ConceptNote.

Subprocessors

Last updated: 13 Jul 2026

Deutsch · English

This page supplements our Privacy Policy and lists every external provider that processes personal data on our behalf (Art. 28 GDPR). There are four — no more. Everything else runs on our own server in Germany.

No provider outside the EU. In particular, we do not send your content to any US AI provider.

External subprocessors

netcup GmbH — hosting and email delivery

Daimlerstraße 25, 76185 Karlsruhe, Germany

Receives: all data stored in ConceptNote (as the operator of the server running the application and the database), plus the recipient address and content of transactional emails.

Processing location: Germany. DPA: in place.

Mistral AI — AI-assisted text features

15 rue des Halles, 75001 Paris, France

Receives: only the content required for the feature you request — for example the text of an uploaded CV during CV import, the tender during a tender match, or your profile when drafting an application. Data is transmitted only when you trigger the action.

Does not receive: your password, your payment details, your email address.

Processing location: EU. DPA: in place (Data Processing Addendum). Mistral primarily uses EU-based sub-processors and covers exceptions with the EU Standard Contractual Clauses.

No training: your content is not used to train AI models.

Mistral AI privacy policy

Stripe Payments Europe Ltd. — payment processing

Dublin, Ireland

Receives: your payment details plus name and email address for billing. Card and bank details go from your browser straight to Stripe; we never store them.

Processing location: EU. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

Stripe privacy policy

Cloudflare — CDN and DNS

Cloudflare Germany GmbH, Munich — parent company: Cloudflare, Inc., USA

Receives: technical connection data when you open the site (IP address, browser information). No content from your account.

Processing location: delivered via European data centres; processing in the USA cannot be ruled out and is covered by the EU Standard Contractual Clauses. Legal basis: Art. 6(1)(f) GDPR.

Cloudflare privacy policy

What we run ourselves

The following components run on our own server in Germany. No data goes to third parties:

  • Database, file storage and queue (PostgreSQL, Redis) — this is where your profiles, CVs, ToRs and proposals live.
  • Search (Meilisearch) — self-hosted.
  • AI gateway (LiteLLM) — forwards AI requests to Mistral AI; we run it ourselves so we can switch providers at any time.
  • Web analytics (Plausible Analytics) — self-hosted, no cookies, no IP storage, only with your consent.

Changes

Whenever we add or replace a provider, we update this page. For questions about data processing — including signing your own DPA with us — please contact datenschutz@conceptnote.eu.

🍪 We respect your privacy

We use cookies to keep the platform running and to improve the service. Essential cookies are technically required. Functional and analytics cookies are only activated with your consent. Learn more