All legal docs
Compliance
ROPA / Verzeichnis von Verarbeitungstätigkeiten
GDPR/DSGVO Article 30 processing records
- Brand
- Nidai
- Owner / Inhaber
- Mohamed Essam Mohamed Shafey
- Address / Anschrift
- Frankfurter Allee 281, 10317 Berlin, Germany
- Website
- https://nidai.eu
- Email / E-Mail
- hallo@nidai.eu
- Phone / Telefon
- +49 157 51456670
- Legal form / Rechtsform
- Einzelunternehmen (sole proprietorship, not registered in the commercial register)
- VAT / USt.
- VAT is not charged pursuant to § 19 UStG (Kleinunternehmerregelung).
- Tax / Steuer
- Steuernummer pending; USt-IdNr. pending.
Purpose
This record documents Nidai processing activities as controller and processor. It should be reviewed whenever a new service, customer category, sub-processor, AI model provider, hosting location, or data category is added.
A. Controller-Side Processing by Nidai
| Activity | Purpose | Data subjects | Personal data | Legal basis | Recipients | Retention |
|---|---|---|---|---|---|---|
| Website and inbound lead handling | Present services, answer inquiries, arrange demos | Website visitors, prospects | Name, email, phone if provided, company, IP/log data, message content | Art. 6(1)(b) precontractual steps; Art. 6(1)(f) legitimate interest | Hosting, email provider, CRM/internal tools | Leads: 24 months after last contact unless earlier deletion requested; logs: 30–180 days |
| Customer account and contract administration | Create and manage B2B customer accounts, contracts and support | Customer admins, billing contacts, employees | Name, role, email, organization, usage metadata, support tickets | Art. 6(1)(b) contract; Art. 6(1)(c) legal obligations | Database/hosting provider, payment provider, email provider, support tools | Contract term + statutory limitation/accounting retention periods |
| Billing and payment | Subscriptions, invoices, payment collection, bookkeeping | Customer billing contacts | Billing address, VAT/tax data, payment metadata, invoices | Art. 6(1)(b), Art. 6(1)(c) | Payment provider, tax advisor/accounting tools | Generally 10 years for accounting/tax records where required |
| Marketing to B2B contacts | Inform prospects/customers about Nidai services | Business contacts | Name, business email, company, interaction history | Art. 6(1)(f) legitimate interest or consent where required | Email provider | Until objection/unsubscribe or 24 months inactivity |
| Security and abuse prevention | Protect systems, detect misuse, investigate incidents | Users, visitors, attackers | IP, device/browser data, logs, login events, audit trails | Art. 6(1)(f) security interest; Art. 32 GDPR | Hosting/security providers | 30–180 days; longer if incident investigation requires |
B. Processor-Side Processing for Customer Services
| Service | Purpose on customer instruction | Data subjects | Data categories | Special categories? | Retention/default deletion |
|---|---|---|---|---|---|
| AI Document Processing (Nidai DocuFlow) | Extract invoice/receipt data, validate fields, prepare DATEV/Lexware exports | Customer employees, suppliers, invoice recipients, business contacts | Invoices, receipts, tax IDs, addresses, IBANs, amounts, emails, attachments, audit metadata | Possible if invoices contain health/union/etc. data; generally avoid/minimize | Customer-configured; default deletion/export archive rules in order form; accounting retention may apply to customer |
| Company Knowledge Assistant (Nidai Brain) | Index internal documents and generate cited answers | Customer employees, clients, suppliers, third parties named in documents | Documents, emails, SOPs, manuals, embeddings, questions, answer logs, access metadata | Possible depending on uploaded documents; customer must classify data | Per customer configuration; delete workspace on termination after export window |
| Business Portals & Dashboards (Nidai Portal Studio) | Operate custom portals/dashboards where Nidai hosts or maintains them | Portal users, customer staff, applicants/clients/project parties | Depends on portal: login data, uploaded files, workflow status, comments | Depends on project; document in project annex | Project-specific |
| Web Apps & SaaS Development (Nidai Studio) | Build/operate AI websites, MVPs and integrations | End users, customer staff, prospects | Project-specific | Project-specific | Project-specific |
| AI Receptionist | Customer communication, appointment workflows and related notifications | Callers/customers, provider staff | Names, phone numbers, booking info, messages, transcripts/audio if enabled | Avoid unless explicitly agreed; clinic use requires stronger controls | Call/audio retention must be short by default unless customer chooses otherwise |
C. Transfers and Sub-processors
Nidai must maintain a current sub-processor list and obtain customer authorization under the AVV before using sub-processors for customer data. International transfers require appropriate safeguards, e.g., EU hosting, SCCs, EU-US Data Privacy Framework where applicable, and transfer risk review for sensitive use cases.
D. Review Checklist
- Review every 6 months and before launching any new service.
- Confirm data categories and retention per signed customer order form.
- Confirm sub-processors and hosting regions match public list.
- Check whether a DPIA/DSFA is required for high-risk processing.
- Record decisions and approvals in an internal compliance folder.