload, create, or generate through the Application, including:

- Uploaded files (scan results, reports, configuration files)
- Assets, vulnerabilities, and detections derived from your data
- Actions and recommendations generated by the system
- Chat conversations with the AI assistant
- Dashboard configurations and preferences

**For SaaS:** This data is stored on our infrastructure.

**For Appliance:** This data is stored on your own infrastructure. Tachyonik does not have access to it unless you explicitly share it (e.g. through support interactions).

**Legal basis:** Art. 6(1)(b) GDPR (performance of a contract).

### 4.4 Technical and Usage Data

When you use the Application, the following data may be processed:

- IP address
- Browser type and version
- Operating system
- Timestamps of access
- Pages/sections accessed within the Application
- WebSocket connection metadata

**For SaaS:** This data is collected by our servers.

**For Appliance:** This data remains on your infrastructure.

**Legal basis:** Art. 6(1)(f) GDPR (legitimate interest in ensuring security and functionality).

### 4.5 AI Service Data

When you use AI-powered features (ChatAI, automated analysis, code generation, dashboard summaries), the following data may be transmitted to third-party AI service providers:

- The content of your query or the data being analysed
- Contextual information required for the AI to generate a response (e.g. asset data, vulnerability descriptions, scan results)

This applies to both SaaS and Appliance deployments when AI features are enabled and configured to use external AI providers.

**Legal basis:** Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in providing AI-powered features).

### 4.6 Proxy and Tool Data

When you connect security proxies to the Application:

- Proxy connection metadata (name, URL, connection mode, status, last seen timestamp)
- Tool inventory (tools available on connected proxies)
- Tool execution requests and results

**For SaaS:** Processed on our infrastructure.

**For Appliance:** Processed on your infrastructure; proxy communication occurs directly between your Appliance and your proxies.

**Legal basis:** Art. 6(1)(b) GDPR (performance of a contract).

## 5. Cookies and Session Tokens

5.1 The Application uses a JSON Web Token (JWT) stored in your browser's local storage for authentication. This is a technical necessity and does not constitute tracking.

5.2 Neither the Website nor the Application uses third-party cookies, advertising cookies, or tracking technologies.

5.3 Session-related data (authentication token, user preferences, table column settings, filter preferences) is stored in your browser's local storage. This data is not transmitted to third parties.

**Legal basis:** TDDDG Section 25(2) (strictly necessary for the service).

## 6. Purpose of Processing

We process personal data for the following purposes:

- (a) Providing and operating the Website and the Application, including user authentication, session management, and feature access control.
- (b) Handling enquiries and requests submitted to us (e.g. via email).
- (c) Processing and analysing security data uploaded by you (vulnerability scanning, asset management, threat detection).
- (d) Generating AI-powered analyses, recommendations, and automated code (when AI features are used).
- (e) Orchestrating security tools on connected proxies on your behalf.
- (f) Sending service-related communications (e.g. email verification, security notifications).
- (g) Maintaining the security and integrity of the Website and the Application (e.g. detecting and preventing misuse, logging access).
- (h) Improving functionality and user experience.
- (i) Fulfilling legal obligations (e.g. retention requirements under German commercial and tax law).

## 7. Data Sharing and Recipients

### 7.1 AI Service Providers

When AI features are used, data may be transmitted to third-party AI service providers for processing. The specific provider depends on your configuration (self-hosted AI models do not involve third-party transmission). We select providers that offer adequate data protection guarantees.

### 7.2 Hosting and Infrastructure Providers

The Website is hosted externally as described in Section 3.1. For SaaS deployments, the Application and its data are hosted on infrastructure provided by third-party hosting providers within the European Union.

### 7.3 No Sale of Data

We do not sell, rent, or trade your personal data to third parties.

### 7.4 Legal Obligations

We may disclose personal data if required by law, court order, or to protect our legal rights.

### 7.5 Sub-Processors

A current list of sub-processors used for the SaaS platform is available upon request by contacting info@tachyonik.com.

## 8. International Data Transfers

8.1 We endeavour to process all data within the European Economic Area (EEA).

8.2 If data is transferred outside the EEA (e.g. when using AI service providers based in third countries), we ensure adequate safeguards are in place, such as:

- EU Standard Contractual Clauses (Art. 46(2)(c) GDPR)
- An adequacy decision by the European Commission (Art. 45 GDPR)

8.3 For Appliance deployments, international transfers depend on your own configuration of AI service providers. You are responsible for ensuring adequate safeguards for any transfers you initiate.

## 9. Data Retention

Unless a more specific storage period is stated below or elsewhere in this policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a justified request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing it; in such cases, deletion takes place after these reasons cease to apply.

9.1 **Email Enquiries (Website):** Data from email contact is retained until your request has been fully handled and any related retention period has expired.

9.2 **Account Data:** Retained for the duration of the account. Upon account deletion, personal data is deleted within 30 days, unless longer retention is required by law.

9.3 **Anonymous Session Data:** Automatically deleted upon session expiry (typically 24 hours of inactivity).

9.4 **User-Generated Content (SaaS):** Retained for the duration of the account. Upon termination, data is deleted within 30 days unless a longer period is agreed upon with Professional Users.

9.5 **User-Generated Content (Appliance):** Retention is under the customer's control on their own infrastructure.

9.6 **Technical Logs (SaaS):** Server access logs are retained for up to 90 days for security purposes.

9.7 **AI Interaction Data:** Chat conversations and AI-generated content are retained as part of your User-Generated Content. Data transmitted to third-party AI providers is subject to their respective retention policies.

9.8 **Legal Retention Obligations:** Where German commercial law (Section 257 HGB) or tax law (Section 147 AO) requires longer retention (typically 6 or 10 years for business records), we retain the relevant data for the legally required period.

## 10. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

- **(a) Right of Access (Art. 15 GDPR):** You may request information about the personal data we hold about you, its origin and recipients, and the purpose of data processing.
- **(b) Right to Rectification (Art. 16 GDPR):** You may request correction of inaccurate personal data.
- **(c) Right to Erasure (Art. 17 GDPR):** You may request deletion of your personal data, subject to legal retention obligations.
- **(d) Right to Restriction of Processing (Art. 18 GDPR):** You may request that we restrict the processing of your data under certain circumstances.
- **(e) Right to Data Portability (Art. 20 GDPR):** You may request to receive your personal data in a structured, commonly used, and machine-readable format.
- **(f) Right to Object (Art. 21 GDPR):** You may object to processing based on legitimate interests. Where processing is based on Art. 6(1)(f) GDPR, we will cease processing unless we demonstrate compelling legitimate grounds.
- **(g) Right to Withdraw Consent (Art. 7(3) GDPR):** Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

**Right to Lodge a Complaint:** You have the right to lodge a complaint with a supervisory authority. The competent authority is:

**Die Landesbeauftragte für den Datenschutz Niedersachsen**  
Prinzenstraße 5  
30159 Hannover  
Germany  
https://www.lfd.niedersachsen.de

To exercise your rights, contact us at: info@tachyonik.com

## 11. Data Processing Agreement

11.1 For SaaS deployments where Tachyonik processes personal data on behalf of the customer, a Data Processing Agreement (Auftragsverarbeitungsvertrag) pursuant to Article 28 GDPR shall be concluded.

11.2 For Appliance deployments where Tachyonik provides support services that involve access to personal data, a Data Processing Agreement shall be concluded to the extent required.

11.3 Professional Users may request a Data Processing Agreement by contacting info@tachyonik.com.

## 12. Security Measures

12.1 We implement appropriate technical and organisational measures to protect your personal data, including:

- Encryption of data in transit (TLS/SSL)
- Encryption of sensitive data at rest (e.g. credentials stored with AES-256)
- Password hashing using bcrypt
- Role-based access controls
- Regular security assessments
- Access logging and monitoring

12.2 For Appliance deployments, the customer is responsible for implementing adequate security measures on their own infrastructure, including network security, physical access controls, and backup procedures.

## 13. Appliance-Specific Provisions

13.1 When operating the Application as an Appliance, you are the data controller for all personal data processed within the Application on your infrastructure.

13.2 Tachyonik does not have access to data stored on your Appliance unless you explicitly provide access (e.g. for support purposes).

13.3 If your Appliance is configured to use external AI services, data transmitted to those services is subject to Section 4.5 (AI Service Data) and Section 8 (International Data Transfers) of this Privacy Policy. You are responsible for ensuring that your AI service configuration complies with applicable data protection laws.

13.4 Software updates provided by Tachyonik for the Appliance do not involve transmission of your data to Tachyonik.

## 14. SaaS-Specific Provisions

14.1 In SaaS mode, Tachyonik hosts the Application and processes User-Generated Content on its infrastructure.

14.2 Data is stored in data centres within the European Union.

14.3 Tachyonik implements measures in accordance with the state of the art (Stand der Technik) to ensure the security, availability, and integrity of the SaaS platform.

14.4 Tachyonik may engage sub-processors for hosting, monitoring, and AI services. Material changes to sub-processors will be communicated to Professional Users in advance.

## 15. Children's Privacy

The Application is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us so we can delete it promptly.

## 16. Legal Basis

The data processing described in this Privacy Policy is based on the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the German Digital Services Act (DDG), and the German Telecommunications-Telemedia Data Protection Act (TDDDG).

## 17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the Application or by email (for Registered and Professional Users). The current version is always available on the Website and within the Application. Continued use after notification constitutes acknowledgement of the updated Privacy Policy.

## 18. Contact

For questions regarding data protection, please contact:

**Tachyonik GmbH**  
Albert-Einstein-Str. 1, 49076 Osnabrück, Germany  
info@tachyonik.com
