Skip to main content
Kirla Web-ServicesFocused web services and digital products.
ContactImprintPrivacyBriefing
EN
Login

Create your briefing account

Create account, choose plan, confirm email.

Back to login
Kirla Web-ServicesImprint·Privacy·Terms·Cancellation / Withdrawal··ContactFeedback
© 2026 Kirla® Web-Services

AI-assisted content.

All rights reserved

Cookie settings for Kirla Chronicle

We use technically necessary cookies and security services for sign-in, session protection, and abuse prevention. Optional categories (preferences, external services, analytics, marketing) can be allowed or rejected now and changed later at any time.

Adjust optional categories

Strictly necessary

Sign-in, session, Stripe checkout, bot protection. Always on.

Preferences

Locale, theme, font, timezone, market selection, display currency.

External services

External source links and possibly embeds (Yahoo Finance, newsroom sources).

Analytics

Clicks and reading times plus derived topic profiles — so your briefing fits better.

Marketing

Open pixel in our briefing emails — so we can see which topics are read.

Privacy policy

Version: 2026-04.4

Effective date: 2026-04-29

AI transparency

Kirla Chronicle may use AI to generate or materially transform briefing and news content. These outputs are labeled as AI-generated or created with AI by default unless a provable human-only path is explicitly documented.

Controller and Contact

The controller within the meaning of Art. 4(7) GDPR is the provider identified in the imprint.

Privacy contact: contact@kirla-webservices.com.

Processed Data Categories

Account identity data, authentication/security metadata, profile preference data, briefing content artifacts, billing ledger metadata, and support communications are processed.

  • Account identity: name, email, account role, verification state.
  • Authentication/security: session versioning, rate-limit metadata, security event logs.
  • Product/profile data: topics, regions, scheduling and preference metadata.
  • Briefing operations: generated briefings, delivery records, source archive metadata.
  • Billing metadata: wallet movements, references, and reconciliation records.
  • Checkout and consent evidence: transaction-specific consent for immediate digital performance (timestamp, language, text version, evidence hash).

Personalization Data

Topic profiles are derived and stored from a user's interactions (newsroom clicks, external source clicks, chat, briefing email opens) so the briefings can be tailored to individual interests.

  • Data categories: click behavior, derived topic weightings, and short AI-assisted notes and summaries on recurring topics.
  • Legal basis: Art. 6(1)(a) GDPR (consent for the Analytics category) and Art. 6(1)(b)/(f) GDPR (contract performance / legitimate interest in operating the service).
  • The AI-assisted distillation can be enabled or disabled centrally.
  • Pause or full deletion at any time via Settings → Privacy.

Briefing Generation, Chat, and AI Processing

Briefings, chat transcripts, and associated metadata (tokens, cost, model, provider, cost category, request purpose) are processed to deliver the core service.

  • AI processors: OpenAI Ireland Ltd. (Ireland/EU, onward processing USA via SCCs), Anthropic PBC (USA, SCCs), Google Ireland Ltd. / Gemini API (Ireland/EU, onward processing USA via EU-DPF and SCCs), and Manus AI / Butterfly Effect Pte Ltd (Singapore, SCCs).
  • Retention for AI metadata: 365 days.
  • Legal basis: Art. 6(1)(b) GDPR (contract performance).

Market Watchlists and Financial Data

Watchlist symbols and OHLCV daily-close data are processed to render the market strip. Requests to external market-data APIs contain only ticker symbols — no personal data.

  • Providers: Finnhub Inc. (USA), Yahoo Finance — all retrieved server-side without transmitting PII.
  • Since no personal data is transmitted, a Chapter V GDPR transfer mechanism is not required.
  • Legal basis: Art. 6(1)(b) GDPR.

Payment Data and Purchase Consent Evidence

Payment status, payment-provider customer identifier, credit balances, and the transaction-bound consent timestamp for immediate digital performance (including the language and version state of the consent) are retained for legal reasons.

  • Legal basis: Art. 6(1)(b) and (c) GDPR in conjunction with § 356(5) German Civil Code.
  • Retention: 10 years (tax/commercial law); purchase consent evidence at least 3 years (§ 195 German Civil Code).
  • Recipient: payment processor based in the USA, DPF-certified.

Email Delivery and Open-Pixel Tracking

Email address, delivery status, and message identifier are processed to deliver briefing emails. With active consent to the Marketing category, the fact and timing of opening a briefing email may also be recorded — consent is stored as an opt-in flag on the account.

  • Legal basis for delivery: Art. 6(1)(b) GDPR.
  • Legal basis for the open pixel: Art. 6(1)(a) GDPR and § 25(1) TTDSG (ePrivacy).
  • Withdrawal at any time via Settings → Privacy; no pixel is shipped without consent.

Engagement Credits and Novelty Tracking

Normalized topic labels, anonymous counters, and engagement-credit events (novelty bonus, referral rewards, anti-abuse counters) are processed in aggregate. Aggregate counters do not allow identification of individuals.

Processing Purposes

Data is processed to operate the service, secure accounts, deliver briefings, support billing operations, and provide support/compliance responses.

  • Account creation, login, password recovery, and account security.
  • Briefing generation, email delivery, and user-facing archives.
  • Billing balance handling and transaction transparency.
  • Service abuse prevention, diagnostics, and incident investigation.

Legal Bases

Processing is generally based on contract performance, legal obligations, and legitimate interests in operating and securing the service.

Optional cookie/service categories are processed on a consent basis and remain inactive until consent is recorded.

Recipients and Processors

Data processing agreements per Art. 28 GDPR are in place with all subprocessors.

  • Hosting and database service – dedicated server in Germany/EU
  • Email delivery service – transactional SMTP delivery from Germany/EU
  • OpenAI Ireland Ltd. – AI-assisted briefing generation; processes profile details such as topic preferences (Ireland/EU; onward processing by OpenAI L.L.C. USA under Standard Contractual Clauses)
  • Anthropic PBC – AI inference with Claude models for selected briefing and chat steps (USA; Standard Contractual Clauses per Art. 46(2)(c) GDPR)
  • Cloudflare Inc. – Turnstile bot protection and CDN/DDoS protection (USA; EU-DPF-certified with supplemental EU Standard Contractual Clauses)
  • Manus AI (Butterfly Effect Pte Ltd) – AI-assisted source enrichment (Singapore; Standard Contractual Clauses per Art. 46(2)(c) GDPR)
  • Google Ireland Ltd. (Gemini API) – AI inference on selected generation steps (Ireland/EU; onward processing by Google LLC USA under EU-DPF and supplemental Standard Contractual Clauses)

External Data Sources

Public reference sources are retrieved server-side to enrich the newsroom (e.g. market tiles). These requests originate from the server only — the user's browser does not contact these providers directly, and no personal data is transmitted.

The following data sources are currently in use:

  • Yahoo Finance (https://finance.yahoo.com): price and chart data for indices (DAX 40, S&P 500), commodity futures (Brent, gold), cryptocurrencies (Bitcoin), and FX pairs (EUR/USD, EUR/GBP). Server-side retrieval via the public chart API without an API key.

International Transfers

Hosting, Datenbank-Betrieb und SMTP-Versand erfolgen ausschließlich auf Servern in Deutschland/EU. KI-Inferenz erfolgt teilweise im EU-Raum (OpenAI Ireland Ltd. mit Unterauftragsverarbeitung durch OpenAI L.L.C. USA sowie Google Ireland Ltd. mit Unterauftragsverarbeitung durch Google LLC USA — jeweils auf Basis von Standardvertragsklauseln gem. Art. 46(2)(c) DSGVO und ergänzendem EU-DPF) und teilweise direkt in den USA (Anthropic PBC) bzw. Singapur (Manus AI / Butterfly Effect Pte Ltd) auf Basis von Standardvertragsklauseln gem. Art. 46(2)(c) DSGVO. Cloudflare Inc. (USA) ist EU-DPF-zertifiziert und ergänzend mit EU-Standardvertragsklauseln abgesichert.

Retention and Deletion

Personenbezogene Daten werden nur so lange gespeichert wie für die Leistungserbringung oder die Erfüllung gesetzlicher Aufbewahrungspflichten erforderlich. Briefing-Verläufe und zugehörige Nutzungs-/Kostendaten werden nach Kontoschließung gelöscht oder anonymisiert; handels- und steuerrechtlich relevante Unterlagen bleiben für die gesetzlichen Aufbewahrungsfristen erhalten.

Deletion requests are handled via support at support@kirla-webservices.com.

  • Account data: until account deletion; followed by a 14-day grace period.
  • Billing metadata and tax-relevant records: 10 years (§ 257 HGB, § 147 AO).
  • Purchase consent evidence (digital content): at least 3 years (§ 195 German Civil Code).
  • Security and audit logs: 365 days.
  • AI processing metadata (tokens, costs, model, provider, cost category): 365 days.
  • Topic profiles and AI-assisted summaries: until withdrawal of Analytics consent or pause/deletion via Settings → Privacy.
  • Aufbewahrungsausnahmen ergeben sich aus handels- und steuerrechtlichen Pflichten (10 Jahre Billing-Metadaten gem. § 257 HGB / § 147 AO), aus Kaufzustimmungs-Nachweisen (mindestens 3 Jahre gem. § 195 BGB) sowie aus Sicherheits-Logs (365 Tage). Personenbezogene Daten ohne gesetzliche Aufbewahrungspflicht werden mit Kontolöschung gelöscht oder anonymisiert.
  • Security and abuse-prevention records may be retained for legitimate interests and legal obligations.
  • Anonymization vs deletion policy: Wo eine vollständige Löschung wegen gesetzlicher Aufbewahrungspflichten nicht möglich ist (insbesondere Billing- und Kaufzustimmungs-Daten), werden personenbezogene Bezüge entfernt oder durch pseudonymisierte Surrogate ersetzt. Die so anonymisierten Daten lassen keinen Rückschluss auf die betroffene Person mehr zu.

Data Subject Rights

Users may request access, rectification, deletion, restriction, objection, and data portability where applicable under law.

Requests can be submitted via support contact channels listed on the contact page.

Cookies and Consent Categories

Strictly necessary cookies serve authentication and session security as well as storage of the cookie consent including version state.

A preference cookie stores the selected interface language — and only after an explicit language switch and consent to the preferences category.

Cloudflare Turnstile is used as a technically necessary anti-bot security control for login, registration, contact, and password-reset forms.

One or more optional consent categories are available in this deployment and controlled through cookie settings.

Consent can be updated or withdrawn at any time via the “Cookie settings” link in the footer.

  • Necessary: always enabled for core security and sign-in behavior.
  • Preferences: available by consent (currently used for locale persistence).
  • External services: available by consent (currently not required for Turnstile).
  • Analytics: configured as inactive in this deployment.
  • Marketing: configured as inactive in this deployment.

Security, Logging, Account, Billing, and Email Flows

Security events, account recovery, verification, billing reconciliation, and delivery operations generate operational logs and metadata required to run and secure the service.

  • Password reset and account security events.
  • Rate-limit and abuse prevention telemetry.
  • Billing wallet and reconciliation event metadata.
  • Email verification and delivery status records.

Complaints and Supervisory Authority

Supervisory authority: Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, Gustav-Stresemann-Ring 1, 65189 Wiesbaden

Inquiries can alternatively be directed first to the controller or to support.