Trust

Privacy is product architecture, not a policy PDF bolted on later.

This page describes the planned approach for pilot companies. Privacy gate, DPA, pseudonymization and audit logs are architectural commitments in the roadmap and will be tested live with the first pilot company.

Planned architecture

Raw data stays in your storage.

Under the planned model, Raumdeuter processes only pointers, metadata and task-specific evidence slices. External AI calls should be purpose-bound, minimized, pseudonymized and logged.

Storage

No full copy

Email, invoices, photos and notes remain in customer storage: Dropbox, Google Drive, NAS or existing cloud setup.

Privacy gate

Before every AI call

Only the necessary slice is processed. Names, emails and license plates become placeholders; the mapping remains local.

DPA

Narrow processing scope

Data processing is not handwaved away. The scope should be narrower than that of fully hosted company-brain tools.

Audit

Logs, not vibes

Which data, which purpose, which provider, which approval. The path needs to remain traceable.

Data classes

Not every document should be treated the same.

Sensitive classes like personnel records, health data, conflict correspondence, tax and payment data need stronger gates and explicit approval per case.

Standard

Project photos, status notes, non-sensitive work documents and ordinary project communication.

Sensitive

Finance, tax, personnel and conflict data. Default: blocked or only processed with narrow approval.

Lab-only

Material that does not belong in marketing, social or external demos, even if it is technically useful.
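As an added example that is not Raumdeuter's own code, the following Python sketch combines the three mechanisms described above (the privacy gate before an AI call, the audit record and the data-class gate) in one function; the function names, the policy table, the license-plate pattern and the sample slice are constructed for illustration.

```python
import hashlib
import re
from datetime import datetime, timezone

# Gate policy per data class: standard passes, sensitive needs explicit
# approval per case, lab-only never goes to an external provider.
GATE_POLICY = {"standard": "allow", "sensitive": "approval", "lab-only": "block"}
# Constructed patterns for emails and license plates (the plate format
# "M-AB 1234" is an assumption for this example).
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "PLATE": re.compile(r"\b[A-Z]{1,3}-[A-Z]{1,2} \d{1,4}\b"),
}

def pseudonymize(text, names, mapping):
    """Swap names, emails and plates for placeholders; mapping stays local."""
    def placeholder(kind, value):
        ph = next((p for p, v in mapping.items() if v == value), None)
        if ph is None:  # same value always gets the same placeholder
            ph = f"[{kind}_{sum(p.startswith('[' + kind) for p in mapping) + 1}]"
            mapping[ph] = value
        return ph
    for name in sorted(names, key=len, reverse=True):  # longest match first
        text = text.replace(name, placeholder("NAME", name))
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, k=kind: placeholder(k, m.group(0)), text)
    return text

def privacy_gate(slice_text, data_class, purpose, provider, names,
                 approved=False, mapping=None, audit_log=None):
    """Decide, minimize and log one outbound AI call; returns (decision, text)."""
    mapping = {} if mapping is None else mapping
    audit_log = [] if audit_log is None else audit_log
    policy = GATE_POLICY[data_class]
    if policy == "block" or (policy == "approval" and not approved):
        decision, outbound = "blocked", None
    else:
        decision, outbound = "sent", pseudonymize(slice_text, names, mapping)
    audit_log.append({  # which data, which purpose, which provider, which approval
        "time": datetime.now(timezone.utc).isoformat(),
        "slice_id": hashlib.sha256(slice_text.encode()).hexdigest()[:16],  # pointer, not content
        "data_class": data_class, "purpose": purpose, "provider": provider,
        "approved": approved, "decision": decision,
        "placeholders": [p for p in mapping if outbound and p in outbound],
    })
    return decision, outbound

# Constructed sample slice: no real person, company or vehicle.
SAMPLE_SLICE = ("Invoice 2024-117: Anna Miller (anna.miller@example-build.de) "
                "reports that vehicle M-AB 1234 was on site North on 3 May.")
```

Only the returned `outbound` text is meant to leave the customer side; `mapping` and `audit_log` stay local, and a blocked call is still written to the log.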

FAQ

What pilot companies need to know first.

What happens to our data?

Your raw data should remain physically in your storage. Under the planned model, Raumdeuter stores only pointers plus minimal metadata in the index database.

Can this be GDPR-compliant?

Raumdeuter should be treated as a processor under Art. 28 GDPR. DPA, subprocessors and technical measures need legal review before paid pilot use.

Do data slices go to OpenAI, Anthropic or other providers?

External AI calls are part of the planned architecture, but only as minimized and pseudonymized evidence slices with purpose binding and logs. We do not claim that data never reaches providers.

What happens if we leave?

Raw data remains with you. Index, audit and metadata layers should be exportable in readable formats like Markdown and JSONL.

Why not host everything centrally?

Because owner-led companies need trust. Raumdeuter should win by better decisions, not by data ownership or format lock-in.