Skimmr privacy policy

  1. Who is responsible for processing your data?


The controller within the meaning of the General Data Protection Regulation (GDPR) for the Skimmr service (skimmr.app and related services, the "Service") is:

Kordiam AI Systems GmbH
Falkenried 74a
20251 Hamburg
Germany
Phone: +49 40 88 14170-0
Email: info@skimmr.ai


  1. Data Protection Officer


We have appointed an external Data Protection Officer. You can reach them at:

Email: dpo@kordiam.io

  1. Who this policy applies to


This Privacy Policy applies to the Skimmr application and related services. Skimmr processes personal data relating to two distinct groups of people, and the basis on which we process it differs between them:

  • Account holders and customers — the people who register for and use Skimmr (Section 4).

  • Individuals named in monitored content — people whose personal data appears in the published material that Skimmr collects and analyses, even though they are not Skimmr users (Section 5).


Where relevant, each section below explains what data we process, why, and on what legal basis.

  1. Account and customer data


What we process


When you register at skimmr.app/signup and use the Service, we process:


  • Account data: your first and last name, your email address, and a password that you choose. Passwords are stored only in salted, hashed form — we never store or have access to your password in plain text.

  • Company data: your company name, address, and company email address.

  • Billing data: the information required to process payments (handled through our payment provider Stripe — see Section 8). We do not store full card details on our own systems.

  • Usage data: data generated through your use of the Service that is necessary to operate it (for example, the feeds you configure and your interface preferences).


Why we process it and on what basis

  • To create and administer your account and to provide the Service to you: performance of a contract (Art. 6(1)(b) GDPR).

  • To process payments and meet statutory accounting and tax obligations: legal obligation (Art. 6(1)(c) GDPR).

  • To communicate with you about the Service, and where applicable to protect against misuse and ensure security: our legitimate interests (Art. 6(1)(f) GDPR).

  1. Personal data contained in monitored content


Skimmr is a content-monitoring service. To provide it, we collect and analyse content from publicly accessible published sources — for example news outlets, websites, and official public registers such as insolvency announcements.


What this can include

This published content may contain personal data relating to individuals who are not Skimmr users — for example first and last names, email addresses (such as those of press or PR contacts), dates of birth where these have been publicly announced, and any other personal data that appears in the published material.


Our role and legal basis

We determine which public sources are monitored. For this collection we therefore act as the controller, and we rely on our legitimate interests and those of our customers in operating a content-monitoring service (Art. 6(1)(f) GDPR) — namely the structured monitoring, retrieval, and analysis of published information. We process only personal data that is already contained in published or publicly accessible content.


Notification

Because this data is obtained from sources other than the individuals themselves, and given the volume of content processed and the fact that it originates from already-published sources, providing individual notice to each affected person would involve disproportionate effort within the meaning of Art. 14(5)(b) GDPR. This policy serves as the general information about that processing.


Your rights

If your personal data appears in content we collect through Skimmr, you have the rights set out in Section 11, including the right to object to the processing under Art. 21 GDPR. Please contact our Data Protection Officer (Section 2).


Email Ingestion (optional feature)

Email Ingestion is an optional feature that a customer chooses to activate. Where it is enabled, the customer forwards or sends email content to Skimmr — primarily publicly available material such as company PR newsletters — and we process only the data that the customer transmits to us, on the customer's instructions and for the purpose of providing the Service.

For this processing the customer is the controller and we act as a processor on the customer's behalf. It is governed by the data processing agreement (Art. 28 GDPR) concluded with the customer. If you have questions about email content processed in this way, the customer who activated the feature is your point of contact as the controller.

  1. Automated analysis and use of AI services


To deliver the Service, the content we collect and monitor (described in Section 5), together with the filter prompts and scoring criteria that account holders configure, is transmitted to and processed by large language model (LLM) services in order to score, classify, extract, and summarise it. The AI providers we use for this are listed in Section 8 and act as our processors under data processing agreements.


We use these providers under enterprise API terms that contractually prohibit them from using the transmitted data to train or improve their models and from retaining it for their own purposes. The data is processed only to return a result to the Service.


This automated analysis supports the monitoring function of the Service. It does not produce decisions that have legal effects concerning you or that similarly significantly affect you within the meaning of Art. 22 GDPR.

  1. App Cookies


Within the Service we use cookies only where they are technically necessary to provide functions you have requested. Specifically, we use cookies to store your interface preferences — primarily the order of feeds on the Feeds page.


We do not use analytics, tracking, advertising, or profiling cookies. Because the cookies we set are strictly necessary to provide functionality you have actively requested, no consent banner is required for them.

  1. Recipients and sub-processors


We pass personal data to third parties only where this is necessary to provide the Service, where we are legally obliged to do so, where it is permissible on the basis of a balancing of interests under Art. 6(1)(f) GDPR, or where you have consented.


We engage the following service providers as processors. Where a processor is involved, we have concluded a data processing agreement under Art. 28 GDPR:


  • Amazon Web Services (AWS) — hosting and infrastructure. Processing location: EU (Region eu-west-1, Ireland).

  • OpenAI — AI/LLM analysis of content. Processing location: United States.

  • Google (Gemini) — AI/LLM analysis of content. Processing location: United States.

  • Anthropic — AI/LLM analysis of content. Processing location: United States.

  • Stripe — payment processing. Processing location: EU / United States.


In addition, we may use service providers for ancillary, supporting activities (such as IT maintenance and customer support). These providers act on our instructions as processors under data processing agreements and only to the extent necessary for the relevant supporting activity.


Within the framework of tax and commercial-law requirements, data may also be passed to tax advisors, financial institutions, and tax authorities.

  1. International data transfers


Some of the providers listed in Section 8 (in particular OpenAI, Google, and Anthropic, and depending on the processing, Stripe) process personal data in the United States. This includes personal data contained in the content we collect and analyse.


Where personal data is transferred to a country outside the EU/EEA, we ensure an appropriate level of protection in accordance with Chapter V GDPR. This is achieved through the European Commission's standard contractual clauses and/or, where the recipient is certified, on the basis of the European Commission's adequacy decision for the EU–U.S. Data Protection Framework, together with supplementary measures where appropriate. You can request further information on the safeguards in place from our Data Protection Officer (Section 2).

  1. How long we store data


We process personal data only for as long as necessary for the respective purpose.


  • Account and company data is stored for the duration of your contractual relationship with us and deleted thereafter, unless statutory retention obligations apply.

  • Billing and accounting data is retained for the statutory retention periods under German commercial and tax law (generally up to 10 years).

  • Monitored content is retained for as long as necessary to provide the monitoring service.

Where statutory retention obligations exist, the relevant data is stored for the duration of that obligation and deleted once it expires and no further need for processing remains.

  1. Your rights as a data subject


Under the GDPR you have the right to:


  • access the personal data we hold about you (Art. 15);

  • rectification of inaccurate data (Art. 16);

  • erasure (Art. 17);

  • restriction of processing (Art. 18);

  • data portability (Art. 20);

  • object to processing based on our legitimate interests, including processing of your data that appears in monitored content (Art. 21).


Where we process data on the basis of your consent, you may withdraw that consent at any time with effect for the future.


To exercise these rights, please contact our Data Protection Officer (Section 2). For requests not made in writing, we may ask you for proof of identity to confirm that you are the person you claim to be.

  1. Right to lodge a complaint


You have the right to lodge a complaint with a data protection supervisory authority. The authority competent for us is:


Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI)
Ludwig-Erhard-Str. 22, 20459 Hamburg, Germany


You may also lodge a complaint with the supervisory authority in your country of residence or place of work.

  1. Changes to this policy


We may update this Privacy Policy to reflect changes to the Service or to legal requirements. The current version is always available at this URL.

Version / effective date: 1 July, 2026

  1. Website visitor data


When you visit our website (skimmr.ai), your browser automatically transmits certain technical information to our server. This data is necessary to display the website and ensure its stability and security. It may include:


  • The IP address of the requesting device

  • Date and time of access

  • Browser type and version

  • Operating system used

  • Referrer URL (the previously visited page)

  • Hostname of the accessing computer


This data is stored in server log files and automatically deleted after 7 days. It is not combined with other data or used to identify individuals.


Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in the secure and efficient operation of the website.


We do not use analytics, tracking tools, social media plugins, or any third-party integrations on this website. Website visitor data is not disclosed to third parties or transferred outside the EU.

15. Cookies

When you visit our website, cookies and similar technologies may be stored on or read from your device. Cookies are small text files that your browser stores. We distinguish between technically necessary cookies and cookies or comparable technologies that are only used with your consent.

Technically necessary cookies are used to ensure the proper functioning of the website (for example, for display and security purposes via Framer, as well as to store your consent status). These cookies do not require consent.

Legal basis: Art. 6(1)(f) GDPR in conjunction with § 25(2) No. 2 TDDDG

Technologies requiring consent — including analytics tools, external fonts, and embedded services — are only loaded after your active consent via our consent banner. On skimmr.ai, this includes in particular: Google Fonts, Matomo Analytics, Calendly, and Brevo. Details on the services used, the data processed, and the respective legal bases can be found in the following sections of this Privacy Policy.

Legal basis: Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG

You can withdraw your consent at any time with effect for the future by adjusting the settings in our consent banner. You can also view and delete any cookies already stored via your browser at any time.

16. Consent Banner – Cookiebot

On skimmr.ai, we use a consent banner to obtain your consent for the storage of certain cookies on your device or the use of certain technologies, and to document this in compliance with data protection law.

Provider: Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany

When you visit our website, the following personal data is transmitted to the provider:

  • Opt-in and opt-out data (your consent(s) or withdrawal thereof)

  • IP address (anonymized)

  • Referrer URL

  • User agent

  • User settings

  • Consent ID

  • Time of consent

  • Consent type

  • Template version

  • Banner language

  • Geographic location

Processing takes place within the European Union. Consent data is stored for one year and then deleted without delay. A data processing agreement (DPA) under Art. 28 GDPR is in place with Usercentrics GmbH.

Cookiebot is used to obtain the legally required consents for the use of cookies and to document this in compliance with data protection law.

Legal basis: Art. 6(1)(c) GDPR in conjunction with § 25(2) No. 2 TDDDG

Further information: https://www.cookiebot.com/de/privacy-policy/

17. Hosting of skimmr.ai – Framer

The websites skimmr.ai are hosted and provided via the Framer service.

Provider: Framer B.V., Rozengracht 207B, 1016 LZ Amsterdam, Netherlands

When you visit our websites, Framer collects various log files, including your IP address. Framer is a tool for creating and hosting websites. Framer stores cookies or other recognition technologies that are necessary for displaying the page, providing certain website functions, and ensuring security (necessary cookies).

Framer processes data on servers in the Netherlands (EU). The transfer of data to the Netherlands is based on the European Commission's standard contractual clauses (Art. 46(2)(c) GDPR), insofar as Framer uses sub-processors outside the EU. A data processing agreement (DPA) under Art. 28 GDPR is in place with Framer.

The use of Framer is based on Art. 6(1)(f) GDPR. We have a legitimate interest in the most reliable possible display of our website. Where consent has been requested, processing takes place exclusively on the basis of Art. 6(1)(a) GDPR and § 25(1) TDDDG, insofar as the consent covers the storage of cookies or access to information on the user's device (e.g. via device fingerprinting) within the meaning of the TDDDG. Consent can be withdrawn at any time.

Further information: https://www.framer.com/legal/privacy-statement/
Standard Contractual Clauses (DPA): https://www.framer.com/legal/data-processing-addendum/

18. Google Fonts

Our websites embed fonts from the Google Fonts service.

Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
EU representative: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

When these fonts are loaded, your IP address is transmitted to Google servers, which may be located in the United States. Even though Google Fonts itself does not set cookies, the transmission of the IP address constitutes processing of personal data.

Google LLC is certified under the EU-U.S. Data Privacy Framework (DPF), which, based on an adequacy decision of the European Commission (Art. 45 GDPR), ensures compliance with European data protection standards for data processing in the USA. Further information on Google's DPF certification can be found at: https://www.dataprivacyframework.gov

The integration of Google Fonts is based on your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TDDDG. Google Fonts are only loaded after your active consent via our cookie banner. You can withdraw your consent at any time with effect for the future by adjusting the settings in our cookie banner. If your browser does not support Google Fonts or consent has not been given, a default font from your computer will be used.

Further information: https://developers.google.com/fonts/faq and https://policies.google.com/privacy

19. Web Analytics – Matomo (Cookie-Free)

We use Matomo Analytics in cookie-free mode to analyze website usage.

Provider: InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand (Matomo Cloud)
Processing location: servers in the EU (France)

We use Matomo without the use of cookies. No information is stored on your device. However, the embedded JavaScript tracking does access information on your device in order to collect and process the following data in anonymized form:

  • Shortened IP address (the last octet is removed before storage)

  • Pages visited and time spent

  • Referrer URL

  • Browser type, operating system, screen resolution

  • Time of access

Matomo is only loaded after your active consent via our consent banner. Without your consent, no data collection by Matomo takes place.

Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with § 25(1) TDDDG, since the JavaScript tracking accesses information on your device.

You can withdraw your consent at any time with effect for the future by adjusting the settings in our consent banner. The lawfulness of processing carried out prior to withdrawal remains unaffected.

Data transfer: Analytics data is transmitted to InnoCraft Ltd., based in New Zealand. The transfer is based on the European Commission's adequacy decision under Art. 45 GDPR. Data is stored on Matomo servers in Europe.

Data processing agreement: A data processing agreement (DPA) under Art. 28 GDPR is in place with InnoCraft Ltd.

Purpose of processing: analysis of usage behavior to optimize our website.

Further information: https://matomo.org/privacy-policy/

20. Newsletter Signup – Brevo (Sendinblue)

On skimmr.ai, we offer the option to sign up for our newsletter. Processing is carried out via Brevo (formerly Sendinblue).

Provider: Brevo SAS, 7 rue de Madrid, 75008 Paris, France

As part of the newsletter signup, the following data is transmitted to Brevo:

  • Email address

  • Time of registration

  • IP address at the time of registration

The data you provide for the purpose of receiving the newsletter is stored on Brevo's servers within the EU. We use the double opt-in procedure: after signing up, you will receive a confirmation email in which you must confirm your registration by clicking a link. Only then will you be added to our mailing list.

With the help of Brevo, we are able to analyze our newsletter campaigns. For example, we can see whether a newsletter message was opened and which links were clicked, as well as whether certain predefined actions were carried out (conversion rate). If you do not want to be analyzed by Brevo, you must unsubscribe from the newsletter. We provide a corresponding unsubscribe link in every newsletter message.

A data processing agreement (DPA) under Art. 28 GDPR is in place with Brevo.

Legal basis: Art. 6(1)(a) GDPR (consent).

The data you provide for the purpose of receiving the newsletter is stored until you unsubscribe from the newsletter and is deleted from the newsletter distribution list after unsubscribing. You can unsubscribe from the newsletter at any time by clicking the unsubscribe link in any newsletter email or by sending us a message at dpo@kordiam.io.

Further information: https://www.brevo.com/de/newsletter-software/ and https://www.brevo.com/en/legal/privacypolicy/

21. Calendly

Our website allows you to schedule appointments with us. We use the tool "Calendly" for appointment booking.

The provider is Calendly LLC, 271 17th St NW, 10th Floor, Atlanta, Georgia 30363, USA (hereinafter "Calendly").

For the purpose of scheduling an appointment, you enter the requested data and your desired appointment time into the provided form. The data entered is used for planning, conducting, and, where applicable, following up on the appointment. The appointment data is stored for us on Calendly's servers; you can view Calendly's privacy policy here: https://calendly.com/privacy.

The data you enter remains with us until you request its deletion, withdraw your consent to storage, or the purpose for storing the data no longer applies. Mandatory statutory provisions — in particular retention periods — remain unaffected.

The transfer of data to the USA is based on the European Commission's standard contractual clauses. Details can be found here: https://calendly.com/pages/dpa.

As the website operator, we have a legitimate interest in enabling straightforward appointment scheduling with prospects and customers.

Purpose of processing: straightforward appointment scheduling with prospects and customers.

Legal basis: Art. 6(1)(f) GDPR

22. Pipedrive

We use the CRM system "Pipedrive" (Pipedrive OÜ, Mustamäe tee 3a, 10615 Tallinn, Estonia) on our website. When contacting us (via the contact form), the user data is recorded and processed in Pipedrive. Pipedrive allows us to process and respond to requests and messages more quickly. For this purpose, data is transferred to Pipedrive and stored on Pipedrive servers. We use the Pipedrive CRM system from the provider Pipedrive OÜ on the basis of our legitimate interests (efficient and fast processing of user inquiries, existing customer management, new customer business).

You can access Pipedrive's privacy policy here: https://www.pipedrive.com/en/privacy. Further information on data protection at Pipedrive can also be found at https://support.pipedrive.com/de/article/pipedrive-and-gdpr.

Purpose of processing: fast and effective processing of contact inquiries

Legal basis: Art. 6(1)(f) GDPR

23. Social Media – LinkedIn

We operate company profiles on LinkedIn:

Skimmr: https://www.linkedin.com/company/skimmr

Data may be processed outside the European Union in this context.

Data processing by us

All data you enter on our LinkedIn profiles (e.g. comments, messages) is published by the platform operator and used by us exclusively for public relations purposes and for up-to-date information and interaction with our visitors.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in public relations and communication)

Data processing by LinkedIn

When our profiles are accessed, LinkedIn, as the platform operator, processes data. We have neither control over nor full insight into the form this processing takes. The extent of processing depends, among other things, on whether you are yourself logged into LinkedIn. LinkedIn may also process data outside the EU; we cannot fully guarantee GDPR-compliant processing in this regard.

We operate our LinkedIn pages jointly with LinkedIn within the meaning of Art. 26 GDPR (joint controllership). This is based on LinkedIn's Joint Controller Addendum.

Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

Privacy Policy: https://www.linkedin.com/legal/privacy-policy
Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

Purpose of processing: fast and effective processing of contact inquiries as well as public relations

Legal basis: Art. 6(1)(f) GDPR

Kordiam AI Systems GmbH, Falkenried 74a, 20251 Hamburg, Germany

German Impressum:

Geschäftsführer: Matthias Kretschmer

Phone: +49 40 88 14 170 - 0

Email: info@kordiam.io

AG Hamburg - HRB 121060

UStID: DE280338545

Inhaltlich Verantwortlicher: Matthias Kretschmer

Datenschutzbeauftragter: dpo@kordiam.io