How we collect, use, and protect your personal data
Version 1.0 • March 12, 2026
This Privacy Policy explains how Tessera Software UG (haftungsbeschränkt) ("Tessera", "we", "us", "our") collects, uses, and protects your personal data when you use our Tessera software platform ("Service").
We are committed to protecting your privacy and ensuring transparency about our data practices in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.
This policy applies to:
• Account holders and users of our Service
• Visitors to our website
• Business contacts and leads
The data controller responsible for your personal data is:
Tessera Software UG (haftungsbeschränkt)
Rheingasse 34
50676 Köln
Germany

Email: info@tessera-software.com
Phone: +49 178 38 38 455

Managing Directors: Raphael Parr & Noah El Maani
Register Court: Amtsgericht Köln
Register Number: HRB 125524
VAT ID: DE458343526
Account Information
• Name and email address
• Company/business name
• Password (encrypted)
• Account preferences and settings

Google Account Data (when you connect)
• Google account identifier
• Business Profile information (name, address, phone, hours)
• Customer reviews and ratings
• Your responses to reviews
• Google Posts content

Usage Data
• Login timestamps and IP addresses
• Feature usage and interactions
• Browser type and device information
• Error logs and performance data

Payment Information (processed by Stripe)
• Billing address
• Payment method details
• Transaction history
• VAT/Tax ID (if provided)

Website Visitor Data (for websites you create)
• Page views and visitor counts
• Referrer information
• Geographic region (country/city level)

Communication Data
• Support requests and responses
• Email communications
• Feedback and survey responses
We use your personal data to:
Provide the Service
• Create and manage your account
• Display and manage your Google reviews
• Generate AI-powered reply suggestions
• Publish content to Google on your behalf
• Host and serve your websites
• Process your payments

Improve the Service
• Analyze usage patterns to improve features
• Debug errors and fix issues
• Develop new features

Communicate with You
• Send service notifications and updates
• Respond to support requests
• Send billing and payment confirmations

Legal and Security
• Comply with legal obligations
• Protect against fraud and abuse
• Enforce our Terms of Service
We process your personal data based on the following legal grounds under GDPR:
Contract Performance (Art. 6(1)(b) GDPR)
Processing necessary to provide the Service you subscribed to:
• Account management
• Service delivery
• Payment processing

Legitimate Interest (Art. 6(1)(f) GDPR)
Processing for our legitimate business interests:
• Service improvement and analytics
• Security and fraud prevention
• Customer support

Legal Obligation (Art. 6(1)(c) GDPR)
Processing required by law:
• Tax and accounting records
• Responding to legal requests

Consent (Art. 6(1)(a) GDPR)
Where you have given explicit consent:
• Marketing communications (if opted in)
• Optional analytics cookies
We share your data with the following categories of recipients:
Service Providers (Sub-processors)
| Provider | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting | EU (Frankfurt) |
| Vercel Inc. | Application hosting | Global (EU primary) |
| Stripe Inc. | Payment processing | USA (EU data) |
| OpenAI Inc. | AI reply generation | USA |
| Resend Inc. | Transactional emails | USA |
| Google LLC | Business Profile API | USA |
Data Transfers Outside EU
Some of our providers are located in the USA. We ensure appropriate safeguards through:
• EU Standard Contractual Clauses
• Provider's participation in data protection frameworks
• Additional technical measures (encryption)

We Never
• Sell your personal data
• Share data for third-party advertising
• Allow unauthorized access to your data
When you connect your Google account, we access data through Google Business Profile API.
Data We Access
• Business location information
• Customer reviews and ratings
• Your review responses
• Google Posts

How We Use Google Data
• Display reviews in your dashboard
• Generate AI reply suggestions
• Post responses to Google on your behalf
• Sync business info to your websites
• Provide performance analytics

Google API Services User Data Policy
Tessera's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We specifically:
• Do NOT use Google data for advertising
• Do NOT allow humans to read your data unless you consent, it's necessary for security, or required by law
• Do NOT transfer data to third parties except as necessary to provide the Service

Revoking Access
You can revoke our access at any time:
• In Tessera: Settings → Connections → Disconnect
• Via Google: myaccount.google.com/permissions
Upon revocation, we stop accessing your Google data immediately and delete cached data within 30 days.
We use OpenAI's services to generate review reply suggestions.
What We Send to OpenAI
• Review text and rating
• Your business name and category
• Your tone/style preferences

What We Don't Send
• Customer personal information (names are anonymized)
• Your account credentials
• Payment information

OpenAI's Data Handling
• Data sent to OpenAI API is not used to train their models
• Data is processed and deleted according to OpenAI's retention policy
• We use OpenAI's enterprise API with enhanced privacy protections
You can opt out of AI features and manually write all responses.
We use only essential cookies required for the Service to function.
Essential Cookies (No Consent Required)
• Authentication cookies - Keep you logged in
• Security cookies - Protect against CSRF attacks
• Preference cookies - Remember your settings

We Do NOT Use
• Third-party advertising cookies
• Social media tracking pixels
• Cross-site tracking

Local Storage
We store some data in your browser's local storage:
• UI preferences (theme, language)
• Cached data for performance
You can clear local storage through your browser settings.
We retain your data for the following periods:
Active Account
• Account data: Duration of subscription
• Usage logs: 90 days
• Support communications: 2 years

After Account Deletion
• Account data: Deleted within 30 days
• Anonymized analytics: May be retained indefinitely
• Backup copies: Deleted within 90 days

Legal Requirements
• Billing/tax records: 10 years (German law)
• Contract records: 3 years after termination

Published Websites
When your subscription ends, websites are unpublished immediately. Data is retained for 30 days to allow reactivation, then deleted.
You have the following rights regarding your personal data:
Right of Access (Art. 15)
Request a copy of your personal data. Use Settings → Privacy → Export Data.

Right to Rectification (Art. 16)
Request correction of inaccurate data. Edit your profile in Settings.

Right to Erasure (Art. 17)
Request deletion of your data. Use Settings → Privacy → Delete Account.

Right to Data Portability (Art. 20)
Receive your data in a structured format. Use the Export Data feature.

Right to Restriction (Art. 18)
Request limited processing in certain circumstances.

Right to Object (Art. 21)
Object to processing based on legitimate interests.

Right to Withdraw Consent
Where processing is based on consent, withdraw at any time.

How to Exercise Your Rights
• Self-service: Most rights can be exercised in Settings → Privacy
• Email: info@tessera-software.com
• Response time: Within 30 days

Complaints
You have the right to lodge a complaint with a supervisory authority:
Landesbeauftragte für Datenschutz und Informationsfreiheit NRW
Kavalleriestraße 2-4, 40213 Düsseldorf
https://www.ldi.nrw.de
We implement appropriate technical and organizational measures to protect your data:
Technical Measures
• Encryption in transit (TLS 1.3)
• Encryption at rest (AES-256)
• Secure password hashing (bcrypt)
• Regular security assessments

Organizational Measures
• Access controls and authentication
• Employee confidentiality agreements
• Security awareness training
• Incident response procedures

Infrastructure
• EU-hosted database (Supabase, Frankfurt)
• DDoS protection
• Regular backups
• Monitoring and alerting

Incident Response
In case of a data breach affecting your rights, we will:
• Notify you within 72 hours
• Inform the supervisory authority as required
• Take immediate remediation steps
Our Service is designed for businesses and is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.
If you believe we have collected data from a minor, please contact us immediately at info@tessera-software.com.
We may update this Privacy Policy from time to time. We will notify you of material changes by:
• Email notification
• Notice in the Service
• Updated "Last Modified" date
We encourage you to review this policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.
For any questions about this Privacy Policy or to exercise your rights:
Tessera Software UG (haftungsbeschränkt)
Rheingasse 34
50676 Köln, Germany

Email: info@tessera-software.com
Phone: +49 178 38 38 455
We aim to respond to all inquiries within 5 business days.