Privacy Policy
Effective: 12 May 2026
Note: This English Privacy Policy is a non-binding translation provided for the convenience of international users. In the event of any discrepancy with the German version (Datenschutzerklärung), the German version prevails.
This Privacy Policy informs you about the nature, scope and purposes of the processing of personal data ("Data") by Sabia GmbH ("Sabia", "we") when you visit our website and use our platform at sabia.de (including subdomains).
1. Controller
Sabia GmbHStuckstraße 10
12435 Berlin
Germany
Represented by: Patrick Alex, Lukas Wagner
Commercial Register: Local Court of Berlin-Charlottenburg, HRB 286212 B
Email: founders@sabia.de
Sabia has not appointed a data protection officer as the statutory thresholds are not currently met. Data protection inquiries may be sent to the email address above.
2. Terminology and Legal Bases
(1) The terms used in this policy (in particular "personal data", "processing", "controller", "processor") correspond to the definitions in Article 4 GDPR.
(2) Where legal bases are mentioned below:
- Art. 6 (1)(a) GDPR — consent;
- Art. 6 (1)(b) GDPR — performance of a contract or pre-contractual measures;
- Art. 6 (1)(c) GDPR — legal obligation;
- Art. 6 (1)(f) GDPR — legitimate interests.
3. Processing When Visiting the Website
3.1 Server log files
When you access our website, the hosting provider automatically collects the following information in server log files:
- browser type and version,
- operating system,
- referrer URL,
- hostname of the accessing device,
- time of the server request,
- IP address (typically truncated).
Purpose: stable, secure operation, IT security, statistical evaluation.
Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in stable, secure operation).
Retention: log files are generally deleted after 30 days; longer retention only in anonymized form or in case of security incidents.
3.2 Cookies and tracking technologies
We use cookies and comparable technologies. Cookies are small data packages stored on your device.
We distinguish:
- Technically necessary cookies (e.g. session, login, language preference) — legal basis: § 25 (2) no. 2 TDDDG, Art. 6 (1)(f) GDPR. No consent required.
- Functional and analytics cookies (e.g. PostHog) — legal basis: § 25 (1) TDDDG, Art. 6 (1)(a) GDPR. Consent required; revocable at any time via the cookie banner.
The cookies used, their function and retention are disclosed transparently in the cookie banner / cookie settings.
4. Processing Within the Platform
4.1 Registration and user account
To use the platform you create a user account. We process the following data:
- email address,
- name, where applicable,
- authentication data (password hash, login tokens),
- additional profile information you voluntarily add,
- account activity metadata (e.g. login time, last activity).
Purpose: providing the user account, authentication, performance of the contract.
Legal basis: Art. 6 (1)(b) GDPR (performance of contract).
Retention: for the duration of the contractual relationship; on account deletion, data is deleted or anonymized unless statutory retention obligations apply.
4.2 Waitlist and Marketing Communications
If you sign up for the waitlist, we process your email address to send you a later invitation to the platform. If you have additionally consented to receive marketing communications (e.g. product updates, status reports, newsletters, news about Sabia), we also use your email address for that purpose.
Data processed: email address, name where applicable; metadata on sending and opening emails (e.g. send time, opens, clicks) to the extent you have separately consented.
Purposes and legal bases:
- Sending the platform invitation and managing the waitlist: Art. 6 (1)(b) GDPR (pre-contractual measure);
- Sending marketing communications (newsletter, product updates, news): Art. 6 (1)(a) GDPR (consent) in conjunction with § 7 (2) no. 3 UWG. Consent is voluntary and not a condition for entering the waitlist ("non-coupling principle");
- Performance measurement of marketing communications (open- and click-tracking): Art. 6 (1)(a) GDPR (separate consent), where obtained.
Withdrawal: You may withdraw your consent to marketing communications at any time with effect for the future — via the unsubscribe link in any email or by message to founders@sabia.de. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Retention: waitlist data until invitation and account activation or until withdrawal of consent; without activation, no longer than 24 months. Marketing consents and the proof of their grant are retained for the duration of the marketing relationship and to meet evidentiary obligations (Art. 5 (2), Art. 7 (1) GDPR) for up to 3 years after withdrawal.
4.3 Account and transaction data (WealthAPI / PSD2)
Within the platform we offer the option of retrieving account, securities and transaction data of your bank via the third-party provider WealthAPI. Retrieval is based on the PSD2 consent granted by you to WealthAPI. WealthAPI is a licensed account information service provider under the German Payment Services Supervision Act (ZAG) and acts as your own contracting party (account information service contract).
As part of this function, Sabia processes in particular:
- account holder data (name, account references),
- balances,
- transaction data (date, amount, purpose, counterparty),
- securities holdings and securities transactions.
Purpose: aggregation and visualization of your financial data within the platform.
Legal basis: Art. 6 (1)(b) GDPR (performance of contract); to the extent special categories of data may incidentally appear in transaction descriptions, additionally Art. 9 (2)(a) GDPR (consent).
Retention: for as long as you maintain the PSD2 consent or until you delete your account. You may withdraw consent at any time vis-à-vis WealthAPI or your bank; existing data will then be deleted or anonymized.
For further information on processing by WealthAPI, please refer to its privacy policy.
4.4 AI features (generative AI)
Within the platform we use generative AI services to process text inputs and generate general, non-individualized content (e.g. answering general financial questions, explaining terms). The following providers are used:
- Google Gemini API (Google Ireland Ltd. / Google LLC, USA),
- OpenAI API (OpenAI Ireland Ltd. / OpenAI LLC, USA) — fallback,
- Langfuse (Langfuse GmbH, Germany; potentially with US sub-processors) for logging / quality assurance of AI calls.
Conversational context for AI features (e.g. prior inputs within a session) is stored in our own EU-hosted database (Supabase, eu-west region); no transmission to external memory providers takes place.
What we transmit: your inputs (prompts) and context needed for a response (e.g. general profile information, prior conversation contributions).
What we do not transmit: your individual bank account, securities or transaction data is, as a rule, not transmitted in plain text to external AI providers; where aggregated information is needed, abstractions are used (categories, magnitudes).
Purpose: providing the AI features, quality assurance.
Legal basis: Art. 6 (1)(b) GDPR (performance of contract); for quality assurance and product improvement also Art. 6 (1)(f) GDPR (legitimate interest); for special categories of data, where applicable, Art. 9 (2)(a) GDPR (consent).
Training: the use of your inputs to train the providers' general models is contractually excluded where the providers offer an opt-out for enterprise/API access; we use the respective non-training-relevant tiers.
Retention: technical AI-call logs generally no longer than 30 days; conversational context in our EU-hosted database for the duration of the relevant session or until account deletion.
4.5 Product analytics (PostHog)
We use PostHog to collect pseudonymized usage statistics (e.g. how often which features are used). No account or transaction data content is processed.
Purpose: improvement of the platform, identification of errors and bottlenecks.
Legal basis: Art. 6 (1)(a) GDPR (consent via cookie banner).
Retention: generally no longer than 12 months.
4.6 Email contact / support
If you contact us by email, we process your data (name, email, content) to handle your request and any follow-up questions.
Legal basis: Art. 6 (1)(b) GDPR (pre-contractual / contractual) or Art. 6 (1)(f) GDPR (legitimate interest in efficient communication).
Retention: until conclusion of the matter; beyond that only as required by statutory retention obligations (generally max. 3 years).
5. Recipients / Processors
To provide the Service we use the following processors and other recipients. Art. 28 GDPR processor agreements are in place with all processors.
| Service | Provider / Location | Function | Third-country basis |
|---|---|---|---|
| Supabase | Supabase Inc., USA — data storage in EU region (eu-west) | Database, authentication, storage | EU hosting; SCC via Supabase DPA for any administrative access from the US (Supabase itself not DPF-certified) |
| Vercel | Vercel Inc., USA | Hosting, web application delivery, edge | DPF-certified (EU-U.S. Data Privacy Framework); SCC as supplement |
| WealthAPI | WealthAPI GmbH, Germany | Account/securities aggregation (PSD2) | EU |
| Google Gemini API | Google Ireland Ltd., Ireland / Google LLC, USA | Generative AI | Google LLC DPF-certified; SCC as supplement |
| OpenAI API | OpenAI Ireland Ltd., Ireland / OpenAI Inc. & OpenAI Global LLC, USA | Generative AI (fallback) | OpenAI DPF-certified (OpenAI Inc., OpenAI Global LLC); SCC as supplement |
| Langfuse | Langfuse GmbH, Germany | Logging of AI calls | EU; SCCs where US sub-processors are used |
| PostHog | PostHog Inc., USA / EU hosting (Frankfurt) | Product analytics | EU hosting (Frankfurt); additionally DPF-certified, SCC as supplement where US sub-processors are used |
A current, complete list of processors including sub-processors is available on request.
6. Third-Country Transfers
To the extent data is transferred to third countries (in particular the USA), this is based on:
- Standard Contractual Clauses of the EU Commission under Art. 46 (2)(c) GDPR,
- where applicable, the EU-US Data Privacy Framework adequacy decision (Art. 45 GDPR),
- and/or your explicit consent (Art. 49 (1)(a) GDPR).
A copy of the Standard Contractual Clauses is available on request.
7. Your Rights
You have the following rights vis-à-vis Sabia:
- access (Art. 15 GDPR),
- rectification (Art. 16 GDPR),
- erasure (Art. 17 GDPR),
- restriction of processing (Art. 18 GDPR),
- data portability (Art. 20 GDPR),
- objection to processing based on legitimate interests (Art. 21 GDPR),
- withdrawal of consent with effect for the future (Art. 7 (3) GDPR).
To exercise your rights an informal notice to founders@sabia.de is sufficient.
Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The authority responsible for Sabia is the Berlin Commissioner for Data Protection and Freedom of Information (Friedrichstr. 219, 10969 Berlin, https://www.datenschutz-berlin.de).
8. Obligation to Provide Data
The provision of data required for registration and performance of the contract (in particular email address, authentication data) is voluntary but necessary for use of the platform. Without this data the contract cannot be performed.
Linking with WealthAPI, the use of AI features and the receipt of marketing communications are voluntary and not a precondition for use of the platform. Functional and analytics cookies (e.g. PostHog) are set only with your explicit consent. Without these consents the corresponding functions are not available, or only to a limited extent; the remainder of the platform remains usable.
9. Automated Decision-Making, Profiling
There is no solely automated decision-making within the meaning of Art. 22 GDPR. The platform produces automated evaluations and visualizations, but these do not produce legal effects or similarly significant impacts on you.
10. Data Security
We implement technical and organizational measures to protect your data against unauthorized access, loss and manipulation. These include in particular:
- TLS encryption of data transmission,
- access restrictions on a need-to-know basis,
- two-factor authentication for administrative access,
- regular security reviews.
11. Changes to This Privacy Policy
We may adapt this Privacy Policy to reflect changes in the law, case law or our Service. The current version is available at https://www.sabia.de/datenschutz. For material changes you will additionally be informed by email or within the Service.
12. Objection to Advertising Emails
The use of contact data published in the imprint for the transmission of unsolicited advertising is hereby objected to. We reserve the right to take legal action in the event of unsolicited advertising mailings.
End of Privacy Policy.