Skip to content
All legal docs

Compliance

ROPA / Verzeichnis von Verarbeitungstätigkeiten

GDPR/DSGVO Article 30 processing records

Brand
Nidai
Owner / Inhaber
Mohamed Essam Mohamed Shafey
Address / Anschrift
Frankfurter Allee 281, 10317 Berlin, Germany
Website
https://nidai.eu
Email / E-Mail
hallo@nidai.eu
Phone / Telefon
+49 157 51456670
Legal form / Rechtsform
Einzelunternehmen (sole proprietorship, not registered in the commercial register)
VAT / USt.
VAT is not charged pursuant to § 19 UStG (Kleinunternehmerregelung).
Tax / Steuer
Steuernummer pending; USt-IdNr. pending.

Purpose

This record documents Nidai processing activities as controller and processor. It should be reviewed whenever a new service, customer category, sub-processor, AI model provider, hosting location, or data category is added.

A. Controller-Side Processing by Nidai

ActivityPurposeData subjectsPersonal dataLegal basisRecipientsRetention
Website and inbound lead handlingPresent services, answer inquiries, arrange demosWebsite visitors, prospectsName, email, phone if provided, company, IP/log data, message contentArt. 6(1)(b) precontractual steps; Art. 6(1)(f) legitimate interestHosting, email provider, CRM/internal toolsLeads: 24 months after last contact unless earlier deletion requested; logs: 30–180 days
Customer account and contract administrationCreate and manage B2B customer accounts, contracts and supportCustomer admins, billing contacts, employeesName, role, email, organization, usage metadata, support ticketsArt. 6(1)(b) contract; Art. 6(1)(c) legal obligationsDatabase/hosting provider, payment provider, email provider, support toolsContract term + statutory limitation/accounting retention periods
Billing and paymentSubscriptions, invoices, payment collection, bookkeepingCustomer billing contactsBilling address, VAT/tax data, payment metadata, invoicesArt. 6(1)(b), Art. 6(1)(c)Payment provider, tax advisor/accounting toolsGenerally 10 years for accounting/tax records where required
Marketing to B2B contactsInform prospects/customers about Nidai servicesBusiness contactsName, business email, company, interaction historyArt. 6(1)(f) legitimate interest or consent where requiredEmail providerUntil objection/unsubscribe or 24 months inactivity
Security and abuse preventionProtect systems, detect misuse, investigate incidentsUsers, visitors, attackersIP, device/browser data, logs, login events, audit trailsArt. 6(1)(f) security interest; Art. 32 GDPRHosting/security providers30–180 days; longer if incident investigation requires

B. Processor-Side Processing for Customer Services

ServicePurpose on customer instructionData subjectsData categoriesSpecial categories?Retention/default deletion
AI Document Processing (Nidai DocuFlow)Extract invoice/receipt data, validate fields, prepare DATEV/Lexware exportsCustomer employees, suppliers, invoice recipients, business contactsInvoices, receipts, tax IDs, addresses, IBANs, amounts, emails, attachments, audit metadataPossible if invoices contain health/union/etc. data; generally avoid/minimizeCustomer-configured; default deletion/export archive rules in order form; accounting retention may apply to customer
Company Knowledge Assistant (Nidai Brain)Index internal documents and generate cited answersCustomer employees, clients, suppliers, third parties named in documentsDocuments, emails, SOPs, manuals, embeddings, questions, answer logs, access metadataPossible depending on uploaded documents; customer must classify dataPer customer configuration; delete workspace on termination after export window
Business Portals & Dashboards (Nidai Portal Studio)Operate custom portals/dashboards where Nidai hosts or maintains themPortal users, customer staff, applicants/clients/project partiesDepends on portal: login data, uploaded files, workflow status, commentsDepends on project; document in project annexProject-specific
Web Apps & SaaS Development (Nidai Studio)Build/operate AI websites, MVPs and integrationsEnd users, customer staff, prospectsProject-specificProject-specificProject-specific
AI ReceptionistCustomer communication, appointment workflows and related notificationsCallers/customers, provider staffNames, phone numbers, booking info, messages, transcripts/audio if enabledAvoid unless explicitly agreed; clinic use requires stronger controlsCall/audio retention must be short by default unless customer chooses otherwise

C. Transfers and Sub-processors

Nidai must maintain a current sub-processor list and obtain customer authorization under the AVV before using sub-processors for customer data. International transfers require appropriate safeguards, e.g., EU hosting, SCCs, EU-US Data Privacy Framework where applicable, and transfer risk review for sensitive use cases.

D. Review Checklist

  • Review every 6 months and before launching any new service.
  • Confirm data categories and retention per signed customer order form.
  • Confirm sub-processors and hosting regions match public list.
  • Check whether a DPIA/DSFA is required for high-risk processing.
  • Record decisions and approvals in an internal compliance folder.