Effective Date: 28 November 2025
THIS PRIVACY POLICY (the "policy") DESCRIBES HOW RM HOLDING GMBH, AUCHTWEIDE 32, D-87775 SALGEN, GERMANY (the "controller"), COLLECTS, USES, STORES, AND PROCESSES PERSONAL DATA IN CONNECTION WITH THE USE OF THE WEBSITE, DOCUMENTATION, AND SOFTWARE-AS-A-SERVICE PLATFORM "offgen" (the "services"). BY ACCESSING OR USING THE SERVICES, THE USER (the "user") ACKNOWLEDGES AND AGREES TO THE PRACTICES DESCRIBED IN THIS POLICY. IF THE USER DOES NOT AGREE WITH THIS POLICY, THE USER MUST NOT ACCESS OR USE THE SERVICES.
THIS POLICY APPLIES TO BOTH WEBSITE VISITORS AND USERS OF THE SERVICES, AND OPERATES IN ACCORDANCE WITH THE GENERAL DATA PROTECTION REGULATION (EU) 2016/679 ("GDPR") AND OTHER APPLICABLE DATA PROTECTION LAWS.
Clarifying key terms used throughout this policy
"controller" means RM Holding GmbH, determining the purposes and means of the processing of personal data collected through the services.
"user" means any natural person accessing the website, interacting with documentation, or using the services on behalf of a corporate customer.
"personal data" means any information relating to an identified or identifiable natural person, as defined under Article 4(1) GDPR.
"processing" means any operation performed on personal data, such as collection, storage, transmission, or deletion.
"services" means the offgen application, including the web platform, Microsoft Office add-in, documentation pages, and associated functionalities.
"technical and organizational measures" or "TOMs" means safeguards implemented by the controller to protect personal data in accordance with Article 32 GDPR.
RM Holding GmbH acts as controller for: (a) website analytics, (b) customer accounts and authentication, (c) billing and subscription administration, (d) support interactions, (e) monitoring of product usage and performance.
The corporate customer acts as a separate controller for personal data uploaded by its users into slide content or AI prompts. The controller does not access or inspect such content except as required to operate the services.
"sub-processors" means third-party providers supporting the services, including but not limited to:
These providers process personal data in accordance with their respective privacy commitments and data protection addenda.
Identifying the categories and sources of personal data processed through the services
The controller collects personal data voluntarily provided by the user, including: (a) name, (b) email address, (c) Microsoft 365 authentication details, (d) organization and tenant identifiers, (e) billing and subscription information, (f) communication content sent to support channels, (g) preferences and configuration settings within the services.
This information is collected during account creation, login, subscription management, or direct communication with the controller.
When a user accesses or interacts with the services, the controller automatically processes technical data, including: (a) IP address, (b) browser type and version, (c) device and operating system identifiers, (d) timestamp and session information, (e) telemetry and performance metrics, (f) page views, feature usage, and navigation patterns.
Such data is collected through server logs, Microsoft Office add-in APIs, telemetry endpoints, and secure product instrumentation.
The services use strictly necessary cookies and local storage technologies to: (a) maintain user sessions, (b) enable authentication flows, (c) store preferences and interface states, (d) ensure security and fraud prevention, (e) enable core operational functionality.
The services do not use advertising cookies or third-party marketing pixels.
The controller uses PostHog to collect pseudonymised analytics data, including: (a) user actions within the services, (b) feature usage metrics, (c) performance indicators, (d) aggregated behavioral statistics.
All analytics data is pseudonymised and processed without identifying natural persons unless explicitly necessary for debugging or support.
The controller may process personal data through third-party communication or CRM tools, including:
These tools may receive: (a) name, (b) email address, (c) company affiliation, (d) communication metadata, (e) subscription or interest category.
No slide content or AI prompt data is transferred to these tools.
The services may technically process metadata derived from slide files or AI prompts, such as structural layout information, formatting parameters, and feature usage patterns.
However, the controller does not: (a) read, (b) extract, (c) store, (d) analyse, or (e) scan any personal data contained within slide content or AI prompts, except where strictly required to operate the services.
The customer remains solely responsible for any personal data embedded in such content.
Subscription and payment information is processed through Stripe, including: (a) billing contact details, (b) payment method metadata, (c) invoice history, (d) transaction identifiers, (e) tax information where required.
The controller does not store full credit card numbers.
When the user contacts the controller through email or the documentation website, the controller may process: (a) email content, (b) attachments voluntarily provided, (c) metadata associated with the request, (d) follow-up communication history.
Support requests may be processed internally or via third-party systems integrated for workflow efficiency.
Explaining the legitimate and operational purposes for which personal data is processed
The controller processes personal data to operate, maintain, and deliver the services, including: (a) enabling authentication via Microsoft 365, (b) providing access to the offgen add-in and platform, (c) restoring sessions and preserving state, (d) ensuring technical functionality and performance, (e) enabling AI-assisted features and content-generation tools, (f) maintaining compatibility with Microsoft Office environments.
Personal data is processed to: (a) create and manage user accounts, (b) administer subscriptions and renewals, (c) issue invoices and process payments, (d) manage tax and regulatory obligations, (e) verify customer eligibility for enterprise features.
Billing data is processed in cooperation with Stripe.
The controller processes personal data to: (a) respond to support inquiries, (b) send operational or security-related updates, (c) provide onboarding and enterprise implementation assistance, (d) deliver transactional messages via SendGrid.
Personal data is not used to send unsolicited marketing unless permitted under applicable law.
The controller uses pseudonymised analytics data to: (a) measure feature usage, (b) identify usability patterns, (c) detect issues and optimize performance, (d) plan roadmap and product improvements.
No identifiable user content is used for model training or analytics beyond what is necessary for operating the services.
Personal data is processed to: (a) monitor system integrity, (b) prevent fraud or abuse, (c) detect unauthorized access, (d) maintain audit logs, (e) comply with legal obligations, (f) implement security incident responses.
Support logs and telemetry may be used to detect misuse or enforce the agreement.
Where permitted under applicable law and initiated by the user or organization, personal data may be processed in: (a) Lemlist for outreach communication, (b) Attio for CRM management and pipeline operations, (c) Cognism for business-to-business prospecting where legally permissible.
No slide content or AI prompt data is shared with these tools.
Personal data is processed to: (a) meet statutory retention obligations, (b) comply with financial and tax regulations, (c) fulfil contractual duties under the agreement, (d) respond to lawful requests from authorities.
The controller does not process personal data for: (a) advertising or profiling unrelated to the services, (b) sale or transfer to third parties, (c) training of third-party AI models, (d) monitoring of slide content beyond operational necessity, (e) automated decision-making with legal effects.
Identifying the lawful grounds under which personal data is processed in accordance with the GDPR
The controller processes personal data where necessary to: (a) provide access to the services, (b) authenticate users via Microsoft 365, (c) operate the offgen add-in, (d) deliver AI-assisted features, (e) manage accounts, subscriptions, and enterprise implementations, (f) provide support and troubleshooting.
Without this processing, the services cannot function.
Personal data is processed to comply with: (a) financial reporting rules, (b) tax and invoicing regulations, (c) data retention obligations, (d) security, audit, and fraud-prevention requirements, (e) lawful requests from authorities.
Such processing is limited to what is strictly necessary.
The controller processes certain personal data based on legitimate interests, including: (a) ensuring the stability, availability, and security of the services, (b) protecting the services from misuse or unauthorized access, (c) improving performance, functionality, and user experience, (d) analyzing aggregated or pseudonymised usage patterns, (e) conducting permissible business-to-business outreach.
These interests do not override the fundamental rights of the user.
The controller may process personal data based on explicit consent for specific scenarios, including: (a) optional newsletters or product updates via SendGrid, (b) optional CRM-related actions triggered by outreach channels, (c) optional feedback submissions or surveys, (d) optional use of certain analytics features, where legally required.
Consent may be withdrawn at any time without affecting prior lawful processing.
The services are not designed to process special category data such as: (a) health information, (b) political opinions, (c) religious beliefs, (d) biometric identifiers.
If the customer uploads such data into slide content or AI prompts, the customer acts as the independent controller and bears full responsibility.
For any personal data contained in slide content or AI prompts: (a) the corporate customer acts as the independent controller, (b) the controller (RM Holding GmbH) processes only what is necessary for technical operation, (c) no training is performed on such content, (d) the controller retains no independent control over such data.
Explaining when and with whom personal data may be shared in the course of providing the services
The controller shares personal data with carefully selected sub-processors who support the technical and operational delivery of the services, including: (a) AI infrastructure providers (OpenAI, Anthropic, Google Gemini), (b) hosting providers (AWS, Hetzner, Neon), (c) analytics provider (PostHog), (d) authentication and platform provider (Microsoft), (e) payment processor (Stripe), (f) email delivery platform (SendGrid), (g) CRM and outreach tools (Attio, Lemlist, Cognism).
Sub-processors process personal data strictly in accordance with contractual data protection obligations and only to the extent required to support the services.
For subscription billing and payment processing, certain personal data is shared with Stripe, including: (a) billing contact details, (b) transaction metadata, (c) invoice identifiers, (d) subscription status.
Payment card information is handled solely by Stripe and is not stored by the controller.
When the controller sends transactional messages, email confirmations, or support responses, personal data (e.g., name, email address, content of correspondence) may be processed through SendGrid or other communication providers used by the controller.
Aggregated or pseudonymised usage data may be processed through PostHog to improve performance, stability, and functionality.
Such data does not identify individual users, unless necessary for debugging or support.
The controller does not: (a) sell personal data, (b) transfer personal data to third parties for advertising or profiling, (c) share slide content or AI prompt data with sub-processors unless technically required to operate the services, (d) allow sub-processors to use personal data for their own purposes.
Personal data may be disclosed where required to comply with: (a) statutory obligations, (b) binding court orders, (c) lawful requests from government authorities. The controller will notify the user or the corporate customer of such disclosures unless prohibited by law.
Personal data may be shared within RM Holding GmbH and its affiliates for: (a) administration, (b) accounting, (c) support and customer success, (d) internal security operations.
Such sharing is limited to what is necessary and governed by internal data protection controls.
In the event of a merger, acquisition, divestiture, or restructuring involving the controller, personal data may be transferred to the acquiring or successor entity, provided that such entity assumes the obligations under this policy.
Clarifying how personal data is transferred, stored, and protected across jurisdictions
The controller stores and processes personal data in regional hosting locations provided by its infrastructure partners, including AWS, Hetzner, and Neon.
Data may be stored in: (a) the European Union for EU-based users, (b) the United States for US-based users, or (c) other regions geographically aligned with the user's corporate location.
Such transfers are strictly limited to what is required to deliver the services.
Where personal data is transferred from the European Economic Area (EEA), Switzerland, or the United Kingdom to a third country lacking an adequacy decision, the controller ensures that transfers are made under one or more of the following safeguards: (a) standard contractual clauses (SCCs) adopted by the European Commission, (b) the UK International Data Transfer Agreement (IDTA) or Addendum, (c) supplementary technical and organizational measures, (d) documented transfer risk assessments (TRAs), (e) pseudonymisation where appropriate.
When personal data is transferred outside the EEA, the controller applies additional safeguards to protect confidentiality and integrity, including: (a) encryption in transit and at rest, (b) strict access controls, (c) access logging, (d) "need-to-know" authorization restrictions, (e) vendor contractual obligations to prevent disclosure to third parties.
Sub-processors located outside the EEA may access personal data only: (a) when required for support or technical operation, (b) under binding contractual safeguards, (c) with encryption controls preventing unauthorized access, (d) in accordance with this policy and the DPA.
No sub-processor is permitted to use personal data for advertising, profiling, or model training unrelated to the services.
The controller may provide additional details upon request regarding: (a) specific transfer mechanisms applicable to each sub-processor, (b) applicable SCC modules, (c) supplementary technical measures, (d) current hosting regions.
Such information may be provided through public-facing documentation or direct communication, subject to confidentiality protections.
Explaining how long personal data is stored and how deletion is performed
The controller retains personal data only for the duration necessary to fulfill the purposes described in Section 3, unless a longer retention period is required or permitted by applicable law.
Following termination or expiration of the services, the controller shall delete personal data associated with the user's account within ninety (90) days, unless:
Billing, invoicing, and transaction records processed through Stripe or internal systems may be retained for statutory retention periods, typically six (6) to ten (10) years, depending on jurisdictional requirements.
For personal data included in slide content or AI prompts submitted by corporate customers: (a) such data is stored only as technically necessary for the operation of the services, (b) the corporate customer acts as the controller, (c) the controller (RM Holding GmbH) does not store, read, analyze, or extract such data outside technical processes, (d) deletion responsibility lies with the customer through their account or API actions.
The controller employs secure deletion practices, including: (a) cryptographic erasure, (b) scheduled purge jobs, (c) versioned overwriting, (d) controlled removal from backups when feasible, (e) audit logs of deletion events.
Upon receiving a valid request from a user or from a corporate customer acting on behalf of the user, the controller will delete personal data in accordance with applicable data protection laws, subject to legal retention obligations.
Describing the technical and organizational safeguards used to protect personal data
The controller implements security measures designed to ensure a level of protection appropriate to the risks associated with the processing of personal data, in accordance with Article 32 GDPR.
These measures include physical, technical, and administrative safeguards to maintain confidentiality, integrity, and availability.
The controller uses encryption technologies to protect personal data from unauthorized access, including: (a) encryption in transit (TLS or equivalent), (b) encryption at rest, (c) secure key management procedures, (d) monitoring and enforcing encryption standards across environments.
The controller maintains strict access controls, including: (a) multi-factor authentication (MFA) for administrative access, (b) role-based access control (RBAC), (c) "least privilege" and "need-to-know" principles, (d) secure provisioning and revocation procedures, (e) periodic reviews of access rights.
Access is limited to authorized personnel involved in operating or securing the services.
The controller and its hosting providers (AWS, Hetzner, Neon) maintain: (a) firewalls and network segmentation, (b) intrusion detection and prevention mechanisms, (c) DDoS mitigation capabilities, (d) secure VPN and remote access controls, (e) hardened server configurations, (f) physical security protections at data centers.
The controller applies secure development principles, including: (a) code reviews and peer validation, (b) automated dependency and vulnerability scanning, (c) separation of development, staging, and production environments, (d) documented deployment pipelines with integrity checks, (e) regular update and patch cycles.
The controller operates continuous monitoring across the services, including: (a) administrative audit logs, (b) event and anomaly detection, (c) error tracking and telemetry, (d) logging access to sensitive systems.
Audit logs are protected against alteration and retained for appropriate periods.
To validate the effectiveness of TOMs, the controller performs: (a) periodic penetration testing, (b) internal and external vulnerability assessments, (c) regular security reviews of sub-processors, (d) compliance evaluations of data flows and infrastructure.
The controller maintains: (a) redundant infrastructure, (b) automated backups with integrity checks, (c) disaster recovery runbooks, (d) incident response procedures, (e) emergency operations protocols.
These measures help ensure resilience and minimize downtime across the services.
The controller may adjust or enhance TOMs to reflect technological advancements, evolving threats, or regulatory requirements, provided such changes do not materially reduce the level of protection afforded to personal data.
Outlining the rights available to individuals under data protection laws and the procedures for exercising them
Depending on jurisdiction and applicable data protection laws, a user may exercise the following rights with respect to their personal data: (a) right of access, (b) right to rectification, (c) right to erasure ("right to be forgotten"), (d) right to restriction of processing, (e) right to data portability, (f) right to object to processing based on legitimate interests, (g) right not to be subject to automated decision-making where applicable.
Requests may be submitted to privacy@offgen.ai.
To protect the confidentiality of personal data, the controller may request additional information necessary to verify the identity of the individual submitting a request.
Unverified requests may be refused in accordance with data protection laws.
The controller shall respond to valid data subject requests within the time periods required under GDPR, generally one (1) month, extendable by two additional months where necessary due to complexity or volume.
For personal data processed directly by the controller, including account information, authentication details, billing data, and analytics, the controller will fulfill the applicable rights unless restricted by: (a) legal obligations, (b) compelling legitimate interests, (c) data embedded in logs or backups, (d) technical limitations with disproportionate impact.
Where personal data is embedded in slide content or AI prompt data uploaded by a corporate customer: (a) the corporate customer acts as an independent controller, (b) requests concerning such data must be directed to that customer, (c) the controller (RM Holding GmbH) cannot delete, edit, or locate such data independently, (d) any assistance is provided only upon documented instructions of the corporate customer.
Where the user or organization receives outreach via Lemlist, Attio, or Cognism and wishes to opt out: (a) objections may be submitted via privacy@offgen.ai, (b) the controller will remove or suppress contact information for such purposes, (c) this does not affect necessary operational communications.
The controller may decline a request or charge a reasonable fee where requests are: (a) manifestly unfounded, (b) repetitive, (c) excessive in nature, (d) beyond the scope of GDPR obligations.
Clarifying obligations of users and corporate customers when accessing and using the services
The user is responsible for ensuring that all personal data submitted to the services, including account details, billing information, and communication content, is accurate, current, and lawfully obtained.
The user shall: (a) keep login credentials confidential, (b) safeguard access to their Microsoft 365 account, (c) prevent unauthorized use of the services, (d) promptly notify the controller of any suspected compromise or unauthorized activity.
The controller is not liable for damages arising from compromised credentials or misuse caused by the user.
The user shall not upload or submit content containing: (a) special categories of personal data (Article 9 GDPR), (b) sensitive or regulated data (e.g., health, financial or biometric data), (c) personal data not lawfully collected, (d) content infringing intellectual property, (e) malicious code or harmful files.
If the user uploads such content, the corporate customer assumes full responsibility as the independent controller.
The user is responsible for ensuring that use of the services complies with applicable laws, internal policies, and contractual requirements, including: (a) GDPR and national data protection laws, (b) employer guidelines regarding data handling, (c) Microsoft 365 usage terms, (d) industry-specific compliance obligations.
The user shall not: (a) attempt to gain unauthorized access to the services, (b) circumvent technical protections or security controls, (c) probe or scan infrastructure or APIs, (d) use the services to generate harmful, unlawful, or abusive content, (e) interfere with or disrupt the services.
For slide content or AI prompt data uploaded by users on behalf of a corporate customer: (a) the corporate customer is the controller, (b) the controller (RM Holding GmbH) cannot independently identify, extract, or delete such data, (c) the user or corporate customer must handle data subject rights requests directly.
Where outreach or CRM tools (Lemlist, Attio, Cognism) are involved, users must ensure that: (a) contacts are lawfully sourced, (b) communication is compliant with applicable marketing laws, (c) opt-out requests are respected, (d) no sensitive personal data is uploaded into these tools.
The user shall follow: (a) the offgen documentation, (b) setup instructions and best practices, (c) enterprise deployment guidelines, (d) any technical notices issued by the controller.
Failure to follow required procedures may impact service quality or security.
Describing how support is provided and clarifying service availability obligations
The controller offers support for the services through a structured, tiered model: (a) first-level support via the offgen documentation available at https://www.offgen.ai/docs, (b) second-level support via email at support@offgen.ai, (c) third-level support in the form of individual technical assistance sessions with a dedicated implementation engineer, available exclusively to enterprise customers.
Support inquiries must include sufficient information to allow the controller to reproduce or assess the issue.
Support is provided during standard business hours in Germany (CET/CEST), excluding weekends and public holidays.
The controller strives to respond promptly to inquiries but does not guarantee specific resolution times unless expressly agreed in a separate enterprise contract.
The controller aims to maintain high availability of the services and targets 99.9% uptime, measured as an annual average.
However, the controller does not warrant uninterrupted or error-free operation and may perform maintenance, updates, or improvements that temporarily affect availability.
Planned maintenance windows that may significantly impact the services will be communicated in advance where feasible.
Emergency maintenance may occur without prior notice if required to protect security or system integrity.
Availability may be affected by third-party services outside the controller's reasonable control, including: (a) Microsoft 365 infrastructure and authentication, (b) hosting providers (AWS, Hetzner, Neon), (c) AI model providers (OpenAI, Anthropic, Google Gemini), (d) networking or internet-service providers.
The controller is not liable for interruptions caused by such external dependencies.
Users may report service degradation, outages, or technical concerns through the designated support channels.
The controller may request logs, screenshots, or additional context to resolve issues efficiently.
Describing the procedures for identifying, assessing, and reporting personal data breaches
A personal data breach is any event leading to: (a) accidental or unlawful destruction of personal data, (b) loss, alteration, or unauthorized disclosure of personal data, (c) unauthorized access to personal data, (d) any compromise affecting confidentiality, integrity, or availability.
This definition is consistent with Article 4(12) GDPR.
The controller operates monitoring and alerting systems designed to detect anomalies and potential security incidents.
Upon identification of a suspected breach, the controller promptly: (a) initiates internal incident response procedures, (b) assesses the scope and severity, (c) determines whether personal data is affected, (d) documents all relevant facts in an incident log.
If a breach involving personal data processed on behalf of a corporate customer is likely to result in a risk to the rights and freedoms of individuals, the controller will notify the affected customer: (a) without undue delay, and (b) no later than seventy-two (72) hours after becoming aware of the breach, where feasible.
Notifications will include: (a) a description of the nature of the breach, (b) categories and approximate number of affected data subjects, (c) likely consequences, (d) mitigation or remediation measures, (e) contact information for further inquiries.
Upon request, the controller will assist the corporate customer in: (a) assessing risks to data subjects, (b) preparing notifications to supervisory authorities, (c) communicating breaches to affected data subjects, (d) implementing corrective measures.
The controller does not contact data subjects directly unless expressly instructed or required by law.
If the controller experiences a breach involving its own business or account data, it will notify affected individuals or entities in accordance with applicable data protection laws.
Following a breach, the controller undertakes reasonable measures to: (a) contain and remediate the incident, (b) assess root causes, (c) strengthen security policies and TOMs, (d) update prevention and detection mechanisms, (e) document all actions taken.
Explaining how updates to this policy are made and communicated to users
The controller may amend or update this policy from time to time to reflect: (a) changes in legal or regulatory requirements, (b) updates to the services, (c) new security practices, (d) modifications to sub-processors or infrastructure, (e) improvements in internal data protection processes.
Changes will be made in accordance with applicable data protection laws.
If updates materially affect the rights or obligations of the user, the controller will provide notice through: (a) the website, (b) the documentation portal, (c) email notifications, (d) in-product messages, where appropriate and feasible.
Each version of this policy will include an effective date at the top of the document.
The controller may maintain a revision history or changelog accessible to users for transparency purposes.
By continuing to use the services after an updated version of this policy becomes effective, the user acknowledges and agrees to the modifications.
If the user does not accept the updated policy, the user must discontinue use of the services.
Providing contact channels for privacy-related inquiries and rights requests
For questions regarding this policy, the processing of personal data, or the exercise of rights under data protection laws, the user may contact the controller at: privacy@offgen.ai
Inquiries must include sufficient information to allow the controller to identify the requester and address the matter appropriately.
Written correspondence may also be sent to the following address:
RM Holding GmbH
Auchtweide 32
D-87775 Salgen
Germany
The user has the right to lodge a complaint with a competent supervisory authority if the user believes that the processing of personal data violates applicable law. The competent authority for RM Holding GmbH is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany
The controller may provide additional details regarding sub-processors, transfer mechanisms, retention periods, or security measures upon reasonable request, provided that such disclosure does not compromise security or confidentiality.