Skip to content
Legal

PRIVACY POLICY

Last updated: March 2026

1. Privacy at a Glance

General Information

The following information provides a simple overview of what happens to your personal data when you visit this website or use our platform. Personal data is any data by which you can be personally identified (e.g., name, email address, IP address).

Data Collection on This Website

We process personal data for the following purposes: provision and operation of the website and platform, handling contact inquiries, conducting the beta program, evaluating surveys for product development, managing job applications, and web analytics. Details on each processing activity can be found in the following sections.

2. Data Controller

The entity responsible for data processing on this website and the ForestHub platform is:

ForestHub GmbH

Schluchseestrasse 25

78054 Villingen-Schwenningen

Email: root@foresthub.ai

The appointment of a Data Protection Officer is not legally required, as we employ fewer than 20 staff members who are regularly involved in the automated processing of personal data. For data protection inquiries, please contact us directly at root@foresthub.ai.

3. Your Rights

You have the following rights regarding your personal data:

  • Right of Access (Art. 15 GDPR): You may request information about your personal data processed by us.
  • Right to Rectification (Art. 16 GDPR): You may request the correction of inaccurate data or completion of incomplete data.
  • Right to Erasure (Art. 17 GDPR): You may request the deletion of your data, provided no statutory retention obligations apply.
  • Right to Restriction of Processing (Art. 18 GDPR): You may request the restriction of processing of your data.
  • Right to Data Portability (Art. 20 GDPR): You may receive your data in a structured, commonly used, and machine-readable format.
  • Right to Object (Art. 21 GDPR): You may object to the processing of your data based on Art. 6(1)(f) GDPR at any time.
  • Withdrawal of Consent (Art. 7(3) GDPR): Where processing is based on your consent, you may withdraw it at any time with effect for the future. The lawfulness of processing carried out prior to the withdrawal remains unaffected.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with the competent supervisory authority. The competent authority is the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (LfDI BaWü), Germany.

4. Hosting

This website is hosted by Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA). When you access our website, the hosting provider automatically collects information (server log files), including your IP address, pages accessed, date and time of access, and the browser used.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure and efficient provision of the website).

Data transfer to the USA: Vercel is certified under the EU-US Data Privacy Framework (DPF). Additionally, Standard Contractual Clauses (SCCs) are in place as a safeguard.

Retention period: Server logs are retained by Vercel for a maximum of 30 days.

5. SSL/TLS Encryption

This website uses SSL/TLS encryption for security purposes (indicated by "https://" in the address bar). This ensures that the transmission of your data between your browser and our server is protected from third-party access.

6. Contact Form

When you send us an inquiry via the contact form, we process the following data:

Data collected: Name, email address, company (optional), subject, message.

Purpose: Processing your contact inquiry and any follow-up questions.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries).

Processing: The data is stored in our Supabase database (EU region Frankfurt). Notification emails are sent via Resend (USA, DPF-certified).

Retention period: Your contact inquiry will be deleted 6 months after final processing, unless statutory retention obligations apply.

7. Beta Program

For registration in the beta program, we process the following data:

Data collected: Name, email address, and optionally mini-survey responses (industry, company size, primary use case).

Purpose: Management of the beta program, prioritization of participants, product development.

Legal basis: Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time by contacting us at root@foresthub.ai.

Processing: The data is stored in our Supabase database (EU region Frankfurt). Confirmation emails are sent via Resend.

Retention period: Your data will be retained until the end of the beta program plus 3 months, then deleted.

8. Extended Survey

As part of the beta program, you may participate in an extended survey:

Data collected: 7 questions about your infrastructure, requirements, and use cases. Drafts are saved locally in your browser (localStorage).

Purpose: Product development and understanding user needs.

Legal basis: Art. 6(1)(a) GDPR (consent through active submission of the survey).

Processing: The responses are stored in our Supabase database (EU region Frankfurt).

Retention period: 24 months after receipt, then anonymization for statistical analysis.

9. Job Applications

When you apply via our application form, we process the following data:

Data collected: Name, email address, phone number (optional), LinkedIn profile (optional), desired position, message, resume (PDF).

Purpose: Conducting the application process.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures in the context of the application process).

Processing: Form data is stored in our Supabase database. The resume (PDF) is not persistently stored but is forwarded exclusively as an email attachment via Resend to our team.

Retention period: 6 months after completion of the application process, then deletion. If you consent to inclusion in our talent pool, retention will be longer.

10. Third-Party Services

We use the following third-party services for operating the website and platform:

Supabase

Database service for form data and platform backend. Server location: EU (Frankfurt). A Data Processing Agreement (DPA) is in place.

Resend

Email delivery service for confirmations and internal notifications. Location: USA. Resend is certified under the EU-US Data Privacy Framework (DPF). A DPA is in place.

Cloudflare

CDN and DDoS protection. Location: USA. Cloudflare is certified under the EU-US DPF. A DPA is in place.

Firebase / Google Cloud Platform

Backend infrastructure for the ForestHub platform (authentication, database). A DPA with Google is in place.

Note: ForestHub does not use any AI service providers as sub-processors. AI integration nodes in the platform exclusively use the users' own API keys (see Section 16).

11. Web Analytics

Umami Analytics

We use Umami as our primary analytics tool. Umami is cookieless and does not store any personal data. No cookies are set and no IP addresses are stored. Hosting: EU. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in analyzing website usage).

Google Analytics 4 (GA4) via Google Tag Manager (GTM)

Additionally, we use GA4, but only with your consent via the cookie banner. GA4 uses cookies and transfers data to Google servers (USA). Google is certified under the EU-US DPF. Legal basis: Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time via the cookie banner.

12. Cookies and Local Storage

For details on cookies and localStorage entries used on this website, please see our Cookie Policy.

13. Spam Protection

To protect our forms from automated abuse, we use technical measures: a hidden honeypot field, rate limiting on form submissions, and timestamp validation. No data is transmitted to third parties and no external services (such as reCAPTCHA) are used.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protection against spam and abuse).

14. Automated Decision-Making

No automated decision-making including profiling within the meaning of Art. 22 GDPR takes place.

15. Data Processing During Platform Use

When using the ForestHub platform, we process the following data:

Data processed: Project files and workflow configurations, generated C code, usage data (last access, API calls, compilations), device information (Device Registry — user-entered metadata such as device type, firmware version).

Purpose: Provision and operation of the platform, technical service delivery.

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in improving the platform).

Processing: Data is stored in our Supabase database (EU region Frankfurt). Access to project content occurs only for the purpose of technical service delivery.

Retention period: For the duration of the usage relationship. After termination, there is a 30-day export period, after which data is deleted.

16. AI Integration Nodes

The ForestHub platform provides workflow nodes through which users can integrate external AI services (e.g., OpenAI, Google AI) into their projects. Integration is carried out exclusively via the users' own API keys. ForestHub only generates the C code for communication with the external service.

ForestHub has no access to: the users' API keys, the data transmitted to the AI service, or the results from the AI service. In this regard, no processing of personal data by ForestHub takes place.

The user is solely responsible for data processing by the external AI service. We recommend reviewing the privacy policy of the respective AI provider.

17. Transactional Emails

In the context of platform use, we send transactional emails (e.g., registration confirmation, password reset) via the service Resend.

Legal basis: Art. 6(1)(b) GDPR (contract performance). A Data Processing Agreement (DPA) with Resend is in place. For further details on Resend, see Section 10 (Third-Party Services).