Scope
This overview describes all external service providers used in connection with our website michmatz.me and our product MichMatz ReadMe. It supplements our Privacy Policy with detailed information on data processing activities, data processors, and the handling of AI services.
Controller
MichMatz GmbH, Nikolausplatz 3, 50937 Cologne, Germany. Represented by Michael Schulz and Mathias Würthle. Email: hello@michmatz.me
Website (michmatz.me)
For the website michmatz.me, we use the following external services. Detailed information can be found in our Privacy Policy.
Product (MichMatz ReadMe)
Core Data Architecture Principle
Personal data (name, email, billing address, school affiliation, student profiles, learning progress) is stored exclusively at Hetzner in Germany.
AI providers receive only anonymous creative instructions (theme, genre, age group, language, CEFR level), never personal data.
Data Processors (Personal Data)
The following service providers process personal data on our behalf. Data Processing Agreements (DPAs) pursuant to Art. 28 GDPR have been concluded with all of them.
| Provider | Purpose | Data Processed | Legal Basis | DPA | Location |
|---|---|---|---|---|---|
| Hetzner | Database hosting, servers, backups | All user data (email, name, credentials, profiles, learning progress) | Art. 6(1)(b) GDPR | Yes (DPA via Hetzner portal) | Germany (EU) |
| Stripe | Payment processing, subscriptions | Email, billing address, payment method, subscription | Art. 6(1)(b) GDPR | Yes (automatic via SSA + DTA for SCCs) | USA (EU data residency available) |
| Brevo | Transactional emails (auth links) | Email addresses, email content | Art. 6(1)(b) GDPR | Yes (via Brevo dashboard) | France (EU) |
AI Providers: No Personal Data
These providers generate fictional content (stories, images, audio). They receive only anonymous creative instructions, no personal data. No user can be identified from the data these providers receive.
Example: What AI providers receive
- LLM prompt: "Write an interactive adventure story for age group 9–11 in German (CEFR level B1). Theme: An adventure in New Zealand in a distant future. Genre: adventure."
- Image prompt: "A futuristic landscape with hovering vehicles above lush New Zealand mountains"
- TTS text: "Lena stood at the edge of the hovering platform and looked down at the glowing forests of New Zealand…"
None of these examples contain personal data. The story is AI-generated fiction.
| Provider | Type | Data Received | Personal Data? |
|---|---|---|---|
| Anthropic (Claude) | Text (LLM) | Anonymous creative instructions | No |
| OpenAI | Text (LLM) | Anonymous creative instructions | No |
| Google Gemini | Text (LLM) | Anonymous creative instructions | No |
| Mistral | Text (LLM) | Anonymous creative instructions | No |
| BFL / Black Forest Labs (FLUX) | Image | AI-generated image prompts | No |
| OpenAI (DALL-E) | Image | AI-generated image prompts | No |
| Google Imagen | Image | AI-generated image prompts | No |
| Hyperbolic (SDXL) | Image | AI-generated image prompts | No |
| ElevenLabs | Audio (TTS) | AI-generated fiction text | No |
| OpenAI TTS | Audio (TTS) | AI-generated fiction text | No |
| Google Cloud TTS | Audio (TTS) | AI-generated fiction text | No |
| Gemini TTS | Audio (TTS) | AI-generated fiction text | No |
| Inworld AI | Audio (TTS) | AI-generated fiction text | No |
| Fish Audio | Audio (TTS) | AI-generated fiction text | No |
Self-Hosted Services
The following services run entirely on our own Hetzner infrastructure in Germany. No external data transfer takes place.
Supabase (Postgres, Auth, Storage), NATS (message broker), Infisical (secrets management), Traefik (reverse proxy), Uptime Kuma (monitoring), Dozzle (log aggregation), CrowdSec (intrusion detection), Fail2ban (brute-force protection), Internal CA (mTLS certificates)
Data Processing Agreements (DPAs)
We have concluded Data Processing Agreements pursuant to Art. 28 GDPR with all providers that process personal data.
| Provider | DPA Status | SCCs (Art. 46) |
|---|---|---|
| Hetzner | DPA via Hetzner account portal | Not required (EU) |
| Stripe | Automatic via Services Agreement | Yes, via Data Transfers Addendum |
| Brevo | Accepted via Brevo dashboard | Not required (EU), DPF certified |
Data Transfers to Third Countries
Some service providers are based in the USA. Data transfers are carried out on the basis of Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR or an adequacy decision (EU-U.S. Data Privacy Framework). AI providers in the USA receive no personal data, no third-country transfer of personal data to these providers takes place.
Further Information
The full privacy policy with information on your rights as a data subject can be found in our Privacy Policy.