Privacy Policy

Last updated: February 2026

1. Data controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

Raoul Hoffmann
Raoul Hoffmann Research & Development
Staudingerstrasse 69
81735 Munich, Germany
Email: contact@brainstorm.gift

2. Overview of data processing

brainstorm.gift is designed with privacy in mind. We do not collect or store any personal data. We do not use tracking cookies or any third-party tracking services. We collect only anonymous aggregate statistics (daily page view counts and referring website domains) that cannot be linked to any individual user.

3. Session data

When you use the site, your answers to gift-related questions and your product feedback are temporarily stored in server memory for the duration of your session. This data:

Is never written to disk or a database
Is automatically deleted when your session expires (after 60 minutes of inactivity)
Is not associated with any personal identifier (no IP address, no user account)
Contains only gift-preference answers (e.g. "the gift is for a friend", "they like reading"), not personal data about you

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in providing the service you requested.

4. Cookies and local storage

We use a single entry in your browser's local storage to remember that you have acknowledged the cookie notice. This entry:

Contains no personal data
Is not used for tracking
Can be removed at any time by clearing your browser's local storage

We do not set any tracking cookies, advertising cookies, or third-party cookies.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in a functional website (strictly necessary for the service).

5. LLM processing (AI-generated suggestions)

Your gift-related answers are sent to an external AI service to generate personalized gift suggestions. The data is transmitted to:

OpenRouter (OpenRouter, Inc., USA) — acts as an API intermediary that routes requests to the configured AI model provider
Model provider (currently Mistral AI, Paris, France) — processes the request and generates the response

The data sent includes only your gift-related answers and product feedback. No personal identifiers (name, email, IP address) are transmitted to these services.

Mistral AI is based in the EU and processes data within the European Economic Area. OpenRouter is based in the United States; data routed through OpenRouter is transferred to a third country outside the EU/EEA. OpenRouter participates in and has certified its compliance with the EU-U.S. Data Privacy Framework.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in providing AI-powered gift suggestions, which is the core function of this service.

For more information, see: OpenRouter Privacy Policy, Mistral AI Privacy Policy.

6. Affiliate links (Amazon)

Product suggestions include affiliate links to Amazon. When you click these links, you leave our website. Amazon may then set their own cookies and process your data according to their own privacy policy. We receive a commission if you make a purchase, but we do not receive any personal data about you from Amazon.

For more information, see: Amazon Privacy Notice.

7. Anonymous aggregate statistics

We do not use Google Analytics, Facebook Pixel, or any third-party analytics tools. We do not collect IP addresses, browser fingerprints, or individual usage patterns. We do collect anonymous aggregate statistics: the total number of page views per day and which website domains referred visitors to us (e.g. “google.com: 10 visits”). These statistics contain no personal data and cannot be used to identify or track any individual user. This data is stored on our server and is not shared with any third party.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in understanding aggregate site usage.

8. Data recipients

Your gift-related answers are shared with the following third parties solely for the purpose of generating suggestions:

OpenRouter, Inc. (API routing)
The configured AI model provider (currently Mistral AI, France)

No other third parties receive any data from us.

9. Data retention

Session data: Automatically deleted after 60 minutes of inactivity. Never persisted to disk.
Cookie consent entry: Stored in your browser's local storage until you clear it.
Server logs: We do not maintain access logs or store IP addresses.
Aggregate statistics: Daily page view counts and referrer domain tallies are retained for 90 days and then automatically deleted. These contain no personal data.

10. Your rights under GDPR

Under the General Data Protection Regulation, you have the following rights:

Right of access (Art. 15 GDPR) — You can request information about whether we process your personal data.
Right to rectification (Art. 16 GDPR) — You can request correction of inaccurate data.
Right to erasure (Art. 17 GDPR) — You can request deletion of your data.
Right to restriction of processing (Art. 18 GDPR) — You can request that we restrict the processing of your data.
Right to data portability (Art. 20 GDPR) — You can request your data in a machine-readable format.
Right to object (Art. 21 GDPR) — You can object to processing based on legitimate interest at any time.

Since we do not store any personal data beyond your temporary session, there is typically nothing to access, correct, or delete. Your session data is automatically removed after 60 minutes of inactivity.

11. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for our business is:

Bayerisches Landesamt fuer Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
www.lda.bayern.de

12. Changes to this policy

We may update this privacy policy from time to time. The current version is always available at this URL. The date at the top indicates the last update.

13. Contact

For privacy-related questions, please contact us at: contact@brainstorm.gift