Last updated: May 2026
The data controller within the meaning of the GDPR is:
Heey GmbH
Kurt-Huber-Str. 4a
82131 Gauting
Germany
E-Mail: hello@deep-ocr.com
When you access this website, the web server temporarily processes your IP address in order to deliver the requested content to your device. Beyond this transient processing, no access data is retained in persistent log files at the web server level. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the secure operation of this website).
Hosting and technical operations are carried out by us on infrastructure provided by Hetzner Online GmbH, located in Germany (processor). A data processing agreement pursuant to Art. 28 GDPR is in place with this provider. No transfer to third countries takes place.
Note: In addition to the pure web server operation, a separate, privacy-friendly analytics service runs on the same infrastructure. The data processed and its scope are transparently documented in Section 4.
You can send us an inquiry via the contact form. We process the fields you complete: name, email address, optionally phone number, and your message.
Mail delivery is handled via Google Workspace (Google Ireland Limited, Dublin). The corresponding data processing agreements and EU Standard Contractual Clauses for any third-country transfers are in place; Google Workspace is certified under the EU-US Data Privacy Framework.
The legal basis is Art. 6(1)(b) GDPR (steps prior to entering into a contract) or Art. 6(1)(f) GDPR (legitimate interest in responding to your inquiry). Your inquiry and the related correspondence will be deleted once processing has been completed — at the latest upon expiry of statutory retention obligations (up to 10 years for contract-relevant content).
We use Rybbit, a privacy-friendly website analytics tool that runs on the same infrastructure as our website (see Section 2 on hosting). No cookies are set and no data is transmitted to third parties.
The following are collected: page views, time on page, referrer, browser and device information, and an approximate region at city level. To distinguish between returning and new visits, Rybbit derives a daily-rotating anonymous identifier from your IP address and browser fingerprint. The IP address itself is not persistently stored in clear text.
The legal basis is Art. 6(1)(f) GDPR (legitimate interest in analyzing and optimizing our website as well as detecting errors and security incidents). You can object to web analytics at any time by enabling the “Do Not Track” setting in your browser — Rybbit respects this signal.
When you create an account and use our service (API and Developer Center), we process the following personal data to the extent necessary to provide and bill for the service:
The legal basis is Art. 6(1)(b) GDPR (performance of the user agreement) and Art. 6(1)(f) GDPR (legitimate interest in the secure and reliable provision of the service, including abuse and error detection).
Sign-in with Google or GitHub (optional). If you choose to sign in using Google or GitHub, we receive from that provider – via the OpenID Connect “openid”, “email” and “profile” scopes – your email address, your name and basic profile information, and the provider's unique account identifier. We use this data solely to authenticate you and to create and manage your Deep-OCR account; it is stored in our authentication system together with the account data described in this section (see also the processors in Section 6). We do not use this data for advertising, we do not sell it, and we do not share it beyond the processors named in this policy. We request no access to any other data in your Google or GitHub account (for example Google Drive, Gmail, Calendar, or your GitHub repositories) – sign-in identity only. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. You can revoke this access at any time in your Google Account (myaccount.google.com/permissions) or in your GitHub settings.
To provide the service, we engage the following providers as processors. Processors used for the operation of the website and for web analytics are listed in Sections 2 and 4.
Data processing agreements (DPAs) pursuant to Art. 28 GDPR are in place with all processors. Document processing takes place exclusively within the EU. Where processors are based outside the EEA, data processing is governed by EU Standard Contractual Clauses pursuant to Art. 46 GDPR.
Within the authenticated area we offer a live support chat. For this we operate our own instance of the open-source software Chatwoot on the same Hetzner infrastructure in Germany described in Section 2. The chat is not active on the public pages.
We process the messages you compose in the chat as well as the account and usage information already available to us from your use of the service (see Section 5), so that our support team can put your request into context. When our support staff are notified of new messages, push services located outside the EU may be used; only technical delivery metadata is transmitted, no message content. Insofar as third-country transfers occur, they are covered by appropriate safeguards under Chapter V GDPR.
The legal basis is Art. 6(1)(b) GDPR (support is part of the user agreement) and Art. 6(1)(f) GDPR (legitimate interest in efficient handling of support inquiries). Conversations are retained for as long as necessary for support purposes, at the latest until expiry of statutory retention periods.
Uploaded documents are used solely to perform the extraction you request and are deleted immediately after processing — we do not persistently store the document content. The structured extraction result remains retrievable via the API for up to 24 hours so you can fetch it, after which it is automatically and permanently deleted. Neither we nor our processors use your documents or extracted data to train, fine-tune, or improve AI models.
Our public website itself does not set any cookies and uses no comparable tracking technologies. Once you sign in to the service, your authentication token is stored in your browser's local storage (localStorage). Once you open the support chat in the authenticated area (see Section 7), the chat widget additionally creates technically necessary cookies and storage entries so that your conversation can be continued across page navigations. Both forms of storage are strictly necessary for the provision of the service you have explicitly requested (§ 25(2) no. 2 TDDDG) and are therefore not subject to consent requirements.
Personal data is deleted as soon as the purpose for processing no longer applies, at the latest upon expiry of the statutory retention periods (generally 6 or 10 years for tax-relevant data). Uploaded documents and extraction results are not subject to these periods; they are handled as described in Section 8 (the document is deleted immediately after processing, the result after at most 24 hours).
Under the GDPR, you have the right to:
To exercise your rights: hello@deep-ocr.com