Privacy Policy
How Newfect collects, uses, and protects account and project data across the opportunity-to-article workflow.
Last updated: May 8, 2026
1. Data Controller
The data controller responsible for processing personal data on this platform is:
48DESIGN GmbH
Gartenstr. 4, 75045 Walzbachtal
Email: info@newfect.com
2. Data We Collect and Why
2.1 Account Data
When you register, we collect your name, email address, and a hashed password. We also record the date and time you accepted this Privacy Policy.
Legal basis: Art. 6(1)(b) GDPR — necessary to perform the contract (providing the service).
Retention: Until you delete your account.
2.2 Project & Business Data
You can create projects containing your business name, website URL, keywords, location, target customer descriptions, and writing-style preferences. This data is used solely to generate content opportunities and articles for you.
Legal basis: Art. 6(1)(b) GDPR.
Retention: Until you delete the project or your account.
2.3 Usage Data
We log which actions you perform (e.g. article generation, opportunity generation) and how many API tokens were consumed, in order to enforce plan limits and display usage statistics.
Legal basis: Art. 6(1)(b) GDPR.
Retention: 2 years, then automatically deleted.
2.4 Payment Data
Stripe customer and subscription IDs are stored in our database to link your account to your subscription. Your actual payment details (card number, bank details) are processed and stored exclusively by Stripe and never touch our servers.
Legal basis: Art. 6(1)(b) GDPR.
Retention: Until you delete your account; Stripe retains billing records per their own retention policy.
2.5 Security Logs (Login Attempts)
Failed login attempts are logged (email address used + timestamp) to protect accounts from brute-force attacks.
Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in securing user accounts.
Retention: 30 days, then automatically deleted.
2.6 WordPress Credentials
If you connect a WordPress site, the Application Password you provide is encrypted (AES-256-CBC) before storage. It is used only to push articles to your site and is never shared with third parties.
Legal basis: Art. 6(1)(b) GDPR.
Retention: Until you disconnect the site or delete your account.
2.7 Cookies and Browser Storage
We use the following technically necessary storage mechanisms:
- lang cookie — stores your language preference (e.g. en or de). Expires after 1 year. Legal basis: Art. 6(1)(f) GDPR / strictly necessary.
- token in localStorage — stores your session token (JWT) so you remain logged in. Cleared when you sign out or after 30 days. Legal basis: Art. 6(1)(b) GDPR / strictly necessary.
- notice_dismissed in localStorage — records that you dismissed the cookie notice banner. Legal basis: Art. 6(1)(f) GDPR / strictly necessary.
We use a self-hosted instance of Matomo Analytics to understand how visitors navigate the public pages of this site. No cookies are set; the analysis relies on anonymised data only. Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in improving the product.
You can opt out of statistical analysis at any time using the controls below.
2.8 Sign in with Google
If you choose “continue with Google”, we load Google Identity Services only after your explicit checkbox consent in the login/register form. Google then processes technical connection data (such as IP address, browser metadata, and the Google account identity token) to authenticate you and provide your Google account identifier, email address, display name, and optional profile image to us. We use this data solely for authentication and account linking.
Legal basis: Art. 6(1)(a) GDPR (consent for loading Google identity resources) and Art. 6(1)(b) GDPR (authentication required to provide the service).
Retention: Google-derived account fields are stored until you delete your account. You can stop using Google sign-in at any time by using password login and requesting account deletion if desired.
3. Third-Party Processors
We use the following sub-processors. Each has been assessed for an adequate level of data protection. By using this service you acknowledge this processing.
| Processor | Purpose | Country | Privacy Policy |
|---|---|---|---|
| OpenAI | AI-generated article content. Your project description, keywords, and business context are sent as part of the prompt. | USA (SCCs / EU DPA) | openai.com |
| Stripe | Payment processing and subscription management. | USA / EU (SCCs) | stripe.com |
| Google Identity Services | User authentication via “Sign in with Google”. Google account identity data is used to sign you in and link your account. | USA (SCCs) | google.com |
| SerpAPI | SERP data and Google Trends data for keyword research. Keywords and location are transmitted; no personal data. | USA (SCCs) | serpapi.com |
| Brave Search API | SERP data for keyword research. Keywords and location are transmitted; no personal data. | USA (SCCs) | brave.com |
| Exa | SERP data for keyword research. Keywords and location are transmitted; no personal data. | USA (SCCs) | exa.ai |
| Reddit API | Public Reddit posts for trend analysis. Keywords are transmitted; no personal data. | USA (SCCs) | reddit.com |
SCCs = EU Standard Contractual Clauses per Art. 46(2)(c) GDPR.
4. Your Rights
Under the GDPR you have the following rights regarding your personal data:
- Art. 15 — Right of Access: You can request a copy of all data we hold about you. Use the "Download my data" button in your account settings.
- Art. 16 — Right to Rectification: You can correct your name and email in your account settings at any time.
- Art. 17 — Right to Erasure: You can permanently delete your account and all associated data via account settings.
- Art. 18 — Right to Restriction: You may request that we restrict processing of your data in certain circumstances.
- Art. 20 — Right to Data Portability: You can download your data as a machine-readable JSON file via account settings.
- Art. 21 — Right to Object: You may object to processing based on legitimate interests (Art. 6(1)(f)).
To exercise any right not available in self-service, contact us at: info@newfect.com
You also have the right to lodge a complaint with the competent supervisory authority (Landesdatenschutzbehörde) in your country of residence.
5. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email. Continued use of the service after changes constitutes acceptance of the updated policy.