Privacy Policy

CDC Holding UG (haftungsbeschränkt)

Effective: February 25, 2026


Thank you for your interest in our service. The protection of your personal data is a top priority for the management of CDC Holding UG (haftungsbeschränkt). The use of our web application is generally possible without providing personal data; however, if you wish to use our services such as workspace collaboration or AI-powered analysis tools, the processing of personal data is required.

The processing of personal data, such as your name, your e-mail address or your workspace data, is always carried out in accordance with the General Data Protection Regulation (GDPR) and the country-specific data protection regulations that apply to us. With this privacy policy, we would like to inform you about the type, scope and purpose of the personal data we collect, use and process. You will also be informed about your rights.

As the controller, we have implemented numerous technical and organizational measures to ensure that the personal data processed via this web application is protected as completely as possible. Nevertheless, Internet-based data transmissions can generally have security gaps, meaning that absolute protection cannot be guaranteed.


1. Definitions

The data protection declaration is based on the terms used in the General Data Protection Regulation (GDPR). Our privacy policy should be easy to read and understand for both the public and our users.

a) Personal data

Personal data is any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the data subject.

b) Data subject

Data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible for the processing.

c) Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

d) Controller

The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

e) Processor

Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

f) Consent

Consent is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.


2. Name and address of the controller

The controller within the meaning of the General Data Protection Regulation and other national data protection laws as well as other data protection regulations is:

CDC Holding UG (haftungsbeschränkt)
Gottfried-von-Cramm-Weg 45
14193 Berlin
Germany

Represented by: Clemens Chaskel, Managing Director

E-mail: hello@innovationflow.app
Website: https://www.innovationflow.app


3. Data protection contact

If you have any questions about data protection, please contact:

Data protection contact: E-mail: hello@innovationflow.app

Data Protection Officer (DPO): Due to our current company size and the nature of our data processing activities, we are not legally required to appoint a Data Protection Officer pursuant to Art. 37 GDPR. For all data protection inquiries, please contact us at hello@innovationflow.app.


4. Infrastructure and data storage

4.1 Our technology infrastructure

We take data security and data protection seriously. Our services are based on a robust, GDPR-compliant infrastructure to protect your personal data.

4.2 Primary database and hosting

Database provider: EU-based cloud infrastructure provider (PostgreSQL)

  • Location: European Union (Frankfurt, Germany)
  • Certifications: SOC 2 Type II certified, GDPR-compliant
  • Security: All data is encrypted at rest and in transit
  • Data processing: We have concluded a data processing agreement (DPA) with our database provider

Application hosting: EU-based application hosting provider

  • Location: European Union / Global Edge Network
  • Services: Application hosting, frontend provisioning, serverless functions
  • Security: Encryption at rest and in transit
  • Data processing: GDPR-compliant hosting with corresponding data protection guarantees

4.3 File storage

User-uploaded files and workspace data are stored with our cloud infrastructure provider:

  • Location: European Union (Frankfurt, Germany)
  • File types: Workspace exports, organizational assets, user avatars
  • Security: All files are stored and transferred encrypted
  • Access control: Role-based access control restricts access to authorized users

4.4 Backup and restore

  • Location: European Union (same region as primary data)
  • Frequency: Automatic daily backups
  • Retention period: Backups are retained for 90 days
  • Encryption: All backups are encrypted

4.5 Data processing agreements

We have concluded data processing agreements (DPAs) with all our infrastructure providers to ensure the following:

  • Processing only in accordance with our instructions
  • Appropriate technical and organizational security measures
  • Support for requests from data subjects
  • Reporting procedures in the event of data breaches
  • Compliance with the requirements of Art. 28 GDPR

5. Cookies, SessionStorage and LocalStorage

5.1 Essential cookies and storage

We use session management cookies and browser storage for:

  • Maintaining your login session
  • Storing your preferences and settings
  • Enabling the core functionality of the application
  • Caching data for better performance

These are essential for the operation of our services and cannot be disabled without affecting functionality.

5.2 Cookie management

You can prevent the use of cookies, localStorage and sessionStorage at any time via your browser settings. Please note that if you deactivate cookies, not all functions of our application may be fully usable.


6. Collection of general data and information

Our web application collects a range of general data and information each time it is accessed. This general data and information is stored in the server log files. The following can be recorded:

  1. Browser types and versions used
  2. The operating system used
  3. The website from which an accessing system reaches our site (referrer)
  4. The sub-websites which are accessed
  5. The date and time of access
  6. An internet protocol address (IP address)
  7. The Internet service provider
  8. Screen resolution and viewport information
  9. Device type (desktop, tablet, mobile)

Storage period of log files: Server log files are stored for 12 months for security and system optimization purposes and then automatically deleted.


7. Registration and account management

7.1 Registration methods

Registration with InnovationFlow.app can take place via email and password, or via third-party authentication providers (such as Google OAuth or Microsoft/Azure OAuth).

Data provided by you: E-mail address, password (stored hashed, never in plain text), display name (optional).

Automatically collected information: IP address at registration, date and time of registration, browser information, unique account identification (UUID).

7.2 Purpose

By registering, you enable us to provide personalized services, authenticate your identity, enable workspace collaboration, provide AI-powered analysis features, and communicate with you about your account and our services.

7.3 Legal basis

  • Article 6(1)(b) GDPR: Processing is necessary for the performance of a contract
  • Article 6(1)(a) GDPR: You have given your consent
  • Article 6(1)(f) GDPR: Processing is necessary for our legitimate interests (fraud prevention, account security)

7.4 Account data management

You can at any time view your account information, customize your settings, or request the deletion of your account and associated data.

7.5 Account deletion

Your account will be deactivated immediately after a deletion request. Personal data will be deleted within 30 days. Backup copies may be retained for up to 90 days.


8. Workspace and tool data

8.1 Data collected

When you use InnovationFlow.app, we collect and process workspace data (organization/workspace names and configurations, member lists and role assignments, process templates and workflow graph data), tool data (all content created within your workspaces and tools), and user settings.

8.2 Purpose

We process your workspace and tool data for service provision, real-time collaboration, AI assistance, technical support, and service improvement.

8.3 Legal basis

  • Article 6(1)(b) GDPR: Performance of the contract
  • Article 6(1)(f) GDPR: Legitimate interests (service improvement)

9. AI services

9.1 AI-powered features

Our application integrates artificial intelligence for PESTLE analysis (suggesting trends), trend radar (suggesting emerging trends), and idea cloud (AI-powered thematic clustering).

9.2 AI service provider

We use third-party AI service providers. Data sent to AI providers is used solely for generating responses and is not used for model training.

9.3 Data sent to AI providers

When using AI features, only tool content relevant to the specific AI task and session identifiers (not linked to your personal identity) are sent. Your full name, email address, and unrelated data are NOT sent.

9.4 Security measures

All data transmitted to AI providers is encrypted during transmission (TLS 1.3) with secure API connections.

9.5 Disclaimer

AI outputs do not replace professional business strategy advice, may contain errors, and should be verified with qualified professionals.


10. Analytics

During the Early Access phase, InnovationFlow.app uses minimal internal analytics. No external third-party analytics services are currently active. If we integrate third-party analytics in the future, this privacy policy will be updated accordingly.


11. International data transfers

Your personal data is primarily stored and processed in the European Union (Frankfurt, Germany). Some service providers (AI services) are located outside the EEA. We use EU-approved Standard Contractual Clauses (SCCs) for all international transfers.

Contact hello@innovationflow.app for more information about our international data transfers.


12. Routine erasure and blocking of data

The controller processes and stores personal data only for the period necessary to achieve the purpose of storage or as required by law.


13. Rights of the data subject

You have the following rights under GDPR:

  • Right to confirmation — whether personal data is being processed
  • Right to information (Art. 15) — access to stored personal data
  • Right to rectification (Art. 16) — correction of inaccurate data
  • Right to erasure (Art. 17) — deletion of personal data ("right to be forgotten")
  • Right to restriction (Art. 18) — restrict processing
  • Right to data portability (Art. 20) — receive data in machine-readable format
  • Right to object (Art. 21) — object to processing
  • Right to withdraw consent — at any time

We respond to all data subject rights requests within 30 days. Contact: hello@innovationflow.app


14. Legal basis for processing

Processing is based on Art. 6(1)(a) GDPR (consent), Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(c) GDPR (legal obligation), and Art. 6(1)(f) GDPR (legitimate interests).


15. Retention periods

Data category: Retention period

  • Account data: While account is active; anonymized within 30 days of deletion
  • Workspace and tool data: While account is active; anonymized within 30 days of deletion
  • AI interaction data: While account is active; deleted on termination
  • Analytics data (internal): 14–26 months; automatically deleted
  • Server log files: 12 months; automatically deleted
  • Financial transaction records: 10 years (§ 147 AO, § 257 HGB)
  • Backup copies: 90 days; automatically purged

16. Data security measures

Technical: Encryption at rest and in transit (TLS 1.3, AES-256), role-based access controls, row-level security policies, security monitoring, EU infrastructure.

Organizational: Security guidelines, confidentiality agreements, restricted data access, supplier management, regular audits.


17-19. DPIA, Data Breaches, Protection of Minors

We conduct Data Protection Impact Assessments for high-risk processing. In the event of a data breach, we notify the supervisory authority within 72 hours. Our services are intended for users at least 18 years old.


20. Changes to this privacy policy

We may update this statement from time to time. Material changes will be communicated by clear notice on the website and e-mail notification.


21. Contact information

CDC Holding UG (haftungsbeschränkt)
Gottfried-von-Cramm-Weg 45
14193 Berlin, Germany

E-mail: hello@innovationflow.app


22. Supervisory authority

Berlin Commissioner for Data Protection and Freedom of Information
Alt-Moabit 59-61, 10555 Berlin, Germany
Website: https://www.datenschutz-berlin.de

You can also contact the data protection authority in your country of residence or place of work.


As of: February 2026 — Document version: 1.2.0-early-access
