Privacy Policy
Last updated: February 2026
Data Controller: Markus Schäfer, trading as getdisco
1. Overview
This privacy policy explains how Markus Schäfer, trading as getdisco ("disco," "we," "us"), collects, processes, and protects your personal data when you visit getdisco.dev or use our services. We process data in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the Telecommunications Telemedia Data Protection Act (TTDSG).
2. Data Controller & Contact
Markus Schäfer
trading as getdisco
Schulstraße 57, 63303 Dreieich, Germany
Email: privacy@getdisco.dev
For data protection inquiries, please contact:
privacy@getdisco.dev
3. Data Collection When Visiting Our Website
When you visit getdisco.dev, certain personal data is automatically processed by our hosting provider's servers. This includes your IP address, browser type and version, operating system, referrer URL (the page from which you accessed our site), requested page, date and time of access, HTTP status code, and the volume of data transferred. This data is necessary for the technical delivery of the website and to ensure its security and stability. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Server logs are encrypted in transit and deleted regularly (see section 12).
4. Data We Collect Through Our Services
Account creation: Name, email address, company name, job title. Provided voluntarily during sign-up. Legal basis: contract performance (Art. 6(1)(b) GDPR).
Payment: Credit card details processed by Stripe, Inc. We do not store card numbers on our servers. Legal basis: contract performance (Art. 6(1)(b) GDPR).
Product usage: Discovery conversations, evidence data, team interactions within the disco platform. Legal basis: contract performance (Art. 6(1)(b) GDPR).
5. Contact & Support Inquiries
When you contact us by email (e.g., to legal@getdisco.dev, support@getdisco.dev, or privacy@getdisco.dev), we store the personal data transmitted with your inquiry — in particular your email address, name, and the content of your message. We use this data exclusively to process and respond to your inquiry. Legal basis: legitimate interest in responding to your request (Art. 6(1)(f) GDPR), or contract performance if the inquiry relates to an existing contractual relationship (Art. 6(1)(b) GDPR). Your inquiry data is deleted once the matter is resolved, unless statutory retention obligations apply.
6. Email Communications
If you reserve an early alpha spot or create an account, we may use your email address to send you transactional notifications directly related to your reservation or account (e.g., payment confirmations, launch notifications, service updates). Legal basis: contract performance (Art. 6(1)(b) GDPR). We may also send you information about similar services or product updates. You may opt out of such communications at any time by clicking the unsubscribe link in any email or by contacting support@getdisco.dev. Legal basis: legitimate interest (Art. 6(1)(f) GDPR, § 7 Abs. 3 UWG).
7. Legal Basis for Processing (Art. 6 GDPR)
Consent (Art. 6(1)(a)): Analytics cookies, marketing communications. You may withdraw consent at any time.
Contract performance (Art. 6(1)(b)): Account creation, service delivery, payment processing, early alpha reservations.
Legitimate interest (Art. 6(1)(f)): Security, fraud prevention, service improvement, anonymized analytics, server log processing, responding to inquiries.
Legal obligation (Art. 6(1)(c)): Retention of payment records and invoices as required by German tax law (§ 147 AO, § 257 HGB).
8. Third-Party Services & Data Processors
We use external service providers to operate our platform. All processors are contractually bound by data processing agreements pursuant to Art. 28 GDPR. They are obligated to process personal data only on our instructions and in compliance with applicable data protection standards. Processing takes place within the EU/EEA where possible.
Stripe (payments): Stripe, Inc., USA. Processes payment data as a data processor on our behalf. Data transfers based on the EU-US Data Privacy Framework (DPF) and EU Standard Contractual Clauses (SCCs). Legal basis: contract performance (Art. 6(1)(b) GDPR).
Clerk (authentication): Clerk, Inc., USA. Handles sign-in, session management, and identity verification. Data transfers safeguarded by EU Standard Contractual Clauses (SCCs). Legal basis: contract performance (Art. 6(1)(b) GDPR).
PostHog (analytics): PostHog, Inc., USA. Product analytics for understanding site usage. Starts in cookieless mode; full tracking only after explicit consent. EU data residency available. Legal basis: consent (Art. 6(1)(a) GDPR, § 25 Abs. 1 TTDSG).
Sentry (error monitoring): Functional Software, Inc., USA. Captures technical errors and performance data for service reliability. Data transfers safeguarded by SCCs. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
Vercel (hosting & analytics): Vercel, Inc., USA. Hosts the application and processes server-side requests. Vercel Analytics collects page view data and Speed Insights measures Core Web Vitals — both require explicit opt-in consent before any data is collected. No cookies are used; visitors are identified by anonymized IP hash, discarded after 24 hours. Data transfers safeguarded by SCCs. Legal basis: consent (Art. 6(1)(a) GDPR, § 25 Abs. 1 TTDSG).
Brevo (email): Sendinblue SAS, France. Processes email addresses and names for double opt-in email subscription management and transactional email delivery. Data stored in the EU (France/Belgium). Legal basis: consent (Art. 6(1)(a) GDPR) for marketing communications; contract performance (Art. 6(1)(b) GDPR) for transactional notifications.
c15t (consent management): Open-source consent management tool. Stores your cookie preferences locally in your browser (localStorage). No personal data is transmitted to external servers. Legal basis: legitimate interest (Art. 6(1)(f) GDPR, § 25 Abs. 2 Nr. 2 TTDSG).
Arcjet (security): Arcjet, Inc. Processes IP addresses for rate limiting and bot protection on authentication pages. Legal basis: legitimate interest in security (Art. 6(1)(f) GDPR).
Tally (surveys): Tally NV, Belgium. Processes survey responses, name, and email address when you participate in our product research surveys. Data stored in the EU. Legal basis: consent (Art. 6(1)(a) GDPR).
Scheduling (self-hosted): We use a self-hosted scheduling tool at cal.msrcx.com to facilitate discovery calls. When you book a call, we process your name, email address, and chosen time slot. Data is stored on our own infrastructure. Legal basis: consent (Art. 6(1)(a) GDPR).
9. International Data Transfers
Several of our processors are based in the United States (Stripe, Clerk, Sentry, Vercel). A transfer of personal data to a third country is permissible when the European Commission has determined that an adequate level of data protection exists in the respective country.
Where the processor is certified under the EU-US Data Privacy Framework (DPF), transfers are covered by the adequacy decision of the European Commission. For all other US-based processors, data transfers are safeguarded by EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. We verify that appropriate technical and organizational measures are in place to ensure a level of protection equivalent to that within the EU.
10. AI Data Processing (EU AI Act)
disco's AI-guided discovery system processes user inputs to extract underlying problems from feature requests. All AI interactions are clearly disclosed. AI-generated outputs are marked as such. Discovery data is processed solely to deliver the service you requested.
Our AI infrastructure providers are contractually committed to not using customer data — including prompts, outputs, embeddings, or conversation content — to train, improve, or develop their AI models. Your discovery data remains yours and is never shared with or made available to other customers or third-party model developers.
11. Cookies & Consent
Essential cookies: Required for site functionality, including consent preference storage (via c15t, locally in your browser). No consent needed (Art. 6(1)(f) GDPR, § 25 Abs. 2 Nr. 2 TTDSG).
Analytics cookies: PostHog (active), Vercel Analytics (active). Require explicit opt-in consent before any tracking data is collected (Art. 6(1)(a) GDPR, § 25 Abs. 1 TTDSG).
You can manage your cookie preferences at any time via the "Cookie Settings" link in the footer.
12. Data Retention
We store personal data only for as long as (i) it is necessary to provide our services to you, and/or (ii) it is required in connection with the contractual relationship with you. After that, data is deleted unless statutory retention obligations apply.
Server logs: 30 days.
Account data: deleted within 30 days of account closure.
Contact inquiries: deleted after the matter is resolved, unless statutory retention applies.
Payment records: retained as required by German tax and commercial law (§ 147 AO, § 257 HGB — up to 10 years).
Analytics data: anonymized after 26 months.
Consent records: retained for 3 years as proof of consent (Art. 7(1) GDPR).
Processor-specific retention: Clerk session data deleted within 30 days of account closure. Stripe payment records retained up to 10 years per § 147 AO. Brevo contact data retained until consent withdrawn or unsubscribed. Sentry error data retained for 90 days. Vercel server logs 30 days, Analytics data up to 12 months. Arcjet IP data up to 30 days. c15t consent preferences stored locally in your browser. Tally survey responses retained until deleted by us or account closure. Scheduling (Cal.com) booking data retained on our infrastructure, deleted upon request.
13. Your Rights (Art. 15–22 GDPR)
You have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data — "right to be forgotten" (Art. 17)
- Restrict processing (Art. 18)
- Data portability in machine-readable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time (Art. 7(3))
- Lodge a complaint with a supervisory authority (Art. 77) — the competent authority is Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, Gustav-Stresemann-Ring 1, 65189 Wiesbaden (https://datenschutz.hessen.de)
To exercise your rights, contact: privacy@getdisco.dev
We will respond within 30 days.