Trust & Security
Your data stays in Germany. Your buyers get the receipts.
Lovelaice is built by a German company, hosted on AWS Frankfurt, and covered by GDPR from day one — so regulated buyers can green-light you without a six-week procurement review.
Data residency
Where your data lives
All customer data — evaluations, test cases, prompts, model outputs, uploads — is stored in AWS eu-central-1 in Frankfurt, Germany. Backups are encrypted and remain within the same EU region.
Traffic is served via AWS's EU points of presence. Customer data never leaves the EU during normal operation.
Subprocessors
Who touches your data
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Application hosting, storage, backups | EU (Frankfurt) |
| HubSpot | Sales & support communications | EU |
| Model providers | LLM inference (OpenAI, Anthropic, others as configured by customer) | Provider-dependent |
Full, versioned list is included with the DPA. We notify customers in writing before adding a new subprocessor.
Data handling
Retention, deletion, and model training
Retention
Customer data is retained for the life of the subscription. On-request deletion is available at any time and completes within 30 days.
Deletion on termination
On contract termination, all customer data is deleted within 30 days unless a longer retention period is required by law.
No training on your data
Your prompts, test cases, and outputs are never used to train Lovelaice or third-party models. Zero-retention endpoints are used with model providers where available.
Encryption
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via AWS-managed keys).
Legal entity
Who you're actually contracting with
Cata Creative Software UG (haftungsbeschränkt)
Kemptener Straße 64, 87600 Kaufbeuren, Germany
Amtsgericht Kempten · HRB 17896
Full company details on the Impressum. Data protection details in the Privacy policy.
Certifications
What's live, what's on the roadmap
GDPR + BDSG compliance, EU data residency, standard DPA
ISO 27001 certification — kickoff Q4 2026
Reach out if you need certification evidence for procurement — we can share the timeline in writing.
FAQ
Common procurement questions
Where is my Lovelaice data stored?
All customer data is stored in AWS eu-central-1 (Frankfurt, Germany). Data never leaves the EU during normal operation.
Is Lovelaice GDPR-compliant?
Yes. Lovelaice is operated by Cata Creative Software UG, a German legal entity subject to the GDPR and the German BDSG. We sign a Data Processing Agreement (DPA) with every customer on request.
Can I get a signed Data Processing Agreement (DPA)?
Yes. Email contact@lovelaice.com and we will send you our standard DPA — signed and ready to countersign — within one business day. Custom terms can be negotiated for enterprise contracts.
What is your subprocessor policy?
We publish our full up-to-date subprocessor list inside the DPA and notify customers in writing before adding a new subprocessor. Contact contact@lovelaice.com for the current list.
How long do you retain customer data?
Customer data (evaluations, test cases, prompts, model outputs) is retained for the life of your subscription. On termination, data is deleted within 30 days unless a longer retention period is required by law. On-request deletion is available at any time.
Do you train models on my data?
No. Your prompts, test cases, and evaluation outputs are never used to train Lovelaice models or third-party models. Model providers (e.g. OpenAI, Anthropic) are contractually bound to the same terms via zero-retention API endpoints where available.
Are you SOC 2 / ISO 27001 certified?
Certification is on the roadmap for late 2026. In the meantime, our GDPR posture, EU-only hosting, and DPA cover the compliance requirements of most European buyers. Speak to us if you need certification evidence for procurement.
Need a signed DPA or a security review?
Email contact@lovelaice.com and we'll come back within one business day.