Curlydots logoCurlyDots

Privacy Notice

Data protection information for Curlydots

Last updated: 5 April 2026

This privacy notice explains how Sopamo GmbH processes personal data when you visit the Curlydots marketing site at curlydots.com, use the Curlydots application, contact us, request beta access, or receive a team invitation.

The notice is written against the actual setup used for Curlydots today: DigitalOcean for infrastructure, Cloudflare for DNS, edge delivery and protection, OpenAI for AI-powered translation features, and an external Typeform page for beta intake.

1. Controller and contact details

Controller for the processing described on this page is Sopamo GmbH, Wilhelm-Sprott-Str. 23a, 24235 Laboe, Germany.

General contact: hallo@sopamo.de. Privacy-related inquiries: datenschutz@sopamo.de.

This notice covers in particular curlydots.com, www.curlydots.com, and app.curlydots.com.

2. Access to the website, delivery, and security

When you open our website or application, our systems and edge providers process connection and request data that usually includes IP address, date and time of the request, requested URL, host name, browser and operating-system information, referrer information, and technical log data.

We process this data to deliver the site, stabilize availability, defend against abuse, and investigate security incidents. The legal basis is Article 6(1)(f) GDPR. Our legitimate interests are secure and reliable operation, abuse prevention, and troubleshooting.

3. Contact requests and beta applications

If you contact us by email or use the beta request flow linked from the landing page, we process the information you submit to handle your request, continue the conversation, and document the status of the request.

The beta request form is hosted on a Typeform page. When you open that page, your browser connects directly to Typeform. Data you submit through the form is transmitted through Typeform to us for lead and request handling.

The legal basis is Article 6(1)(b) GDPR where your request is directed toward entering into a contract or taking pre-contractual steps, and otherwise Article 6(1)(f) GDPR based on our legitimate interest in responding to business inquiries.

4. Account registration, login, and account security

When you create or use a Curlydots account, we process account and authentication data such as name, email address, password hash, email-verification status, session data, CSRF/session cookies required for login, and security-related events.

If you use team functionality, we also process role assignments, membership information, invitation status, and related timestamps. Invitation flows process the invitee email address, invitation token data, inviter information, and expiry data.

The legal basis is Article 6(1)(b) GDPR for account operation and team access, Article 6(1)(c) GDPR where retention or security obligations apply, and Article 6(1)(f) GDPR for fraud prevention, account protection, and incident analysis.

5. Use of the Curlydots service and AI translation features

When you use Curlydots, we process project, team, and translation-workflow data needed to provide the service. Depending on how you use the product, this may include translation keys, source strings, translation context, translation examples, project rules, target language selections, formality settings, and related metadata.

For AI-supported translation features, relevant prompts and contextual translation data are transmitted to our AI provider OpenAI so the requested output can be generated. The legal basis is Article 6(1)(b) GDPR where the processing is necessary to provide the requested feature, and Article 6(1)(f) GDPR for product improvement, quality assurance, and misuse prevention in trial or evaluation contexts.

If you submit personal data to the service, you must ensure that you are entitled to do so and that the submission is necessary for your use case. You should avoid sending special-category or otherwise unnecessary personal data to AI features unless you have separately ensured a valid legal basis.

6. Cookies and similar technologies

The landing page currently does not use analytics or marketing cookies. The application uses technically necessary cookies and similar mechanisms for authentication, CSRF protection, session continuity, and security.

To the extent storage or access on your end device is required for strictly necessary technical operation, this takes place on the basis of Section 25(2) no. 2 TDDDG. Any downstream processing of personal data then takes place under the GDPR legal bases described in this notice.

7. Recipients and service providers

  • DigitalOcean: infrastructure hosting and system operation.
  • Cloudflare: DNS, edge delivery, caching, reverse proxy, and security services.
  • OpenAI: processing of prompts and translation context for AI-supported translation features.
  • Typeform: hosting of the external beta request form linked from the landing page.
  • Email transport providers used by us for transactional messages such as invitations or operational communication.

8. International data transfers

Some recipients may process data outside the European Union or the European Economic Area, especially in the United States. Where required, we rely on an adequacy decision under Article 45 GDPR or appropriate safeguards under Article 46 GDPR, in particular standard contractual clauses and supplementary measures where appropriate.

If you want more detail about the safeguards relevant to a specific processing activity, you can contact us at the addresses listed above.

9. Storage periods

We store personal data only for as long as necessary for the relevant purpose. Access and security logs are generally kept only for a limited period unless longer retention is needed for abuse investigation or legal defense.

Inquiry and beta-request data is stored for the duration of the communication and thereafter as long as follow-up, documentation, or legal defense requires. Account data is stored for the term of the user relationship and afterward only as long as statutory retention duties, open claims, or legitimate defense interests require.

Invitation data is typically stored until the invitation is accepted, expires, is withdrawn, or is no longer needed for proof and defense purposes.

10. Data sources where the data was not collected directly from you

If you receive a team invitation, we may not have obtained your data directly from you. In that case, the relevant data usually comes from the team administrator or inviter who entered your email address in order to invite you into a Curlydots workspace.

11. Your rights

Subject to the statutory requirements, you have the right of access, rectification, erasure, restriction of processing, data portability, and the right to object to processing based on Article 6(1)(e) or (f) GDPR. Where processing is based on consent, you may withdraw that consent at any time with effect for the future.

Where we process data on the basis of legitimate interests, you have the right to object on grounds relating to your particular situation under Article 21 GDPR.

12. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. For Sopamo GmbH, the competent authority is generally the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, Holstenstraße 98, 24103 Kiel, Germany.

13. Automated decision-making

We do not use automated decision-making within the meaning of Article 22 GDPR that produces legal effects concerning you or similarly significantly affects you.