Grunwald
EN
DE EN

Privacy Policy

Last updated: 18 June 2026

Limitation of liability for internal content

The contents of our pages have been created with the utmost care. However, we cannot guarantee the contents' accuracy, completeness or topicality. According to statutory provisions, we are furthermore responsible for our own content on these web pages. In this context, please note that we are accordingly not obliged to monitor merely the transmitted or saved information of third parties, or investigate circumstances pointing to illegal activity. Our obligations to remove or block the use of information under generally applicable laws remain unaffected by this as per §§ 8 to 10 of the Telemedia Act (TMG).

Limitation of liability for external links

Responsibility for the content of external links (to web pages of third parties) lies solely with the operators of the linked pages. No violations were evident to us at the time of linking. Should any legal infringement become known to us, we will remove the respective link immediately.

Copyright

This website and its contents are subject to German copyright law. Unless expressly permitted by law (§ 44a et seq. of the copyright law), every form of utilizing, reproducing or processing works subject to copyright protection on this website requires our prior consent. Individual reproductions of a work are allowed only for private use, so must not serve either directly or indirectly for earnings. Unauthorized utilization of copyrighted works is punishable (§ 106 of the copyright law). All trademarks belong to their respective owners.

I. Introduction

The Grunwald team will be happy to answer any questions you may have regarding the use of personal data (hereinafter referred to mostly as "data") within the scope of our online offer. You can find the corresponding contact data in the imprint of https://www.grunwald.ai/. The protection of your privacy and your data is important to us. The collection, storage and use of your data is carried out exclusively in accordance with Regulation (EU) 2016/679 (hereinafter referred to as "GDPR") and national data protection regulations. Within the framework of this data protection declaration, we would like to inform you in what way, to what extent and for what purpose your personal data is used when using our online offer, insofar as we alone or with third parties used by us to optimize the use of our online offer decide on your data.

For privacy-related requests you can also reach us directly at privacy@1017.ai.

II. What is personal data?

Personal data is information about a specific or identifiable person. This includes in particular information about your identity, such as your name, your e-mail address or your postal address. All information that cannot be associated with your person (for example statistical values) is not data in the sense of the GDPR. Your data will only be stored and processed by us within the necessary and permissible framework. In accordance with Art. 4 II GDPR, "processing" is defined as any operation or series of operations, carried out with or without the aid of automated procedures, relating to personal data, such as the collection, recording, organisation, organisation, filing, storage, adaptation or modification, reading, querying, use, disclosure by transmission, dissemination or any other form of provision, comparison or combination, restriction, deletion or destruction of personal data.

III. Legal basis of the processing of your data

If and insofar as we obtain your consent for the processing of personal data, this will serve as the legal basis in accordance with Art. 6 Para. 1 lit. a) GDPR. Should we use your data in the course of fulfilling a contract concluded with you, Art. 6 para. 1 lit. b) GDPR is the legal basis. If we use your data in the context of fulfilling another legal obligation towards you, Art. 6 para. 1 lit. c) GDPR is the legal basis. Reference is made to the other legal bases contained in Art. 6 para. 1 GDPR. If data processing is necessary to safeguard the legitimate interests of the person responsible or of a third party (cf. Art. 6 para. 1 letter f) GDPR), you have the right to object to the further processing of the data concerning you in accordance with Art. 21 GDPR.

IV. Processing of personal data

The storage and processing of your data is indispensable for the use of our online offer. Storage takes place on servers within the European Union: our hosting provider Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, USA) executes the website and all server-side functions exclusively in the Frankfurt am Main region (eu-central-1). Our database, authentication and file storage are provided by Supabase Pte. Ltd. (970 Toa Payoh North #07-04, Singapore 318992) in the Ireland region (eu-west-1).

The necessary technical and organisational measures have been taken to secure your data against destruction, unauthorised access, loss, alteration or distribution by unauthorised third parties. This includes in particular the encryption of your data during transmission over the internet by TLS, encryption at rest in our databases, and restrictive access control for internal staff. Only a limited group of persons has authorised access to your data. We would like to point out, however, that absolute protection is not possible and that there is always a residual risk in the transmission of data over the internet.

V. Transfer of personal data to third parties

As a matter of principle, we only use your data to provide the service you have requested. Personal data is transmitted to the following processors within the meaning of Article 28 GDPR:

  • Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA — website hosting and execution of server-side functions in Frankfurt am Main.

  • Supabase Pte. Ltd., 970 Toa Payoh North #07-04, Singapore 318992 — database, authentication and file storage (Ireland region).

  • Anthropic, PBC, 548 Market St., PMB 90375, San Francisco, CA 94104, USA — AI language model used for our valuation and research features.

  • Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA — sending transactional emails (e.g. confirmation links, valuation reports, login links, internal notifications about new enquiries).

  • Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland — Microsoft Clarity (only with your consent).

  • Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland — Meta Pixel (only with your consent; joint controllership under Article 26 GDPR).

Several of the providers named have their headquarters or parent companies outside the European Economic Area (EEA), in particular in the United States. With all such providers we have entered into Data Processing Agreements as well as the EU Standard Contractual Clauses (SCCs) issued by the European Commission pursuant to Article 46(2)(c) GDPR, to ensure an adequate level of data protection. A copy of these safeguards may be requested at privacy@1017.ai.

Beyond this we do not pass your data to third parties without your express consent, unless we are legally required or compelled to do so by an authority or court order.

VI. Deletion of your personal data

In accordance with our legal obligations, we delete your data as a matter of principle when the purpose for which it was stored no longer applies. A storage beyond this can take place if we are subject to any storage and documentation obligations. Should this be the case, your data will be deleted immediately after the expiry of the obligation.

The specific retention periods are as follows:

  • Server log data: max. 30 days.

  • Requests via the valuation or buyer tool: for the duration of processing; thereafter in accordance with German commercial and tax retention obligations (generally 6 or 10 years under §§ 257 HGB, 147 AO), where applicable.

  • Account and communication data: for as long as your account exists or until your enquiry has been resolved.

  • Cookies and similar storage: see Section X.

VII. Processing of server data

When you visit our website, our hosting provider Vercel Inc. automatically records technical information transmitted by your browser in server log files. These include your IP address, date and time of the request, the URL requested, the referring URL, browser type and version, operating system, and the data volume transferred.

The legal basis is Article 6(1)(f) GDPR; our legitimate interest is the technical operation, security and stability of the website. Processing takes place in the Frankfurt am Main region (eu-central-1) and the logs are automatically deleted after no more than 30 days.

Emails sent to privacy@1017.ai are processed solely to respond to your enquiry. The legal basis is Article 6(1)(b) or (f) GDPR. Your correspondence will be deleted once it is no longer required for further handling, subject to statutory retention obligations.

VIII. Processing in our valuation and buyer tools

If you use our free AI-based valuation tool or our strategic buyer identification tool, we process the information you voluntarily enter (such as company name, website, industry, key figures, contact details) solely to provide the service you have requested. The legal basis is Article 6(1)(b) GDPR (performance of pre-contractual measures at your request).

For generating the valuation and the buyer analysis we use the Claude AI service provided by Anthropic, PBC as a processor. The content you submit is transmitted to Anthropic for this purpose. Under our contract, Anthropic processes this data solely to respond to your request and does not use it for training AI models. For details on international transfers, see Section V.

IX. User accounts and transactional emails

If you create an account on our platform or request a valuation report, we process the data required for registration, authentication and communication — in particular your email address, name, optionally phone number and password hash, and login timestamps.

Account data is stored in our Supabase database in the Ireland region (eu-west-1). Transactional emails (such as confirmation links, valuation reports, login links, and internal notifications about new enquiries) are sent via Resend, Inc. Your email address and the content of the respective message are transmitted to Resend for that purpose.

The legal basis is Article 6(1)(b) GDPR. Account and enquiry data is stored for as long as your account exists or until your enquiry has been resolved; statutory retention obligations remain unaffected.

X. Use of cookies

Grunwald.ai uses the following cookies and comparable storage mechanisms:

Strictly necessary (without consent):

  • gw_locale — stores your language preference (lifetime: session). Legal basis § 25(2) No. 2 TDDDG.

  • gw_cookie_consent — stores your cookie preferences (lifetime: 180 days).

  • sb-... — Supabase session and authentication cookies, only after login (lifetime: until end of session).

Analytics cookies and storage (only with your consent):

  • gw_anonymous_id (Local Storage) — anonymous visitor identifier for our own usage analytics (persistent).

  • _clck — Microsoft Clarity, unique visitor ID (lifetime: 1 year).

  • _clsk — Microsoft Clarity, session ID (lifetime: 1 day).

Advertising cookies (only with your consent):

  • _fbp — Meta Pixel, browser identifier (lifetime: 90 days).

  • _fbc — Meta Pixel, click identifier when accessed via an advertisement (lifetime: 90 days).

You can adjust your consent at any time via the cookie banner, or use your browser settings to block or delete cookies.

XI. Analytics and session recording (only with your consent)

With your express consent (Article 6(1)(a) GDPR, § 25(1) TDDDG) we use the following analytics tools on our website:

  • Vercel Analytics and Vercel Speed Insights (Vercel Inc.) — collection of anonymous usage statistics and performance data.

  • Microsoft Clarity (Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland) — pseudonymised session recordings and heatmaps to improve usability.

We additionally use our own first-party analytics feature that stores a random anonymous identifier in your browser's local storage (gw_anonymous_id) so that page views and tool usage can be evaluated in pseudonymous form across sessions.

You can withdraw your consent at any time, with effect for the future, by changing your cookie preferences via the banner on our website.

XII. Marketing and conversion tracking (only with your consent)

With your express consent (Article 6(1)(a) GDPR, § 25(1) TDDDG) we use Meta Pixel, a service provided by Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland).

Meta Pixel allows us to measure the success of our advertising on Facebook and Instagram (conversion tracking) and to build custom audiences. The cookies fbp and, where applicable, fbc are set; your IP address and browser information are transmitted to Meta.

For processing within the Meta Pixel, we and Meta Platforms Ireland Limited are joint controllers within the meaning of Article 26 GDPR. The corresponding joint-controller arrangement is available at https://www.facebook.com/legal/controller_addendum. You can withdraw your consent at any time, with effect for the future, by changing your cookie preferences.

XIII. Your rights

Under the GDPR you have the right to:

  • request access to the personal data we hold about you (Art. 15),

  • have inaccurate data rectified (Art. 16),

  • have your data erased (Art. 17),

  • have processing restricted (Art. 18),

  • receive your data in a portable format (Art. 20),

  • object to processing (Art. 21),

  • withdraw any consent at any time, with effect for the future (Art. 7(3)).

To exercise any of these rights, email privacy@1017.ai.

XIV. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority — for example, the data protection authority of the German state in which we are headquartered (Bavarian State Office for Data Protection Supervision, BayLDA, Promenade 18, 91522 Ansbach, Germany, www.lda.bayern.de), or the authority of your place of residence or alleged infringement.

XV. Links to social media platforms

Our website contains links to our profiles on LinkedIn and Instagram. These are simple hyperlinks — no content, scripts, or tracking pixels from LinkedIn or Instagram are embedded on our website, and no personal data is transmitted to those platforms until you actively click one of the links.

If you click such a link, you leave our website and are taken to the respective platform, which then becomes responsible for any further data processing in accordance with its own privacy policy:

We have no influence over the data processed by these providers once you have left our website.