Privacy Policy for Newzy
Effective as of: May 18, 2026
Controller responsible for data processing:
Christoph Mandl
Vally-Weigl-Gasse 5/4/451, 1100 Vienna, Austria
Email: hello@newzy.eu
1. General Information on Data Processing
The use of our software "Newzy" (app.newzy.eu) and our landing page (www.newzy.eu) is only possible after registration and login. We process personal data exclusively in accordance with the provisions of the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the Austrian Data Protection Act (DSG 2018), as well as the current adjustments made by the Digital Omnibus (2026).
2. Categories of Personal Data Processed
We process the following categories of personal data:
2.1 Registration and User Data
The provision of your registration data (email address) is required for the conclusion of the user agreement. Without this data, we cannot provide you with the service.
2.2 Technical Data
When accessing our services, the following data is automatically processed to the extent necessary for the provision and security of the services:
2.3 Chat and User Content
Important:
3. Automated Decision-Making and Profiling
No automated decision-making or profiling in accordance with Art. 22 GDPR takes place.
5. Use of AI Chatbots and Large Language Models (LLMs)
We integrate AI chatbots based on Large Language Models (LLMs) to enhance our services. You can select the appropriate model for each message or task or bring your own AI model.
5.1 Data Processed
When interacting with our AI standard models, the following data may be processed:
5.2 Important Notes on Data Processing by AI Providers
5.3 Provider-Specific Information
We use the following AI models. Your data is not used by any of the providers for training or improving their models.
6. Use of Cookies
On app.newzy.eu, we use only technically necessary session cookies to ensure authentication during your session.
7. Recipients and Processors
We work with the following processors who process data exclusively on our behalf and in accordance with data processing agreements (DPAs) under Art. 28 GDPR:
8. Data Transfer to Third Countries
In principle, your data is stored and processed exclusively on servers in the EU (Frankfurt, AWS).
Exceptions:
Use of OpenAI (ChatGPT), Anthropic or Perplexity:
If you select these models, data may be transferred to the USA.
Legal Basis:
Primary: EU-US Data Privacy Framework (DPF) – The USA is considered a safe third country for certified companies (such as OpenAI, Anthropic and Perplexity) under Art. 45 GDPR.
Additional Safeguard: Standard Contractual Clauses (SCCs) pursuant to Implementing Decision (EU) 2021/914 as supplementary protection.
Note:
Despite the DPF, US authorities (e.g., under FISA 702) may access data under certain circumstances. We point out that there is a residual risk when using these models.
You can refuse to use these models at any time and instead choose EU-based models (e.g., Mistral AI) or add your own model to the web app.
Standard Contractual Clauses (SCCs) as Additional Safeguards:
In addition to the EU-US Data Privacy Framework (DPF), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision (EU) 2021/914) as an additional legal safeguard for data transfers to third countries. These SCCs impose binding obligations on our AI providers (e.g., OpenAI, Anthropic), including:
AWS (Amazon Web Services):
In exceptional cases (e.g., maintenance work), access from third countries (e.g., USA) cannot be completely ruled out. Here, too, Standard Contractual Clauses (SCCs) apply as a safeguard.
10. Rights of Data Subjects
You have the following rights under the GDPR and the Austrian Data Protection Act (DSG 2018):
11. Data Protection Impact Assessment (DPIA)
For the processing of data through AI chatbots (particularly in the case of possible transfers to third countries), we have conducted a Data Protection Impact Assessment (DPIA) in accordance with Art. 35 GDPR.
Risk Assessment: High (due to possible third-country transfers and processing of special categories of data by users).
Risk Mitigation Measures:
12. Contact for Data Protection Inquiries
For questions regarding data protection or to exercise your rights, please contact us at: hello@newzy.eu
Christoph Mandl, Vally-Weigl-Gasse 5/4/451, 1100 Vienna, Austria
13. Changes to This Privacy Policy
We reserve the right to amend this Privacy Policy in the event of changes to the legal framework or our services.
Controller responsible for data processing:
Christoph Mandl
Vally-Weigl-Gasse 5/4/451, 1100 Vienna, Austria
Email: hello@newzy.eu
1. General Information on Data Processing
The use of our software "Newzy" (app.newzy.eu) and our landing page (www.newzy.eu) is only possible after registration and login. We process personal data exclusively in accordance with the provisions of the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the Austrian Data Protection Act (DSG 2018), as well as the current adjustments made by the Digital Omnibus (2026).
2. Categories of Personal Data Processed
We process the following categories of personal data:
2.1 Registration and User Data
- Verified email address
- Username
- Membership in editorial teams (if applicable)
- Timestamp of registration and last activity
The provision of your registration data (email address) is required for the conclusion of the user agreement. Without this data, we cannot provide you with the service.
2.2 Technical Data
When accessing our services, the following data is automatically processed to the extent necessary for the provision and security of the services:
- IP address (anonymized for the duration of the session)
- Browser information (type, version, language settings)
- Device information (operating system, screen resolution)
- Connection data (date, time, pages accessed)
2.3 Chat and User Content
- Content of your chats or queries (including any personal data you provide, e.g., text, images, metadata).
- Storage Period: Your chat history is stored until you manually delete it to provide you with a seamless user experience (e.g., restoring conversations, personalized suggestions).
- Legal Basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in improving user experience).
Important:
- Avoid entering sensitive data (e.g., health data, ethnic origin, religious beliefs, biometric data, or data related to sexual orientation) into the chat unless you added your own ai endpoint that allows processing of sensitive data.
- If you nevertheless enter such data, processing will only take place on the basis of your explicit consent (Art. 9(2)(a) GDPR). You can revoke this consent at any time.
3. Automated Decision-Making and Profiling
No automated decision-making or profiling in accordance with Art. 22 GDPR takes place.
Purpose | Legal Basis | Data Categories |
Provision and operation of the software | Art. 6(1)(b) GDPR | Registration data, technical data |
Management of user accounts and editorial teams | Art. 6(1)(b) GDPR | Username, team membership |
Ensuring IT security and functionality | Art. 6(1)(f) GDPR | IP address, connection data |
Storage of chat history for user experience | Art. 6(1)(b) and (f) GDPR | Chat content, metadata |
Improvement of services (e.g., troubleshooting) | Art. 6(1)(f) GDPR | Anonymized usage data |
5. Use of AI Chatbots and Large Language Models (LLMs)
We integrate AI chatbots based on Large Language Models (LLMs) to enhance our services. You can select the appropriate model for each message or task or bring your own AI model.
5.1 Data Processed
When interacting with our AI standard models, the following data may be processed:
- Content of your chats or queries (including any personal data you provide).
- Technical data (IP address, browser information, timestamps).
5.2 Important Notes on Data Processing by AI Providers
- The API usage of AI models does not involve training. Your prompts and the generated responses are not used by the AI providers offered out-of-the-box in Newzy to train their models.
- The transfer of your data to AI model providers cannot be excluded, as it is necessary for the provision of chatbot functionality, unless you add your own AI model to the web app.
5.3 Provider-Specific Information
We use the following AI models. Your data is not used by any of the providers for training or improving their models.
Provider | Model | Data Processing | Privacy Policy | Certification |
Mistral AI | Mistral 3 | Data is not used for model training. Processing takes place exclusively in the EU. | – | |
OpenAI | ChatGPT (gpt-5.4) | Data is not used for model training. Data transfer to the USA is possible (see Section 7). | EU-US Data Privacy Framework (DPF) | |
Anthropic | Claude-Opus-4.7 | Data is not used for model training. Data transfer to the USA is possible (see Section 7). | EU-US Data Privacy Framework (DPF) | |
Perplexity AI | sonar-pro-search, sonar-reasoning-pro | Data is not used for model training. Processing takes place primarily in the EU/USA. | EU-US Data Privacy Framework (DPF) |
6. Use of Cookies
On app.newzy.eu, we use only technically necessary session cookies to ensure authentication during your session.
- Purpose: Enables login and use of the software.
- Storage Period: Cookies are automatically deleted at the end of your session.
- Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in the functionality of the services).
7. Recipients and Processors
We work with the following processors who process data exclusively on our behalf and in accordance with data processing agreements (DPAs) under Art. 28 GDPR:
Service Provider | Purpose | Location | Data Protection Measures |
Amazon Web Services (AWS) | Hosting of the application and database (Supabase), email dispatch (Amazon SES) | Frankfurt, EU | GDPR-compliant contracts, Standard Contractual Clauses (SCCs) for possible third-country access |
Supabase | Database hosting | EU (AWS Frankfurt) | GDPR-compliant, data remains in the EU |
8. Data Transfer to Third Countries
In principle, your data is stored and processed exclusively on servers in the EU (Frankfurt, AWS).
Exceptions:
Use of OpenAI (ChatGPT), Anthropic or Perplexity:
If you select these models, data may be transferred to the USA.
Legal Basis:
Primary: EU-US Data Privacy Framework (DPF) – The USA is considered a safe third country for certified companies (such as OpenAI, Anthropic and Perplexity) under Art. 45 GDPR.
Additional Safeguard: Standard Contractual Clauses (SCCs) pursuant to Implementing Decision (EU) 2021/914 as supplementary protection.
Note:
Despite the DPF, US authorities (e.g., under FISA 702) may access data under certain circumstances. We point out that there is a residual risk when using these models.
You can refuse to use these models at any time and instead choose EU-based models (e.g., Mistral AI) or add your own model to the web app.
Standard Contractual Clauses (SCCs) as Additional Safeguards:
In addition to the EU-US Data Privacy Framework (DPF), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision (EU) 2021/914) as an additional legal safeguard for data transfers to third countries. These SCCs impose binding obligations on our AI providers (e.g., OpenAI, Anthropic), including:
- Purpose limitation: Data may only be processed for the agreed purpose (e.g., generating AI responses).
- Technical safeguards: Data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- Access controls: Only authorized personnel can access the data.
- Deletion obligations: Data must be deleted or returned upon contract termination.
- Transparency: Providers must notify us immediately if government authorities request access to data.
AWS (Amazon Web Services):
In exceptional cases (e.g., maintenance work), access from third countries (e.g., USA) cannot be completely ruled out. Here, too, Standard Contractual Clauses (SCCs) apply as a safeguard.
Data Category | Storage Period | Legal Basis |
Registration data | Duration of the user relationship + 30 days after account deletion | Art. 6(1)(b) GDPR |
Chat history | Until manual deletion by the user | Art. 6(1)(b) and (f) GDPR |
Technical data (IP, browser, etc.) | 7 days (anonymized) | Art. 6(1)(f) GDPR |
Email address (after account deletion) | 30 days (for recovery) | Art. 6(1)(f) GDPR |
10. Rights of Data Subjects
You have the following rights under the GDPR and the Austrian Data Protection Act (DSG 2018):
- Right of Access (Art. 15 GDPR): You can request confirmation as to whether personal data concerning you is being processed and obtain information about this data.
- Right to Rectification (Art. 16 GDPR): You can request the correction of inaccurate or incomplete data.
- Right to Erasure ("Right to be Forgotten", Art. 17 GDPR): You can request the erasure of your data unless legal retention obligations (e.g., tax or commercial law) prevent this.
- Chat history: Can be deleted by you at any time within the application.
- Account deletion: Leads to the deletion of all data within 30 days.
- Right to Restriction of Processing (Art. 18 GDPR): You can request the restriction of processing, e.g., if the accuracy of the data is contested.
- Right to Data Portability (Art. 20 GDPR): You can receive your data in a machine-readable format (e.g., JSON).
- Right to Object (Art. 21 GDPR): You can object to the processing of your data on grounds relating to your particular situation (does not apply to contract performance).
- Right to Withdraw Consent (Art. 7(3) GDPR): You can withdraw your consent (e.g., for the use of US-based AI models) at any time. The lawfulness of the processing carried out until the withdrawal remains unaffected.
- Right to Lodge a Complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority. In Austria, this is the Austrian Data Protection Authority (DSB).
11. Data Protection Impact Assessment (DPIA)
For the processing of data through AI chatbots (particularly in the case of possible transfers to third countries), we have conducted a Data Protection Impact Assessment (DPIA) in accordance with Art. 35 GDPR.
Risk Assessment: High (due to possible third-country transfers and processing of special categories of data by users).
Risk Mitigation Measures:
- EU-US Data Privacy Framework (DPF) for certified providers (OpenAI, Anthropic, Perplexity).
- Standard Contractual Clauses (SCCs) as additional safeguards.
- Warnings to avoid sensitive data in chatbots.
- Regular review of the data protection measures of AI providers.
12. Contact for Data Protection Inquiries
For questions regarding data protection or to exercise your rights, please contact us at: hello@newzy.eu
Christoph Mandl, Vally-Weigl-Gasse 5/4/451, 1100 Vienna, Austria
13. Changes to This Privacy Policy
We reserve the right to amend this Privacy Policy in the event of changes to the legal framework or our services.