Privacy Policy
Last updated: May 1, 2026. This notice is not legal advice and must be reviewed by qualified counsel before production launch.
Controller
Impersona GmbH, Germany, is the intended controller for this service. Until the final company address is published, privacy requests go to privacy@impersona.io and legal notices go to legal@impersona.io. A Data Protection Officer is not currently appointed because the MVP does not require one; this will be reassessed as processing volume grows.
Data, purposes, and lawful bases
- Account email, name, organization, and session data: account creation and service delivery, Art. 6(1)(b) GDPR.
- Payment metadata handled by Stripe: subscription and tax records, Art. 6(1)(b) and Art. 6(1)(c) GDPR. We do not store raw card numbers.
- Brand domains, keywords, alerts, verdicts, and evidence packs: contracted brand monitoring, Art. 6(1)(b) GDPR.
- IP-derived rate-limit hashes and security logs: abuse prevention and service security, Art. 6(1)(f) GDPR.
- Contact form messages and support mail: answering your request, Art. 6(1)(b) or Art. 6(1)(f) GDPR.
- Prospect research, when enabled: legitimate interest in security outreach, Art. 6(1)(f) GDPR, subject to a balancing test, DPIA, suppression, and lawyer-reviewed templates.
Brand-check evidence boundary
When you submit a domain to the brand-check service, we analyze public domain, certificate, DNS, crawl, and website signals to determine whether related infrastructure may impersonate that brand. Evidence is associated with the submitted brand-monitoring workflow and is not used to profile individuals.
Recipients and transfers
- EU-hosted cloud infrastructure, platform services and storage
- Stripe Ireland, billing and subscription metadata
- PostHog EU or self-hosted, analytics after opt-in only
- EU-hosted AI services, verdict synthesis
- WHOIS, RDAP, CT, and NRD data providers, domain enrichment
Production infrastructure is hosted within the EU. If a provider requires a transfer outside the EEA, we will document the transfer mechanism before launch.
Retention
- Account data: account lifetime plus 30 days after deletion request unless law requires longer retention.
- Billing records: up to 7 years for tax and accounting obligations.
- Raw crawl evidence and brand-check report metadata: 30 days unless a shorter TTL is configured.
- Security logs: normally 14 to 90 days depending on the system.
Your rights
You may request access, rectification, erasure, restriction, portability, objection, and withdrawal of consent where consent applies. Authenticated users can export their data and request account deletion from Settings. You may complain to your competent supervisory authority, including the Baden-Wuerttemberg DPA if applicable.
Automated decision-making
Impersona.io uses deterministic signals and AI assistance to explain likely risk. The service does not make solely automated legal or similarly significant decisions about individuals under Art. 22 GDPR.