Privacy Policy
1. Privacy at a Glance
General Information
The following information provides a simple overview of what happens to your personal data when you visit this website.
2. Data Collection on This Website
Who is responsible for data collection?
Data processing on this website is carried out by the website operator:
RoofCheck.AI
Schäferstrasse 45
19053 Schwerin
Deutschland (EU)
E-Mail: support@roofcheck.ai
Data Protection Officer
The appointment of a Data Protection Officer is currently not required under §38 BDSG, as fewer than 20 persons are regularly involved in automated processing of personal data. For data protection inquiries, please contact: support@roofcheck.ai
3. Your Rights
Under the GDPR, you have the following rights: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21). You may exercise these rights at any time free of charge by contacting us at support@roofcheck.ai. This is based on Art. 15–21 GDPR.
Use our GDPR Self-Service Portal to exercise your rights directly online: GDPR Self-Service Portal →
You also have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data (Art. 77 GDPR). Competent authority: The State Commissioner for Data Protection and Freedom of Information Mecklenburg-Vorpommern, Werderstraße 74a, 19055 Schwerin, Germany.
4. Analytics and Third-Party Tools
Google Solar API
We use Google Solar API for roof surface and solar potential analysis. Location data is transmitted to Google. https://policies.google.com/privacy
Mapbox
We use Mapbox for map displays and geocoding. https://www.mapbox.com/legal/privacy
Sentry
We use Sentry for error logging (Art. 6(1)(f) GDPR). Provider: Functional Software, Inc., San Francisco, USA.
Plausible Analytics
We use Plausible Analytics for privacy-friendly analysis. Cookieless measurement, no IP storage. Provider: Plausible Insights OÜ, Estonia (EU). https://plausible.io/data-policy
Google Analytics
We use Google Analytics (Google Ireland Limited) for statistical analysis. Legal basis: consent (Art. 6(1)(a) GDPR). Google LLC is certified under the EU-U.S. Data Privacy Framework.
Google Gemini AI
We use Google Gemini API for AI-powered analyses. No personal data is transmitted — only technical analysis data (roof area, orientation, location). Art. 6(1)(f) GDPR. https://policies.google.com/privacy
Brevo (Email Delivery)
We use Brevo (formerly Sendinblue) for transactional emails. Provider: Sendinblue GmbH, Berlin, Germany (EU). Art. 6(1)(a)+(b) GDPR. https://www.brevo.com/legal/privacypolicy/
Gotenberg (Open-Source PDF Engine)
We use Gotenberg to generate the EU Protection Dossier as a PDF document. Analysis data is converted into PDF documents locally on the server. No external data transfer — Gotenberg runs as a Docker container on the same server. Legal basis: Art. 6(1)(b) GDPR (performance of contract).
Redis (Open-Source In-Memory Database)
We use Redis for temporary data storage: rate limiting, session management and caching. IP addresses and session data are stored temporarily (max. 24h). Redis runs as a Docker container on the same server — no external data transfer. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in system security).
Funnel Analytics & Operational Telemetry
If you have consented to the "Analytics" cookie category, we record 9 anonymous funnel steps (e.g. WIZARD_START, SURFACE_SELECT, LEAD_SUBMIT, PDF_READY) for drop-off analysis. We store a random session identifier (`rc_session_id` in localStorage), the event, optionally country and surface type. We do NOT store name, email, IP address or street address.
Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with §25(1) TTDSG. You may withdraw consent at any time via the cookie banner — tracking stops immediately, stored funnel data is automatically deleted after 90 days (GDPR Art. 5(1)(e)).
rc_session_id (localStorage) — anonymous funnel session ID, 90 days; analytics consent only
Operational System Alerts via Telegram
For internal operational monitoring (job failures, container health, new lead alerts) we send identifier-only notifications to a private operator Telegram channel (Telegram FZ-LLC, United Arab Emirates). Lead notifications include ONLY id suffix, country, postal-area (3 chars), surface type, and status — never name, email or full address. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operational reliability). Third-country transfer per Art. 49(1)(d) GDPR (overriding public interest in operational continuity) or pseudonymised identifiers only.
Mailbox Monitoring (IMAP)
Replies to support@roofcheck.ai are polled every 5 minutes via IMAP from Hostinger (NL/EU), categorised (carrier, media, partner) and the sender + subject is forwarded as an operational notification to our internal Telegram channel. Content remains in the Hostinger mailbox (EU). Legal basis: Art. 6(1)(f) GDPR (responsiveness to business-partner correspondence).
Data Processors (DPA Overview)
| Provider | Purpose | Location | DPA | Legal Basis |
|---|---|---|---|---|
| Google Cloud / Maps / Solar / Analytics | Geodata, AI Analysis & Web Analytics | USA (DPF) | Google Cloud DPA | Art. 6(1)(a)+(b)+(f) |
| Mapbox | Map Display | USA (DPF) | Mapbox DPA | Art. 6(1)(f) |
| Brevo (Sendinblue) | Email Delivery | DE (EU) | Brevo AVV | Art. 6(1)(a)+(b) |
| Sentry | Error Logging | USA (DPF) | Sentry DPA | Art. 6(1)(f) |
| Hostinger | Hosting & Infrastructure | NL (EU) | Hostinger DPA | Art. 6(1)(f) |
| Plausible Analytics | Website Statistics | EE (EU) | Plausible DPA | Art. 6(1)(f) |
| Gotenberg (Open-Source) | PDF Generation (EU Protection Dossier) | Lokal (Server) | Kein AVV (lokal) | Art. 6(1)(b) |
| Redis (Open-Source) | Rate Limiting, Session Management, Caching | Lokal (Server) | Kein AVV (lokal) | Art. 6(1)(f) |
| Google Gemini AI | AI-powered analyses (solar evaluation, damage detection, lead enrichment). Prompt content may include master data (postal code, email, damage description) and image data. | USA (EU-US DPF) | Google Cloud DPA + SCC | Art. 6(1)(f) |
| Mistral AI (Fallback Tier 1+2) | EU-first fallback during Gemini outage: Mistral Large 2512 (Tier 1) → Mistral Small 4 (Tier 2). Both hosted on Mistral.ai endpoint in France (no third-country transfer). Provider-pinning enforces EU routing — hard-fail on outage rather than USA failover. Prompt content may include master data (postal code, email, damage description) and image data. | FR (EU) | Mistral AI DPA + provider-pinning | Art. 6(1)(f) — kein Drittland |
| Anthropic Claude (Fallback Tier 3) | Last-resort fallback (Claude Opus 4.7) when both Mistral tiers are unavailable. Prompt content may include master data and image data — same data scope as the Gemini primary path. USA-hosted under SCC Module 2. | USA (SCC) | OpenRouter Terms + Anthropic DPA | Art. 6(1)(f) + Art. 46(2)(c) |
| OpenRouter (Routing-Vermittler) | Pure routing layer with no storage — forwards requests to the upper fallback tiers (Mistral / Anthropic). OpenRouter itself stores no prompt content (per OpenRouter Privacy Policy). Encrypted transmission via TLS. | USA | OpenRouter Terms | Art. 6(1)(f) — Routing-Layer ohne Speicherung |
| Telegram (FZ-LLC) | Operational system alerts to internal admin channel (identifier-only — no name/email/address) | AE (Art. 49 GDPR) | Pseudonymisierte Identifier — kein AVV mit Telegram | Art. 6(1)(f) + Art. 49(1)(d) |
Google Maps, Places and Solar API
We use Google Maps Platform for geolocation and analysis of roof surfaces and solar potential. The following data is transmitted to Google:
- User’s IP address
- Entered address and location data
- Geographic coordinates
Legal basis: Art. 6(1)(b)+(f) GDPR. Google is certified under the EU-U.S. Data Privacy Framework. Google Privacy Policy.
5. Hosting
This website is hosted externally. Personal data is stored on the host’s servers.
6. Contact
For data protection inquiries, please contact us at:
support@roofcheck.ai
Data Processing for Protection Status Check
If you consent to the protection status check in the analysis form, the following personal data will be processed for risk assessment:
- Name
- Email address
- Analysis key data (location, roof area, estimated capacity)
Recipients: GDPR-compliant solar specialist contractors and insurance partners, exclusively for protection status verification and risk assessment.
Legal basis: Art. 6(1)(a) GDPR (consent). Withdrawal: At any time by email to support@roofcheck.ai.
Note: Consent is not a prerequisite for using the free solar analyses or protection reports.
Data Retention
- Solar analyses: 24 months from creation, then automatically deleted.
- Lead data (with consent): Until withdrawal, maximum 36 months.
- Server logs: 30 days, then automatically deleted.
- Functional cookies: 12 months (language, country).
- Analytics cookies (Plausible): No persistent cookies — cookieless measurement.
Hosting and Infrastructure
This website runs on servers of Hostinger International Ltd., Netherlands. Data centre: Frankfurt am Main, Germany.
All personal data is processed and stored exclusively on servers within the European Union (Art. 44 ff. GDPR).
Data Quality & Continuous Improvement
RoofCheck.AI is a continuously evolving consumer protection tool. We continuously improve our analysis quality through direct connections to public institutions and recognised data providers — including EU PVGIS, Google Solar API and Eurostat.
As of: April 2026