Privacy Policy
Last updated: February 22, 2026
1. Controller Identity and Contact
The data controller for the purposes of the EU General Data Protection Regulation (GDPR) is:
BirdFlai UG (haftungsbeschränkt)
Tarpenbekstraße 13
22848 Norderstedt
Germany
Commercial Register: Amtsgericht Kiel, HRB 28353 KI
VAT ID: DE455732685
Managing Directors: Pascal Meger, Jan Christiansen
Privacy contact: jan@birdflai.com
Market Eagle ("we", "us", "our") is a product of BirdFlai UG. This policy explains how we collect, use, and protect your personal data when you use our competitive intelligence platform at www.market-eagle.com (the "Service").
2. Privacy Contact
BirdFlai UG is not required to appoint a Data Protection Officer under § 38 BDSG (fewer than 20 employees regularly involved in automated processing of personal data). For all privacy inquiries, please contact:
3. Data We Collect
We collect the following categories of data:
- Account data: Email address and password (hashed) when you register
- Analysis data: Competitive analyses, data points, sources, insights, SWOT entries, and changelog entries you or your AI agents create within workspaces
- Documents: User-uploaded files (PDF, Excel, Word, CSV, images) stored in Supabase Storage, used as sources for competitive analyses
- Payment data: Billing information (name, address, payment method details) processed by Stripe for paid subscriptions. We do not store full credit card numbers on our servers.
- Email communication data: Email address and interaction data (opens, clicks) for transactional and marketing emails sent via Resend
- Usage data: Log data including IP addresses, browser type, and access timestamps for security and debugging purposes
- Analytics data (with consent): If you consent to analytics cookies, we collect anonymized usage data via Google Analytics 4, including pages visited, session duration, and general interaction patterns. No personally identifiable information is collected through analytics.
Source of data: Data may be provided directly by you, collected automatically when you use the Service, or submitted by AI agents acting on your behalf via MCP (Model Context Protocol) within your authorized workspace.
4. Purposes and Legal Basis
We process your personal data for the following purposes, each mapped to a legal basis under Art. 6(1) GDPR:
| Purpose | Legal Basis |
|---|---|
| Service delivery, account management | Art. 6(1)(b) – contract performance |
| Payment processing (Stripe) | Art. 6(1)(b) – contract performance |
| Transactional emails (Resend) | Art. 6(1)(b) – contract performance |
| Marketing emails (Resend) | Art. 6(1)(a) – consent |
| Analytics (Google Analytics 4, with consent) | Art. 6(1)(a) – consent |
| Security, fraud prevention, debugging | Art. 6(1)(f) – legitimate interest |
| Tax/billing record retention | Art. 6(1)(c) – legal obligation |
| Consent record keeping | Art. 6(1)(c) – legal obligation |
5. Legitimate Interests (Art. 13(1)(d))
Where we rely on Art. 6(1)(f) GDPR (legitimate interest), our interests are: security monitoring, fraud prevention, service debugging, infrastructure stability, and abuse prevention. We have assessed that these interests are not overridden by your rights and freedoms, as processing is limited to technical data and serves to protect both us and our users.
6. AI Agent Integration and Data Processing
Market Eagle is designed to work with AI agents (e.g., Claude, ChatGPT) that conduct competitive research on behalf of workspace members. Here is how this works:
- Authorization: You authorize an AI client to access your workspace via OAuth 2.1. The AI agent then calls Market Eagle tools on your behalf using your permissions.
- Data flow: The AI provider sends data to Market Eagle (e.g., research results, data points, insights). Market Eagle does not send your workspace data to AI providers.
- No AI training: Market Eagle does not use your data to train AI models. Your competitive intelligence remains in your workspace.
- Stored content: AI-generated content (data points, insights, SWOT entries) is stored in our database and attributed via the changelog, which tracks whether an action was performed by an "agent" or a "user".
- Your responsibility: You are responsible for your choice of AI provider and its data handling practices. Third-party AI providers (e.g., Anthropic, OpenAI) have their own privacy policies governing how they process prompts and responses.
7. Data Sharing and Sub-Processors (Art. 13(1)(e))
We do not sell, rent, or share your personal data with third parties for marketing purposes. Data is shared only with the following processors, each bound by data processing agreements (DPAs):
| Processor | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|
| Supabase Inc. | All app data, authentication | EU (Ireland) | No transfer (EU) |
| Vercel Inc. | HTTP requests, frontend hosting | US + Edge | EU-US DPF |
| Railway Corp. | API requests, server logs | US | EU-US DPF / SCCs |
| Stripe Inc. | Payment data | US | EU-US DPF |
| Google LLC | Analytics (consent only) | US | EU-US DPF |
| Usercentrics A/S (Cookiebot) | Consent records | EU (Denmark) | No transfer (EU) |
| Resend Inc. | Email addresses, email content | US | EU-US DPF / SCCs |
8. International Data Transfers (Art. 13(1)(f))
Your data is primarily stored in the EU (Supabase, Ireland). Some sub-processors (Vercel, Railway, Stripe, Google, Resend) process data in the United States. These transfers are protected by:
- EU-US Data Privacy Framework (DPF): The primary transfer mechanism for US-based processors certified under the DPF, based on the European Commission's adequacy decision of July 10, 2023.
- Standard Contractual Clauses (SCCs): Used as a supplementary or alternative safeguard where applicable (Railway, Resend).
Should the DPF adequacy decision be invalidated, we will rely on Standard Contractual Clauses as a fallback mechanism for all affected transfers.
9. Cookies and Consent Management
We use cookies and similar technologies on our marketing website. We distinguish between the following categories:
- Strictly necessary cookies: Required for core functionality such as authentication, session management, and consent storage. These cookies do not require your consent.
- Analytics cookies: Used to understand how visitors interact with our website (Google Analytics 4). These cookies are only set after you give explicit consent.
Cookie Details
| Cookie | Provider | Duration | Category | Purpose |
|---|---|---|---|---|
| CookieConsent | Cookiebot | 12 months | Necessary | Stores your cookie consent preferences |
| sb-* | Supabase | Session | Necessary | Authentication and session management |
| _ga | | 2 years | Analytics (consent) | Distinguishes unique users |
| _ga_2XKZDHP68Z | | 2 years | Analytics (consent) | Persists session state for GA4 |
Consent Management (Cookiebot)
We use Cookiebot by Usercentrics as our Consent Management Platform (CMP). When you first visit our marketing website, a cookie banner allows you to accept or reject non-essential cookies by category. Your consent choice is stored in a cookie and applies across the entire website. Cookiebot is used only on our marketing pages; no analytics cookies are set on authenticated application pages.
You can change or withdraw your consent at any time by clicking the cookie settings icon on our website.
Google Consent Mode v2
We use Google Consent Mode v2 to ensure that Google Analytics respects your cookie preferences. If you do not consent to analytics cookies, no analytics cookies are set and no personally identifiable data is collected. However, Google may still receive anonymized, cookieless pings (e.g., consent state signals) that do not identify individual users. Google may use privacy-safe modeling to estimate aggregated trends based on consenting users' data.
10. Email Communications
We use Resend Inc. as our email service provider for the following types of communication:
- Transactional emails: Account confirmation, password reset, and service updates. These are sent as part of our contract with you (Art. 6(1)(b) GDPR) and cannot be unsubscribed from while your account is active.
- Marketing emails: Product updates, tips, and promotional content. These are only sent with your explicit consent (Art. 6(1)(a) GDPR). Every marketing email contains an unsubscribe link.
You can unsubscribe from marketing emails at any time via the one-click unsubscribe link in every email or by contacting us at jan@birdflai.com.
11. Data Retention
We retain your data only as long as necessary for the purposes described. Specific retention periods per data category:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account data | Active account + 30 days after deletion | Art. 6(1)(b) |
| Analysis/workspace data | Active account + 30 days after deletion | Art. 6(1)(b) |
| Documents (uploads) | Active analysis + 30 days after deletion | Art. 6(1)(b) |
| Billing/invoice records | 8 years (§ 147 AO) | Art. 6(1)(c) |
| Server/error logs | 90 days | Art. 6(1)(f) |
| Changelog/audit trail | Active analysis + 30 days after deletion | Art. 6(1)(b)/(f) |
| Consent records | 3 years | Art. 6(1)(c) |
| Analytics data (GA4) | 14 months (Google default) | Art. 6(1)(a) |
12. Your Rights Under GDPR
Under GDPR, you have the following rights:
- Right of access (Art. 15) – obtain a copy of your personal data
- Right to rectification (Art. 16) – correct inaccurate data
- Right to erasure (Art. 17) – request deletion of your data
- Right to restriction of processing (Art. 18) – limit how we use your data
- Right to data portability (Art. 20) – receive your data in a machine-readable format
- Right to object (Art. 21) – object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)) – withdraw consent at any time without affecting the lawfulness of prior processing
- Right to lodge a complaint (Art. 77) – file a complaint with a supervisory authority (see Section 13)
To exercise any of these rights, contact us at jan@birdflai.com. We will respond within 30 days.
13. Right to Lodge a Complaint (Art. 77)
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent authority for BirdFlai UG is:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98
24103 Kiel, Germany
www.datenschutzzentrum.de
You may also lodge a complaint with the supervisory authority in the EU member state of your habitual residence or place of work.
14. Automated Decision-Making (Art. 13(2)(f))
We do not use automated decision-making or profiling as defined in Art. 22 GDPR. While AI agents may assist in generating competitive intelligence data, all such data is created at the explicit direction of users and does not result in automated decisions with legal or similarly significant effects.
15. Obligation to Provide Data (Art. 13(2)(e))
The provision of certain personal data is required for us to fulfill our contractual obligations:
- Account data (email, password): Required for registration and use of the Service (contractual requirement)
- Payment data: Required for paid subscriptions (contractual requirement)
- Analysis data: Voluntary – you decide what competitive intelligence data to create
If you do not provide the required data (account, payment), we cannot provide the Service or process your subscription.
16. Security Measures (Art. 32)
We implement appropriate technical and organizational measures to protect your data, including:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Row-Level Security (RLS) at the database level ensuring data isolation between workspaces
- JWT-based authentication with ES256 algorithm and JWKS key rotation
- Hashed passwords (via Supabase Auth, bcrypt)
- Role-based access control (owner, admin, editor, viewer) within workspaces
17. Children's Privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly.
18. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 30 days before the changes take effect. The date at the top of this page indicates the latest revision.
19. Contact
For privacy-related questions, contact us at jan@birdflai.com.
For our full legal details, see our Imprint.