Legal

Data Residency & GDPR Notice

Where Anna stores your data, the current hosting region, and what it means for EU customers.

Last reviewed: 2026-07-16

1. Scope of this notice

This page is maintained by FreeSma GmbH to answer common data-residency and privacy questions about Anna (the freesma.app / freesma.de web application). It describes app-visible controls and current operational choices. It is not a certification, audit report, or legal advice, and does not replace our Terms or Privacy Policy.

Where we describe features of the underlying hosting platform (Lovable Cloud, which runs on Supabase infrastructure), we describe enabled capabilities factually. Certification-style claims about the platform are not made here.

2. Current hosting region

Primary database regionAWS ap-northeast-1 (Tokyo, Japan). All Anna application data — user accounts, chat conversations, uploaded documents, risk assessments, courses, skills library and the Anna knowledge base — is stored at rest in this region.

Authentication dataEmail addresses, hashed passwords, OAuth identities (Google), sessions and refresh tokens are stored inside the managed auth database in the same Tokyo region.

Application edge / server functionsThe Anna web app and its server functions run on Cloudflare's global edge network. Requests are routed to the nearest edge location and then to the Tokyo database. No customer records are persisted at the edge.

AI processingChat, embedding and RAG requests are sent to the Lovable AI Gateway (Google Gemini for chat, OpenAI text-embedding-3-small for the knowledge base). Prompts and completions are processed to answer your request; FreeSma does not authorise these providers to train models on your content.

3. What this means for EU customers under the GDPR

The Tokyo region is outside the EU/EEA. Storing personal data there is a transfer of personal data to a third country within the meaning of Chapter V GDPR.

Adequacy decision (Japan)The European Commission has adopted an adequacy decision for Japan (Commission Implementing Decision (EU) 2019/419). Personal data transferred from the EU/EEA to commercial operators in Japan covered by that decision benefits from a level of protection recognised as essentially equivalent to EU law. The AWS Tokyo region is operated by Amazon Web Services, Inc. and its affiliates; where transfers fall outside the strict scope of that decision, we rely on Standard Contractual Clauses (SCCs) as an additional safeguard.

Access from third countriesCloud providers with US ownership (AWS, Cloudflare, OpenAI, Google) may in principle be subject to foreign lawful-access requests. We rely on the safeguards and public transparency reports of these subprocessors and do not proactively transfer personal data outside the contracted regions.

Data subject rightsEU/EEA data subjects retain their full GDPR rights (access, rectification, erasure, restriction, objection, portability, and to lodge a complaint with a supervisory authority). Requests can be sent to i.ismail-martens@freesma.de.

4. Data controller and contact

ControllerFreeSma GmbH, Friedrich-Ebert-Anlage 36, 60325 Frankfurt am Main, Germany.

Privacy & data-protection contacti.ismail-martens@freesma.de

Competent supervisory authority (Germany)Hessischer Beauftragter für Datenschutz und Informationsfreiheit (HBDI), Wiesbaden.

5. Subprocessors currently in use

Lovable Cloud (Supabase infrastructure)Application database, authentication, storage — AWS ap-northeast-1 (Tokyo).

CloudflareGlobal edge network, TLS termination, DDoS protection, execution of stateless server functions.

Lovable AI GatewayRouting layer for AI model calls (chat completions, embeddings) used by Anna.

Google (Gemini)LLM provider used for Anna's chat responses via the Lovable AI Gateway.

OpenAIEmbedding provider (text-embedding-3-small) used to index the Anna knowledge base.

Google IdentityOptional Google sign-in (OAuth) for account authentication.

6. Data minimisation and retention

Anna stores only the data needed to operate the service: account profile, roles, conversations you create with Anna, documents you upload, risk assessments and course/skill progress.

Deletion on requestAccount deletion can be requested at i.ismail-martens@freesma.de. Related conversations, documents and risk assessments are removed from the primary database; residual copies in encrypted backups age out according to the platform's rolling backup schedule.

BackupsManaged encrypted backups are performed by the hosting platform in the same region as the primary database.

7. Security controls in place

Transport encryptionAll customer traffic is served over HTTPS/TLS. Internal traffic between the edge and the database uses TLS.

Encryption at restPrimary database and managed backups are encrypted at rest by the hosting platform.

Access controlRow-Level Security (RLS) is enabled on all user-data tables so users can only access their own records. Administrative roles are stored in a separate table and checked via a security-definer function; server-side privileged operations are limited to explicit, audited code paths.

AuthenticationEmail + password (with leaked-password protection against the HaveIBeenPwned database) and Google OAuth. Passwords are never stored in plaintext.

Automated policy testsA Vitest suite exercises RLS policies for user-data tables and premium gates on every change.

8. Options for EU customers who require EU-only storage

If your organisation's policy requires personal data to remain inside the EU/EEA, contact us at i.ismail-martens@freesma.de before creating production accounts. We can discuss migrating your workspace to an EU region of Lovable Cloud, or a dedicated deployment, subject to a separate agreement.

This notice will be updated when the primary region changes. The date below reflects the last review.

© 2026 FreeSma GmbH — This notice is maintained by the app owner and may be updated as infrastructure evolves.