Privacy Policy
As of: June 2026
Applies to: CT Flow web application (app.ct-flow.com) and related backend API
§ 1 Controller
The controller responsible for data processing is:
Centraltec GmbH
Blütenstraße 15
80799 Munich, Germany
Represented by managing director André Scheffer
Email: andre.scheffer@centraltec.de
Please direct data protection requests to the email address above. We are currently not legally required to appoint a data protection officer.
§ 2 Purposes of processing and legal bases
We process personal data solely for defined purposes:
- Providing CT Flow, managing user accounts and tenants (Art. 6(1)(b) GDPR)
- Structured process capture, analysis and optimization including AI-assisted features (Art. 6(1)(b) GDPR)
- Authentication, email verification and operationally necessary system notifications (Art. 6(1)(b) GDPR)
- Billing paid plans and meeting tax and commercial-law obligations (Art. 6(1)(b) and (c) GDPR)
- Protection against abuse and bots, IT security, technical operation and error analysis (Art. 6(1)(f) GDPR)
- Processing based on consent (Art. 6(1)(a) GDPR), which you may withdraw at any time with effect for the future
§ 3 Data we process
Depending on usage, we process in particular:
- Master data: email address, company or tenant name
- Authentication data: password (stored solely as a cryptographic hash), login and session tokens
- Content data: process descriptions, BPMN models, analyses, measures, reports and chat histories with the Process Agent
- Contract and billing data for paid plans
- Technical log data: IP address, date and time of access, browser/device information, error logs
You decide which process and company data you enter. Please do not enter personal data of third parties that is not necessary for representing the process.
§ 4 Cookies and session management
CT Flow uses only technically necessary cookies or comparable tokens to keep you signed in after login (session and refresh tokens). These are required to operate the application (Section 25(2) TDDDG; Art. 6(1)(f) GDPR). No tracking for advertising or analytics purposes takes place.
§ 5 Processors and recipients
We use carefully selected service providers that process personal data on our behalf and on our instructions (Art. 28 GDPR):
- Hetzner Online GmbH – hosting and server operation (data centers in Germany/EU)
- Brevo (Sendinblue GmbH) – delivery of transactional emails (e.g. registration and verification emails)
- Stripe Payments Europe, Ltd. – processing payments for paid plans
- Cloudflare, Inc. (Turnstile) – bot protection during registration and login
- AI providers (in particular Anthropic, possibly OpenAI) – processing chat and process content to provide the AI features
We do not pass on your data for the providers' own purposes, nor do we sell it to third parties.
§ 6 Transfers to third countries
Some services (in particular Cloudflare, Stripe and the AI providers OpenAI/Anthropic) may process personal data in the USA. Where a provider is certified under the EU-US Data Privacy Framework, we base the transfer on that adequacy decision of the EU Commission. Otherwise – in particular for Anthropic – the transfer is based on EU standard contractual clauses together with supplementary safeguards (Art. 46 GDPR). We continuously review each provider's current certification status. A copy of the appropriate safeguards is available on request (Art. 44 et seq. GDPR).
§ 7 Processing by artificial intelligence (AI)
AI-assisted features process the process and chat content you enter in order to generate drafts, analyses and suggestions. The following applies:
- Your content is not used to train the providers' AI models.
- All AI results are to be understood as drafts and only take effect once you approve them.
- Avoid entering personal data of process participants into AI inputs where this is not necessary.
§ 8 Retention
We store personal data for as long as your account exists and the respective purpose requires it. After account deletion, the related content data is deleted. Data subject to statutory retention obligations is excepted (in particular invoice and accounting data under Section 257 HGB and Section 147 AO, with periods of up to 10 years); such data is restricted from processing until the period expires and is then deleted.
§ 9 Data security
We take appropriate technical and organizational measures under Art. 32 GDPR. These include encrypted transmission (TLS/HTTPS), storage of passwords solely as a hash, tenant separation and role- and access-restricted data processing.
§ 10 Your rights
You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and to object to processing based on legitimate interests (Art. 21 GDPR). You may withdraw any consent at any time with effect for the future.
To exercise your rights, a message to andre.scheffer@centraltec.de is sufficient.
§ 11 Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18, 91522 Ansbach, Germany
§ 12 Changes to this policy
We update this privacy policy when processing or the legal situation changes. The version published at app.ct-flow.com applies.

