Privacy Policy
Last updated: 2026-06-07
This Privacy Policy explains how Vistwerk ("Vistwerk", "we", "us") collects, uses, and protects personal data when you use our AI field-documentation platform at https://vistwerk.com. Vistwerk is operated by Peakure (sole operator: Mert Can Vural). We are committed to handling personal data lawfully, transparently, and in accordance with the EU General Data Protection Regulation (GDPR / DSGVO) and applicable German data-protection law. This document is a template provided for general orientation and must be reviewed and adapted by qualified legal counsel before it is published or relied upon.
1. Who We Are and How to Reach Us
The party responsible for processing your personal data (the "controller" under Art. 4(7) GDPR) is Peakure, operating the Vistwerk service.
Operator: Peakure (sole operator: Mert Can Vural).
Registered address: [Registered address].
VAT identification number: [VAT ID].
Email for all privacy matters: hello@vistwerk.com.
If you have questions about this policy or wish to exercise your rights, please contact us using the email above. We do not currently maintain a separately appointed Data Protection Officer; where one becomes legally required, contact details will be published here.
2. Scope of This Policy
This policy applies to the Vistwerk website, the authenticated application, and the messaging-based intake channels through which field data reaches us.
Vistwerk is built for German fiber-optic and civil-engineering (Tiefbau) contractors. In practice, two groups of people interact with our service: account holders (the contractor organisations and their administrators who sign up and log in) and field personnel (construction crews who send updates from the worksite).
Where our business customers upload or transmit data about their own staff, subcontractors, or third parties, that customer is the controller of such data and Vistwerk acts as a processor on their behalf. In those cases, the customer's own privacy notices and our data-processing agreement govern the relationship, and this policy describes our practices as a processor.
3. What Data We Collect
Account and contact data: name, business email address, company name, role, login credentials, and billing details necessary to operate your subscription.
Field documentation data ingested via WhatsApp: voice recordings, photographs, and text messages sent by construction crews from the worksite. These messages may incidentally contain personal data such as voices, names mentioned in speech, faces or identifiable persons captured in photos, and location references.
Derived data: text transcriptions generated from voice recordings, structured records and documents produced by our AI processing, and metadata such as timestamps and message identifiers.
Technical and usage data: IP address, browser and device information, log entries, and basic interaction events needed to keep the service secure and functioning.
Payment data: handled by our payment provider; we receive confirmation and limited billing metadata but do not store full card numbers ourselves.
4. Why We Process Your Data and the Legal Basis
To provide the service (Art. 6(1)(b) GDPR — performance of a contract): creating and maintaining your account, ingesting field messages, transcribing voice, analysing photos and text, and generating the documents you request.
To bill and administer subscriptions (Art. 6(1)(b) and 6(1)(c) GDPR): processing payments and meeting bookkeeping and tax-retention obligations under German law.
To secure and improve the platform (Art. 6(1)(f) GDPR — legitimate interests): preventing abuse, diagnosing faults, and maintaining reliability. We balance these interests against your rights and limit processing to what is necessary.
To communicate with you (Art. 6(1)(b) and 6(1)(f) GDPR): sending transactional notices such as account, security, and billing messages.
Where we rely on consent (Art. 6(1)(a) GDPR) — for example for any non-essential analytics or marketing — we will ask for it clearly, and you may withdraw it at any time with effect for the future.
5. Field Messages and AI Processing
A core function of Vistwerk is turning raw field input into structured documentation. Voice recordings sent from the field are transcribed to text, and photographs and text are analysed to extract relevant details automatically.
This involves automated processing by AI systems operated by our sub-processors. The processing is instructional in nature — it organises and reformats the content you submit; it does not produce legal decisions about individuals that would have legal or similarly significant effects on them within the meaning of Art. 22 GDPR.
Because field messages can capture other people, we ask customers to inform their crews and any identifiable individuals about this processing and to ensure they have a proper legal basis before sending data into Vistwerk. We process this data only to deliver the documentation service and on the instructions of our customer.
6. Sub-Processors and Service Providers
We rely on carefully selected service providers to operate Vistwerk. Each is engaged under a data-processing agreement and is permitted to process data only on our instructions. We keep data within the European Union wherever possible.
• Supabase — database and file storage, hosted in an EU region.
• Vercel — application hosting and content delivery.
• 360dialog — WhatsApp Business connectivity provider, based in Berlin / EU.
• Groq — speech-to-text transcription of voice recordings.
• Anthropic and OpenAI — AI text and vision processing for document generation.
• Resend — delivery of transactional email.
• Stripe — payment and subscription processing.
Where a provider processes data outside the EU/EEA, we rely on appropriate safeguards such as EU Standard Contractual Clauses and additional technical measures. We will provide further detail on request to hello@vistwerk.com.
7. International Data Transfers
Our priority is to keep personal data within the EU/EEA. Some of our AI and infrastructure providers may, however, process data in or from countries outside the EU/EEA.
Whenever such a transfer occurs, we ensure it is covered by a valid transfer mechanism under Chapter V GDPR — typically the European Commission's Standard Contractual Clauses, supported by supplementary safeguards appropriate to the type of data involved.
You may request information about the specific safeguards applied to a given transfer by contacting us.
8. How Long We Keep Data
We retain account data for as long as your subscription is active and for a reasonable period afterwards to handle wind-down, disputes, and legal obligations.
Field messages, transcriptions, and generated documents are retained for as long as needed to provide the service to the relevant customer, or according to the retention terms agreed with that customer. On termination, customer data is deleted or returned in line with our data-processing agreement, subject to mandatory retention periods.
Billing and tax records are kept for the periods required by German commercial and tax law. When data is no longer needed, we delete it or irreversibly anonymise it.
9. How We Protect Data
We apply technical and organisational measures appropriate to the risk, including encryption in transit, access controls, the principle of least privilege, and reliance on EU-based infrastructure where feasible.
No system can be guaranteed completely secure, but we work continuously to reduce risk and to respond promptly to any incident. In the event of a personal-data breach that is likely to result in a risk to your rights, we will notify the competent supervisory authority and, where required, affected individuals in accordance with Art. 33 and 34 GDPR.
10. Your Rights Under the GDPR
Subject to the conditions set out in the GDPR, you have the following rights regarding your personal data:
• Access — to obtain confirmation of, and a copy of, the data we hold about you (Art. 15).
• Rectification — to have inaccurate or incomplete data corrected (Art. 16).
• Erasure — to have your data deleted where the legal conditions are met (Art. 17).
• Restriction — to limit how we process your data in certain situations (Art. 18).
• Portability — to receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible (Art. 20).
• Objection — to object to processing based on legitimate interests, and to object to any direct marketing at any time (Art. 21).
• Withdrawal of consent — to withdraw consent at any time where processing is based on it, without affecting prior lawful processing.
To exercise any of these rights, email hello@vistwerk.com. Where you are a member of a customer's crew or staff, we may direct your request to the relevant customer, who is the controller of that data.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our service, our providers, or the law. The "last updated" date at the top indicates when the current version took effect.
Where changes are material, we will take reasonable steps to inform account holders. We encourage you to review this page periodically.