Privacy Policy
Privacy policy of thirdmind GmbH.
Last updated: 15 June 2026
1. Introduction and overview
thirdmind GmbH provides this privacy policy under the General Data Protection Regulation (EU) 2016/679 and applicable national data protection laws to explain which personal data we process as controller and which rights you have.
This privacy policy applies when you visit our website, communicate with us, use Yuno, use the AI quick analysis, book an appointment, or interact with our social media profiles. The website is a custom-built Astro website hosted on Cloudflare Workers.
2. Scope
This privacy policy explains the type, scope, and purposes of personal data processing when you visit our website, contact us, use website functions, submit enquiries, or use our digital assistant and analysis functions.
Personal data means information under Article 4(1) GDPR relating to an identified or identifiable natural person. This may include name, email address, phone number, company affiliation, message content, technical access data, or usage data.
The scope of this policy includes in particular:
- our website and online presences,
- communication by email, phone, website functions, and social media,
- Yuno as website assistant,
- the AI quick analysis and personal report pages,
- appointment bookings and related calendar and email functions.
3. Legal bases
We process personal data only where there is a legal basis. We rely in particular on:
- Article 6(1)(a) GDPR: consent, for example for analytics cookies, comparable technologies, or voluntary contact and marketing consent.
- Article 6(1)(b) GDPR: contract or pre-contractual steps, for example when you send an enquiry, request an offer, request an analysis, or book an appointment.
- Article 6(1)(c) GDPR: legal obligations, for example tax or commercial retention obligations.
- Article 6(1)(f) GDPR: legitimate interests, for example secure website operation, abuse prevention, technical error analysis, documentation of business communication, and internal organisation.
Where information is stored on or accessed from your device, we also comply with applicable Austrian telecommunications rules. We use non-essential cookies and comparable technologies only after your consent.
4. Controller
thirdmind GmbH
Mollardgasse 70C / 5
1060 Vienna, Austria
Email: office@thirdmind.ai
Phone: +43 1 890 80 93
5. Storage period and deletion
We store personal data only for as long as required for the respective purpose or as long as statutory retention obligations apply. When the purpose ceases to apply or a legal retention period expires, we delete or restrict the data according to legal requirements.
General retention periods
| Data category | Legal basis | Retention or deletion period |
|---|---|---|
| Contact enquiries without contract conclusion | Article 6(1)(f) GDPR | Generally 3 years after the last contact |
| Contract and customer master data | Article 6(1)(b) GDPR; Article 6(1)(f) GDPR | Up to 30 years where required to defend or assert possible claims |
| Business and commercial correspondence | Article 6(1)(c) GDPR | 7 years |
| Tax and invoice-related documents | Article 6(1)(c) GDPR | 7 years |
| Technical web server and security logs | Article 6(1)(f) GDPR | Generally up to 6 months, unless longer storage is required to investigate security incidents |
| Personal AI quick analysis reports in Cloudflare KV | Article 6(1)(b) GDPR; Article 6(1)(f) GDPR | Generally 90 days |
The possible maximum period of 30 years follows civil limitation periods and serves the defence or assertion of long-running claims. Data that is no longer required for this is deleted or anonymised earlier.
If you withdraw consent or object to processing, we delete the relevant data unless mandatory statutory retention duties, evidence duties, or other legitimate reasons prevent deletion. The lawfulness of processing before withdrawal remains unaffected.
Cookies and consent logs
Specific cookie lifetimes are shown in the cookie settings on our website. There you can find information about name, provider, purpose, lifetime, and legal basis. You can delete cookies in your browser at any time or withdraw consent through the cookie settings.
Usercentrics Cookiebot records consent choices so that we can meet our accountability obligations. This may involve consent IDs, timestamps, consent status, shortened or hashed IP address, browser and device information, and technical configuration data. Consent log data is stored according to provider and product settings and then deleted or anonymised unless legal duties require longer storage.
Google Analytics 4 retention
For Google Analytics 4, retention periods depend on the property settings and the options provided by Google. Event data may be stored for a limited period and then deleted automatically. Aggregated reporting data may remain available longer where it no longer directly relates to an identifiable person.
6. Your rights
Subject to the GDPR, you have in particular the following rights:
- Access under Article 15 GDPR: you may ask whether and which data we process about you, for which purposes, from which categories, to which recipients, for how long, and with which safeguards for third-country transfers.
- Rectification under Article 16 GDPR: you may request correction of inaccurate or incomplete data.
- Erasure under Article 17 GDPR: you may request deletion where no legal or legitimate reason requires further storage.
- Restriction under Article 18 GDPR: you may request restricted processing under certain conditions.
- Data portability under Article 20 GDPR: you may request certain data in a common, machine-readable format.
- Objection under Article 21 GDPR: you may object to processing based on legitimate interests. You may object to direct marketing at any time.
- Withdrawal under Article 7(3) GDPR: you may withdraw consent at any time with future effect.
- Automated decisions under Article 22 GDPR: under certain conditions, you have the right not to be subject to a solely automated decision with legal or similarly significant effect.
To exercise your rights, contact us at office@thirdmind.ai.
7. Right to lodge a complaint
If you believe that the processing of your personal data violates data protection law, you may lodge a complaint with a supervisory authority. For Austria, this is:
Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/
8. Recipients, processors, and disclosures
We disclose personal data only where this is required for the described purposes, where a legal basis exists, or where we are legally obliged to do so. Recipients may include:
- employees and internal staff responsible for processing,
- IT, hosting, security, infrastructure, and maintenance providers,
- consent management, analytics, appointment booking, email, calendar, and office providers,
- AI, model, observability, and infrastructure providers,
- tax advisors, legal advisors, banks, insurers, and authorities,
- independent controllers with whom we work to provide our services.
Where service providers act as processors, we conclude agreements under Article 28 GDPR. Independent controllers provide their own privacy information. Data may also be disclosed to authorities, courts, or other bodies where required by law, to defend or assert claims, prevent abuse, or protect the rights and freedoms of others.
9. Third-country transfers
Some providers have their registered office or technical infrastructure outside the EU or EEA, in particular in the United States. Where personal data is transferred to third countries, we rely, where required, on adequacy decisions of the European Commission, the EU-U.S. Data Privacy Framework, Standard Contractual Clauses, or other appropriate safeguards. Residual risks in third-country transfers cannot be fully excluded.
10. Security of processing
We use technical and organisational measures to protect personal data. These include TLS encryption, access restrictions, role-based permissions, logging, pseudonymisation or shortening of data, abuse prevention, rate limits, and infrastructure-level security features. Article 25 GDPR describes this as data protection by design and by default.
Our website uses Cloudflare services for delivery, DDoS protection, web application firewall, rate limiting, and technical security measures. For AI functions, we aim to process only the content required for the respective purpose and to limit data flows to the providers described here.
11. Which data is collected?
Communication
If you contact us by email, phone, website function, social media, or online form, we process the data you provide and the data required for handling the request. This may include:
- name,
- address, where provided,
- company or organisation affiliation and role,
- email address,
- phone number,
- subject, content, and course of the message,
- technical communication metadata.
We process this data to handle your enquiry, prepare or carry out a collaboration, and document communication internally. Depending on the context, the legal bases are Article 6(1)(b), Article 6(1)(f), and, where statutory retention obligations apply, Article 6(1)(c) GDPR.
Phone
If you call us, call data may be processed on the respective device and by the telecommunications provider. Name, phone number, and call notes may also be stored internally to answer the enquiry. The data is deleted when the matter is closed and legal requirements allow deletion.
If you communicate with us by email, data is processed on the involved devices and email systems. We store email communication for as long as required for handling, documentation, defence or assertion of claims, or legal duties.
Online forms and website functions
If you communicate with us through a website function, request an analysis, or prepare an appointment, the entered data is processed server-side and may be forwarded via email, Google API, or internal workflow to the responsible people at thirdmind. The concrete processing depends on the respective function.
Website visit
When you access our website, technically necessary data is processed so that the page can be delivered, secured, and operated reliably. This may include:
- IP address and approximate IP location,
- date and time of access,
- requested URL and file,
- referrer URL,
- browser, browser version, language setting, and device type,
- operating system, screen resolution, and technical device information,
- amount of data transferred and HTTP status,
- security events, performance data, and log data.
The legal basis is our legitimate interest in secure, stable, and user-friendly website operation under Article 6(1)(f) GDPR. Technically necessary cookies or comparable technologies are also based on applicable telecommunications rules. Analytics and marketing technologies are used only after consent.
Social media
We may link to thirdmind social media profiles, in particular LinkedIn. If you visit our social media pages or interact with us there, your username, comments, reactions, shared content, direct messages, and possibly personal data of third parties may be processed. The platform processes data under its own rules; depending on the function, the platform and operator may be joint controllers.
No active social media feeds or like buttons are currently required as tracking plugins on our website. If we embed social media elements, this is done according to cookie and consent settings. LinkedIn information is available at https://www.linkedin.com/legal/privacy-policy.
12. Cookies and comparable technologies
We use cookies and comparable technologies to technically provide the website, store cookie choices, ensure security, and, after your consent, analyse website usage. Technically necessary cookies cannot be fully disabled where they are required for website operation. If you disable cookies in your browser, website functionality may be limited.
If you allow analytics or marketing technologies, the processed data may include page views, clicked buttons or links, time of page access, browser, device, operating system, approximate location, referrer, and other usage events.
What are cookies?
Cookies are small text files stored in the browser. They may contain information such as settings, session information, or consent choices. First-party cookies are set directly by our website; third-party cookies may come from embedded services.
Types of cookies
- Technically necessary cookies: required for core functions, security, delivery, or consent storage.
- Functional cookies: may store settings or entries where such functions are used.
- Analytics cookies and measurement signals: help us understand website usage after consent.
- Marketing or advertising cookies: may be used for campaign measurement or interest-based advertising where such services are active and permitted by you.
Cookie settings and objection
You can delete, block, or restrict cookies in your browser. You can also change your selection through the cookie settings on our website. Necessary cookies are processed on the basis of applicable telecommunications rules and Article 6(1)(f) or Article 6(1)(b) GDPR. Analytics and marketing technologies are used only on the basis of your consent under Article 6(1)(a) GDPR.
13. Third-party services used
We use third-party providers where required for website operation, security, analytics after consent, appointment booking, communication, AI functions, or internal processing. This currently includes in particular:
- Cloudflare for hosting, delivery, security, Workers, KV, WAF, rate limiting, and Turnstile,
- Usercentrics Cookiebot for consent management,
- Google Analytics 4 for web analytics after consent,
- OpenRouter and connected model providers for AI functions,
- LangSmith by LangChain for prompt management and technical observability where enabled,
- Calendly for appointment bookings,
- Google APIs for calendar, email, and Sheets in certain website functions.
Cloudflare hosting, CDN, WAF, Workers, KV, and Turnstile
Our website runs on Cloudflare Workers and uses Cloudflare services for hosting, delivery, load balancing, DDoS protection, web application firewall, rate limiting, technical security measures, and, in part, short-term or time-limited storage of technical data. The provider is Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA.
Cloudflare may process technical access data and security data, in particular IP addresses, request metadata, log data, security characteristics, performance data, and technical browser or challenge signals. Cloudflare processes data partly in the EU or EEA and partly in third countries, in particular the United States. According to Cloudflare, safeguards for third-country transfers may include the EU-U.S. Data Privacy Framework and Standard Contractual Clauses.
Cloudflare is part of the technical operation of this website, not an optional marketing service. The legal basis is Article 6(1)(f) GDPR. Our legitimate interest is a secure, fast, and resilient website infrastructure. Further information is available at https://www.cloudflare.com/privacypolicy/ and https://www.cloudflare.com/cloudflare-customer-dpa/.
Cloudflare Turnstile may be used on the AI quick analysis to detect automated submissions and abuse. Turnstile processes technical browser and challenge signals. Information is available at https://www.cloudflare.com/turnstile-privacy-policy/.
Usercentrics Cookiebot
We use Cookiebot by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany, to manage consent. Cookiebot stores your choices so that we can document consent and respect your decision on later visits. This may involve an abbreviated or hashed IP address, browser information, timestamp, consent status, consent ID, and device information.
The legal basis is Article 6(1)(f) GDPR in connection with our obligation to manage consent in a verifiable way. Where Cookiebot sets or reads technically necessary information, applicable telecommunications rules also apply. Usercentrics information is available at https://usercentrics.com/privacy-policy/.
Google Analytics 4
We use Google Analytics 4 to understand how the website is used and which content is relevant to visitors. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; depending on the processing, Google LLC in the United States may also be involved.
Google Analytics is integrated on this website with Google Consent Mode. When the page loads, analytics and advertising storage are set to “denied” by default. If consent is denied, analytics and advertising storage remain denied; Google Consent Mode then controls the behaviour of the Google tags. If you consent through Cookiebot, analytics cookies or comparable measurement signals may be used for Google Analytics. We also set ads_data_redaction and disable URL passthrough.
If you consent, the data processed may include page views, events such as CTA clicks, mailto clicks, Yuno start, Calendly display, AI quick analysis start and completed lead forms, technical device information, approximate location, referrer, and usage timestamps. Our own marketing events remove obvious personal parameters such as name, email, or phone number before passing them to Google Analytics.
Google processes the data and provides us with reports, for example about audiences, acquisition, behaviour, conversions, and real-time usage. These reports help us improve the website technically and editorially. We do not use Google Analytics to transmit obvious form content such as names, email addresses, or phone numbers to Google.
The legal basis is your consent under Article 6(1)(a) GDPR. You can withdraw consent at any time through the cookie settings. Google's information is available at https://policies.google.com/privacy, Consent Mode information at https://developers.google.com/tag-platform/security/guides/consent, and IP anonymisation information at https://support.google.com/analytics/answer/2763052?hl=en.
Yuno
Yuno is our website assistant for short qualification, orientation, and appointment preparation. When you use Yuno, we process your chat messages, the visible conversation history, language setting, technical metadata and, if you provide them, company name, company size, role, concrete request, name, business email address, and appointment preferences.
Yuno runs server-side on our Cloudflare Workers infrastructure. For response generation, we use OpenRouter as an interface to AI models. The messages and context information required for the response are transmitted to OpenRouter. Depending on the selected model, further model providers may be involved. We configure AI usage so that entered content should not be used to train third-party models. Because provider terms can change, we review these settings and provider information regularly.
LangSmith by LangChain may be used for prompt management and technical observability. If raw tracing is enabled, Yuno inputs, outputs, and technical runtime data may be processed as traces in LangSmith. thirdmind uses the documented EU endpoint or EU workspace setup where configured for the relevant environment. Raw tracing should only be active after reviewed approval because conversation content may contain sensitive business information.
If Yuno offers an appointment, an embedded Calendly widget is normally shown. Name and email address may be used for pre-filling if they are already present in the conversation. The booking itself is handled by Calendly. If Calendly does not work and you say so in the chat, Yuno may use Google Calendar server-side as a fallback to check availability and book a single appointment. In that case, name, business email address, company, request, and appointment time may be processed and an invitation may be sent. In addition, internal notifications to thirdmind may be sent via the Gmail API.
The legal bases are Article 6(1)(b) GDPR for pre-contractual communication and appointment preparation and Article 6(1)(f) GDPR for abuse prevention, technical security, internal handoff, and quality control. Provider information: OpenRouter https://openrouter.ai/privacy, OpenRouter Provider Logging https://openrouter.ai/docs/guides/privacy/provider-logging, LangSmith https://docs.langchain.com/langsmith/regions-faq, Calendly https://calendly.com/legal/privacy-notice, Google https://policies.google.com/privacy.
AI quick analysis
For the AI quick analysis, you enter a website URL. We access that publicly available website, read limited public content, apply technical safeguards against abusive target addresses, and create an initial assessment of possible AI processes. The processed data may include the URL, publicly visible website content, analysis results, answers in the analysis flow, technical metadata, and generated evaluation texts.
For analysis, free-text interpretation, concept generation, and dossier generation, we use OpenRouter and AI models. The required website excerpts, answers, and analysis contexts may be transmitted to OpenRouter and, depending on the model, to further model providers. We configure usage so that this content should not be used to train third-party models.
If you request your evaluation or ask to be contacted, we additionally process name, company, business email address, phone number, role, answers, analysis result, contact consent, and timestamp. This data may be stored in a Google Sheet for internal processing and sent through the Gmail API as an internal notification and as an evaluation email to you.
Personal evaluation pages are stored in Cloudflare KV and protected by an access code. Access generally remains active for 90 days; after that, the report and URL lookup are deleted automatically unless legal or legitimate reasons require longer storage.
The legal bases are Article 6(1)(b) GDPR for the requested evaluation and contact initiation and Article 6(1)(f) GDPR for abuse prevention, system security, recognition of active evaluations, and internal lead handling.
Calendly
If you book an appointment via Calendly, Calendly processes the booking data you enter, in particular name, email address, appointment time, answers in the booking form, technical data, and possibly calendar information. The provider is Calendly LLC. Data may be transferred to the United States. Calendly refers to a Data Processing Addendum, the EU-U.S. Data Privacy Framework, and other safeguards.
The legal basis for appointment booking is Article 6(1)(b) GDPR. Further information is available at https://calendly.com/legal/privacy-notice and https://calendly.com/legal/data-processing-addendum.
Google APIs for calendar, email, and Sheets
We use Google APIs for certain website functions. These include Google Calendar for Yuno's fallback appointment booking, Gmail API for internal notifications and evaluation emails, and Google Sheets for structured storage of AI quick analysis leads. The provider is Google Ireland Limited; depending on the processing, Google LLC in the United States may also be involved.
We use this access only for the specific function concerned. The legal bases are Article 6(1)(b) GDPR and Article 6(1)(f) GDPR. Information about Google Workspace API User Data is available at https://developers.google.com/workspace/workspace-api-user-data-developer-policy.
14. Changes
We update this privacy policy when website functions, providers, data flows, or legal requirements change. The current version is available on this page.