← Back

Privacy Policy

Last updated: March 2026

1. Data Controller

The entity responsible for data processing via this platform under Article 4(7) of the General Data Protection Regulation (GDPR) is:

The Pending GmbH
Arthur-Müller-Straße 24
12487 Berlin, Germany

Charlottenburg HR-Nr.: HRB250720B
USt.-ID: DE360039760
Geschäftsführung: Tim Kriegler

Phone: +49 176 4726 8780
Email: info@thepending.app

2. About This Service

The Pending Portfolio is a platform that enables registered users to create and publish personal portfolio websites. These portfolios are publicly accessible and may be used by their owners as personal or professional websites.

This privacy policy applies to visitors of portfolio pages as well as registered users of the platform.

3. Data We Collect

3.1 Portfolio Visitor Analytics

When you visit a public portfolio page, we collect the following anonymous analytics data:

  • Approximate geographic location (country, city, region)
  • Device type (desktop, mobile, tablet)
  • Browser name
  • Referrer (the website you came from)
  • Date and time of the visit

To determine your approximate location, your IP address is temporarily sent to a geolocation service (ip-api.com) during the request. Your IP address is never stored in our database. Only the resulting geographic information (e.g., "Germany, Berlin") is retained.

No tracking cookies are used. No fingerprinting techniques are employed. Each page visit is recorded independently and cannot be linked to identify individual visitors across sessions.

This analytics data is available to the portfolio owner to understand how their portfolio is being viewed. The legal basis for this processing is Article 6(1)(f) GDPR (legitimate interest in providing portfolio owners with anonymous visitor statistics).

3.2 Authentication Cookies

If you are a registered user and log in to the platform, we set the following cookies:

  • id-token — Identifies your session
  • access-token — Authorizes API requests
  • refresh-token — Renews expired sessions

These cookies are strictly necessary for the login functionality and are set as HttpOnly (not accessible to JavaScript). They are not used for tracking or advertising. No consent is required for strictly necessary cookies under the ePrivacy Directive.

3.3 User Account Data

When you register, we process your name and email address via AWS Cognito (our authentication provider). This data is necessary to create and manage your account. The legal basis is Article 6(1)(b) GDPR (performance of a contract).

3.4 Portfolio Content

All content you add to your portfolio (text, images, links, social media profiles, calendar availability) is stored on our servers. This data is processed to provide the service you requested. The legal basis is Article 6(1)(b) GDPR (performance of a contract).

As a portfolio owner, you are responsible for the personal data of third parties that you include in your portfolio content. By publishing such content, you confirm that you have the necessary rights and permissions to do so.

4. AI-Assisted Features

The platform offers optional AI-powered features to help you build your portfolio, including bio suggestions, portfolio evaluation, and autofill from uploaded documents or links.

When you use an AI feature, relevant profile data (such as your name, profession, location, and portfolio content) is sent to AWS Bedrock (powered by Anthropic Claude models) for processing. If you upload a file or provide a link, the extracted text or image content is also sent to the AI model.

AI processing occurs in the EU region (eu-central-1). Your data is not used to train AI models and is not retained by the AI provider after the request is completed.

AI features are entirely optional — no data is sent to AI services unless you explicitly trigger an AI action. The legal basis for this processing is Article 6(1)(a) GDPR (consent through explicit user action).

5. Third-Party Services

We use the following third-party services in the operation of this platform:

  • Amazon Web Services (AWS) — Hosting and infrastructure. Data is processed on servers in the EU.
  • AWS Cognito — User authentication and account management.
  • ip-api.com — IP geolocation for anonymous visitor analytics. IP addresses are sent transiently and not stored by us.
  • Google Fonts — Web fonts are loaded from Google servers. Google may receive your IP address when fonts are requested. See Google's Privacy Policy.
  • TikTok — If a portfolio includes TikTok content, the TikTok embed script is loaded. See TikTok's Privacy Policy.
  • Instagram, Spotify, SoundCloud — If a portfolio includes social media integrations, we request public data from their APIs to display previews. No visitor data is shared with these services.
  • AWS Bedrock (Anthropic Claude) — Used for optional AI-assisted features. Profile data is sent for processing only when you explicitly use an AI feature. Data is processed in the EU and not retained by the provider.

Where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place (e.g., EU Standard Contractual Clauses).

6. Data Retention

  • Analytics data is retained for the lifetime of the portfolio. Portfolio owners can delete all analytics data at any time from their analytics dashboard.
  • Account data is retained as long as the account is active. Upon account deletion, all personal data is removed.
  • Portfolio content is retained until deleted by the user or upon account closure.

7. Your Rights

Under the GDPR, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time (where applicable)

To exercise these rights, contact us at info@thepending.app.

If you believe your rights have been violated, you may lodge a complaint with the Berlin data protection authority:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstraße 219, 10969 Berlin
Phone: +49 (0)30 13889-0
Email: mailbox@datenschutz-berlin.de

8. Portfolio Owners' Responsibility

If you use your portfolio page as a personal or professional website, you may be considered a data controller for the content you publish. Depending on your jurisdiction and the nature of your use, you may be required to provide your own imprint or additional privacy disclosures. The Pending GmbH is not liable for content published by portfolio owners.

9. Changes to This Policy

We may update this privacy policy periodically. The current version is always available at this URL.

10. AI Consent & Profile Analysis

10.1 What Requires Consent

The following features require your explicit consent before use, as they involve sending personal data to an AI model for processing:

  • AI Field Suggestions — generates bio, project, or material text based on your profile data
  • Portfolio Evaluation — analyses your full portfolio and provides improvement feedback
  • Autofill & Extend — extracts profile information from uploaded files or website links
  • Show in Agency — lists your profile in our talent agency, which uses AI-powered profile matching

10.2 What Data Is Processed

Depending on the feature used, the following data may be sent to AWS Bedrock for processing:

  • Your name, profession, pronouns, location, and bio text
  • Portfolio content (work entries, press items, further materials)
  • Profile and portfolio images (for visual analysis)
  • Uploaded documents or website content (for autofill/extend)

10.3 How the AI Processes Your Data

AI processing is carried out exclusively via AWS Bedrock using Anthropic Claude models deployed in the EU region (eu-central-1). This means your data never leaves the European Union during AI processing.

Your data is protected as follows:

  • No model training — your data is never used to train or fine-tune AI models
  • No retention — AWS Bedrock does not store your data after the request is completed
  • Request-scoped only — data is sent solely to fulfil the specific action you triggered

10.4 Legal Basis

The legal basis for this processing is Article 6(1)(a) GDPR (consent). You are asked to give consent once — when you first log in or finish initial onboarding. You may change your preference at any time.

10.5 Withdrawing or Changing Consent

You can change your AI consent preference at any time from the Privacy & AI Settings section at the bottom of your profile editor (Edit Profile).

If you withdraw consent:

  • All AI features are immediately disabled
  • Your profile is removed from the agency listing
  • No further data is sent to AI services

Withdrawal of consent does not affect the lawfulness of processing that occurred prior to withdrawal.

10.6 Questions

If you have questions about AI processing or wish to exercise your rights regarding data processed via AI features, contact us at info@thepending.app.