Legal
Privacy Notice
We explain transparently which data we process, why we do so, and which rights you have.
Controller
The controller responsible for processing personal data in connection with The Last RAG (thelastrag.de) is Martin Gehrken, Angerstraße 23, 31020 Salzhemmendorf, Germany (“operator”). You can reach us at [email protected] or by phone at +49 155 62551659.
Data we collect and how we use it
We process personal data only for clearly defined purposes:
Account data
When you register we collect your email address and a password. We use this information to create and manage your account, authenticate you when you sign in, and contact you about important service information (for example password resets).
Chat content and memories
Your chat messages and any “memories” you save are stored to provide you with a personalised chat experience. The AI can reference previous conversations and saved facts to deliver contextual replies. We also use stored chat history to detect and prevent abuse (for example breaches of usage rules).
Usage and metadata
Technical data such as IP address, browser/device information, timestamps, and usage statistics (for example number of chats or response times) are recorded when you use the service. We rely on this data to protect the service (for example mitigating attacks, troubleshooting) and to improve it through aggregated analysis.
Payment data
If you purchase a Plus or Pro subscription, payment information is collected during checkout. Processing is handled by our payment provider Stripe (see below). Depending on the payment method this may include credit-card details (card number, expiry, CVC), cardholder name, and billing address. We use this data exclusively to process payments and for accounting. The Last RAG does not store complete payment card details—Stripe processes them directly.
Support requests
When you contact us (for example via [email protected]) we process the contact details and message content you provide to respond to your enquiry and to communicate with you.
Legal bases
We always process your data in line with the EU General Data Protection Regulation (GDPR). Depending on the type of data we rely on the following legal bases:
Consent (Art. 6(1)(a) GDPR)
We store and analyse chat content and saved memories based on your explicit consent, which we request during registration. You can withdraw consent at any time (for example by deleting your account or contacting us). Any processing carried out before the withdrawal remains lawful.
Performance of a contract (Art. 6(1)(b) GDPR)
Many processing operations are necessary to perform the contract with you, including account registration, providing the chat functionality, and handling payments for Plus/Pro subscriptions. Without these data we could not deliver the service as agreed.
Legitimate interests (Art. 6(1)(f) GDPR)
We process usage and metadata (such as IP addresses and log files) based on our legitimate interest in securing, maintaining, and optimising the service. We have balanced these interests against your rights and concluded that the processing is expected and necessary to operate a safe and reliable platform. You may object to processing on grounds relating to your particular situation (see “Your rights”).
Legal obligations (Art. 6(1)(c) GDPR)
In some cases we are legally required to retain or disclose data—for example to comply with tax retention duties for invoices and payment records. Such processing is based on statutory obligations.
Special categories of data
The Last RAG chat is not intended to collect special categories of personal data. Please avoid entering sensitive information (such as health data or political opinions) unless necessary. If you voluntarily share such data and we process it, this occurs under your explicit consent (Art. 9(2)(a) GDPR). You may withdraw that consent at any time by deleting the content or contacting us.
Storage periods and deletion
We retain personal data only for as long as necessary to fulfil the relevant purposes or as required by law.
Chat history and memories
Chat transcripts and memories remain stored until you delete them or delete your account. You can remove individual chats at any time. On request we will delete your entire account and all associated personal data (including chat content) unless legal retention duties prevent us from doing so.
Inactivity
If you do not use your account for more than 12 months (no logins or activity) we reserve the right to delete it for security and privacy reasons. We will notify you via the registered email address before deletion.
Subscription and payment data
Information relating to paid transactions is retained for the duration of the contractual relationship and thereafter in accordance with statutory obligations. Accounting records must typically be kept for six to ten years. After the contract ends we restrict such data and delete it once the retention periods expire.
Server logs
Technical log data (for example access logs) is stored temporarily for security and troubleshooting. These logs are routinely deleted or anonymised after no more than 90 days unless a security incident requires longer retention (for example to preserve evidence).
Withdrawal of consent
If processing is based on your consent and you withdraw it, we delete the affected data promptly unless another legal basis applies or statutory retention duties require us to keep it.
Sharing data with third parties
We handle your data confidentially and never sell it. Disclosure occurs only in the following situations: when we use processors, when payments are processed, to meet legal obligations, or when you have consented to sharing.
AI service (OpenRouter)
The Last RAG uses the OpenRouter platform to generate AI responses. Your prompts are transmitted to OpenRouter, Inc. so the connected model can produce an answer. According to OpenRouter your prompts and responses are not stored permanently (zero-data-retention policy); only anonymous metadata (for example token counts, response times) is recorded for statistics. Processing through OpenRouter may involve transfers to countries outside the EU (in particular the USA) because the linked AI models operate on international infrastructure. We configure OpenRouter to use providers that, according to their policies, do not train on your data. By consenting to chat storage you also consent to forwarding your prompts to OpenRouter and the respective model providers for processing. Nevertheless we recommend not entering highly sensitive information into the chat.
Payment processing (Stripe)
Paid subscriptions are billed via Stripe. Stripe, Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA (or Stripe Payments Europe Ltd., Dublin, Ireland for EU customers) processes your payment data when you subscribe. You are redirected to Stripe’s secure payment page or submit data via an embedded Stripe form. We receive only confirmation of the payment and limited details (card type, last four digits, expiry date, amount, status, name, and email for invoicing). Stripe is certified under the EU–US Data Privacy Framework and relies on EU standard contractual clauses to ensure adequate protection when transferring data to the USA. See Stripe’s privacy policy for further information.
Hosting provider
The Last RAG platform runs on servers located in Germany that are operated by an external hosting provider. All data you provide (chats, account data, files) is therefore stored and processed within Germany. We have concluded a data-processing agreement pursuant to Art. 28 GDPR to ensure that the provider processes your data only according to our instructions and in compliance with the GDPR.
Email delivery
Transactional emails (for example verification, password reset, notifications) are sent either via our own mail server or a European email service. Your email address is used solely for delivering the respective message. We have agreements in place to prevent unauthorised access.
No other disclosure
Personal data is transmitted to public authorities only where required by mandatory legislation or court orders. Beyond that we do not share your data with third parties.
Data security
We implement technical and organisational measures to protect your personal data. Thelastrag.de uses SSL/TLS encryption so data you submit (such as login details and chat content) is transmitted securely. Server-side safeguards include firewalls and regular security updates. Access to personal data is limited to individuals who need it to perform their duties (need-to-know principle). Passwords are stored as cryptographic hashes—please choose a strong password and keep it secret. If a data breach occurs despite these precautions, we will notify you and the competent authorities without undue delay as required by law.
Your rights
As a data subject you have the following rights under the GDPR:
- Right of access (Art. 15 GDPR): You can request information about the personal data we store about you, including the purposes of processing and any recipients.
- Right to rectification (Art. 16 GDPR): You may have inaccurate or incomplete data corrected. For example, if your email address is incorrect you can ask us to update it (or update it yourself in your profile).
- Right to erasure (Art. 17 GDPR): You can request deletion of your personal data when the legal requirements are met—for example if the purpose of processing no longer applies or you withdraw consent. Some data may need to be retained temporarily if legal obligations require it.
- Right to restriction (Art. 18 GDPR): You can request that processing be restricted—for example while we verify contested data or if you prefer restriction instead of deletion.
- Right to data portability (Art. 20 GDPR): You may obtain the personal data you provided in a structured, commonly used, machine-readable format and request that we transmit it to another provider where technically feasible.
- Right to withdraw consent (Art. 7(3) GDPR): You may withdraw consent at any time. Processing that occurred before withdrawal remains lawful, but we will cease the processing that relied solely on your consent.
- Right to object (Art. 21 GDPR): Where we process data based on legitimate interests you may object to that processing. We will stop processing unless we can demonstrate compelling legitimate grounds or the processing serves the establishment, exercise, or defence of legal claims.
- Right to lodge a complaint (Art. 77 GDPR): If you believe that processing violates data-protection law you may complain to a supervisory authority.
To exercise your rights, contact us at [email protected]. We will review your request promptly and respond within the statutory deadlines. To prevent misuse we may need additional information to verify your identity before releasing or deleting data.
No automated decision-making
The Last RAG does not perform automated individual decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning you or significantly affects you in a similar manner. In particular we do not carry out fully automated profiling to make binding decisions about you. AI-generated responses are for information and entertainment purposes only.
Changes to this privacy notice
We may update this privacy notice when required—for example if we introduce new features or if legal requirements change. We will inform registered users of material changes by email or prominently during login. The latest version is always available on our website (see the date below). Please review the notice regularly.