Privacy Policy
Effective date: March 1, 2025. Last updated: March 1, 2025.
§ 1 Overview
Wonderblogs is a B2B AI-powered content marketing engine operated by SKAJ Ventures GmbH. This Privacy Policy explains how we collect, use, store, and protect data when you use the Wonderblogs platform ("Service").
The Service processes limited personal data related to user accounts alongside business data such as AI-generated content, run execution logs, and account configurations. This Privacy Policy applies to the personal data portion in accordance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
§ 2 Data Controller
The data controller within the meaning of Art. 4(7) GDPR is:
SKAJ Ventures GmbHSonnenlandstraße 4
14471 Potsdam, Germany
Managing Director: Stefan Köhn
Email: datenschutz@wonderblogs.org
§ 3 Data We Collect
We collect and process the following categories of data:
3.1 Account Data (Personal Data)
- Email address
- Full name
- Password (stored as a bcrypt hash, never in plaintext). Users who register via Google OAuth do not have a password stored.
- User role (user or admin)
- Authentication provider (credentials or Google OAuth). For Google-authenticated users, email and name are received from Google during the OAuth flow.
3.2 Account Configurations (Business Data)
- Account name
- Target service URL and target webhook URL
- Target API key (encrypted at rest)
- Cron schedule configuration
- AI model preferences (provider and model selection)
3.3 AI-Generated Content (Business Data)
- Markdown blog posts
- SEO metadata (titles, descriptions, slugs)
- Tags and categories
3.4 Source File Uploads (Business Data)
When you trigger a content generation run, you may optionally attach a source document (PDF, TXT, MD, CSV, JSON, or XML). We extract the text content from the file and discard the original. The extracted text is stored alongside the run record and is processed by our AI providers (OpenAI, Anthropic, or Google, depending on your model selection) to generate the blog post. If the extracted text is large, we generate an AI summary which is also stored on the run record.
3.5 Run Execution Logs (Business Data)
- Workflow execution status and timestamps
- Step-by-step execution traces
- AI model feedback and evaluation scores
- Trigger type (manual, cron, or API)
3.6 Payment Data
Payment information (credit card numbers, billing addresses) is collected and processed exclusively by Stripe, Inc. We do not store payment card details on our servers. We retain only the Stripe customer ID, subscription ID, and plan information necessary for service delivery.
3.7 Brand Assistant Chat Data (Pseudonymized Data)
When visitors interact with a Brand Assistant chat widget embedded on a customer's website, we collect:
- Chat messages (user questions and AI-generated responses). User messages are scanned for personal information (emails, phone numbers) which is redacted before storage.
- A pseudonymized visitor identifier derived from a hash of the visitor's IP address and user agent string. We do not store raw IP addresses.
- Page URL where the conversation took place and basic session metadata (referrer, device type).
- Lead capture form submissions (name, email, message) when voluntarily provided by the visitor.
- Vector embeddings of knowledge base content, generated via OpenAI's text-embedding-3-small model, stored in PostgreSQL using the pgvector extension.
Chat conversations, lead submissions, and usage records are automatically deleted after 12 months. Knowledge base embeddings are retained until the associated source or site is deleted.
§ 4 Legal Basis for Processing
We process personal data on the following legal bases under the GDPR:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and authentication | Performance of contract | Art. 6(1)(b) |
| AI content generation and publishing | Performance of contract | Art. 6(1)(b) |
| Rate limiting and abuse prevention | Legitimate interest (security) | Art. 6(1)(f) |
| Billing data retention (10 years) | Legal obligation (§ 147 AO) | Art. 6(1)(c) |
§ 5 Account Data and Authentication
Wonderblogs supports two authentication methods:
- Email and password: User passwords are hashed using bcrypt with 12 rounds of salting before storage. We never store or transmit passwords in plaintext.
- Google OAuth: Users may sign up and sign in using their Google account. In this case, we receive your email address and name from Google during the OAuth flow. No password is stored for Google-authenticated users. We do not access your Google contacts, calendar, or any other Google data beyond your basic profile information (email and name).
Authentication sessions are managed via NextAuth v5 using JSON Web Tokens (JWT). Session tokens are issued upon successful login and are valid for 30 days. Sessions are stored client-side in a secure, HTTP-only cookie. The same session mechanism applies regardless of the authentication method used.
§ 6 AI Content Generation
Content is generated using AI language models provided by OpenAI (GPT-5.4, GPT-5 Mini, GPT-4.1), Anthropic (Claude Opus 4.6, Claude Sonnet 4.6, Claude Haiku 4.5), and Google (Gemini 2.5 Flash, Gemini 2.5 Pro, Gemini 3 Pro). The content generation process works as follows:
- Wonderblogs fetches context information (brand identity, content focus, instructions) from the Customer's target service URL.
- Research is performed using web search capabilities provided by OpenAI, Anthropic, and Google to gather up-to-date information on the topic.
- AI models generate blog post content in Markdown format, including SEO metadata and tags.
- Generated content is stored locally in the Wonderblogs database and pushed to the Customer's target webhook URL.
The context and instructions sent to AI providers may include business data from the Customer's target API. If this data contains personal information, a Data Processing Agreement (DPA) applies (see Terms of Service § 9).
§ 7 Run Logs and Execution Data
Each content generation run produces a step-by-step execution log recording the workflow progress, AI model responses, and evaluation feedback. These logs are used for debugging, quality assurance, and providing transparency into the content generation process.
Run logs are retained for 12 months from the date of creation and are automatically purged thereafter. No IP addresses, user agents, or other personal identifiers are collected as part of run log data.
API Request Logs
When you use the Wonderblogs REST API (endpoints under /api/v1/), we log the following data for each request for rate limiting, abuse prevention, and usage analytics:
- IP address of the requesting client
- User agent string
- API key identifier (not the key itself)
- Endpoint, HTTP method, and response status code
- Timestamp
This data is processed under Art. 6(1)(f) GDPR (legitimate interest) for security and abuse prevention. API request logs are retained for 12 months and are deleted when the associated site is deleted.
§ 8 Cookies and Local Storage
Wonderblogs uses only strictly necessary cookies:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| Session cookie (JWT) | User authentication | 30 days | Strictly necessary |
We do not use tracking cookies, analytics cookies, advertising cookies, or any third-party tracking technologies. No cookie consent banner is required as we only use strictly necessary cookies (ePrivacy Directive exemption).
§ 9 Third-Party Processors
We use the following third-party service providers to deliver the Service. Where required, Data Processing Agreements (DPAs) pursuant to Art. 28 GDPR are in place.
| Processor | Purpose | Data Location |
|---|---|---|
| Vercel, Inc. | Application hosting and serverless functions | EU |
| Neon, Inc. | PostgreSQL database hosting | EU |
| Stripe, Inc. | Payment processing and subscription management | EU / Ireland |
| Upstash, Inc. | Background job dispatch (QStash) and rate limiting (Redis) | EU |
| OpenAI, Inc. | AI content generation, web search (GPT-5.4, GPT-5 Mini, GPT-4.1), and text embeddings for Brand Assistant knowledge base (text-embedding-3-small) | US |
| Anthropic, PBC | AI content generation and web search (Claude Opus 4.6, Claude Sonnet 4.6, Claude Haiku 4.5) | US |
| Google LLC | OAuth authentication (Google Identity Services), AI content generation, image generation, and web search (Gemini 2.5 Flash, Gemini 2.5 Pro, Gemini 3 Pro) | US |
| Mailtrap (Railsware) | Transactional email delivery | EU |
| Cloudflare, Inc. | Bot protection (Turnstile), global CDN. Privacy-friendly, no tracking cookies. | Global / EU |
§ 10 Data Location
Application hosting (Vercel) and database storage (Neon PostgreSQL) are located in the European Union.
AI content generation involves sending prompts and context data to providers located in the United States (OpenAI, Anthropic, Google). These transfers are conducted in accordance with the EU-U.S. Data Privacy Framework or, where applicable, on the basis of Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
§ 11 Retention Schedule
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (email, name, password hash) | Until account deletion | Art. 6(1)(b) GDPR |
| Account configurations | Until account deletion | Art. 6(1)(b) GDPR |
| AI-generated content (posts) | Until account deletion | Art. 6(1)(b) GDPR |
| Run execution logs | 12 months | Art. 6(1)(f) GDPR |
| Verification / password reset tokens | 24 hours after expiry | Art. 5(1)(e) GDPR |
| Billing data (Stripe) | 10 years | § 147 AO (German tax law) |
| Brand Assistant chat conversations and messages | 12 months | Art. 6(1)(f) GDPR |
| Brand Assistant lead capture submissions | 12 months | Art. 6(1)(f) GDPR |
| Brand Assistant usage records | 12 months | Art. 6(1)(f) GDPR |
| Knowledge base embeddings | Until source or site deletion | Art. 6(1)(b) GDPR |
Free-tier or cancelled accounts that have been inactive for 24 months receive an inactivity warning. If no activity occurs within 30 days of the warning, the account and all associated data are permanently deleted.
§ 12 Data Subject Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): You may request information about the personal data we hold about you.
- Right to rectification (Art. 16 GDPR): You may request correction of inaccurate personal data via your account settings.
- Right to erasure (Art. 17 GDPR): You may request deletion of your personal data. Account deletion is available via Settings > Data & Privacy in the dashboard.
- Right to restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your personal data under certain conditions.
- Right to data portability (Art. 20 GDPR): You may request your personal data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR): You may object to the processing of your personal data based on legitimate interests.
To exercise any of these rights, please contact us at datenschutz@wonderblogs.org.
You also have the right to lodge a complaint with the competent supervisory authority:
Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht BrandenburgStahnsdorfer Damm 77
14532 Kleinmachnow, Germany
§ 13 Minimum Age
The Service is intended for business use only. You must be at least 18 years of age to create an account and use the Service. We do not knowingly collect personal data from individuals under 18.
§ 14 Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices or legal requirements. Material changes will be communicated to registered users via email at least 30 days before they take effect.
The current version of this Privacy Policy is always available at wonderblogs.org/privacy.
§ 15 Contact
For questions about this Privacy Policy or the processing of your personal data, please contact:
SKAJ Ventures GmbHData Protection
Sonnenlandstraße 4
14471 Potsdam, Germany
Email: datenschutz@wonderblogs.org