Privacy Policy

Last updated: March 2026

1. Data Controller

Alexander Zalana

Zalana-Mentaltraining

Am Steinbach 35, 84544 Aschau a. Inn, Germany

Phone: +49 8638 209 94 14

Email: info@zalana-mentaltraining.de

2. Our Promise: 100% Data Sovereignty

All your personal data is exclusively processed and stored on servers in Germany. We use the sovereign cloud infrastructure of STACKIT (Schwarz IT KG), a German provider with data centers in Germany.

We deliberately do not use any US cloud services (no AWS, no Google Cloud, no Microsoft Azure, no Cloudflare CDN). This ensures that your data is not subject to the US CLOUD Act or comparable access regulations.

This architectural decision is not a marketing claim but is technically anchored in our infrastructure: All website resources (CSS, JavaScript, images) are delivered from our own servers. No external CDNs or third-party scripts are loaded.

3. Data We Collect

3.1 When Visiting the Website (automatic)

Each time you access our website, the web server automatically collects the following data (so-called server log files):

  • IP address of the requesting device (not stored permanently)
  • Date and time of access
  • Name and URL of the requested file
  • Website from which access is made (referrer URL)
  • Browser and operating system used

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the security and stability of the web server).

3.2 When Joining the VIP Waitlist

When you sign up for our VIP waitlist, we collect:

  • Your email address
  • Timestamp of consent
  • An anonymized hash of your IP address (for abuse protection)

Legal basis: Art. 6(1)(a) GDPR (your explicit consent). You may revoke your consent at any time. An informal message by email is sufficient. The lawfulness of processing carried out prior to revocation remains unaffected.

3.3 When Using the TMT Mentor (AI-Powered Coaching)

The TMT Mentor in our web and iOS app is an AI-powered coach (Large Language Model, LLM). When you chat with it, the following data is transmitted to our AI service provider to generate a coaching response:

  • Your chat messages (content of the current conversation)
  • Your first name and TMT archetype (from the onboarding assessment)
  • Relevant excerpts from our knowledge base (RAG context — no third-party user data)

AI Service Provider: STACKIT LLM Serving (Schwarz IT KG), Stiftsbergstraße 1, 74172 Neckarsulm, Germany. The language model runs on STACKIT infrastructure in German data centers. This is explicitly not OpenAI/ChatGPT, Anthropic, Google, or any other US-based provider. A data processing agreement pursuant to Art. 28 GDPR is in place.

No training with your data: Your messages are processed exclusively to generate the real-time coaching response. They are not used to train, improve, or fine-tune the language model. After the response, the transmitted data is not persisted by the service provider.

Storage on our side: Chat histories are stored AES-256-encrypted in our German database so you can continue your situation in later sessions. You can delete any individual situation and your entire account at any time in the Profile section of the app.

Legal basis: Art. 6(1)(b) GDPR (contract performance) in conjunction with Art. 9(2)(a) GDPR (your explicit consent for special categories of personal data, granted via our consent screen with digital signature). Without this consent, the TMT Mentor cannot be used.

4. Cookies and Tracking

This website does not use tracking cookies or web analytics tools. Neither Google Analytics nor comparable services are used.

We use only technically necessary functions (e.g., storing your cookie banner decision in your browser via localStorage). These do not require consent under applicable law.

5. Data Processing

For hosting our website and processing data submitted via our forms, we use the following data processor:

STACKIT (Schwarz IT KG)

Stiftsbergstraße 1, 74172 Neckarsulm, Germany

A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR has been concluded. STACKIT processes data exclusively in German data centers.

6. No Third-Country Transfers

No transfer of your personal data to countries outside the EU/EEA takes place. We exclusively use service providers that process data within Germany.

7. Data Retention

Server log files: automatically deleted after 7 days.

Email addresses (waitlist): stored until you revoke your consent, but no longer than 24 months after the last interaction.

8. Your Rights

You have the right at any time to:

  • a Access your stored personal data (Art. 15 GDPR)
  • b Rectification of inaccurate data (Art. 16 GDPR)
  • c Erasure of your data (Art. 17 GDPR)
  • d Restriction of processing (Art. 18 GDPR)
  • e Data portability (Art. 20 GDPR)
  • f Object to processing (Art. 21 GDPR)
  • g Lodge a complaint with a supervisory authority (Art. 77 GDPR)

Competent supervisory authority: The Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht).

9. Special Categories of Personal Data

In the context of our mental training services, information may be processed that qualifies as special categories of personal data within the meaning of Art. 9 GDPR (e.g., health data).

Such processing occurs exclusively on the basis of your explicit consent (Art. 9(2)(a) GDPR) and only within the framework of direct collaboration. Visiting this website and joining the waitlist does not involve the collection of health data.

10. SSL/TLS Encryption

This website uses TLS encryption for security reasons. You can recognize an encrypted connection by the browser address bar changing from "http://" to "https://" and by the lock icon. When TLS encryption is active, the data you transmit to us cannot be read by third parties.