Privacy Policy — zimpliScribe

This policy covers what we collect, why, who else processes it, and how long we keep it — specifically for the zimpliScribe plugin and the API service it talks to. ServerStage GmbH's broader hosting business is governed by its own German-language Datenschutzerklärung; this document does not replace it for those services.

Who we are

The data controller is ServerStage GmbH, Amtsgericht Darmstadt HRB 88860, USt-IdNr. DE271231103. zimpliScribe and zimplico.de are operated under this entity.

Contact for privacy matters

privacy@zimplico.de

Postal address

See serverstage.net/imprint.

What this covers

This policy applies to:

• The zimpliScribe WordPress plugin — the code that runs inside your WordPress site.
• The zimplico.de API service at api.zimplico.de that the plugin calls.
• The billing portal linked from the plugin for credit top-ups.

It does not cover other ServerStage products (hosting, domain registration, SSL services).

Data we collect, by action

1. Site registration (one-time, on your action)

When you click Register Site in the plugin, the following is sent to api.zimplico.de:

• Your site's public URL (e.g. https://example.com).
• A one-time, randomly-generated challenge token, which we then verify by calling back to your site's public REST endpoint.
• The technical request metadata that any HTTP server records (your server's outbound IP address, a timestamp, a User-Agent string).

We use this to issue you an opaque site_id and create a service record. We do not ask for any personal data — name, address, payment info — at registration. A free account with 25 credits per month is provisioned automatically.

2. AI requests (each time you submit one)

When you click Send to AI, Generate, or any equivalent action:

• The text content you submitted.
• Any images you attached.
• Your prompt / intent string.
• Your site_id (opaque, links the request to your credit balance).

We pass this content to our AI subprocessor (see below), record that one credit was consumed, and return the AI's response to your plugin. No personal data about your site's authors, users, or visitors is collected by us in this flow — only the content you explicitly submit through the plugin UI.

3. Billing (only if you top up)

If you add paid credits, you are redirected to Stripe to complete payment. Stripe collects payment information directly; we receive a confirmation that includes:

• The pack purchased and the amount.
• A Stripe customer ID and the email you provided to Stripe.
• Country and (where applicable for VAT) tax ID.
• We do not receive your card number or CVC.

We retain the invoice and confirmation as required for German accounting law (typically 10 years; see Retention below).

4. Support contact (only if you write to us)

If you use the Contact Us tab in the plugin or email us directly, we receive your message and the email address you sent from. We keep these long enough to handle the matter and our own quality records.

5. Server logs

Our API server keeps standard HTTP request logs for security and abuse-prevention purposes: timestamp, source IP, request path, response code, User-Agent. These are kept for 30 days, then rotated out.

Legal basis (GDPR Art. 6)

Performance of a contract (Art. 6(1)(b))

Site registration, AI request processing, billing, support.

Legitimate interest (Art. 6(1)(f))

Server logs, abuse prevention, fraud monitoring on billing.

Legal obligation (Art. 6(1)(c))

Invoice retention under §147 AO (German tax law).

Subprocessors

We use the following third parties to deliver the service. Each acts on our written instructions under a data-processing agreement (DPA) or equivalent.

xAI (Grok)

AI provider. Receives the text and images you submit so it can generate the response. Operated by X.AI Corp. (USA). Transfers to the US rely on Standard Contractual Clauses. x.ai/legal/privacy-policy

Stripe

Payment processor for credit top-ups. Operated by Stripe Payments Europe Ltd. (Ireland), with US sub-processing under SCCs. stripe.com/privacy

ServerStage GmbH hosting infrastructure

The zimplico.de API runs on infrastructure operated by ServerStage GmbH itself (the same legal entity as the data controller), located in Germany.

Retention

Site registration records

Kept for the life of your account. Deleted within 30 days of you deregistering (or earlier on request, subject to obligations below).

AI request content

Not retained by us beyond what is needed to return the response and log the credit consumption. We do not build a searchable archive of your inputs or outputs. Our AI subprocessor's own retention is governed by their policy.

Invoices and billing records

10 years, as required by §147 AO.

Server logs

30 days.

Support correspondence

Up to 2 years after the matter is closed.

International transfers

xAI is in the United States and Stripe processes some payment data in the US. Both transfers are covered by the European Commission's Standard Contractual Clauses (SCCs). We do not transfer your data to any other jurisdiction except via these named subprocessors.

Your rights

Under GDPR (and the German BDSG) you have the right to:

• Access the personal data we hold about you (Art. 15).
• Have it corrected (Art. 16).
• Have it erased, subject to retention obligations (Art. 17).
• Restrict processing (Art. 18).
• Receive a portable copy (Art. 20).
• Object to processing based on legitimate interest (Art. 21).
• Withdraw consent at any time, where consent is the basis (does not affect prior lawful processing).
• Lodge a complaint with the supervisory authority. Our lead authority is the Hessischer Beauftragter für Datenschutz und Informationsfreiheit (datenschutz.hessen.de).

To exercise any of these, write to privacy@zimplico.de. We respond within one month.

Security

All API traffic uses HTTPS. The plugin authenticates to the API using an opaque per-site token, validated server-side against the registered domain on every request. We do not store AI provider credentials in WordPress at any point; those live only on our server. Access to our infrastructure is limited to ServerStage personnel under contract.

Cookies

The plugin itself does not set cookies in the browser. The zimplico.de marketing site (this page) sets only the technical cookies necessary for the page to function — no analytics or advertising trackers. If that changes, this policy will be updated and a cookie notice added.

Children

The service is intended for use by adults operating a WordPress site. We do not knowingly collect data from anyone under 16.

Changes to this policy

We may update this policy as the service changes. Material changes will be notified via email to the address on file with your account (if any) and announced on this page at least 14 days before they take effect. Continued use of the service after the effective date constitutes acceptance.

Contact

ServerStage GmbH
Privacy: privacy@zimplico.de
General: hi@zimplico.de
Imprint: serverstage.net/imprint