Legal
Privacy Policy
Ongeist (www.ongeist.com) — Dobalo, Inc.
As of: May 2026
This Privacy Policy describes how Dobalo, Inc. (registered at 131 Continental Dr, Suite 305, Newark, DE 19713, United States of America) ('Ongeist', 'we') processes your personal information (used interchangeably with personal data) when you visit www.ongeist.com, use mobile applications ('Website') and Ongeist services ('Service'), as well as the rights you have with respect to your personal information. This Privacy Policy is amended from time to time at our discretion, so be sure to check this page periodically as the information provided here may change. We will inform you separately in case we make any important changes to this Privacy Policy.
1. What personal information do we collect and why?
We collect the bare minimum of your personal data, e.g. the information needed for account creation, payment processing, customer support and similar purposes.
1.1 Cookies and device information
When you browse the Website, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Website, and information about how you interact with the Website. We refer to this automatically-collected information as 'Device Information'. We collect Device Information using cookies and pixels. Cookies and pixels are data files that are placed on your device and often include an anonymous, unique identifier. We use the Device Information that we collect to help us to improve and optimize our Website (for example, by generating analytics about how our customers browse and interact with the Website, and to assess the success of our marketing and advertising campaigns) and Services. The legal basis for processing your data for this purpose is our legitimate interest in analyzing and improving the performance of our Website and Service, as well as assessing the success of our marketing campaigns (Art. 6(1)(f) of the General Data Protection Regulation ('GDPR') and UK Data Protection Act 2018 ('UK GDPR')) and your consent (Art. 6(1)(a) of the GDPR and the UK GDPR). More information about the cookies and pixels that we use is provided in our Cookies Policy.
1.2 Creation of your account
If you decide to use our Service, you will need to create a user account by providing your identifier (email address). We will store the following information: your email address, the verification date of this email address, and the date of account creation. We collectively refer to this information as 'Account Information'. The legal basis for processing your Account Information is the performance of a contract with you (Art. 6(1)(b) of the GDPR and the UK GDPR).
1.3 Provision of Ongeist Service
To fully use our Service, you may voluntarily provide certain personal identifiers in your account, including your full name, address details (country, state, city, ZIP code, and street address), phone number, and date of birth. Additionally, you may authorize us to act on your behalf when submitting data erasure requests to data brokers and online platforms. Ongeist also allows you to add email addresses, phone numbers, and linked social media accounts (e.g. Facebook, Instagram, LinkedIn, TikTok) to your account so we can monitor these for data exposures. You may optionally provide the last four digits of payment cards solely for the purpose of anonymized matching against known data breach databases — we never store full card numbers. If you use the Digital Testament feature, you may store information about your digital accounts and emergency contacts. Any sensitive credentials stored in the Digital Testament are encrypted using AES-256 encryption and are never accessible to Ongeist in plaintext. The legal basis for processing your data for this purpose is the performance of a contract with you (Art. 6(1)(b) of the GDPR and the UK GDPR). Note that we will retain a copy of your authorization, along with the information provided in it, such as your full name and address, as well as the dates of creation and modification. To keep you informed about the data deletion requests, we will keep information about the status of these requests, the names of the data brokers, and the removal IDs. The legal basis for processing your data for this purpose is the performance of a contract with you (Art. 6(1)(b) of the GDPR and the UK GDPR).
1.4 Gmail Integration (optional)
If you choose to connect your Google account via OAuth 2.0, we access your Gmail account solely with your explicit consent to: identify spam and newsletter senders in your inbox, perform automated unsubscribes from unwanted mailing lists on your behalf, and send GDPR data erasure requests in your name. We do not read, store, or analyze the content of your emails. Access is limited to sender metadata and List-Unsubscribe headers. The legal basis for processing your data for this purpose is your consent (Art. 6(1)(a) of the GDPR and the UK GDPR). You may revoke access at any time via myaccount.google.com/permissions.
1.5 Banking connection (optional)
If you choose to connect your bank account via our PSD2-licensed partner Nordigen (GoCardless Ltd.), we receive read-only access to your transaction data solely to identify recurring charges (subscriptions) and display them to you. We do not initiate payments, store full account numbers, or share banking data with third parties beyond what is required to provide this feature. The legal basis for processing your data for this purpose is your consent (Art. 6(1)(a) of the GDPR and the UK GDPR). You may revoke this connection at any time in your account settings.
1.6 Subscription management and payment processing
When you subscribe to the Ongeist Service, we will collect certain subscription information, including the payment provider (Stripe) subscription ID, subscription creation date, validity date, subscription status, subscription type and any changes to the subscription type. The processing of such data is based on our contract with you (Art. 6(1)(b) of the GDPR and the UK GDPR). As for payment-related information, our payment processing partner Stripe, Inc. collects the standard data necessary for processing payments and handling refund requests. This includes the subscription ID, subscription creation date, validity date, transaction date, payer's IP address, credit card number, and credit card owner's full name. In some jurisdictions, residential address may also be collected. The processing and transfer of this data are based on our contractual relationship with you (Art. 6(1)(b) of the GDPR and the UK GDPR).
1.7 AI-powered features
We use AI services provided by Anthropic, PBC (Claude) to generate personalized security reports, explain data breach findings in plain language, assist with Digital Testament creation, and compose GDPR request letters on your behalf. Your data is processed solely to generate these outputs and is not stored by the AI model or used for model training. Anthropic maintains a zero data retention policy for API usage. The legal basis for processing your data for this purpose is the performance of a contract with you (Art. 6(1)(b) of the GDPR and the UK GDPR).
1.8 Customer support
We also keep communication with you regarding the Service provided and issues that arise when rendering the Service. For this purpose, we process personal information such as the inquiry ID, your name, your email address, the date and content of the inquiry, and your evaluation of the customer support service. The legal basis for processing your data for this purpose is our contract with you (Art. 6(1)(b) of the GDPR and the UK GDPR) and our legitimate interest (Art. 6(1)(f) of the GDPR and the UK GDPR).
1.9 Data exposure report
If you use our data exposure report service, we will collect personal identifiers such as your email address, phone number, and optionally your address. Once the scan is complete, we will send you a report detailing which data brokers, spam lists, and breach databases have exposed your personal information. The legal basis for processing your data for this purpose is our contract with you (Art. 6(1)(b) of the GDPR and the UK GDPR).
1.10 Dispute resolution
We may have to protect our legitimate interests and legal rights in case there is a dispute between you and us. In these cases, we may be required to collect and store a limited amount of certain information: email address, subscription information, legal documents, communication with you and other information related to the disputed situation. Please note that we do not collect and store this information by default. We only store this information in cases in which a dispute has been raised, a court proceeding, legal claim or other legal action has been or is likely to be initiated.
1.11 Marketing and other communications
To send you offers, security alerts, and other marketing content, and to ensure you get the best Ongeist offers and updates, we collect your registration email address, the content of the email letter, and the date and time the email letter was sent. The legal basis for processing this personal data is your consent (Art. 6(1)(a) of the GDPR and the UK GDPR) or our legitimate interest to conduct marketing activities (Art. 6(1)(f) of the GDPR and the UK GDPR). We will process your information for this purpose until we receive your opt-out request. Additionally, to help you with your order, we might send an email letting you know if a purchase was not completed (an unfinished order), which is based on our legitimate interest in improving your experience with us and assisting you with any issues related to your orders. If you do not wish to receive marketing emails from us, you can opt out by clicking 'unsubscribe' at the bottom of any correspondence or by contacting support@ongeist.com. However, even if you opt out of marketing, we will continue to communicate with you for essential service delivery, to address your inquiries, and to provide transactional product or service-related updates, such as updates on the status of your data removal requests.
1.12 Market Research and Internal Analytics
To better understand your needs, analyze sales, and identify business trends, we create aggregated statistical data and conduct market research. This analysis helps us improve our services and operate our business more effectively. For these purposes, we aggregate and anonymize the data we collect, maintaining and using it strictly in a de-identified, non-personal form. Our legal basis for processing this anonymized data is our legitimate interest in improving our business operations (Art. 6(1)(f) of the GDPR and the UK GDPR). Because this information is completely anonymized and can no longer identify you, we may retain and process it indefinitely. As part of this internal analytics, we set a functional, server-side HttpOnly cookie named 'geist_visitor' the first time you visit our onboarding flow. The cookie stores a randomly generated anonymous identifier (UUID) and is used solely to measure step-by-step drop-off and completion rates within our own onboarding funnel. It contains no personal data, is not shared with any third party, is not used for advertising or cross-site tracking, and expires after 90 days. Raw event data is automatically deleted after 90 days; only aggregated statistics are retained.
2. Sharing your personal information
We do not sell your personal information and have not done so in the past 12 months or at any time in the past.
The primary function of the Ongeist Service is to act on your behalf to contact data brokers and website owners, enabling the exercise of your privacy rights. To successfully process removal requests, we must transmit certain personal information (name, email address, address) to these third parties so they can locate your profile and remove your information. We strictly limit the information shared to only what is required by these entities to verify your identity and process the opt-out or deletion request under applicable privacy laws. Please note that once your information is transmitted for this purpose, these data brokers and website owners act as independent data controllers governed by their own privacy policies.
We collaborate with several trusted partners (data processors) to deliver and enhance our Service and share your personal information with them for business purposes necessary for each partner to fulfill their role. We share your personal information with the following recipients (data processors):
Stripe, Inc. (United States)
Payment processing. Data shared: subscription ID, subscription creation date, validity date, transaction date, payer's IP address, credit card number, credit card owner's full name.
Supabase, Inc. (United States)
Database infrastructure and authentication. Data shared: account information, breach records, monitoring data, testament data (encrypted).
Vercel, Inc. (United States)
Hosting and edge functions. Data shared: technical request data, IP addresses.
Resend, Inc. (United States)
Transactional email delivery. Data shared: your email address and email content.
Anthropic, PBC (United States)
AI-powered text generation for security reports and GDPR letters. Zero data retention — your data is processed to generate output only and is not stored or used for training.
Cloudflare, Inc. (United States)
Security, bot protection (Turnstile), and file storage (R2 for Digital Testament PDFs). Data shared: IP addresses, technical request data.
GoCardless Ltd. / Nordigen (United Kingdom / European Union)
PSD2-licensed banking API for optional bank account connection. Data shared: read-only transaction data with your explicit consent only.
ipapi.co
IP geolocation for onboarding display purposes. Data shared: IP address. No personal data stored.
When your data is transferred outside the European Economic Area (EEA), we apply appropriate safeguards to ensure that your personal data is transferred and processed in line with the applicable privacy laws. The measures include signing Standard Contractual Clauses approved by the European Commission and considering the adequacy of decisions issued by the European Commission.
3. Your privacy rights
You have certain privacy rights regarding the collection and processing of your data that can be exercised by contacting us at support@ongeist.com.
California residents
Right to Access/Know
You have the right to request what personal information we have collected, used, disclosed, and sold about you, unless doing so proves impossible or would involve disproportionate effort.
Right to Deletion
You have the right to request the deletion of your personal information that we collect or maintain, subject to certain exceptions.
Right to Correct
You have the right to correct inaccurate personal information that we collect or maintain.
Right to Opt Out of Sale/Sharing
You have the right to opt out of the sale or sharing of your personal information to third parties for behavioral advertising. We do not sell your personal information.
Right to Non-Discrimination
You have the right to not receive discriminatory treatment if and when you exercise your privacy rights under the CCPA.
Contact: support@ongeist.com
Individuals in the European Union and United Kingdom
Right to access
You have the right to access your personal data or receive a copy of it by contacting us.
Right to rectification
The right to have any inaccurate personal data corrected and any incomplete personal information completed.
Right to erasure
The right to delete your personal data specified in this Privacy Policy, unless we are legally required or we have a legal basis to maintain certain personal information.
Right to restriction of processing
If you believe that your personal data is inaccurate, that our processing is unlawful, or that we do not need your personal data for a specific purpose, you have the right to request that we restrict the processing of this personal data.
Right to object
The right to object to the processing of your personal data when that processing is based on our legitimate interests. To exercise this right, you must reference your personal circumstances that justify the objection.
Right to data portability
You have the right to request that we transfer the personal data you have provided to us to another organization or directly to you, where technically feasible.
Right to lodge a complaint
You have the right to complain to a data protection authority. If you are located in the UK, you have the right to lodge a complaint with the Information Commissioner's Office. If you are located in the EU, you have the right to lodge a complaint with the relevant Supervisory Authority. In Germany, this is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI).
Right to withdraw consent
If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal.
Contact: support@ongeist.com
4. Data retention
We store your personal information for the minimum period necessary for a specific purpose before deleting it permanently. We apply different retention periods depending on the purpose for which your personal information is processed, as detailed above.
Cookies and other trackers
In line with the retention periods described in our Cookie Policy.
Account and service data (sections 1.2, 1.3, 1.4, 1.5, 1.6, 1.9)
No longer than 24 months after the termination of providing our Service or until you ask us to delete it and there are no legal restrictions preventing us from doing so.
Customer support data (section 1.8)
Up to 6 years following the receipt of your message or request, based on the standard statute of limitations for legal claims.
Dispute resolution data (section 1.10)
2 years or until the dispute is ultimately resolved or a final decision by a competent authority is made, whichever occurs later.
AI-generated security reports (section 1.7)
30 days, after which they are automatically deleted.
Digital Testament data (section 1.3)
Until account cancellation or upon your explicit deletion request.
5. Contact us
For more information about our privacy practices, or if you have questions, please contact us by email at support@ongeist.com.
Dobalo, Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, United States of America.
For EU/UK users: As we are in the process of establishing a formal EU representative, all data protection inquiries should be directed to support@ongeist.com. We are committed to responding to all privacy-related requests within the timeframes required by applicable law.