Privacy Policy
Last updated: April 2026
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection laws for the operation of the service SteerMind AI at www.steer-mind.com is:
- Name: Nicolas Schraml
- Legal form / business name: SteerMind AI
- Address: Heide 2, 33824 Werther, Germany
- E-mail: privacy@steer-mind.com
2. General information on data processing
SteerMind AI is an AI-powered application for controlled-environment plant cultivation. The service processes personal data only to the extent technically necessary for the provision and secure operation of the service. The following sections describe what data is collected in which situations, for what purpose, and on what legal basis.
Personal data is processed in particular in the following situations:
- Accessing the website and processing of server log files
- Creating and using user accounts and authentication
- Using the AI-powered chat and diagnostic features
- Storing and retrieving conversation histories
- Submitting optional feedback on AI responses
- Making in-app purchases and subscriptions via Google Play
- Technical and organisational security measures to protect the service
The service is technically designed to collect only the data necessary for each processing purpose (principle of data minimisation). Grow-related inputs (plant images, grow parameters, contextual entries) are processed to generate AI responses and do not in themselves constitute identifying data within the user profile.
3. Website access and server log files
Each time our website is accessed and each time a file is retrieved, the web server automatically collects technical access data and stores it in server log files. The following data is processed:
- IP address of the requesting device
- Date and time of access
- Requested path (URL)
- HTTP status code of the response
- Browser and operating system used (User-Agent)
This data is required for the technical operation, error diagnosis, and security of the service. This data is not merged with other data sources.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring trouble-free operation and IT security)
- Retention: Server log files are automatically deleted or rotated after no more than 30 days.
4. Use of user accounts, authentication, and app instance ID
The app transmits a device-bound App Instance ID (X-App-Instance-Id header) with each request. This is used for the technical assignment of requests, quota management (rate limiting), and entitlement verification.
When using authenticated features, the service issues a signed JWT (JSON Web Token) upon login, which is transmitted as a Bearer token in subsequent requests. The token contains a client ID and entitlement information. Session data is cached in Redis for the duration of the session.
- Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in abuse prevention and secure operation)
- Retention: Redis-backed rate-limit tracking: short-lived, typically ≤ 60 minutes. JWT validity per configuration; no server-side session persistence beyond Redis TTL. Database-backed entitlement and account data: for the duration of the active account.
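The following is an added illustration of the request-handling flow this section describes; it is not SteerMind's code. It models a per-device App Instance ID used as the rate-limit key and a signed Bearer JWT carrying a client ID and entitlements. Everything beyond the header name X-App-Instance-Id is assumed: HS256 with a local secret (via the standard library), an in-memory dictionary with expiry as a stand-in for Redis keys with a TTL, the claim names `sub` and `ent`, the entitlement name "pro", and the quota values.

```python
"""Added example (not SteerMind's code): App-Instance-ID rate limiting plus JWT
entitlement verification. HS256 via the standard library; a dict with expiry
stands in for Redis; claim names, quota and secret are assumptions."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-signing-key"  # assumed; a real deployment uses a managed secret
RATE_LIMIT_TTL = 3600            # per-instance window; policy says <= 60 minutes
RATE_LIMIT_MAX = 20              # assumed quota per window


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, entitlements: list, now: int, ttl: int = 900) -> str:
    """Mint an HS256 JWT with client ID (sub) and entitlements (ent); claim names assumed."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": client_id, "ent": entitlements, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: int):
    """Return the claims if the alg is HS256, the MAC matches and exp is in the future; else None."""
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # reject alg=none and algorithm-confusion tokens
        return None
    expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(c))
    if claims.get("exp", 0) <= now:
        return None
    return claims


class RateLimiter:
    """Fixed-window counter per App Instance ID; stand-in for Redis INCR + EXPIRE."""

    def __init__(self, limit: int, ttl: int):
        self.limit, self.ttl, self._buckets = limit, ttl, {}

    def allow(self, instance_id: str, now: int) -> bool:
        count, expires = self._buckets.get(instance_id, (0, now + self.ttl))
        if now >= expires:  # window elapsed: Redis would have expired the key
            count, expires = 0, now + self.ttl
        count += 1
        self._buckets[instance_id] = (count, expires)
        return count <= self.limit


def handle_request(headers: dict, limiter: RateLimiter, now: int, required: str = "pro"):
    """Apply the checks in the order the section lists them: instance ID, quota, token, entitlement."""
    instance_id = headers.get("X-App-Instance-Id")
    if not instance_id:
        return 400, "missing app instance id"
    if not limiter.allow(instance_id, now):
        return 429, "rate limit exceeded"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return 401, "invalid or expired token"
    if required not in claims.get("ent", []):
        return 403, "entitlement missing"
    return 200, claims["sub"]


if __name__ == "__main__":
    now = int(time.time())
    limiter = RateLimiter(RATE_LIMIT_MAX, RATE_LIMIT_TTL)
    token = issue_token("client-123", ["pro"], now)  # constructed sample
    print(handle_request({"X-App-Instance-Id": "dev-abc", "Authorization": "Bearer " + token}, limiter, now))
```

Two design points worth noting: the rate-limit check runs before signature verification so that unauthenticated floods are cut off cheaply, and the quota key is the device-bound instance ID rather than the client ID, which is why the policy can bound its retention to the window TTL rather than to the account lifetime.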
5. Chat, diagnostic, and AI requests
User inputs (text messages, grow context, parameters) are submitted to the AI engine to generate structured recommendations and diagnoses. Requests are forwarded to external AI providers (Google Gemini API) for processing.
Conversation data is stored in PostgreSQL when the persistent conversations feature is used. Users can delete individual conversations or all conversations via the app.
- Legal basis: Art. 6(1)(b) GDPR (contract performance — provision of the AI service)
- Third-party transfer: Requests are forwarded to the Google Gemini API (Google LLC, USA). See Google AI Terms for Google's data handling practices.
- Retention: Persistent conversations are stored for the duration of the user account. Individual conversations can be deleted at any time via the app. Non-persistent requests are deleted once the server-side configured retention period expires.
6. Image uploads for diagnostic functions
Users may upload images (e.g. leaf, root zone, or canopy photos) for AI-assisted visual diagnosis. These images are transmitted to the AI engine (Google Gemini API) for processing.
Images are not permanently stored on our servers unless the user has enabled the persistence feature for conversations. In that case, images are stored together with the associated conversation and are deleted when the conversation is deleted.
- Legal basis: Art. 6(1)(b) GDPR (contract performance)
- Retention: Temporary for the duration of request processing unless persistence is enabled. With persistence enabled: for the duration of the conversation or the user account.
7. User profile, settings, and preferences
User-defined settings (preferences, grow-specific context, preferred language, and other configuration options) are stored in PostgreSQL to enable a personalised use of the service.
- Legal basis: Art. 6(1)(b) GDPR (contract performance)
- Retention: For the duration of the user account. When the account is deleted, all profile data is irrevocably removed.
8. Optional feedback
Users may optionally submit feedback on AI responses (e.g. ratings or free-text comments). This feedback is stored in the database (PostgreSQL) and is used exclusively to improve the quality of the service.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving service quality)
- Retention: Until account deletion or upon explicit request by the user.
9. Subscriptions and in-app purchase verification
When using the Android app with Google Play subscriptions, the app submits a purchase token to our service. This token is forwarded to the Google Play Developer API for verification. We store transaction references (purchase token, order ID, product identifier, timestamp) for managing entitlements and quotas.
No payment data (credit card number, IBAN, etc.) is stored on our systems. Payment processing is handled exclusively by Google Play.
- Legal basis: Art. 6(1)(b) GDPR (contract performance)
- Retention: Transaction references for the duration of the subscription relationship and beyond for compliance with statutory retention obligations.
10. External recipients and services used
In the course of providing the service, personal data is transferred to the following external recipients and service providers:
| Provider | Purpose | Location | Transfer basis |
|---|---|---|---|
| Hosting infrastructure | Server operation, database, cache | EU/EEA | Data Processing Agreement |
| Google LLC (Gemini API) | AI response generation, image analysis | USA | EU-U.S. Data Privacy Framework (DPF) |
| Pinecone Systems Inc. | Vector search (knowledge retrieval) | USA | Standard Contractual Clauses (SCCs) |
| Tavily AI Inc. | Supplementary web search | USA | Standard Contractual Clauses (SCCs) |
| Google Play (Billing API) | In-app purchase and subscription verification | USA | EU-U.S. Data Privacy Framework (DPF) |
11. Transfers to third countries
Some of the service providers we use are based in the USA, a country outside the European Economic Area (EEA). The transfer of personal data to the USA is carried out either on the basis of an adequacy decision pursuant to Art. 45 GDPR or on the basis of appropriate safeguards pursuant to Art. 46 GDPR:
- Google LLC (Gemini API, Google Play): Google is certified under the EU-U.S. Data Privacy Framework (DPF), for which an adequacy decision by the European Commission pursuant to Art. 45 GDPR is in place.
- Pinecone Systems Inc.: The data transfer is based on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
- Tavily AI Inc.: The data transfer is based on Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
We regularly review whether the safeguards in place ensure an adequate level of protection and adjust our measures as needed.
12. Notes on Google Gemini API
SteerMind AI uses the Google Gemini API (paid version) for processing AI requests. According to Google's terms of service for the paid Gemini API:
- Google may process submitted data for the purposes of abuse monitoring and enforcement of the terms of service.
- When using the paid API, submitted data is not used by Google for general AI model training.
For further information, please refer to the Google AI Terms of Service and the Gemini API Additional Terms of Service.
13. Automated decision-making
No automated decision-making within the meaning of Art. 22 GDPR takes place that produces legal effects concerning the data subject or similarly significantly affects them.
The AI-powered recommendations and diagnoses provided by the service are intended solely as guidance and informational support and do not constitute legally binding decisions.
14. Cookies and local storage
The public pages at www.steer-mind.com do not use tracking cookies and do not employ client-side JavaScript for analytics purposes. No third-party cookies are set.
Only technically necessary cookies are used:
- Session cookie: The administrative area of the service uses a session cookie for administrator authentication (HttpOnly, SameSite=Strict). This cookie is set only in the internal administration area; it is neither set for nor relevant to regular users.
- Admin auth cookie: Used for session management in the internal administration area; it is deleted at the end of the session or after the configured validity period expires.
15. Legal bases at a glance
The processing of personal data by SteerMind AI is based on the following legal bases under the GDPR:
- Art. 6(1)(b) GDPR (contract performance): Processing is necessary for the performance of a contract with the data subject or for carrying out pre-contractual measures. This includes the provision of the AI service, account management, subscription management, and the storage of user profiles and conversations.
- Art. 6(1)(f) GDPR (legitimate interest): Processing is necessary for the purposes of the legitimate interests pursued by the controller. This includes in particular IT security, abuse prevention (rate limiting), analysis of server log files, and processing of optional feedback for quality improvement.
- Art. 6(1)(a) GDPR (consent): Where processing is based on consent, you have the right to withdraw your consent at any time with effect for the future. SteerMind AI does not currently employ any processing operations based on consent.
16. Retention period
Personal data is stored only for as long as necessary to fulfil the respective processing purpose or as required by statutory retention obligations. The following principles apply:
- Server log files: up to 30 days
- Rate-limit tracking (Redis): short-lived, typically ≤ 60 minutes
- Account data, profile data, preferences: for the duration of the active user account
- Conversation data: for the duration of the user account or until deleted by the user
- Feedback: until account deletion or upon explicit request
- Transaction references: for the duration of the subscription relationship and statutory retention periods
Once the processing purpose has been fulfilled or statutory retention periods have expired, data is routinely deleted or blocked in accordance with applicable law.
17. Your rights
As a data subject, you have the following rights under the GDPR with respect to the controller:
- Right of access (Art. 15 GDPR): You may request information about the personal data stored concerning you, including information on processing purposes, categories, and recipients.
- Right to rectification (Art. 16 GDPR): You may request the prompt rectification of inaccurate data or the completion of incomplete data.
- Right to erasure (Art. 17 GDPR): You may request the deletion of your personal data, provided no statutory retention obligations apply and no other exception applies.
- Right to restriction of processing (Art. 18 GDPR): You may request the restriction of processing of your data in certain circumstances.
- Right to data portability (Art. 20 GDPR): You have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21 GDPR): You may object at any time, on grounds relating to your particular situation, to processing based on legitimate interests (Art. 6(1)(f) GDPR).
To exercise your rights, you may contact us at any time at the address given in Section 1 or at privacy@steer-mind.com.
18. Right to lodge a complaint
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data infringes the GDPR (Art. 77 GDPR).
The supervisory authority responsible for us is:
- Authority: State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW)
- Address: Postfach 20 04 44, 40102 Düsseldorf, Germany
- Website: https://www.ldi.nrw.de
19. Deletion requests and contact
The service provides technical endpoints for data deletion that are accessible via the app:
- Deletion of all user data (account, conversations, feedback, preferences)
- Deletion of individual conversations
Alternatively, you may submit a deletion request by e-mail to privacy@steer-mind.com. We will process your request without undue delay and in any event within one month.
20. Data security
We employ technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, and manipulation. All data transmission between the app and our servers uses exclusively TLS-encrypted connections (HTTPS).
The measures we employ include in particular:
- Encrypted communication (TLS 1.2/1.3)
- JWT-based authentication with defined validity periods
- Password hashing with modern algorithms (Argon2)
- Rate limiting to prevent abuse
- Strict access controls on administrative functions
- Regular security reviews of server configuration
- Read-only containers and minimal capabilities in the production environment
21. Changes to this Privacy Policy
We reserve the right to update this Privacy Policy to reflect changes in legal requirements, technical developments, or changes to the service. The date of the last update is shown at the top of this page.
In the event of material changes that affect your rights as a data subject, we will endeavour to notify you separately.