The Listening Loft

Privacy Policy

Last updated: February 2026

Introduction

The Listening Loft ("we", "us", "our") takes the protection of your personal data very seriously. This privacy policy explains what data we collect, how we use it, and what rights you have regarding your personal information. We process personal data in compliance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

1. Controller

The controller responsible for data processing on this website is: Michael Grundwürmer, Email: hello@listening-loft.com.

2. Data We Collect

We collect and process the following categories of personal data:

  • Account Data: Email address (for authentication via Magic Link), profile information you provide during onboarding.
  • Quiz & Assessment Data: Your answers to the relationship quiz and discovery assessments (attachment style, love languages, conflict style). These are used to generate personalized AI-based recommendations.
  • Journal Data: Daily mood ratings (happiness, stress, connection) and optional notes you enter in the Journal feature.
  • Chat Data: Messages you send to the AI relationship guide, which are processed to provide personalized responses.
  • Usage Data: Pages visited, features used, session duration — collected via privacy-respecting analytics (see Section 6).
  • Contact & Feedback Data: Name, email address, and message content when you use the contact or feedback forms.

3. Legal Basis

  • Consent (Art. 6(1)(a) GDPR): For analytics cookies, AI data processing, and marketing communications.
  • Performance of a contract (Art. 6(1)(b) GDPR): For providing the core service (quiz analysis, journal, exercises, chat).
  • Legitimate interest (Art. 6(1)(f) GDPR): For security, fraud prevention, and service improvement.

4. AI Data Processing

Your quiz answers and chat messages are sent to OpenAI's API to generate personalized relationship insights and AI-guided conversations. OpenAI processes this data as a sub-processor and does not use it to train their models. Data is transmitted securely via encrypted connections. We do not send your name or email address to OpenAI — only anonymized quiz responses and chat message content.

5. Hosting & Infrastructure

  • Hosting: Our website is hosted on Vercel (Vercel Inc., San Francisco, USA). Vercel processes server logs containing IP addresses. Vercel is certified under the EU-U.S. Data Privacy Framework.
  • Database & Authentication: We use Supabase (Supabase Inc., San Francisco, USA) for user authentication (Magic Link email login) and data storage. Your data is stored in a PostgreSQL database with Row-Level Security enabled, ensuring you can only access your own data. Supabase processes data under standard contractual clauses.
  • Email Service: Contact form messages and feedback are sent via Resend (Resend Inc., San Francisco, USA). Resend processes the sender's email address and message content to deliver emails.

6. Cookies & Analytics

We use cookies and similar technologies grouped into the following categories:

  • Necessary Cookies: Essential for website functionality, including authentication session cookies set by Supabase. These cannot be disabled.
  • Analytics (requires consent): Google Tag Manager (Google LLC) loads analytics scripts only after you grant consent. Vercel Analytics and Speed Insights collect anonymized performance data without using cookies.
  • Marketing (requires consent): Currently, we do not use marketing cookies. This category is reserved for future use.

You can manage your cookie preferences at any time via the "Cookie Settings" link in the footer.

7. Your Rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15 GDPR): You can request information about your stored personal data.
  • Right to rectification (Art. 16 GDPR): You can request correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR): You can request deletion of your data. You can delete your account at any time via Settings in the dashboard.
  • Right to restriction (Art. 18 GDPR): You can request restriction of processing under certain conditions.
  • Right to data portability (Art. 20 GDPR): You can request your data in a structured, machine-readable format.
  • Right to object (Art. 21 GDPR): You can object to processing based on legitimate interest.
  • Right to withdraw consent: You can withdraw any consent given at any time with effect for the future.

To exercise any of these rights, please contact us at hello@listening-loft.com.

8. Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy or as required by law. When you delete your account, all associated data (profile, quiz responses, journal entries, chat history, exercise completions) is permanently deleted via cascading database deletion.

9. Third-Party Services

We use the following third-party services:

  • Vercel — Hosting, Analytics, Speed Insights (USA, EU-U.S. DPF certified)
  • Supabase — Database, Authentication (USA, Standard Contractual Clauses)
  • OpenAI — AI text generation for quiz analysis and chat (USA, Data Processing Agreement)
  • Resend — Transactional email delivery (USA)
  • Google Tag Manager — Analytics tag management (USA, EU-U.S. DPF certified)

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including: encrypted data transmission (TLS/HTTPS), Row-Level Security in the database ensuring data isolation between users, secure authentication via Magic Link (no passwords stored), and regular security updates.

11. Changes to This Policy

We may update this privacy policy from time to time. The current version is always available on this page. We will notify users of significant changes via the website.

12. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. The competent supervisory authority for data protection issues is the data protection officer of the German state in which our company is registered.