Privacy Policy
Effective date: March 1, 2025. Last updated: March 1, 2025.
§ 1 Overview
Wonderblogs is a B2B AI-powered content marketing engine operated by SKAJ Ventures GmbH. This Privacy Policy explains how we collect, use, store, and protect data when you use the Wonderblogs platform ("Service").
The Service processes limited personal data related to user accounts alongside business data such as AI-generated content, run execution logs, and account configurations. This Privacy Policy applies to the personal data portion in accordance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
§ 2 Data Controller
The data controller within the meaning of Art. 4(7) GDPR is:
SKAJ Ventures GmbH
Sonnenlandstraße 4
14471 Potsdam, Germany
Managing Director: Stefan Köhn
Email: datenschutz@wonderblogs.org
§ 3 Data We Collect
We collect and process the following categories of data:
3.1 Account Data (Personal Data)
- Email address
- Full name
- Password (stored as a bcrypt hash, never in plaintext)
- User role (user or admin)
3.2 Account Configurations (Business Data)
- Account name
- Target service URL and target webhook URL
- Target API key (encrypted at rest)
- Cron schedule configuration
- AI model preferences (provider and model selection)
3.3 AI-Generated Content (Business Data)
- Markdown blog posts
- SEO metadata (titles, descriptions, slugs)
- Tags and categories
3.4 Run Execution Logs (Business Data)
- Workflow execution status and timestamps
- Step-by-step execution traces
- AI model feedback and evaluation scores
- Trigger type (manual, cron, or API)
3.5 Payment Data
Payment information (credit card numbers, billing addresses) is collected and processed exclusively by Stripe, Inc. We do not store payment card details on our servers. We retain only the Stripe customer ID, subscription ID, and plan information necessary for service delivery.
§ 4 Legal Basis for Processing
We process personal data on the following legal bases under the GDPR:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and authentication | Performance of contract | Art. 6(1)(b) |
| AI content generation and publishing | Performance of contract | Art. 6(1)(b) |
| Rate limiting and abuse prevention | Legitimate interest (security) | Art. 6(1)(f) |
| Billing data retention (10 years) | Legal obligation (§ 147 AO) | Art. 6(1)(c) |
§ 5 Account Data and Authentication
User passwords are hashed using bcrypt with 12 rounds of salting before storage. We never store or transmit passwords in plaintext.
Authentication sessions are managed via NextAuth v5 using JSON Web Tokens (JWT). Session tokens are issued upon successful login and are valid for 30 days. Sessions are stored client-side in a secure, HTTP-only cookie.
§ 6 AI Content Generation
Content is generated using AI language models provided by OpenAI (GPT-5.4, GPT-5 Mini, GPT-4.1), Anthropic (Claude Opus 4.6, Claude Sonnet 4.6, Claude Haiku 4.5), and Google (Gemini 2.5 Flash, Gemini 2.5 Pro, Gemini 3 Pro). The content generation process works as follows:
- Wonderblogs fetches context information (brand identity, content focus, instructions) from the Customer's target service URL.
- Research is performed using web search capabilities provided by OpenAI, Anthropic, and Google to gather up-to-date information on the topic.
- AI models generate blog post content in Markdown format, including SEO metadata and tags.
- Generated content is stored locally in the Wonderblogs database and pushed to the Customer's target webhook URL.
The context and instructions sent to AI providers may include business data from the Customer's target API. If this data contains personal information, a Data Processing Agreement (DPA) applies — see Terms of Service § 9.
§ 7 Run Logs and Execution Data
Each content generation run produces a step-by-step execution log recording the workflow progress, AI model responses, and evaluation feedback. These logs are used for debugging, quality assurance, and providing transparency into the content generation process.
Run logs are retained for 12 months from the date of creation and are automatically purged thereafter. No IP addresses, user agents, or other personal identifiers are collected as part of run log data.
§ 8 Cookies and Local Storage
Wonderblogs uses only strictly necessary cookies:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| Session cookie (JWT) | User authentication | 30 days | Strictly necessary |
We do not use tracking cookies, analytics cookies, advertising cookies, or any third-party tracking technologies. No cookie consent banner is required as we only use strictly necessary cookies (ePrivacy Directive exemption).
§ 9 Third-Party Processors
We use the following third-party service providers to deliver the Service. Where required, Data Processing Agreements (DPAs) pursuant to Art. 28 GDPR are in place.
| Processor | Purpose | Data Location |
|---|---|---|
| Vercel, Inc. | Application hosting and serverless functions | EU |
| Neon, Inc. | PostgreSQL database hosting | EU |
| Stripe, Inc. | Payment processing and subscription management | EU / Ireland |
| Trigger.dev | Background job execution | EU / US |
| OpenAI, Inc. | AI content generation and web search (GPT-5.4, GPT-5 Mini, GPT-4.1) | US |
| Anthropic, PBC | AI content generation and web search (Claude Opus 4.6, Claude Sonnet 4.6, Claude Haiku 4.5) | US |
| Google LLC | AI content generation, image generation, and web search (Gemini 2.5 Flash, Gemini 2.5 Pro, Gemini 3 Pro) | US |
| Mailtrap (Railsware) | Transactional email delivery | EU |
§ 10 Data Location
Application hosting (Vercel) and database storage (Neon PostgreSQL) are located in the European Union.
AI content generation involves sending prompts and context data to providers located in the United States (OpenAI, Anthropic, Google). These transfers are conducted in accordance with the EU-U.S. Data Privacy Framework or, where applicable, on the basis of Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
§ 11 Retention Schedule
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (email, name, password hash) | Until account deletion | Art. 6(1)(b) GDPR |
| Account configurations | Until account deletion | Art. 6(1)(b) GDPR |
| AI-generated content (posts) | Until account deletion | Art. 6(1)(b) GDPR |
| Run execution logs | 12 months | Art. 6(1)(f) GDPR |
| Verification / password reset tokens | 24 hours after expiry | Art. 5(1)(e) GDPR |
| Billing data (Stripe) | 10 years | § 147 AO (German tax law) |
Free-tier or cancelled accounts that have been inactive for 24 months receive an inactivity warning. If no activity occurs within 30 days of the warning, the account and all associated data are permanently deleted.
§ 12 Data Subject Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): You may request information about the personal data we hold about you.
- Right to rectification (Art. 16 GDPR): You may request correction of inaccurate personal data via your account settings.
- Right to erasure (Art. 17 GDPR): You may request deletion of your personal data. Account deletion is available via Settings > Data & Privacy in the dashboard.
- Right to restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your personal data under certain conditions.
- Right to data portability (Art. 20 GDPR): You may request your personal data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR): You may object to the processing of your personal data based on legitimate interests.
To exercise any of these rights, please contact us at datenschutz@wonderblogs.org.
You also have the right to lodge a complaint with the competent supervisory authority:
Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg
Stahnsdorfer Damm 77
14532 Kleinmachnow, Germany
§ 13 Minimum Age
The Service is intended for business use only. You must be at least 18 years of age to create an account and use the Service. We do not knowingly collect personal data from individuals under 18.
§ 14 Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices or legal requirements. Material changes will be communicated to registered users via email at least 30 days before they take effect.
The current version of this Privacy Policy is always available at wonderblogs.org/privacy.
§ 15 Contact
For questions about this Privacy Policy or the processing of your personal data, please contact:
SKAJ Ventures GmbH
Data Protection
Sonnenlandstraße 4
14471 Potsdam, Germany
Email: datenschutz@wonderblogs.org