Initial commit: LetsBe Biz project with openclaw source

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-27 16:24:23 +01:00
commit 14ff8fd54c
93 changed files with 31651 additions and 0 deletions

@@ -0,0 +1,187 @@
# LetsBe Biz — Cookie Policy
**Version:** 1.0
**Date:** February 26, 2026
**Authors:** Matt (Founder), Claude (Drafting)
**Status:** Draft — Requires Legal Review Before Publication
**Companion docs:** Privacy Policy v1.0, Terms of Service v1.0
> **Important:** This Cookie Policy is a comprehensive draft covering the LetsBe Biz website and Hub application. It must be reviewed by qualified legal counsel before publication. It is not legal advice.
---
## 1. What Are Cookies?
Cookies are small text files that websites store on your device (computer, tablet, or phone) when you visit them. They serve various purposes — from keeping you logged in to helping us understand how visitors use our website. Similar technologies include local storage, session storage, and tracking pixels; this policy covers all of these.
---
## 2. How We Use Cookies
LetsBe uses a minimal, privacy-first approach to cookies. We categorize cookies into three groups, and only one group is set without your consent.
### 2.1 Strictly Necessary Cookies
These cookies are essential for the website and Hub to function. They cannot be disabled.
| Cookie | Purpose | Duration | Set By |
|--------|---------|----------|--------|
| Session cookie | Keeps you logged into the Hub | Session (expires when you close the browser) | LetsBe |
| CSRF token | Protects against cross-site request forgery attacks | Session | LetsBe |
| Authentication state | Maintains your login across page loads in the Hub | Session or persistent (up to 30 days if "remember me" selected) | LetsBe |
| Cookie consent preference | Remembers your cookie consent choice | 12 months | LetsBe |
| Region preference | Remembers your selected data center region | 12 months | LetsBe |
**Legal basis:** Strictly necessary for the provision of the service you requested (GDPR Art. 6(1)(b); ePrivacy Directive Art. 5(3) exemption).
### 2.2 Analytics Cookies
These cookies help us understand how visitors interact with our website. They are only set with your explicit consent.
| Cookie | Purpose | Duration | Set By |
|--------|---------|----------|--------|
| Analytics session | Tracks page views and visitor behavior within a session | Session | Self-hosted analytics (Umami or equivalent) |
| Analytics visitor ID | Distinguishes unique visitors (anonymized) | 12 months | Self-hosted analytics |
**What we use:** We use self-hosted, privacy-focused analytics (planned: Umami). Unlike Google Analytics, our analytics tool:
- Runs on our own infrastructure (no data sent to third parties)
- Does not use fingerprinting
- Does not track across websites
- Anonymizes visitor data by default
- Complies with GDPR without requiring consent in some configurations — but we ask for consent anyway as a matter of respect
**Legal basis:** Consent (GDPR Art. 6(1)(a); ePrivacy Directive Art. 5(3)).
### 2.3 Marketing Cookies
These cookies help us measure the effectiveness of our email campaigns and marketing content. They are only set with your explicit consent.
| Cookie | Purpose | Duration | Set By |
|--------|---------|----------|--------|
| Email campaign tracking | Identifies which email campaign brought you to the website | Session | LetsBe (via UTM parameters) |
**What we do NOT use:**
- No third-party advertising cookies
- No social media tracking pixels (Facebook, LinkedIn, Twitter/X, etc.)
- No retargeting or remarketing cookies
- No cross-site tracking of any kind
- No data management platforms or ad exchanges
**Legal basis:** Consent (GDPR Art. 6(1)(a); ePrivacy Directive Art. 5(3)).
---
## 3. Your Choices
### 3.1 Cookie Consent Banner
When you first visit the LetsBe website, a cookie consent banner will appear with three options:
- **Accept all** — Enables all cookie categories (strictly necessary + analytics + marketing)
- **Reject all** — Only strictly necessary cookies are set (analytics and marketing are blocked)
- **Customize** — Opens a panel where you can enable or disable each category individually
Your choice is saved for 12 months. You can change your preferences at any time.
### 3.2 Changing Your Preferences
You can update your cookie preferences at any time by:
- Clicking the **"Cookie Settings"** link in the website footer
- Clearing your browser cookies (which resets the consent banner)
- Using your browser's built-in cookie management tools
### 3.3 Global Privacy Control (GPC)
We honor the **Global Privacy Control** signal. If your browser sends a GPC signal (supported in Firefox, Brave, DuckDuckGo, and others), we treat it as an opt-out of all non-essential cookies, consistent with CCPA requirements and emerging EU regulatory guidance.
### 3.4 "Do Not Track" (DNT)
We also honor the **"Do Not Track"** browser header. When detected, non-essential cookies are not set, regardless of any prior consent.
### 3.5 Browser-Level Controls
Most browsers allow you to block or delete cookies through their settings. Note that blocking strictly necessary cookies may prevent the Hub from functioning correctly. Here are links to cookie settings for major browsers:
- [Chrome](https://support.google.com/chrome/answer/95647)
- [Firefox](https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox)
- [Safari](https://support.apple.com/guide/safari/manage-cookies-sfri11471/mac)
- [Edge](https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09)
---
## 4. Third-Party Cookies
**We do not use third-party cookies.** All cookies set on the LetsBe website and Hub are first-party cookies set by LetsBe. We do not embed third-party scripts, ad networks, social media widgets, or tracking pixels that would set their own cookies.
The only external service involved in payment processing (Stripe) operates on its own domain during checkout and sets its own cookies there — not on the LetsBe website.
---
## 5. Cookies in the Hub Application
When you are logged into the Hub (the LetsBe Biz application interface), the following cookies are used:
| Cookie | Purpose | Duration |
|--------|---------|----------|
| Session token | Maintains your authenticated session | Session or up to 30 days ("remember me") |
| CSRF protection | Prevents cross-site request forgery | Session |
| UI preferences | Stores display preferences (theme, sidebar state) | Persistent (12 months) |
These are all strictly necessary or functional cookies and do not require consent. No analytics or tracking cookies are set within the Hub application.
---
## 6. Data Retention for Cookie Data
| Data | Retention |
|------|-----------|
| Cookie consent preference | 12 months, then re-prompted |
| Analytics data (if consented) | 24 months, then automatically purged |
| Session cookies | Deleted when browser session ends |
| Persistent cookies | Expire per the durations listed above |
Analytics data is stored on our own infrastructure (self-hosted) and is never shared with third parties.
---
## 7. Changes to This Policy
We may update this Cookie Policy from time to time. When we make changes, we will update the "Version" and "Date" at the top of this document. For material changes (e.g., introducing new cookie categories or third-party cookies), we will reset the consent banner so you can make a fresh choice.
---
## 8. Contact
If you have questions about our use of cookies, contact us at:
- Email: privacy@letsbe.solutions
- Or use the contact form on our website
For broader privacy questions, see our [Privacy Policy](LetsBe_Biz_Privacy_Policy.md).
---
## 9. Open Questions (Internal — Remove Before Publication)
| # | Question | Status | Notes |
|---|----------|--------|-------|
| 1 | Analytics tool confirmation | Open | Planned: Umami (self-hosted). Confirm before publication. |
| 2 | Privacy/contact email | Open | Same as Privacy Policy — fill in when decided |
| 3 | Cookie banner implementation | Open | Choose provider: custom-built, Klaro, Cookiebot, or similar GDPR-compliant consent manager |
| 4 | GPC technical implementation | Open | Verify that the website and Hub respect `Sec-GPC: 1` header |
| 5 | Stripe checkout cookies | Open | Verify whether Stripe Elements (embedded checkout) sets any cookies on letsbe.solutions domain or only on Stripe's domain |
---
## 10. Changelog
| Version | Date | Changes |
|---------|------|---------|
| 1.0 | 2026-02-26 | Initial draft. Three cookie categories (strictly necessary, analytics, marketing). Self-hosted analytics (Umami planned). No third-party cookies. GPC and DNT honored. Consent-first model with accept all / reject all / customize. Aligned with Privacy Policy v1.0 §12. |
---
*This document is a draft requiring legal review. It should not be published or relied upon as legal advice.*
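Review bot: §2 states that there are exactly three cookie categories and that only strictly necessary cookies are set without consent, but §5 adds a "UI preferences" cookie that is missing from the §2.1 table and describes the Hub cookies as "strictly necessary or functional" and consent-free; "functional" is not one of the three categories, so either add "UI preferences" to §2.1 or drop "functional" from §5 so the two sections agree. The §2.1 and §5 tables also describe the same authentication and CSRF cookies under different labels ("Session cookie" / "Authentication state" vs "Session token"), and neither gives the actual cookie name or the Secure, HttpOnly and SameSite attributes that a consent-manager audit and a published policy are checked against; one table with the real names and attributes, filled in once open question 3 (banner implementation) is settled, would avoid the drift. On §3.4, "regardless of any prior consent" means a DNT header overrides a stored "Accept all" choice, which is a defensible policy, but the implementation then has to evaluate the header on every request rather than only when the consent cookie is written, and open question 4 should cover DNT as well as `Sec-GPC: 1`.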

@@ -0,0 +1,609 @@
# LetsBe Biz — Data Processing Agreement (DPA)
**Version:** 1.0
**Date:** February 26, 2026
**Authors:** Matt (Founder), Claude (Drafting)
**Status:** Draft — Requires Legal Review Before Publication
**Companion docs:** Terms of Service v1.0, Privacy Policy v1.0, Security & GDPR Framework v1.1
> **Important:** This Data Processing Agreement is a comprehensive draft based on GDPR Article 28 requirements and LetsBe's platform architecture. It must be reviewed by qualified legal counsel before being made available to customers. It is not legal advice.
---
## 1. Parties and Background
### 1.1 Parties
This Data Processing Agreement ("DPA") is entered into between:
- **The Customer** ("Controller," "you," "your") — the individual or entity that subscribes to the LetsBe Biz service; and
- **LetsBe Solutions LLC** ("Processor," "LetsBe," "we," "us," "our") — the provider of the LetsBe Biz platform.
### 1.2 Background
This DPA forms part of the Terms of Service ("Agreement") between the Controller and the Processor and supplements the Agreement with respect to the processing of personal data.
The Controller uses the LetsBe Biz platform, which includes a dedicated virtual private server (VPS), open-source business tools, and AI agents. In providing the Service, the Processor processes personal data on behalf of the Controller. This DPA sets out the parties' obligations and rights regarding that processing.
### 1.3 Precedence
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters. In the event of any conflict between this DPA and the Standard Contractual Clauses (Annex IV), the Standard Contractual Clauses shall prevail.
---
## 2. Definitions
In this DPA:
- **"Data Protection Laws"** means all applicable legislation relating to data protection and privacy, including GDPR (Regulation (EU) 2016/679), the UK GDPR, the Swiss Federal Act on Data Protection (FADP), CCPA/CPRA, PIPEDA, and any applicable US state privacy laws, in each case as amended from time to time.
- **"GDPR"** means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
- **"Personal Data"** means any information relating to an identified or identifiable natural person that the Processor processes on behalf of the Controller in connection with the Service, as further described in Annex I.
- **"Processing"** has the meaning given in GDPR Article 4(2) — any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, restriction, erasure, or destruction.
- **"Subprocessor"** means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- **"Data Subject"** means an identified or identifiable natural person to whom the Personal Data relates.
- **"Personal Data Breach"** means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- **"SCCs"** means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914, as may be amended or replaced.
- **"Hub"** means LetsBe's centralized platform for account management, billing, and monitoring, hosted in the EU (Germany).
- **"VPS"** means the dedicated virtual private server provisioned for the Controller, running containerized business tools and AI agents.
- **"Safety Wrapper"** means the LetsBe security extension that redacts credentials and (optionally) PII from data before transmission to LLM providers.
---
## 3. Scope and Duration of Processing
### 3.1 Scope
This DPA applies to all Personal Data that the Processor processes on behalf of the Controller in the course of providing the LetsBe Biz service. The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects are described in **Annex I**.
### 3.2 Duration
The Processor shall process Personal Data for the duration of the Agreement (the Controller's active subscription), plus the post-termination data retention periods described in Section 11 of this DPA.
---
## 4. Controller Obligations
The Controller:
4.1. Is responsible for ensuring that its use of the Service complies with Data Protection Laws, including having a valid legal basis for processing Personal Data.
4.2. Determines what Personal Data enters the platform, which tools are activated, what data is imported, and how AI agents are configured (including autonomy levels, data access scope, and PII scrubbing settings).
4.3. Is responsible for the lawfulness of the instructions it gives to the Processor. If the Processor reasonably believes an instruction infringes Data Protection Laws, it will notify the Controller without undue delay.
4.4. Shall ensure that Data Subjects have been informed about the processing of their Personal Data by the Processor, to the extent required by Data Protection Laws (e.g., GDPR Articles 13 and 14).
4.5. Is responsible for responding to Data Subject requests. The Processor will assist the Controller in fulfilling these requests as described in Section 8.
---
## 5. Processor Obligations
The Processor shall:
### 5.1 Processing on Instructions
Process Personal Data only on the documented instructions of the Controller, unless required to do so by EU or Member State law to which the Processor is subject — in which case, the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law from doing so).
The Controller's documented instructions include: (a) processing in accordance with the Agreement and this DPA; (b) processing initiated by the Controller through use of the Service (including AI agent configuration and tool operation); and (c) processing to comply with other reasonable instructions provided by the Controller where consistent with the terms of this DPA.
### 5.2 Confidentiality
Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor shall limit access to Personal Data to those employees, contractors, and agents who need access to perform their duties.
### 5.3 Security (GDPR Art. 32)
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in **Annex II**. These measures include:
- Encryption of Personal Data at rest and in transit
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing, and evaluating the effectiveness of security measures
### 5.4 Subprocessing
Not engage any Subprocessor without the prior written authorization of the Controller, subject to the general authorization procedure described in Section 7.
### 5.5 Assistance with Data Subject Rights
Assist the Controller, by appropriate technical and organizational measures, in fulfilling the Controller's obligation to respond to Data Subject requests, as described in Section 8.
### 5.6 Assistance with Controller Obligations
Assist the Controller in ensuring compliance with the obligations under GDPR Articles 3236 (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to the Processor.
### 5.7 Data Return and Deletion
At the choice of the Controller, return or delete all Personal Data after the end of the provision of the Service, as described in Section 11.
### 5.8 Audit Rights
Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections, as described in Section 10.
---
## 6. Details of Processing
The details of the processing activities are set out in **Annex I**, which includes:
- Subject matter and duration of the processing
- Nature and purpose of the processing
- Types of Personal Data processed
- Categories of Data Subjects
- The Controller's obligations and rights
---
## 7. Subprocessors
### 7.1 General Authorization
The Controller provides **general written authorization** for the Processor to engage Subprocessors for the purposes described in this DPA. The current list of authorized Subprocessors is set out in **Annex III**.
### 7.2 Notification of Changes
The Processor shall notify the Controller of any intended addition or replacement of a Subprocessor at least **30 days** before the new Subprocessor begins processing Personal Data. Notification will be provided via email and published on the LetsBe subprocessor changelog page.
### 7.3 Objection Right
The Controller may object to a new Subprocessor on reasonable data protection grounds within the 30-day notice period. If the Controller objects:
1. The Processor will make reasonable efforts to address the Controller's objection, including offering an alternative Subprocessor or configuration that avoids data processing by the objected-to Subprocessor.
2. If the Processor cannot reasonably accommodate the objection, the Controller may terminate the affected subscription without penalty by providing written notice within the objection period.
### 7.4 Subprocessor Obligations
The Processor shall:
- Impose data protection obligations on each Subprocessor by way of a written contract that provides at least the same level of protection as this DPA (GDPR Art. 28(4))
- Verify that each Subprocessor has appropriate technical and organizational measures in place
- Remain fully liable to the Controller for the performance of its Subprocessors' obligations
### 7.5 LLM Provider Vetting
Before authorizing a new LLM provider as a Subprocessor, the Processor verifies:
- Contractual prohibition on training models using Controller data
- Data retention limited to the inference request (or a short, documented window for abuse monitoring only)
- Valid international transfer mechanism (adequacy decision, DPF certification, or SCCs)
- Security certifications (SOC 2, ISO 27001, or equivalent)
- Commitment to notify the Processor of breaches without undue delay
---
## 8. Data Subject Rights
### 8.1 Assistance
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including:
- Right of access (GDPR Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Rights related to automated decision-making (Art. 22)
### 8.2 Implementation
The LetsBe Biz platform supports Data Subject rights as follows:
- **Access and Portability:** The Controller has full access to all data on their VPS, including SSH access. All tools support standard export formats (CSV, JSON, MBOX, CalDAV, WebDAV). AI conversation history is exportable as JSON/Markdown. Hub account data is accessible via the customer portal.
- **Rectification:** The Controller has full administrative access to edit any data in their tools and Hub account.
- **Erasure:** The Controller can delete specific data within tools. Full account deletion follows the procedure in Section 11.
- **Restriction:** The Controller can disable individual AI agents, restrict tool access, or freeze their account (stopping all AI processing).
- **Objection to AI processing:** The Controller can configure the Safety Wrapper to exclude specific data categories from AI context. Individual agents can be disabled.
### 8.3 Direct Requests
If a Data Subject contacts the Processor directly with a request, the Processor shall promptly redirect the request to the Controller (unless the request relates to the Processor's own controller activities, such as Hub account data).
### 8.4 Costs
Assistance with Data Subject requests is included in the subscription at no additional charge for a reasonable volume of requests. For requests that are manifestly unfounded, excessive, or require significant manual effort beyond what the platform provides self-service, the Processor may charge a reasonable fee based on administrative costs, with prior notice to the Controller.
---
## 9. Personal Data Breach
### 9.1 Notification to Controller
The Processor shall notify the Controller of a Personal Data Breach **without undue delay** after becoming aware of it, and in any event within **48 hours** of confirmation. The notification shall include:
- A description of the nature of the breach, including (where possible) the categories and approximate number of Data Subjects and records concerned
- The name and contact details of the Processor's data protection contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
### 9.2 Notification to Supervisory Authority
The Processor shall assist the Controller in notifying the relevant supervisory authority within **72 hours** of the Controller becoming aware of the breach (GDPR Art. 33), by providing all necessary information and cooperation.
### 9.3 Notification to Data Subjects
Where the breach is likely to result in a high risk to the rights and freedoms of Data Subjects, the Processor shall assist the Controller in communicating the breach to affected Data Subjects (GDPR Art. 34).
### 9.4 Breach Response
The Processor maintains a documented breach response plan (see Security & GDPR Framework §3.7) that includes:
1. **Contain** — Isolate affected VPS, revoke compromised credentials
2. **Assess** — Determine scope, data categories affected, number of Data Subjects
3. **Notify** — Supervisory authority (72 hours), Controller (without undue delay), Data Subjects (if high risk, as directed by Controller)
4. **Remediate** — Patch vulnerability, rotate affected credentials, update security measures
5. **Document** — Full incident report with timeline, impact assessment, remediation steps
6. **Review** — Post-incident review within 14 days, update security procedures
### 9.5 Breach Detection
Breach detection mechanisms include:
- Safety Wrapper audit logs (all tool executions, credential accesses)
- Hub monitoring (tenant health, connectivity)
- Anomaly detection (mass data export, credential access spikes, unauthorized API calls)
- Uptime Kuma monitoring on each VPS
- Netcup infrastructure-level monitoring
---
## 10. Audit Rights
### 10.1 Information and Evidence
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, including:
- Security & GDPR Framework documentation
- Technical and organizational measures (Annex II)
- Current subprocessor list (Annex III)
- Records of processing activities (ROPA)
- SOC 2 report (when available)
- Penetration test results (summary, when available)
### 10.2 Audits and Inspections
The Controller may conduct an audit or appoint a qualified third-party auditor (subject to reasonable confidentiality obligations) to verify the Processor's compliance with this DPA. Audits are subject to the following conditions:
- The Controller shall provide at least **30 days' written notice** before an audit
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations
- The Controller is entitled to **one audit per 12-month period** (additional audits may be requested in the event of a breach or regulatory investigation)
- The Controller bears the cost of audits, unless the audit reveals material non-compliance, in which case the Processor bears the cost
- The Processor may offer an equivalent assessment (SOC 2 report, third-party certification) in lieu of an on-site audit, provided it is reasonably sufficient to verify compliance
### 10.3 Cooperation
The Processor shall cooperate with the Controller and any supervisory authority in the performance of audits or investigations, to the extent required by Data Protection Laws.
---
## 11. Data Return and Deletion
### 11.1 During the Subscription
The Controller can export all Personal Data at any time during the subscription period, using:
- Tool-native export functions (CRM export, file download, email export, calendar export)
- Direct SSH access to the VPS
- Hub customer portal (for account data)
All tools on the VPS are open-source with standard export formats, ensuring full data portability consistent with the EU Data Act.
### 11.2 Upon Termination
Upon termination or expiration of the Agreement:
1. **48-hour cooling-off period:** After the billing period ends, the Controller's account is marked for deletion and a confirmation email is sent. The Controller has 48 hours to reverse the cancellation.
2. **30-day export window:** After the cooling-off period, the Controller has 30 days to export all data from the VPS. During this period, the VPS remains accessible (tools may be in read-only mode).
3. **Secure deletion:** After the 30-day export window, the Processor securely deprovisions the VPS: disk overwrite via hosting provider API, VPS instance deletion, all snapshots deleted.
4. **Hub data:** Account record is soft-deleted. Billing records are retained for 7 years per German tax law (HGB §257). All other data is purged. Soft-deleted records are hard-deleted after backup rotation (90 days).
### 11.3 Certification of Deletion
Upon request, the Processor shall provide written confirmation that Personal Data has been deleted in accordance with this Section, except for data retained under legal obligations (which will be specified in the confirmation).
---
## 12. International Data Transfers
### 12.1 Controller's VPS Region
The Controller selects a data center region at signup:
- **EU region:** Netcup data centers in Nuremberg, Germany / Vienna, Austria. Personal Data does not leave the EU.
- **NA region:** Netcup data center in Manassas, Virginia, USA. Personal Data is stored in the US.
### 12.2 Hub Data
The Hub always operates in the EU (Germany), regardless of the Controller's VPS region. Account and billing data is processed within the EU.
### 12.3 LLM Inference Transfers
Redacted AI prompts are transferred to third-party LLM providers for inference. Before transfer, the Safety Wrapper strips all credentials and (if enabled) PII. Transfer mechanisms:
| Provider | Location | Transfer Mechanism |
|----------|----------|-------------------|
| Anthropic | US | EU-US Data Privacy Framework + SCCs |
| Google | EU + US | EU-US Data Privacy Framework + SCCs |
| DeepSeek | China | SCCs + supplementary measures + mandatory enhanced redaction |
| OpenRouter | US | EU-US Data Privacy Framework + SCCs |
### 12.4 Standard Contractual Clauses
Where Personal Data is transferred from the EU/EEA to a country without an adequacy decision, the parties agree to the Standard Contractual Clauses (2021 version) as set out in **Annex IV**. The SCCs are incorporated into this DPA by reference.
For transfers where the Controller is established in the EU/EEA and the Processor processes data outside the EU/EEA:
- **Module Two** (Controller to Processor) of the SCCs applies
- The governing law is that of the EU Member State where the Controller is established, or Germany if the Controller is not established in the EU/EEA
- Disputes shall be resolved before the courts of the same jurisdiction
### 12.5 Supplementary Measures
For transfers to jurisdictions where the legal framework may not provide equivalent protection (e.g., China for DeepSeek), the Processor implements supplementary technical measures:
- Mandatory maximum PII scrubbing before transmission
- Credential redaction (always on, non-bypassable)
- Customer opt-in required (not enabled by default)
- Transparent disclosure of hosting jurisdiction in the UI
- Ability for the Controller to block specific providers entirely
---
## 13. Data Protection Impact Assessment
The Processor shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) required under GDPR Article 35, and in any subsequent consultations with supervisory authorities under Article 36, to the extent that the Controller does not otherwise have the information and the assistance is required due to the nature of the processing.
---
## 14. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement (Terms of Service §8), except that:
- The limitations of liability do not apply to either party's obligations under this DPA with respect to Personal Data Breaches (Section 9)
- Each party is liable for damages caused by processing that infringes Data Protection Laws, to the extent required by those laws (GDPR Art. 82)
---
## 15. Term and Termination
### 15.1 Term
This DPA takes effect on the date the Controller accepts the Agreement and remains in effect for as long as the Processor processes Personal Data on behalf of the Controller.
### 15.2 Survival
Sections 9 (Breach Notification), 10 (Audit Rights), 11 (Data Return and Deletion), 12 (International Transfers), and 14 (Liability) survive termination of this DPA to the extent necessary.
---
## 16. Miscellaneous
### 16.1 Amendments
This DPA may be amended by the Processor with at least 30 days' written notice to the Controller. If the Controller does not object within the notice period, the amendments are deemed accepted. If the Controller objects, the existing DPA remains in force, and the Controller may terminate the Agreement if the amendments are material and the parties cannot reach agreement.
### 16.2 Governing Law
This DPA is governed by the law that governs the Agreement, except that the SCCs (Annex IV) are governed as specified therein.
### 16.3 Entire DPA
This DPA (including its Annexes) constitutes the complete agreement between the parties regarding data processing and supersedes all prior agreements on this subject.
---
## Annex I — Details of Processing
### A. List of Parties
**Controller (Data Exporter):**
- Name: [Customer name — populated at signup]
- Address: [Customer address — populated at signup]
- Contact: [Customer email — populated at signup]
- Role: Data controller for all personal data stored in their LetsBe Biz VPS tools
**Processor (Data Importer):**
- Name: LetsBe Solutions LLC
- Address: 221 North Broad Street, Suite 3A, Middletown, DE 19709, USA
- Contact: privacy@letsbe.solutions
- Role: Data processor providing managed VPS, tool deployment, and AI agent services
### B. Description of Processing
| Element | Description |
|---------|-------------|
| **Subject matter** | Processing of personal data through AI-powered management of open-source business tools deployed on a dedicated VPS |
| **Duration** | For the duration of the Controller's subscription, plus post-termination retention periods (Section 11) |
| **Nature of processing** | Storage, retrieval, organization, structuring, consultation, use (including AI-assisted analysis and automation), disclosure by transmission (redacted prompts to LLM providers), restriction, erasure |
| **Purpose of processing** | To provide the LetsBe Biz service: hosting and managing business tools on the Controller's VPS, enabling AI agents to operate those tools on the Controller's behalf, maintaining platform security, and facilitating data portability |
### C. Types of Personal Data
The specific types of personal data processed depend on the Controller's tool selection and use. They may include:
- **Contact data:** Names, email addresses, phone numbers, postal addresses, job titles, company names
- **Communication data:** Email content (subject, body, attachments), chat messages, calendar event details
- **Financial data:** Invoice details, payment amounts, client billing records, expense data
- **Project data:** Task descriptions, project notes, team assignments, comments, time tracking entries
- **File data:** Documents, images, spreadsheets, and other files uploaded to file storage tools
- **Website analytics data:** Visitor IP addresses, page views, referral sources (if website analytics tools are used)
- **AI interaction data:** Conversation transcripts between the Controller's users and AI agents, agent action logs
- **Authentication data:** Usernames and hashed passwords for tool access (managed via Keycloak SSO)
### D. Categories of Data Subjects
The categories of Data Subjects depend on the Controller's use of the platform and may include:
- The Controller's employees and team members
- The Controller's clients and customers
- The Controller's business contacts, leads, and prospects
- Website visitors (if analytics tools are used)
- Email correspondents
- Any other individuals whose data the Controller imports into or creates within the platform tools
### E. Special Categories of Data
The Service is not designed to process special categories of data (GDPR Art. 9) or criminal conviction data (Art. 10). If the Controller stores such data in their tools, the Controller is solely responsible for ensuring a valid legal basis and appropriate safeguards.
### F. Frequency and Retention
- **Frequency:** Processing is continuous for the duration of the subscription (tools and AI agents operate on an ongoing basis)
- **Retention:** Personal data is retained on the Controller's VPS for the duration of the subscription. Upon termination, the data retention schedule in Section 11 applies.
---
## Annex II — Technical and Organizational Measures (TOMs)
The Processor implements the following measures pursuant to GDPR Article 32. These measures apply to all Personal Data processed under this DPA.
### 1. Encryption
| Scope | Measure |
|-------|---------|
| Data at rest (VPS disk) | Netcup full-disk encryption (provider-managed) |
| Secrets registry | AES-256-CBC with scrypt key derivation; key stored on VPS filesystem, never in AI context |
| Data in transit (user ↔ Hub) | TLS 1.3 (HTTPS); Let's Encrypt certificates, auto-renewed |
| Data in transit (user ↔ VPS) | TLS 1.3 via nginx reverse proxy; Let's Encrypt certificates, auto-renewed |
| Data in transit (Safety Wrapper ↔ LLM) | TLS 1.3 (HTTPS via OpenRouter) |
| Backups (Netcup snapshots) | Provider-encrypted snapshots |
| SSH access | ED25519 keys, port 22022; key-only authentication, no password login |
### 2. Access Control
| Scope | Measure |
|-------|---------|
| Customer access to VPS tools | Keycloak SSO — single sign-on across all deployed tools |
| Customer access to Hub | Email + password, session-based authentication |
| Admin access to Hub | Role-based access control (Prisma + middleware) |
| SSH access to VPS | Key-only authentication, non-standard port (22022), fail2ban (5 attempts → 300s ban) |
| AI agent access to tools | Per-agent tool allow/deny lists (OpenClaw configuration) |
| AI agent operational scope | Three-tier autonomy levels with command gating (Safety Wrapper) |
| Inter-tenant isolation | Separate VPS per customer — no shared infrastructure beyond the Hub |
| Tool container isolation | Per-tool Docker networks with fixed subnets (172.20.X.0/28) |
### 3. Secrets Management and AI Data Protection
| Scope | Measure |
|-------|---------|
| Credential generation | 50+ unique credentials per tenant generated at provisioning |
| Credential storage | Encrypted SQLite registry on VPS — never transmitted to LLM providers |
| Outbound redaction | Four-layer redaction of all LLM-bound data: (1) registry match, (2) placeholder substitution, (3) regex safety net, (4) heuristic detection |
| Transcript redaction | Hooks strip secrets from stored session transcripts before persistence |
| Side-channel credential exchange | User-provided secrets exchanged via direct Safety Wrapper API, never entering AI conversation |
| Configurable PII scrubbing | Optional scrubbing of email addresses, phone numbers, addresses, financial data, and names before LLM transmission |
| External Communications Gate | All AI-initiated outbound external communications require human approval |
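The four redaction layers in the table above are described only as a list; the following Python block is an added illustration of that pipeline, not LetsBe's Safety Wrapper code. The registry dict, the `{{SECRET:<name>}}` / `{{REDACTED:<label>}}` placeholder syntax, the regex set, the entropy threshold and the sample prompt are all assumptions constructed for the example. The reading of layers 1 and 2 taken here is that layer 1 finds exact registry values and layer 2 swaps them for stable placeholders that the wrapper can map back locally on the model's reply, so the value itself never crosses the wire; layers 3 and 4 catch secrets the registry does not know about.

```python
"""Four-layer outbound redaction in the shape Annex II describes (added example)."""
import math
import re
from dataclasses import dataclass, field

# Constructed sample registry. In the described architecture this would be the
# encrypted SQLite registry on the tenant VPS; these values are made up.
REGISTRY = {
    "nextcloud_admin_password": "Xk9#vQ2mL8pR!tz",
    "postgres_password": "pg-Rt7Yu2Wq9Lz",
}

# Layer 3: regex safety net for secret shapes the registry may not know about
# (assumed pattern set; a real deployment would carry many more).
SAFETY_NET = {
    "AWS_KEY": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "BEARER": re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/-]{20,}=*"),
    "PEM_KEY": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
    # key=value / key: value forms. The lookbehind skips the "{{SECRET:" prefix and the
    # value class excludes '{', so placeholders from layer 2 are never re-redacted.
    "KEY_VALUE": re.compile(r"(?i)(?<!\{)\b(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*[^\s{]+"),
}

# Layer 4: heuristic detection of long, high-entropy, mixed letter/digit tokens.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+/=#!@$%^&*]{16,}")   # '.' excluded so domains stay whole
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed value, tune per deployment


def shannon_entropy(s: str) -> float:
    counts: dict = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(tok: str) -> bool:
    has_alpha = any(c.isalpha() for c in tok)
    has_digit = any(c.isdigit() for c in tok)
    return has_alpha and has_digit and shannon_entropy(tok) >= ENTROPY_THRESHOLD


@dataclass
class RedactionResult:
    text: str
    findings: list = field(default_factory=list)   # (layer, label) tuples, in detection order


def redact(text: str, registry: dict = REGISTRY) -> RedactionResult:
    result = RedactionResult(text=text)
    # Layers 1 + 2: exact registry match, then placeholder substitution.
    # Longest values first so a value containing another value is handled whole.
    for name, value in sorted(registry.items(), key=lambda kv: -len(kv[1])):
        if value and value in result.text:
            result.text = result.text.replace(value, f"{{{{SECRET:{name}}}}}")
            result.findings.append((1, name))
    # Layer 3: regex safety net.
    for label, pattern in SAFETY_NET.items():
        def _sub(m, label=label):
            result.findings.append((3, label))
            if label == "KEY_VALUE":                      # keep the key name for context
                return f"{m.group(1)}={{{{REDACTED:{label}}}}}"
            return f"{{{{REDACTED:{label}}}}}"
        result.text = pattern.sub(_sub, result.text)
    # Layer 4: heuristic detection on whatever survived the first three layers.
    def _heuristic(m):
        tok = m.group(0)
        if looks_like_secret(tok):
            result.findings.append((4, "HIGH_ENTROPY"))
            return "{{REDACTED:HIGH_ENTROPY}}"
        return tok
    result.text = TOKEN_RE.sub(_heuristic, result.text)
    return result


def restore(text: str, registry: dict = REGISTRY) -> str:
    """Local re-substitution of registry placeholders in the model's reply, so the
    agent can act on it without the secret ever having left the VPS."""
    return re.sub(r"\{\{SECRET:([A-Za-z0-9_]+)\}\}",
                  lambda m: registry.get(m.group(1), m.group(0)), text)


# Constructed sample prompt, as an agent might assemble it before the LLM call.
SAMPLE_PROMPT = (
    "Log into Nextcloud with password Xk9#vQ2mL8pR!tz, set DB_PASSWORD=pg-Rt7Yu2Wq9Lz "
    "in the env file, and copy the S3 key AKIAIOSFODNN7EXAMPLE into the backup job. "
    "The API token is z8Q1mP4vR7tL2kN9xW3bH6. Then tell anna@example.org it is done."
)

if __name__ == "__main__":
    r = redact(SAMPLE_PROMPT)
    print(r.text)
    print(r.findings)
```

Two properties worth checking in any real implementation of this pipeline: running `redact` over its own output must be a no-op (placeholders must not look like secrets to the later layers), and the e-mail address in the sample is deliberately left alone, since the table lists PII scrubbing as a separate, optional layer. The entropy heuristic is the noisiest layer and will occasionally redact long identifiers that are not secrets; that is the intended trade-off for a safety net.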
### 4. Network Security
| Scope | Measure |
|-------|---------|
| Firewall | UFW — only ports 80, 443, 22022 open |
| OpenClaw binding | Localhost only — not accessible from outside VPS |
| Safety Wrapper binding | Localhost only — only OpenClaw and Hub (via nginx) can reach it |
| Container networking | Per-tool isolated Docker networks (172.20.X.0/28), exposed via 127.0.0.1:30XX |
| SSRF protection | Browser tool has configurable domain allowlists |
| Rate limiting | OpenClaw: 10 attempts/60s with 300s lockout; Hub API rate-limited |
| DDoS protection | Netcup infrastructure-level protection + nginx rate limiting |
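The SSH, firewall and binding controls listed in sections 1, 2 and 4 of this Annex are the kind of statements a Controller exercising its audit rights (Section 10) will want verified on the VPS itself rather than taken on trust. The following Python script is an added example of such a check, not LetsBe's tooling; it parses text in the formats that `sshd_config`, `ufw status` and `ss -ltn` produce, and the three inputs embedded below are constructed samples, not captures from a real server. The expected values (port 22022, only 80/443/22022 open, everything else bound to loopback) come from the tables above.

```python
"""Audit a tenant VPS against the SSH, firewall and binding settings in Annex II (added example)."""
import re

EXPECTED_OPEN_PORTS = {80, 443, 22022}   # Annex II section 4: UFW allows only these
EXPECTED_SSH_PORT = 22022                 # Annex II sections 1 and 2
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}  # OpenClaw, Safety Wrapper and 30XX tool ports must bind here


def check_sshd_config(text: str) -> list:
    """Return findings (empty list = compliant) for the body of an sshd_config file."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), value.strip())   # first occurrence wins, as sshd does
    findings = []
    if settings.get("port") != str(EXPECTED_SSH_PORT):
        findings.append(f"sshd Port is {settings.get('port', '22 (default)')}, expected {EXPECTED_SSH_PORT}")
    if settings.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'; Annex II requires key-only login")
    if settings.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if settings.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes permits password-based root login")
    return findings


UFW_RULE = re.compile(r"^(\d+)(?:/(?:tcp|udp))?(?: \(v6\))?\s+ALLOW\b")


def check_ufw(status_text: str) -> list:
    """Return findings for the output of `ufw status`."""
    findings = []
    if "Status: active" not in status_text:
        findings.append("ufw is not active")
    allowed = set()
    for line in status_text.splitlines():
        m = UFW_RULE.match(line.strip())
        if m:
            allowed.add(int(m.group(1)))
    for port in sorted(allowed - EXPECTED_OPEN_PORTS):
        findings.append(f"ufw allows port {port}, which Annex II does not list")
    for port in sorted(EXPECTED_OPEN_PORTS - allowed):
        findings.append(f"ufw has no allow rule for expected port {port}")
    return findings


def check_listeners(ss_text: str) -> list:
    """Return findings for the output of `ss -ltn`: anything not on loopback must be an expected port."""
    findings = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue                                       # header or unrelated line
        addr, _, port = parts[3].rpartition(":")          # Local Address:Port column
        port = int(port)
        if addr not in LOOPBACK and port not in EXPECTED_OPEN_PORTS:
            findings.append(f"port {port} listens on {addr}; only {sorted(EXPECTED_OPEN_PORTS)} may face the network")
    return findings


def audit_all(sshd_text: str, ufw_text: str, ss_text: str) -> dict:
    return {"sshd": check_sshd_config(sshd_text),
            "ufw": check_ufw(ufw_text),
            "listeners": check_listeners(ss_text)}


# Constructed samples (not real captures). The sshd and ufw samples are compliant;
# the ss sample exposes a 30XX tool port on all interfaces, which must be flagged.
SSHD_SAMPLE = "Port 22022\nPasswordAuthentication no\nPubkeyAuthentication yes\nPermitRootLogin prohibit-password\n"
UFW_SAMPLE = """Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22022/tcp                  ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
22022/tcp (v6)             ALLOW       Anywhere (v6)
"""
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:3001      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:443         0.0.0.0:*
LISTEN 0      4096   [::]:443            [::]:*
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    0.0.0.0:22022       0.0.0.0:*
LISTEN 0      4096   0.0.0.0:3002        0.0.0.0:*
"""

if __name__ == "__main__":
    for area, items in audit_all(SSHD_SAMPLE, UFW_SAMPLE, SS_SAMPLE).items():
        print(area, "OK" if not items else items)
```

The listener check is deliberately independent of the firewall check: a tool container that binds `0.0.0.0:30XX` is a finding even while UFW blocks the port, because the control in the table is "exposed via 127.0.0.1:30XX", and a later firewall change should not be the only thing standing between that port and the internet.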
### 5. Monitoring and Audit
| Scope | Measure |
|-------|---------|
| Audit log | Append-only log of all AI agent actions on tenant VPS |
| Token metering | Per-agent, per-model token counts reported to Hub |
| Backup monitoring | Automated backup status monitoring with alerting |
| Uptime monitoring | Uptime Kuma on each VPS + Hub-level health checks |
| Hub telemetry | Aggregated metrics (no PII) — uptime, error rates, usage patterns |
### 6. Physical Security
Delegated to hosting provider (Netcup GmbH):
- ISO 27001 certified data centers in Germany, Austria, and Manassas, Virginia (US)
- TÜV Rheinland annual security audits
- Controlled physical access, CCTV, security personnel
- Redundant power supply, climate control, fire suppression
- Multiple redundant network connections
### 7. Organizational Measures
| Scope | Measure |
|-------|---------|
| Confidentiality | All personnel with access to Personal Data are bound by confidentiality obligations |
| Incident response | Documented breach response plan with detection, containment, notification, remediation, review phases |
| Vendor assessment | All Subprocessors vetted for data protection compliance with DPAs in place |
| Privacy by design | Architecture decisions (isolated VPS, secrets redaction, local storage) embedded from inception |
| Data minimization | Hub stores only account management data; all business data remains on tenant VPS |
---
## Annex III — Authorized Subprocessors
The following Subprocessors are authorized as of the date of this DPA:
| Subprocessor | Purpose | Data Processed | Location | DPA Status |
|-------------|---------|---------------|----------|------------|
| **Netcup GmbH** | VPS hosting | All tenant data (encrypted at rest) | Germany, Austria (EU region); Manassas, Virginia (NA region) | DPA via Netcup CCP |
| **OpenRouter** | LLM API aggregation | Redacted AI prompts (transit only) | US | DPA required — DPF certified |
| **Anthropic** | LLM inference (Claude models) | Redacted AI prompts (transit only) | US | No-training API terms; DPA available |
| **Google** | LLM inference (Gemini models) | Redacted AI prompts (transit only) | EU + US | No-training API terms (paid tier); DPA available |
| **DeepSeek** | LLM inference (DeepSeek models) | Redacted AI prompts (transit only, max redaction, opt-in only) | China | DPA + SCCs + supplementary measures |
| **Stripe** | Payment processing | Customer name, email, payment method | EU (for EU customers), US (for NA customers) | DPA included in Stripe Terms |
| **Poste Pro** (self-hosted) | System emails from Hub | Customer email address, email content | Self-hosted on LetsBe infrastructure (Hub server) | N/A — no third-party subprocessor. If a third-party relay service is adopted in the future, it will be added here with 30 days' advance notice per §9. |
**Subprocessor changelog:** Changes to this list are published at https://letsbe.biz/legal/subprocessors and notified to the Controller via email at least 30 days in advance.
---
## Annex IV — Standard Contractual Clauses (SCCs)
The parties agree that, for international data transfers subject to GDPR where the receiving country does not have an adequacy decision, the Standard Contractual Clauses adopted by European Commission Implementing Decision (EU) 2021/914 of June 4, 2021 shall apply.
**Module Two** (Controller to Processor) applies to transfers from the Controller to the Processor (or its Subprocessors) where the Processor processes data outside the EU/EEA.
The SCCs are incorporated into this DPA by reference. The completed SCC annexes correspond to the Annexes of this DPA:
| SCC Annex | DPA Annex |
|-----------|-----------|
| Annex I (Details of transfer) | This DPA, Annex I |
| Annex II (Technical and organizational measures) | This DPA, Annex II |
| Annex III (List of subprocessors) | This DPA, Annex III |
**SCC-specific selections:**
- **Clause 7 (Docking clause):** Included — additional parties may accede to the SCCs
- **Clause 9(a) (Subprocessor authorization):** Option 2 — General written authorization (with 30-day notice)
- **Clause 11 (Redress):** The optional clause on independent dispute resolution is not included
- **Clause 13 (Supervision):** The competent supervisory authority is determined by the Controller's establishment. For Controllers established in Germany, the BfDI (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit) applies. For Controllers established in other EU member states, the supervisory authority of their establishment applies. Where the Controller is not established in the EU, the German supervisory authority (BfDI) applies as the Processor's Hub infrastructure is located in Germany.
- **Clause 17 (Governing law):** Option 1 — the law of the State of Delaware, USA (consistent with the Agreement/ToS). For EU data subjects, the mandatory provisions of GDPR and applicable member state law continue to apply.
- **Clause 18 (Choice of forum):** The courts of Delaware, USA (consistent with the Agreement/ToS). EU data subjects retain their right to lodge complaints with their local supervisory authority.
> **Note for legal counsel:** The full text of the SCCs should be appended to this DPA as a separate document. The 2021 SCCs are available from the European Commission. This Annex documents the module selection and variable choices; the full SCC text is not reproduced here but is incorporated by reference.
---
## 17. Open Questions (Internal — Remove Before Publication)
| # | Question | Status | Notes |
|---|----------|--------|-------|
| 1 | LetsBe registered address | **Resolved** | 221 North Broad Street, Suite 3A, Middletown, DE 19709, USA |
| 2 | Privacy/DPO contact email | **Resolved** | privacy@letsbe.solutions |
| 3 | Lead supervisory authority | **Resolved** | Determined by Controller's establishment; default BfDI (Germany) given Hub location. See SCC Clause 13 selections. |
| 4 | Governing law and forum selection | **Resolved** | Delaware, USA (matches ToS). EU data subjects retain GDPR rights. |
| 5 | Full SCC text appendix | Open | 2021 SCCs should be appended as a separate document; consider providing as a downloadable PDF alongside this DPA |
| 6 | Email service provider | **Resolved** | Poste Pro (self-hosted). Not a third-party subprocessor — no Annex III entry needed. If a relay service is adopted, add to Annex III with 30-day notice per §9. |
| 7 | Subprocessor changelog URL | Open | Needs a page on the website before launch |
| 8 | Enterprise DPA negotiation process | Open | Standard DPA is self-service via dashboard; enterprise customers may request custom terms. Define process and contact. |
| 9 | UK Addendum | Open | If serving UK customers post-Brexit, an International Data Transfer Addendum (UK IDTA) may be needed alongside or instead of SCCs |
---
## 18. Changelog
| Version | Date | Changes |
|---------|------|---------|
| 1.0 | 2026-02-26 | Initial draft. Full GDPR Art. 28 DPA with four annexes: processing details (Annex I), TOMs (Annex II), subprocessor list (Annex III), SCC framework (Annex IV). Covers: processor obligations, subprocessor management with 30-day notice, data subject rights assistance, breach notification (48h to controller, 72h to authority), audit rights, data return/deletion with 48h cooling-off + 30-day export window, international transfers, DPIA assistance. Aligned with Security & GDPR Framework v1.1, Terms of Service v1.0, and Privacy Policy v1.0. |
---
*This document is a draft requiring legal review. The Standard Contractual Clauses referenced in Annex IV should be appended in full before this DPA is made available to customers. Qualified legal counsel should review this DPA before publication.*


@@ -0,0 +1,275 @@
# LetsBe Biz — Open Source & Legal Compliance Check
**Date:** February 26, 2026
**Prepared by:** Claude (AI-assisted analysis)
**Status:** REQUIRES LEGAL COUNSEL REVIEW
**Scope:** Open source license compliance for managed service model, website/sales pitch accuracy, ToS/Privacy Policy gaps
> **Disclaimer:** This is an AI-assisted compliance analysis, not legal advice. All findings should be reviewed by qualified legal counsel before acting on them. Open source licensing has limited case law and reasonable attorneys may disagree on interpretations.
---
## Executive Summary
**Overall Assessment: PROCEED WITH CONDITIONS**
LetsBe's open source licensing posture is strong — you've already done the hard work of identifying and removing tools with incompatible licenses (n8n, Windmill, Typebot, Invoice Ninja, Akaunting, Twenty, Outline, Poste.io). The remaining tool stack is composed of genuinely open-source licenses (AGPL-3.0, MIT, Apache-2.0, GPL-2.0, LGPL-3.0, MPL-2.0, BSD-2-Clause, Zlib) that permit commercial hosting.
However, there are **7 action items** across three categories that need attention before launch:
| Priority | Category | Count |
|----------|----------|-------|
| **Critical** (fix before launch) | License compliance gaps | 3 |
| **Important** (fix before launch) | Website/sales copy inaccuracies | 2 |
| **Recommended** (fix soon after) | Legal document gaps | 2 |
---
## 1. Open Source License Audit — Current 28-Tool Stack
### 1.1 License Inventory
| License | Tools | Commercial Hosting Allowed | Key Obligations |
|---------|-------|---------------------------|-----------------|
| **AGPL-3.0** (11 tools) | Stalwart Mail, Listmonk, Nextcloud, MinIO, Documenso, Vaultwarden, NocoDB, Cal.com, Plane (expansion) | ✅ Yes | Source code disclosure if modified; network copyleft |
| **MIT** (8 tools) | Chatwoot, Activepieces, Gitea, Umami, GlitchTip, Uptime Kuma, Diun, LibreChat, Ghost, Squidex, BookStack (expansion) | ✅ Yes | Include license/copyright notice |
| **Apache-2.0** (2 tools) | Keycloak, Drone CI | ✅ Yes | Include license/copyright; note changes; patent grant |
| **GPL-2.0** (1 tool) | WordPress | ✅ Yes | Source code disclosure if modified and distributed |
| **LGPL-3.0** (1 tool) | Odoo (Community Edition) | ✅ Yes | Source code of LGPL portions if modified |
| **MPL-2.0** (1 tool) | Penpot | ✅ Yes | Source code of MPL files if modified |
| **BSD-2-Clause** (1 tool) | Redash | ✅ Yes | Include license/copyright notice |
| **Zlib** (1 tool) | Portainer CE | ✅ Yes | Cannot misrepresent origin |
| **Proprietary** (2 tools) | Orchestrator, SysAdmin Agent | N/A | Your own code |
**Verdict: All 28 tools in the current stack have licenses compatible with your managed service model.** No tool prohibits commercial hosting, managed service provision, or deployment on customer servers.
### 1.2 AGPL-3.0 — Your Primary Compliance Obligation
11 of your 28 tools use AGPL-3.0. This is the most important license to get right.
**What AGPL-3.0 requires:**
The AGPL's "network copyleft" provision (Section 13) requires that if you **modify** AGPL software and make it available to users over a network, you must provide the corresponding source code. Two conditions must BOTH be met:
1. You've **modified** the program (configuration changes are generally not considered modifications)
2. You make the modified program **available over a network**
**Your current posture is good:**
- You deploy **unmodified upstream Docker images** (stated in ToS §2.3 and §7.2)
- You do not create derivative works of the open-source tools
- Each tool runs on the **customer's dedicated server** (not LetsBe's infrastructure)
**However, there are two risk areas:**
---
### 🔴 CRITICAL ACTION ITEM #1: AGPL Source Code Access Mechanism
**The issue:** Even when deploying unmodified AGPL software, best practice (and some legal interpretations) require that you provide users with a way to access the corresponding source code. Several AGPL tools (Nextcloud, Cal.com, Stalwart Mail, etc.) include an "about" page or source code link in their UI, but not all do.
**Your ToS §7.2 says:** "You are the licensee — each tool runs under its upstream open-source license on your dedicated server."
**What's missing:** A practical mechanism for customers to access source code for all AGPL tools. While customers have SSH access to their VPS (and can inspect Docker images), this may not satisfy the AGPL's requirement that source code be "available" through the same network interface.
**Recommendation:**
1. Add a page in the Hub or on each customer VPS that links to the upstream source repository for every deployed tool, along with the exact Docker image tag/version deployed
2. Add a statement to the Open-Source Tools page on your website: "Source code for all tools is available from the upstream projects linked above. We deploy unmodified releases. The exact versions deployed on your server are listed in your dashboard."
3. If you ever contribute patches upstream or make any modifications (even configuration patches baked into Docker images), you must make those available under the same AGPL license
**Effort:** Low (a few hours of development + copy updates)
---
### 🔴 CRITICAL ACTION ITEM #2: n8n Listed on Website But Removed from Stack
**The issue:** Your website copy (Open-Source Tools page, Page 6) **still lists n8n** under Automation alongside Activepieces:
> | **n8n** | Advanced workflow automation | Sustainable Use License | n8n.io |
This is a significant problem for the following reasons:
1. **n8n's Sustainable Use License explicitly prohibits** hosting n8n as part of a paid service. Listing it implies you deploy it on customer servers as part of the managed service
2. **Your Tool Catalog v2.2** explicitly marks n8n as REMOVED with the note: "Sustainable Use License prohibits hosting as part of a paid service"
3. Your objection handling guide (§4.2) also references n8n as "included in LetsBe" — this needs to be corrected
**Additionally:** Your Foundation Document §3.1 still lists n8n under the Automation category alongside Activepieces. This internal inconsistency could lead to accidental deployment or continued marketing of the tool.
**Recommendation:**
1. Remove n8n from the website copy immediately
2. Remove n8n from the Foundation Document tool table
3. Remove the n8n reference from the Objection Handling Guide (§3.4 and §4.2)
4. Audit all customer-facing materials for any remaining n8n references
5. If you want to reference n8n anywhere, explicitly note it's available for internal/personal use only, not deployed on customer servers
**Effort:** Low (text edits across 3-4 documents)
---
### 🔴 CRITICAL ACTION ITEM #3: Odoo Community vs. Enterprise Clarity
**The issue:** Odoo Community Edition is LGPL-3.0, which is fine for your model. However, Odoo also has an Enterprise Edition under a proprietary license. Your website copy and sales materials reference "Odoo" without distinguishing which edition.
Specific risks:
- If customers expect Enterprise-level features (e.g., advanced manufacturing, accounting localizations, HR payroll) that aren't in Community Edition, this could be a misrepresentation
- The website pricing comparison says "CRM (HubSpot / Salesforce) €20-150 → Included" — but Odoo Community CRM has materially different capabilities than HubSpot or Salesforce
- Your Tool Catalog lists Odoo as LGPL-3.0, which is correct for Community only
**Recommendation:**
1. Clarify in website copy and the Open-Source Tools page that you deploy "Odoo Community Edition (LGPL-3.0)"
2. In the pricing comparison table, be careful not to imply feature parity with commercial CRM/ERP tools — consider adding a footnote: "Open-source alternatives to these tools are included. Feature sets differ from commercial equivalents."
3. Your ToS §2.3 already has good language about enterprise licenses being purchased separately — make sure this is visible on the website too
**Effort:** Low (copy edits)
---
## 2. Website Copy & Sales Pitch Compliance
### 2.1 Claims That Need Attention
#### 🟡 IMPORTANT ACTION ITEM #4: "Your data never touches our systems" — Partially Inaccurate
**The claim (Homepage):** "Your data never touches our infrastructure or anyone else's."
**The reality:**
- The Hub (hosted on LetsBe's EU infrastructure) processes account data, billing data, and aggregated telemetry
- AI prompts (redacted) transit through OpenRouter to LLM providers — these pass through third-party infrastructure
- Stripe processes payment data
**Your Privacy Policy and ToS correctly distinguish these data flows**, but the marketing copy oversimplifies. In a regulatory enforcement context, this kind of absolute claim could be problematic.
**Recommendation:**
- Revise to: "Your business data stays on your server. Account management runs on our EU infrastructure. AI prompts are redacted before reaching any third party." or similar
- The Privacy Policy's §4.4 "Data We Do Not Collect" section does this well — mirror that nuance on the website
- Keep the strong privacy messaging, just avoid absolute claims that the legal docs then qualify
**Effort:** Low (copy edits on 2-3 pages)
---
#### 🟡 IMPORTANT ACTION ITEM #5: "28+ tools" Count Accuracy
**The claim:** "28+ tools" appears throughout the website, pricing, and marketing materials.
**The reality:** Your Tool Catalog lists exactly 28 tools (including 3 core infrastructure tools — Orchestrator, SysAdmin Agent, Portainer — that aren't really "business tools" a customer would think of). The customer-facing tool count should reflect tools they'll actually interact with.
Also, the "+" in "28+" implies more than 28, but the catalog lists exactly 28.
**Recommendation:**
- Either use "25+ business tools" (excluding core infrastructure) or "28 tools" (exact, no "+")
- Alternatively, keep "28+ tools" but ensure the Open-Source Tools page actually lists 28+ distinct tools (which it currently does, though some like Static HTML hosting are thin)
- Be consistent — the Foundation Document says 28, the website says "28+", and the tool grid on the Features page lists about 16 categories, not 28 individual tools
**Effort:** Low (decide on a number and update)
---
## 3. Legal Document Gaps
### 3.1 What You Have (and it's solid)
Your existing legal documents are remarkably thorough for a pre-launch startup:
- **Terms of Service v1.1** — Comprehensive, covers the infrastructure-provider positioning well, good AI disclaimers, proper EU consumer protections, EU AI Act section
- **Privacy Policy v1.0** — Detailed GDPR legal bases, CCPA disclosures, AI data flow transparency, subprocessor list
- **Data Processing Agreement** — Referenced but not yet finalized (noted as open in ToS §14)
- **Cookie Policy** — Drafted
- **Security & GDPR Framework** — Thorough technical security documentation
### 3.2 Remaining Gaps
#### 🟢 RECOMMENDED ACTION ITEM #6: Open Source License Disclosure Page
**The gap:** Your ToS §2.3 promises: "A complete list of deployed tools, their roles, and their licenses is published on our website." Your website copy (Page 6) has this list, but it currently lives in a Markdown doc, not a published web page. Before launch, this needs to be a live, maintained page.
**What it should include:**
- Each tool name, description, license (with link to license text), link to upstream project, and the exact Docker image/tag deployed
- A statement that you deploy unmodified upstream releases
- Information on how to access source code (important for AGPL compliance — see Action Item #1)
- Date of last update
**Effort:** Medium (requires building a page and a process to keep it updated)
---
#### 🟢 RECOMMENDED ACTION ITEM #7: EU Representative (GDPR Art. 27)
**The gap:** Your Privacy Policy §1 notes this: "EU Representative (Art. 27): To be appointed before serving EU customers."
This is **required before you serve your first EU customer**. As a US-based LLC offering services to EU residents, you must designate an EU representative. Several services offer this (DataRep, MCF Technology Solutions, etc.) for a few hundred euros per year.
**Effort:** Low-medium (select a provider, update legal docs)
---
## 4. Additional Compliance Observations
### 4.1 Things You're Doing Right
These deserve acknowledgment because many startups miss them:
1. **License vetting is thorough.** You caught and removed n8n, Windmill, Typebot, Invoice Ninja, Akaunting, Twenty, Outline, and Poste.io — all for legitimate license incompatibilities. Your selection criteria (§1 of Tool Catalog) explicitly excludes BSL, Sustainable Use, and similar source-available licenses.
2. **Infrastructure-provider positioning is smart.** Your ToS §2.3 positions LetsBe as deploying upstream software on customer-owned servers, not as a software vendor. This is the correct legal framing for AGPL compliance — the customer is the licensee, running the software on their infrastructure.
3. **"Unmodified upstream Docker images" claim is important.** If true (and maintained), this significantly reduces AGPL source code obligations. Make sure this is enforced in engineering — any LetsBe-specific patches baked into Docker images would change the calculus.
4. **AI data flow transparency is excellent.** The Privacy Policy's §6 (AI and Your Privacy) and the four-layer Safety Wrapper are documented with more rigor than most enterprise SaaS companies manage.
5. **DeepSeek opt-in with enhanced redaction** addresses the China data transfer concern proactively.
6. **EU AI Act section (ToS §12)** positions you ahead of most competitors on transparency.
### 4.2 Future Risks to Monitor
1. **Odoo LGPL-3.0 and custom modules:** If you ever build Odoo modules or customize Odoo code (not just configuration), those modifications must be released under LGPL-3.0. This is worth discussing with counsel before your engineering team starts building Odoo integrations that go beyond API calls.
2. **Expansion catalog tools:** As you add P1/P2 tools from the expansion catalog, re-verify licenses at integration time. Licenses can change between versions (as you discovered with Typebot's switch from AGPL to FSL).
3. **AGPL "modification" boundary:** The AGPL community generally considers configuration changes and API calls to not be "modifications" that trigger source code obligations. However, if you ever ship custom Docker images that bundle LetsBe-specific code with AGPL tools, that could be interpreted as creating a derivative work. Keep the Safety Wrapper and tool adapters architecturally separate from the tools themselves.
4. **Ghost's MIT license and content:** Ghost is MIT-licensed, which is the most permissive. However, Ghost's default themes may have different licenses. Verify that any themes deployed are also properly licensed.
5. **Cal.com's AGPL and API usage:** Cal.com's AGPL-3.0 license means that if you modify Cal.com's code (not just use its API), you must share the modifications. Your adapter-based approach (calling APIs without modifying source) should be fine.
### 4.3 Sales Pitch Observations
Your Objection Handling Guide is generally well-aligned with your legal docs, with one exception already noted (n8n reference in §3.4 and §4.2). Two additional notes:
1. **§2.4 ("Is this GDPR compliant?")** — The response says "Yes — by design, not by checkbox." This is good but should add the qualifier that full GDPR compliance also depends on the customer's use (they're the data controller). Your ToS §12.2 covers this well — consider referencing it.
2. **§2.3 ("How do I know my data won't be used to train AI models?")** — The response says "Your documents, emails, and CRM data stay on your server." This is correct for storage, but redacted prompts containing business context do reach LLM providers. The response later addresses this, but leading with "data stays on your server" and then qualifying it could feel misleading. Consider leading with the nuanced version.
---
## 5. Summary Action Items
| # | Priority | Action | Owner | Effort |
|---|----------|--------|-------|--------|
| 1 | 🔴 Critical | Add source code access mechanism for AGPL tools (Hub page + website statement) | Engineering + Legal | Low |
| 2 | 🔴 Critical | Remove n8n from website copy, Foundation Doc, and Objection Handling Guide | Matt | Low |
| 3 | 🔴 Critical | Clarify Odoo = Community Edition (LGPL-3.0) in all customer-facing materials | Matt | Low |
| 4 | 🟡 Important | Revise "data never touches our systems" claims to match Privacy Policy nuance | Matt | Low |
| 5 | 🟡 Important | Standardize "28+ tools" count across all materials | Matt | Low |
| 6 | 🟢 Recommended | Build and publish the Open-Source Tools page as a live web page with version info | Engineering | Medium |
| 7 | 🟢 Recommended | Appoint EU Representative per GDPR Art. 27 before serving EU customers | Matt + Legal | Low-Med |
---
## 6. Counsel Review Recommendations
Before launch, we recommend qualified legal counsel review the following specific questions:
1. **AGPL hosting model validation:** Does deploying unmodified AGPL Docker images on customer-owned VPS instances, managed by LetsBe as a service, constitute "conveying" under AGPL §2? Does the infrastructure-provider positioning hold up?
2. **"Customer is the licensee" framing:** Your ToS §2.3 and §7.2 say the customer is the licensee of the open-source tools. Is this legally defensible given that LetsBe provisions, configures, and maintains the deployments?
3. **AI prompt data and GDPR:** Redacted AI prompts transit to US-based LLM providers. Is the EU-US Data Privacy Framework + SCCs transfer mechanism sufficient, particularly given the business context that may remain in redacted prompts?
4. **EU consumer protection specifics:** German Widerrufsbelehrung format requirements, button labeling for orders (noted as open in ToS §14, item #6)
5. **Liability cap adequacy:** €500/12-month-fees cap (ToS §8.2) given the scope of data processed and AI-driven operations
---
*This document should be treated as a working compliance checklist and updated as items are resolved. It is not legal advice and should be supplemented by review from qualified legal counsel familiar with open source licensing, GDPR, and EU/US commercial law.*


@@ -0,0 +1,466 @@
# LetsBe Biz — Privacy Policy
**Version:** 1.0
**Date:** February 26, 2026
**Authors:** Matt (Founder), Claude (Drafting)
**Status:** Draft — Requires Legal Review Before Publication
**Companion docs:** Terms of Service v1.0, Security & GDPR Framework v1.1, Data Processing Agreement (forthcoming)
> **Important:** This document is a comprehensive draft intended to serve as the public-facing privacy policy for the LetsBe Biz platform. It must be reviewed by qualified legal counsel (EU and US) before publication. It is not legal advice.
---
## 1. Who We Are
**LetsBe Solutions LLC** ("LetsBe," "we," "us," "our") operates the LetsBe Biz platform — a managed service that provides small and medium-sized businesses with a dedicated virtual private server (VPS) running open-source business tools, powered by AI agents.
**Contact for privacy inquiries:**
- Email: privacy@letsbe.solutions
- Postal address: 221 North Broad Street, Suite 3A, Middletown, DE 19709, USA
**Data Protection Officer:** Matt Ciaccio (Founder), serving as interim DPO. Contact: privacy@letsbe.solutions. Formal DPO appointment will be assessed at approximately 100 customers per GDPR Art. 37 requirements.
**EU Representative (Art. 27):** To be appointed before serving EU customers, as required for non-EU established entities offering services to EU residents. Contact details will be published here once appointed. In the interim, privacy inquiries from EU residents may be directed to privacy@letsbe.solutions.
---
## 2. Scope of This Policy
This Privacy Policy applies to:
- The **LetsBe Biz website** (letsbe.solutions and related domains)
- The **Hub** (our centralized platform for account management, billing, and monitoring)
- The **LetsBe Biz service** (your dedicated VPS, the AI agents that operate on it, and all associated tools)
- **Marketing and sales communications** (emails, newsletters, contact forms)
This policy does **not** cover the personal data you or your end users store inside the business tools on your VPS (e.g., CRM contacts, client emails, invoices). For that data, you are the data controller, and LetsBe acts as your data processor under the terms of the Data Processing Agreement (DPA). The DPA governs how we handle your business data and is available in your account dashboard.
---
## 3. Our Role Under Data Protection Law
LetsBe plays two distinct roles depending on the type of data:
**Data Controller** — for data we collect directly from you in connection with running the LetsBe platform:
- Account registration data (name, email, business name)
- Billing and payment data (processed via Stripe)
- Website usage data (cookies, analytics)
- Support and communication records
- Aggregated telemetry (token usage, error rates — no PII)
**Data Processor** — for business data stored on your VPS:
- CRM records, emails, files, calendar events, invoices, AI conversation transcripts, and all other data in your tools
- For this data, you (the customer) are the controller, and our processing is governed by the DPA
This Privacy Policy primarily describes our activities as a data controller. For our processing activities as a data processor, please refer to the DPA.
---
## 4. What Data We Collect
### 4.1 Data You Provide Directly
| Data | When Collected | Purpose |
|------|---------------|---------|
| **Name and email address** | Account registration | Account creation, authentication, communications |
| **Business name, industry, team size** | Onboarding wizard | Service customization, tool recommendations |
| **Billing address** | Subscription checkout | Tax calculation, invoicing, legal compliance |
| **Payment method** | Subscription checkout | Recurring billing (processed by Stripe — we do not store card numbers) |
| **Data center region preference** | Onboarding | VPS provisioning in your chosen region (EU or NA) |
| **Support messages** | When you contact us | Providing assistance, improving the service |
| **Feedback and survey responses** | When you participate | Product improvement |
### 4.2 Data We Collect Automatically
| Data | How Collected | Purpose |
|------|-------------|---------|
| **IP address** | Web server logs | Security, abuse prevention, approximate geolocation for compliance |
| **Browser type and operating system** | HTTP headers | Website compatibility, analytics |
| **Pages visited and time spent** | Website analytics (cookie-based, consent required) | Understanding usage patterns, improving the website |
| **Referral source** | HTTP referrer header | Understanding how visitors find us |
| **Token usage metrics** | Hub telemetry | Billing accuracy, service optimization |
| **Error rates and uptime data** | Hub monitoring | Service reliability, incident detection |
| **Agent activity counts** | Hub telemetry (aggregated, no PII) | Capacity planning, product improvement |
### 4.3 Data from Third Parties
| Source | Data | Purpose |
|--------|------|---------|
| **Stripe** | Payment confirmation, subscription status | Billing management |
| **Poste Pro** (self-hosted) | Delivery receipts, bounce notifications | Ensuring communications reach you. Self-hosted on LetsBe infrastructure; no third-party data sharing for email delivery. |
### 4.4 Data We Do Not Collect
We want to be clear about what we do **not** collect or have access to in our role as controller:
- **Your business tool data** — CRM contacts, client emails, files, invoices, and other data inside your VPS tools. This data stays on your VPS and is controlled by you. We access it only as a processor under the DPA.
- **Raw AI conversation content** — AI session transcripts are stored on your VPS, not on the Hub. We do not read or analyze your AI conversations.
- **Credentials and secrets** — Passwords, API keys, and OAuth tokens generated for your tools are stored encrypted on your VPS. They are never transmitted to the Hub or to AI providers.
---
## 5. How We Use Your Data
### 5.1 Legal Bases for Processing (GDPR Art. 6)
| Processing Activity | Legal Basis | Explanation |
|---------------------|------------|-------------|
| Account creation and management | **Contract performance** (Art. 6(1)(b)) | Necessary to deliver the LetsBe Biz service you subscribed to |
| Payment processing via Stripe | **Contract performance** (Art. 6(1)(b)) | Necessary for billing your subscription |
| Server provisioning and maintenance | **Contract performance** (Art. 6(1)(b)) | Core service delivery |
| Sending transactional emails (invoices, password resets, service notifications) | **Contract performance** (Art. 6(1)(b)) | Necessary for operating your account |
| Token usage metering and billing | **Contract performance** (Art. 6(1)(b)) + **Legitimate interest** (Art. 6(1)(f)) | Billing accuracy and abuse prevention |
| Error and performance monitoring | **Legitimate interest** (Art. 6(1)(f)) | Service reliability and incident response. Our interest: maintaining platform stability. Balanced against: data is aggregated and contains no PII. |
| Website analytics (cookie-based) | **Consent** (Art. 6(1)(a)) | Understanding how visitors use our website. Collected only with your explicit consent via cookie banner. |
| Marketing emails and newsletters | **Consent** (Art. 6(1)(a)) | Keeping you informed about product updates, tips, and offers. Opt-in only. You can unsubscribe at any time. |
| Fraud prevention and security | **Legitimate interest** (Art. 6(1)(f)) | Protecting our platform and customers from abuse. Our interest: security. Balanced against: limited data used (IP address, access patterns). |
| Compliance with legal obligations | **Legal obligation** (Art. 6(1)(c)) | Tax records (HGB §257), responding to lawful authority requests |
### 5.2 What We Do NOT Do With Your Data
- **We do not sell your personal data.** Ever. To anyone. For any reason.
- **We do not share your data with advertisers** or data brokers.
- **We do not use your data for profiling** or targeted advertising.
- **We do not train AI models on your data.** We use API-tier access to LLM providers with contractual prohibitions on training. Your business data never enters any AI training pipeline.
- **We do not monetize your data** in any way beyond providing the service you pay for.
---
## 6. AI and Your Privacy
LetsBe Biz uses AI agents powered by third-party large language models (LLMs) to operate business tools on your behalf. This section explains the data flows involved and the protections we implement.
### 6.1 How AI Data Flows Work
When an AI agent performs a task on your VPS (e.g., drafting an email, updating a CRM record, generating a report), the following occurs:
1. **On your VPS (local):** The agent reads data from your tools and writes results back. This data stays on your server.
2. **Outbound to LLM provider (external):** The agent sends a prompt — containing task context and relevant tool outputs — to a third-party LLM provider for inference. **Before transmission**, the prompt passes through the Safety Wrapper (see §6.2).
3. **Response from LLM provider:** The model's response is returned to your VPS and applied to the relevant tool.
### 6.2 The Safety Wrapper — How We Protect Your Data
Before any data leaves your VPS for AI inference, the Safety Wrapper applies a four-layer redaction process:
1. **Registry match** — All 50+ provisioned credentials on your VPS are registered. Any credential value found in the prompt is replaced with a deterministic placeholder (e.g., `[REDACTED:postgres_password]`).
2. **Placeholder substitution** — Ensures all known secrets are consistently replaced.
3. **Regex safety net** — Pattern matching catches credential-like strings the registry might miss (API keys, tokens, connection strings).
4. **Heuristic detection** — Additional checks for common credential formats.
Additionally, **configurable PII scrubbing** is available. You can enable scrubbing for email addresses, phone numbers, physical addresses, financial data, and names before they are sent to AI providers. Credential scrubbing (layer 1-4) is always on and cannot be disabled.
### 6.3 LLM Providers and Training
We route AI requests through OpenRouter to the following LLM providers:
- **Anthropic** (Claude models) — US-based
- **Google** (Gemini models) — EU and US infrastructure
- **DeepSeek** (DeepSeek models) — China-based (opt-in only, maximum redaction applied)
All providers are contractually prohibited from using your data for model training. We use paid API-tier access, which uniformly comes with no-training guarantees. See our Subprocessor List (§9) for details.
### 6.4 DeepSeek — Enhanced Protections
Given the sensitivity of data transfers to China, DeepSeek models require explicit opt-in and automatically apply the maximum redaction level (mandatory PII scrubbing). The model selection UI transparently discloses the hosting jurisdiction. You can block specific providers entirely via your account settings.
---
## 7. Data Sharing and Recipients
We share your personal data only with the following categories of recipients, and only to the extent necessary for the stated purposes:
| Recipient | Data Shared | Purpose | Location |
|-----------|------------|---------|----------|
| **Netcup GmbH** | Server infrastructure data | VPS hosting | Germany/Austria (EU) or Manassas, Virginia (US) — per your region choice |
| **Stripe** | Name, email, billing address, payment method | Payment processing | EU entity for EU customers, US entity for NA customers |
| **OpenRouter** | Redacted AI prompts (transit only) | LLM API aggregation | US |
| **Anthropic** | Redacted AI prompts (transit only) | LLM inference | US |
| **Google** | Redacted AI prompts (transit only) | LLM inference | EU + US |
| **DeepSeek** | Redacted AI prompts (transit only, maximum redaction, opt-in) | LLM inference | China |
| **Poste Pro** (self-hosted) | Email address, email content | Transactional emails (system notifications, invoices, password resets) and marketing emails (with your consent) | Self-hosted on LetsBe infrastructure (no third-party transfer) |
We do not share your data with any other third parties. We do not use ad networks, social media pixels, or data brokers.
**Legal disclosures:** We may disclose personal data if required by law, regulation, legal process, or governmental request — for example, in response to a valid court order. We will notify you of such requests to the extent legally permitted.
---
## 8. International Data Transfers
### 8.1 Your VPS Data
Your VPS is provisioned in the data center region you choose at signup:
- **EU region** (Netcup — Nuremberg, Germany / Vienna, Austria): Your business data does not leave the EU. GDPR applies natively.
- **NA region** (Netcup — Manassas, Virginia, USA): Your business data stays in the US. CCPA and applicable US state privacy laws apply.
### 8.2 Hub Data
The Hub (account management, billing, monitoring) always operates in the EU (Germany), regardless of your VPS region. Your account data is always GDPR-protected.
### 8.3 AI Inference — Cross-Border Transfers
The only data that regularly crosses borders is **redacted AI prompts** sent to LLM providers. These prompts have all credentials stripped and may have PII scrubbed (configurable). Transfer mechanisms:
| Provider | Location | Transfer Mechanism |
|----------|----------|-------------------|
| Anthropic | US | EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses (SCCs) |
| Google | EU + US | EU-US Data Privacy Framework (DPF) + SCCs |
| DeepSeek | China | SCCs + supplementary measures + mandatory enhanced redaction |
| OpenRouter | US | EU-US Data Privacy Framework (DPF) + SCCs |
| Stripe | EU / US | EU-US Data Privacy Framework (DPF) + SCCs |
All subprocessor DPAs include the 2021 Standard Contractual Clauses as a fallback mechanism. We verify DPF certification for US-based subprocessors.
---
## 9. Subprocessors
We maintain a current list of subprocessors who process personal data on our behalf:
| Subprocessor | Purpose | Data Processed | Location | DPA Status |
|-------------|---------|---------------|----------|------------|
| **Netcup GmbH** | VPS hosting | All tenant data (encrypted at rest) | Germany, Austria (EU); Manassas, Virginia (US) | DPA via Netcup CCP |
| **OpenRouter** | LLM API aggregation | Redacted AI prompts (transit only) | US | DPA required — DPF certified |
| **Anthropic** | LLM inference (Claude models) | Redacted AI prompts (transit only) | US | No-training API terms; DPA available |
| **Google** | LLM inference (Gemini models) | Redacted AI prompts (transit only) | EU + US | No-training API terms (paid tier); DPA available |
| **DeepSeek** | LLM inference (DeepSeek models) | Redacted AI prompts (transit only, max redaction) | China | DPA + SCCs + supplementary measures |
| **Stripe** | Payment processing | Name, email, payment method | EU / US | DPA included in Stripe Terms |
| **Poste Pro** (self-hosted) | System emails | Email address, email content | Self-hosted on LetsBe infrastructure (Hub server) | N/A — no third-party subprocessor |
**Changes to subprocessors:** We provide at least 30 days' advance notice before adding a new subprocessor, via our subprocessor changelog page and email notification. You may object to a new subprocessor on reasonable data protection grounds within the notice period. If we cannot accommodate your objection, you may terminate your subscription without penalty.
---
## 10. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy or as required by law.
| Data | Retention Period | Reason |
|------|-----------------|--------|
| Active account data (name, email, business profile) | Duration of your subscription | Service delivery |
| Billing records (invoices, payment history) | 7 years after creation | German tax law (HGB §257) |
| Hub account record after cancellation | 90 days (soft-delete + backup rotation) | Operational cleanup |
| Website analytics data | 24 months | Website improvement |
| Token usage telemetry (aggregated, no PII) | 24 months | Service optimization |
| Support tickets | 24 months after resolution | Operational reference |
| Marketing consent records | Duration of consent + 3 years | Demonstrating lawful consent |
| Server access logs (IP addresses) | 90 days | Security and abuse prevention |
**Your VPS data** (all business tool data, AI conversations, credentials) is retained for the duration of your subscription. Upon cancellation, a 48-hour cooling-off period applies, followed by a 30-day data export window. After the export window, your VPS is securely wiped (disk overwrite, snapshots deleted, instance removed). See the Terms of Service §10 for full details.
---
## 11. Your Rights
### 11.1 Rights Under GDPR (EU/EEA Residents)
If you are in the EU or EEA, you have the following rights regarding the personal data we process as a controller:
**Right of Access (Art. 15)** — You can request a copy of the personal data we hold about you. We will respond within 30 days. Account data is also visible in your Hub customer portal at any time.
**Right to Rectification (Art. 16)** — You can correct inaccurate personal data. You have full administrative access to edit data in your Hub customer portal (name, email, business details) and all data in your VPS tools. If you encounter data you cannot self-edit, contact us for assistance.
**Right to Erasure (Art. 17)** — You can request deletion of your personal data. Account deletion triggers VPS deprovisioning after the export window. Billing records are retained for 7 years per legal obligation. We will clearly explain any data we cannot delete and the legal basis for retention.
**Right to Restriction of Processing (Art. 18)** — You can request that we limit how we process your data (for example, while a rectification request is being assessed). During restriction, we store the data but do not process it further.
**Right to Data Portability (Art. 20)** — You can request your account data in a structured, machine-readable format (JSON). Your VPS tool data is already fully portable via open-source export formats (CSV, JSON, MBOX, CalDAV, WebDAV) and direct SSH access.
**Right to Object (Art. 21)** — You can object to processing based on legitimate interest (Art. 6(1)(f)). We will stop processing unless we demonstrate compelling legitimate grounds. You can always object to marketing communications — one-click unsubscribe in every email.
**Automated Decision-Making (Art. 22)** — LetsBe's AI agents propose actions but do not make binding decisions without human oversight. Autonomy levels ensure human approval for consequential actions. No fully automated decisions affect your legal rights or similarly significant interests.
### 11.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following additional rights:
**Right to Know** — You can request disclosure of the categories and specific pieces of personal information we collect, the sources, the business purposes, and the third parties with whom we share it.
**Right to Delete** — You can request deletion of personal information we collected from you, subject to certain exceptions (legal obligations, security, completing transactions).
**Right to Opt-Out of Sale/Sharing****LetsBe does not sell or share your personal information** as defined by the CCPA. There is nothing to opt out of. We do not engage in data sales, data brokering, cross-context behavioral advertising, or any other form of data monetization.
**Right to Non-Discrimination** — We will not discriminate against you for exercising your privacy rights.
**Right to Correct** — You can request correction of inaccurate personal information.
**Right to Limit Use of Sensitive Personal Information** — You can limit the use of sensitive personal information to what is necessary for providing the service. LetsBe's architecture already limits data use to service delivery by design.
### 11.3 Rights Under Canadian PIPEDA
Canadian customers have rights to access, correct, and delete personal information under PIPEDA. Our GDPR-compliant practices meet or exceed PIPEDA requirements. You can exercise these rights through the same channels described below.
### 11.4 How to Exercise Your Rights
You can exercise any of your privacy rights by:
- **Self-service:** Edit your profile, export data, or delete your account via the Hub customer portal
- **Email:** Contact us at privacy@letsbe.solutions
- **In-app:** Use the privacy settings in your account dashboard
We will respond to all rights requests within 30 days (GDPR) or 45 days (CCPA). If we need more time (up to an additional 30/45 days respectively), we will explain why and keep you informed.
We do not charge a fee for exercising your rights, except where requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse the request, with explanation).
### 11.5 Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. For EU customers, this is typically the authority in your country of residence. The German federal authority is:
- **BfDI** (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit)
- Website: https://www.bfdi.bund.de
For California residents, you may contact the California Privacy Protection Agency (CPPA) at https://cppa.ca.gov.
---
## 12. Cookies and Website Tracking
### 12.1 Our Approach
We use cookies and similar technologies on the LetsBe website. We respect your choice and follow a consent-first model. For the full details of every cookie we set, see our [Cookie Policy](LetsBe_Biz_Cookie_Policy.md).
### 12.2 Cookie Categories
| Category | Consent Required | Examples | Purpose |
|----------|-----------------|----------|---------|
| **Strictly necessary** | No | Session cookies, CSRF tokens, authentication state | Essential for the website and Hub to function |
| **Analytics** | Yes | Self-hosted analytics (Umami or equivalent) | Understanding how visitors use the website |
| **Marketing** | Yes | Email campaign tracking pixels | Measuring marketing effectiveness |
We do **not** use:
- Third-party advertising cookies
- Social media tracking pixels (Facebook, LinkedIn, etc.)
- Cross-site tracking cookies
- Fingerprinting technologies
### 12.3 Cookie Consent
When you first visit our website, a cookie banner will ask for your consent to non-essential cookies. You can:
- **Accept all** — enables analytics and marketing cookies
- **Reject all** — only strictly necessary cookies are set
- **Customize** — choose which categories to allow
You can change your preferences at any time via the cookie settings link in the website footer.
### 12.4 Global Privacy Control (GPC)
We honor the Global Privacy Control signal. If your browser sends a GPC signal, we treat it as an opt-out of non-essential cookies and data sharing, consistent with CCPA requirements and emerging regulatory standards.
### 12.5 "Do Not Track"
We also honor the "Do Not Track" browser signal. When detected, non-essential cookies are not set.
---
## 13. Children's Privacy
LetsBe Biz is a business platform designed for professional use. We do not knowingly collect personal data from children under the age of 16 (or the applicable age in your jurisdiction). If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
---
## 14. Security
We take the security of your personal data seriously. Our technical and organizational measures include:
- **Encryption at rest:** Full-disk encryption on all VPS instances (Netcup infrastructure)
- **Encryption in transit:** TLS 1.3 for all connections (website, Hub, VPS, LLM providers)
- **Access controls:** Keycloak SSO for tool access, role-based access for the Hub, SSH key-only authentication (port 22022, fail2ban enabled)
- **Secrets management:** AES-256-CBC encrypted secrets registry, four-layer outbound redaction
- **Network security:** UFW firewall (ports 80, 443, 22022 only), localhost-bound internal services, per-tool Docker network isolation
- **Monitoring:** Append-only audit logs, Uptime Kuma monitoring, anomaly detection
- **Physical security:** Netcup ISO 27001 certified data centers with controlled access, CCTV, redundant power, and TÜV Rheinland audited facilities
For the complete security architecture, see our [Security & GDPR Framework](../technical/LetsBe_Biz_Security_GDPR_Framework.md) and the published security page on our website.
---
## 15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
1. Update the "Version" and "Date" at the top of this document
2. Notify you via email at least 30 days before the changes take effect
3. Post the updated policy on our website with a clear summary of what changed
4. For significant changes, display an in-app notification in the Hub
Minor changes (formatting, clarifications that do not affect your rights) may be made without advance notice but will always be reflected in the version history.
Your continued use of the Service after the effective date of an updated policy constitutes acceptance. If you do not agree to the updated policy, you may cancel your subscription before the effective date.
---
## 16. California-Specific Disclosures
This section provides additional disclosures required by the CCPA/CPRA for California residents.
### 16.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information:
| CCPA Category | Examples | Collected | Source |
|--------------|---------|-----------|--------|
| Identifiers | Name, email, IP address, account ID | Yes | Directly from you, automatically |
| Commercial information | Subscription plan, payment history, token usage | Yes | Directly from you, Stripe |
| Internet activity | Pages visited, browser type, referral source | Yes (with consent) | Automatically via website cookies |
| Geolocation | Approximate location from IP address | Yes | Automatically |
| Professional information | Business name, industry, team size | Yes | Directly from you |
| Sensitive personal information | Account credentials (hashed) | Yes | Directly from you |
### 16.2 Business Purposes
We collect and use personal information for the business purposes described in §5 of this policy: providing and maintaining the Service, processing payments, communicating with you, website analytics (with consent), and security.
### 16.3 Sale and Sharing
**We do not sell personal information.** We have not sold personal information in the preceding 12 months. We do not sell the personal information of consumers under 16 years of age.
**We do not share personal information** for cross-context behavioral advertising as defined by the CCPA.
### 16.4 Retention
We retain personal information as described in §10 of this policy.
### 16.5 Right to Opt-Out
Because we do not sell or share personal information, no opt-out is necessary. If our practices change, we will provide a "Do Not Sell or Share My Personal Information" link on our website.
---
## 17. EU AI Act Transparency
In accordance with the EU AI Act (Regulation 2024/1689), we disclose that the LetsBe Biz platform deploys general-purpose AI models provided by third-party companies (Anthropic, Google, DeepSeek, and others). LetsBe is a **deployer** of these AI systems, not a provider of the underlying models.
AI-generated content is labeled as such within the platform. Human oversight is available through configurable autonomy levels, the External Communications Gate (which requires approval for outbound messages), and per-agent permission settings. For more detail, see the Terms of Service §12.
---
## 18. Open Questions (Internal — Remove Before Publication)
| # | Question | Status | Notes |
|---|----------|--------|-------|
| 1 | Privacy email address | **Resolved** | privacy@letsbe.solutions |
| 2 | Registered address / postal address | **Resolved** | 221 North Broad Street, Suite 3A, Middletown, DE 19709, USA |
| 3 | DPO appointment | **Resolved (interim)** | Matt Ciaccio serves as interim DPO. Formal appointment at ~100 customers per GDPR Art. 37. |
| 4 | EU Representative (Art. 27) | **Partially resolved** | Required before serving EU customers. Placeholder language added; appointment needed (consider services like DataRep, MCF Technology Solutions, or a local EU contact). |
| 5 | Website analytics tool | Open | Likely Umami (self-hosted, already in tool stack). Confirm before publication. |
| 6 | Email service provider | **Resolved** | Poste Pro (self-hosted on LetsBe infrastructure). Not a third-party subprocessor. If a relay service is adopted in the future, update subprocessor tables and provide 30-day notice. |
| 7 | Cookie policy as separate document? | Open | Could be a standalone page or kept as §12 of this policy. Simpler to keep integrated. |
| 8 | CCPA threshold applicability | Open | Currently below $26.6M revenue threshold, but building for compliance proactively |
| 9 | Lead supervisory authority | Open | Likely BfDI (Germany) given Hub hosting and Netcup infrastructure. Depends on corporate establishment. |
---
## 19. Changelog
| Version | Date | Changes |
|---------|------|---------|
| 1.0 | 2026-02-26 | Initial draft. Covers: controller/processor roles, data collection and use with GDPR legal bases, AI-specific privacy protections (Safety Wrapper, four-layer redaction, PII scrubbing, LLM provider data flows), data sharing and subprocessors, international transfers (EU-US DPF, SCCs), data retention, full rights sections (GDPR, CCPA/CPRA, PIPEDA), cookies and GPC, children's privacy, security overview, California-specific CCPA disclosures, EU AI Act transparency. Aligned with Security & GDPR Framework v1.1 and Terms of Service v1.0. |
---
*This document is a draft requiring legal review. It should not be published or relied upon as legal advice. Qualified legal counsel in both the EU and the customer's jurisdiction should review this Privacy Policy before publication.*
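Review bot: §14 describes the secrets registry as "AES-256-CBC encrypted" (Secrets management bullet); CBC provides confidentiality only and does not detect modification of the ciphertext, so the policy should state whether the registry is also integrity-protected (an authenticated mode such as AES-256-GCM, or encrypt-then-MAC) and, if it is not, that is a gap to close before this line is published. The same section discloses the SSH port twice ("port 22022" under Access controls and again under Network security); a public privacy policy does not need that operational detail, and "SSH key-only authentication on a non-default port, fail2ban enabled" tells the reader as much. In §9 the OpenRouter row reads "DPA required" while §8.3 already lists DPF + SCCs as the transfer mechanism in force for OpenRouter; either mark the DPA as executed in §9 or flag the §8.3 row as pending so the two tables agree. In §11.2 the "Right to Opt-Out of Sale/Sharing" line has lost its separator and renders as one run of bold text; insert the same spaced dash separator the neighbouring items use between the heading and the sentence. In §18, item 7 (cookie policy as a separate document) is marked Open, but §12.1 already links to a standalone Cookie Policy, so the item can be closed as resolved. §18 as a whole is marked "Remove Before Publication"; add that removal to the publication checklist so the internal notes, including the revenue-threshold remark in item 8, cannot ship in the public document.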


@@ -0,0 +1,507 @@
# LetsBe Biz — Terms of Service
**Version:** 1.1
**Date:** February 26, 2026
**Authors:** Matt (Founder), Claude (Drafting)
**Status:** Draft — Requires Legal Review Before Publication
**Companion docs:** Security & GDPR Framework v1.1, Pricing Model v2.2, Privacy Policy v1.0, DPA v1.0
> **Important:** This document is a comprehensive draft intended to capture all necessary terms based on LetsBe's architecture, pricing, and compliance posture. It must be reviewed by qualified legal counsel (EU and US) before publication. It is not legal advice.
---
## 1. Introduction and Acceptance
### 1.1 Parties
These Terms of Service ("Terms") constitute a legally binding agreement between:
- **LetsBe Solutions LLC** ("LetsBe," "we," "us," "our"), a limited liability company registered in the State of Delaware, USA, with its principal office at 221 North Broad Street, Suite 3A, Middletown, DE 19709, operating the LetsBe Biz platform; and
- **The Customer** ("you," "your"), the individual or entity that creates an account and subscribes to the Service.
### 1.2 Acceptance
By creating an account, subscribing to a plan, or using any part of the Service, you acknowledge that you have read, understood, and agree to be bound by these Terms, our Privacy Policy, and our Data Processing Agreement (DPA). If you are accepting these Terms on behalf of an organization, you represent that you have the authority to bind that organization.
### 1.3 Eligibility
You must be at least 18 years old and capable of entering into a binding contract in your jurisdiction. The Service is designed for business use. If you are a consumer in the EU, mandatory consumer protection laws of your country of residence apply to the extent they cannot be waived by contract.
### 1.4 Changes to Terms
We may update these Terms from time to time. We will notify you of material changes at least 30 days before they take effect, via email and an in-app notification. Your continued use of the Service after the effective date constitutes acceptance. If you do not agree to updated Terms, you may cancel your subscription before the effective date and receive a pro-rata refund for the remaining billing period.
---
## 2. The Service
### 2.1 Description
LetsBe Biz is a managed platform that provides:
- A **dedicated virtual private server (VPS)** provisioned in your chosen data center region, running containerized open-source business tools (CRM, email, file storage, invoicing, project management, and others);
- **AI agents** powered by third-party large language models (LLMs) that operate those tools on your behalf; and
- A **centralized Hub** for account management, billing, provisioning, and monitoring.
### 2.2 Data Center Regions
At signup, you choose a data center region for your VPS:
- **EU region:** Netcup data centers in Nuremberg, Germany or Vienna, Austria.
- **NA region:** Netcup data center in Manassas, Virginia, USA.
Your VPS region determines the jurisdiction governing your business data at rest. The Hub always operates in the EU (Germany) regardless of your VPS region. Your region selection is made at provisioning and cannot be changed without re-provisioning your server (data migration assistance is available).
### 2.3 Tools, Software, and Licensing
**LetsBe is an infrastructure management and AI orchestration provider, not a software vendor.** The tools deployed on your VPS are open-source software maintained by their respective upstream communities. Each tool is subject to its own open-source license (e.g., AGPL-3.0, MIT, Apache 2.0, GPL). LetsBe does not develop, modify, or sublicense these tools — we deploy unmodified upstream releases, configure them for your environment, integrate them with our AI orchestration layer, and manage ongoing updates and maintenance on your behalf.
**You are the licensee.** Each tool runs on your dedicated server under its original open-source license, as if you had installed it yourself. You have full SSH access to your server and all credentials for every deployed tool. LetsBe's service covers the infrastructure management, deployment, integration, and AI-assisted operation of these tools — not the software itself.
**Enterprise licenses.** Some tools offer paid enterprise editions with additional features (e.g., advanced dashboards, multi-tenancy, premium support). If you wish to use enterprise features for any tool, you purchase the enterprise license directly from the tool vendor. LetsBe will assist with deployment and configuration of enterprise-licensed tools on your server at no additional charge.
**No modification of open-source tools.** LetsBe deploys unmodified upstream Docker images. We do not create derivative works of the open-source tools. If we contribute patches upstream, those contributions follow the upstream project's contribution guidelines and license.
We do not guarantee compatibility with future upstream releases or third-party integrations. A complete list of deployed tools, their roles, and their licenses is published on our website.
### 2.4 AI Agents and Models
AI agents operate your tools by sending instructions through the platform's tool registry. Agent behavior is governed by configurable personality files (SOUL.md) and permission files (TOOLS.md) that you can customize.
AI inference is provided by third-party LLM providers routed through OpenRouter. The specific models available are listed in your account settings and may change over time. We do not develop the underlying AI models — we deploy and route them.
**Important limitations of AI agents:**
- AI agents may produce incorrect, incomplete, or inappropriate outputs. You are responsible for reviewing agent actions that affect your business operations, particularly external communications (emails, published content, customer-facing messages).
- AI agents operate within configurable autonomy levels and permission boundaries, but no AI system is infallible. Critical business decisions should involve human review.
- LetsBe implements a four-layer security architecture — (1) **Sandbox** (container isolation), (2) **Tool Policy** (per-agent allow/deny lists), (3) **Command Gating** (autonomy-level approval for sensitive operations), and (4) **Secrets Redaction** (credential stripping before any data reaches an LLM provider) — plus an **External Communications Gate** requiring human approval for outbound messages. These are designed to minimize risk but do not eliminate it entirely.
### 2.5 Service Availability
We target 99.5% uptime for the Hub and provisioned VPS infrastructure. This is a goal, not a guarantee. We do not offer a formal Service Level Agreement (SLA) at this time. Scheduled maintenance windows will be communicated at least 48 hours in advance. Emergency maintenance may occur without notice.
---
## 3. Account and Access
### 3.1 Account Registration
You must provide accurate, complete, and current information when creating your account. You are responsible for maintaining the confidentiality of your account credentials and for all activity that occurs under your account.
### 3.2 Administrative Access
LetsBe maintains SSH access to your VPS for the purposes of:
- Service delivery, maintenance, and updates
- Security patching and incident response
- Customer support (when requested)
- Monitoring and backup operations
This access is logged and auditable. We will not access your data for purposes other than service delivery and support. Advanced users may request to manage their own SSH access (at which point LetsBe support capabilities will be limited).
### 3.3 Account Security
You are responsible for:
- Keeping your login credentials secure
- Notifying us immediately if you suspect unauthorized access
- Ensuring that any users you invite to your server comply with these Terms
---
## 4. Subscription, Pricing, and Payment
### 4.1 Subscription Plans
LetsBe Biz offers tiered subscription plans (currently: Lite, Build, Scale, Enterprise) that differ in server resources and included AI token allotments. Plan details, pricing, and feature comparisons are published on our website and may be updated from time to time. The plan in effect at the time of your subscription or renewal governs your entitlements for that billing period.
### 4.2 Pricing
Current subscription prices are:
| Plan | VPS (Shared Cores) | RS (Dedicated Cores) |
|------|-------------------|---------------------|
| Lite (available during onboarding only) | €29/mo | €35/mo |
| Build | €45/mo | €55/mo |
| Scale | €75/mo | €89/mo |
| Enterprise | €109/mo | €149/mo |
Prices are in Euros (€). Applicable taxes (VAT, sales tax) are added at checkout based on your billing address. Prices may vary slightly by data center region (approximately ±€1-2/mo). An annual billing option is available at a 15% discount, paid upfront.
### 4.3 AI Token Usage
Each plan includes a monthly pool of AI tokens for use with included models. Token usage is pooled across all agents and does not roll over between billing periods.
**Premium AI models** (e.g., Claude Sonnet, GPT 5.2, Claude Opus) are metered separately and billed to your payment method at published per-token rates. Premium model usage requires a credit card on file. Current premium pricing is displayed in your account settings.
**Overage on included models:** When your included token pool is exhausted, included model usage either pauses until the next billing cycle or, if you have opted into overage billing, continues at a marked-up per-token rate.
### 4.4 Payment Terms
Payments are processed by Stripe. By subscribing, you authorize recurring charges to your payment method. Subscriptions are billed monthly (or annually, if selected) in advance. Premium AI usage and overage charges are billed monthly in arrears.
If a payment fails, we will attempt to charge your payment method up to three times over seven days. If all attempts fail, your account may be suspended. You will be notified before suspension and given the opportunity to update your payment method.
### 4.5 Price Changes
We may change subscription prices with at least 60 days' written notice. Price changes take effect at your next renewal date after the notice period. If you do not agree to a price change, you may cancel before the renewal date.
### 4.6 Refunds
Monthly subscriptions may be cancelled at any time. No refunds are provided for partial billing periods, except where required by applicable law (see §4.7).
Annual subscriptions may be cancelled at any time. If cancelled within the first 14 days, you receive a full refund. After 14 days, the subscription continues until the end of the annual term and is not renewed.
### 4.7 EU Consumer Right of Withdrawal
If you are a consumer in the European Union, you have the right to withdraw from this contract within 14 days of purchase without giving any reason ("cooling-off period"), in accordance with EU Directive 2011/83/EU. To exercise this right, notify us at [support email] with a clear statement of your decision. We will reimburse all payments within 14 days.
If you have expressly requested that the Service begin during the withdrawal period (by using your provisioned VPS), you acknowledge that you may lose the right of withdrawal once the Service has been fully performed, and you may be liable for charges proportional to the service provided up to the point of withdrawal.
### 4.8 Founding Member Program
The Founding Member Program offers enhanced terms (currently: 2× included AI token allotment) for a limited number of early customers. Founding member benefits are valid for 12 months from the date of enrollment. Founding member pricing (subscription rate) is locked for the duration of the founding period. Specific founding member terms are communicated at enrollment and supplement these Terms.
---
## 5. Data Ownership, Processing, and Privacy
### 5.1 Your Data
**You own your data.** All business data stored on your VPS — including but not limited to CRM records, emails, files, invoices, project data, AI conversation transcripts, and tool configurations — belongs to you. LetsBe does not claim any ownership, license, or interest in your data.
### 5.2 Data Processing
LetsBe processes your data as a **data processor** (GDPR Art. 28) acting on your instructions. The specific terms of data processing are governed by the Data Processing Agreement (DPA), which is incorporated into these Terms by reference. The DPA covers:
- Categories of data processed
- Purposes and legal bases for processing
- Subprocessor list and change notification process
- Technical and organizational security measures
- Data subject rights support
- Breach notification procedures
- Data return and deletion upon termination
The DPA is available in your account dashboard and is accepted as part of signup.
### 5.2a Breach Notification
In the event of a personal data breach affecting your data, LetsBe will:
1. Notify you (the customer) **without undue delay**, and in any event within **48 hours** of confirming the breach
2. Assist you in notifying the relevant supervisory authority **within 72 hours** of becoming aware of the breach (GDPR Art. 33)
3. Provide details including: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
4. Cooperate with you in meeting your own notification obligations as data controller
Breach detection is supported by the Safety Wrapper audit logs, Hub monitoring, and anomaly detection (see Security & GDPR Framework §3.7 for the full breach response plan).
### 5.3 AI and Data Privacy
When AI agents operate your tools, the following data flows occur:
- **On your VPS (local):** Agents read and write data in your tools. This data stays on your server.
- **To LLM providers (external):** Agent prompts — containing task context and tool outputs — are sent to third-party LLM providers for inference. Before transmission, the **Safety Wrapper** strips all credentials, API keys, and secrets from the prompts. Configurable PII scrubbing is also available.
- **LLM providers do not train on your data.** We use API-tier access with contractual prohibitions on training. See the DPA and our Subprocessor List for details.
### 5.4 Subprocessors
We use third-party subprocessors to deliver the Service. The current list includes:
- **Netcup GmbH** — VPS hosting (EU and US regions)
- **OpenRouter** — LLM API aggregation
- **Anthropic** — LLM inference (Claude models)
- **Google** — LLM inference (Gemini models)
- **DeepSeek** — LLM inference (DeepSeek models; opt-in only with mandatory enhanced redaction due to China data transfer requirements — see DPA §12.5)
- **Stripe** — Payment processing
- **Poste Pro** (self-hosted) — Delivery of system emails from the Hub. Self-hosted on LetsBe infrastructure; not a third-party subprocessor. If a third-party relay service is adopted in the future, it will be added to this list with 30 days' advance notice.
The complete, current subprocessor list is published in our Security documentation and updated with at least 30 days' notice before adding a new subprocessor. You may object to a new subprocessor within that notice period; if we cannot accommodate your objection, you may terminate your subscription.
### 5.5 Data Portability and Export
You can export your data at any time using the tools directly (e.g., CRM export, file download) or via SSH access to your VPS. LetsBe does not impose technical barriers to data portability. Upon termination, you have 30 days to export your data before your VPS is deprovisioned (see §10).
This is consistent with the requirements of the EU Data Act regarding SaaS data portability and switching.
### 5.6 Privacy Policy
Our processing of personal data is further governed by our Privacy Policy, which is incorporated into these Terms by reference. The Privacy Policy describes how we collect, use, and protect personal data in connection with the Service, including the Hub (account data, billing, telemetry).
---
## 6. Acceptable Use
### 6.1 Permitted Use
The Service is intended for lawful business purposes. You may use the Service to operate your business tools, communicate with your customers and contacts, store business data, and leverage AI agents to automate business operations.
### 6.2 Prohibited Use
You may not use the Service to:
- Violate any applicable law, regulation, or third-party right
- Send spam, phishing emails, or other unsolicited bulk communications
- Host or distribute malware, exploit kits, or other malicious software
- Engage in cryptocurrency mining, brute-force attacks, or other resource-abusive activities
- Store or process illegal content (as defined by the law of your VPS region's jurisdiction and the law of Germany, where the Hub operates)
- Attempt to circumvent the Safety Wrapper, secrets firewall, or other security controls
- Resell, sublicense, or white-label the Service without our prior written consent
- Use the AI agents to generate content that violates the acceptable use policies of the underlying LLM providers (Anthropic, Google, DeepSeek, etc.)
- Interfere with the operation of the Service or other customers' servers
### 6.3 Enforcement
If we reasonably determine that you are violating this section, we may:
1. Issue a warning with a deadline to cure the violation
2. Suspend your account pending investigation
3. Terminate your account (see §10)
We will make reasonable efforts to contact you before taking action, except where immediate action is necessary to protect the integrity of the Service or other customers, or to comply with legal obligations.
---
## 7. Intellectual Property
### 7.1 LetsBe IP
The LetsBe platform — including the Hub, Safety Wrapper, agent framework, provisioning system, and all associated software, documentation, and branding — is owned by LetsBe Solutions LLC and its licensors. These Terms grant you a limited, non-exclusive, non-transferable license to use the platform for the duration of your subscription. You do not acquire any ownership interest in the platform.
### 7.2 Open-Source Tools
The business tools deployed on your VPS are open-source software, each subject to its own license (e.g., AGPL-3.0, MIT, Apache 2.0, GPL-2.0). LetsBe does not claim ownership of, modify, or sublicense these tools. As described in §2.3, you are the licensee — each tool runs under its upstream open-source license on your dedicated server. Your rights under those licenses (including the right to inspect source code, modify tools, and use them independently of LetsBe) are not restricted by these Terms. LetsBe deploys unmodified upstream Docker images and does not create derivative works of the deployed tools.
### 7.3 Your Content
You retain all rights to content you create, upload, or generate using the Service. LetsBe does not claim any license to your content beyond what is necessary to provide the Service (e.g., storing data on your VPS, transmitting redacted prompts to LLM providers).
### 7.4 AI-Generated Content
Content generated by AI agents on your behalf is your responsibility. You are the publisher and controller of AI-generated content. LetsBe does not guarantee that AI-generated content is accurate, original, non-infringing, or fit for any particular purpose. You are responsible for reviewing AI-generated content before publication or external use.
---
## 8. Limitation of Liability
### 8.1 Disclaimer of Warranties
**To the maximum extent permitted by applicable law,** the Service is provided "AS IS" and "AS AVAILABLE." We disclaim all warranties, express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, and accuracy of AI outputs.
We do not warrant that:
- The Service will be uninterrupted, error-free, or completely secure
- AI agent outputs will be accurate, complete, or appropriate
- The tools deployed on your VPS will be compatible with all data formats, third-party services, or future upstream releases
- Your data will be preserved against all possible loss scenarios
### 8.2 Limitation of Liability
**To the maximum extent permitted by applicable law,** LetsBe's total aggregate liability to you for all claims arising out of or relating to these Terms or the Service shall not exceed the greater of:
- The total fees you paid to LetsBe in the 12 months preceding the claim; or
- €500.
This limitation applies to all causes of action, whether in contract, tort (including negligence), strict liability, or otherwise.
### 8.3 Exclusion of Consequential Damages
**To the maximum extent permitted by applicable law,** neither party shall be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, loss of data, loss of business opportunity, or reputational harm, regardless of whether such damages were foreseeable.
### 8.4 Exceptions
The limitations in §8.2 and §8.3 do not apply to:
- Liability that cannot be limited by applicable law (including, for EU consumers, liability for intentional misconduct or gross negligence)
- Your payment obligations under these Terms
- Either party's indemnification obligations under §9
- Breaches of confidentiality obligations
- LetsBe's obligations under the DPA with respect to data breaches
### 8.5 AI-Specific Disclaimers
You acknowledge that:
- AI agents are probabilistic systems that may produce unexpected, incorrect, or inconsistent results
- The Safety Wrapper and security layers are defense-in-depth measures, not absolute guarantees
- AI agents may take actions within their permitted scope that have unintended business consequences (e.g., sending an email with incorrect information, categorizing a lead incorrectly)
- You are responsible for configuring appropriate autonomy levels, permissions, and review gates for your AI agents
- The External Communications Gate is a safety feature, not a compliance tool — regulatory responsibility for communications sent by AI agents on your behalf remains with you
---
## 9. Indemnification
### 9.1 Your Indemnification
You agree to indemnify, defend, and hold harmless LetsBe, its officers, employees, and agents from and against any claims, damages, losses, liabilities, and expenses (including reasonable legal fees) arising out of:
- Your use of the Service in violation of these Terms
- Your violation of any applicable law or third-party right
- Content you create, store, or transmit through the Service
- Actions taken by AI agents that you configured, authorized, or failed to adequately supervise
- Your failure to comply with data protection obligations as a data controller
### 9.2 LetsBe Indemnification
LetsBe will indemnify, defend, and hold harmless the Customer from and against claims that the LetsBe platform (excluding open-source tools and third-party LLM outputs) infringes a third party's intellectual property rights, provided that you: (a) promptly notify us of the claim, (b) give us sole control of the defense, and (c) cooperate with our defense. If a claim is made or is likely, we may, at our option, modify the Service, obtain a license, or terminate your subscription with a pro-rata refund.
---
## 10. Term and Termination
### 10.1 Term
These Terms are effective from the date you create your account and continue until your subscription is terminated by either party.
### 10.2 Cancellation by You
You may cancel your subscription at any time through your account settings or by contacting support. Upon cancellation:
1. Your subscription remains active until the end of the current billing period
2. No further charges are made (except outstanding premium AI usage or overage charges)
3. After the billing period ends, your account is marked for deletion and a confirmation email is sent. A **48-hour cooling-off period** begins, during which you may reverse the cancellation
4. After the cooling-off period, a **30-day data export window** begins
5. During the export window, your VPS remains accessible for data retrieval (tools may be in read-only mode)
6. After the 30-day window, your VPS is securely deprovisioned: disk wiped, snapshots deleted, instance removed
### 10.3 Termination by LetsBe
We may terminate your account:
- **For cause:** If you materially breach these Terms and fail to cure the breach within 14 days of written notice
- **For prohibited use:** Immediately, if your use poses an imminent threat to the Service, other customers, or legal compliance (with notice as soon as practicable)
- **For non-payment:** If payment is not received after the seven-day retry period described in §4.4
Upon termination by LetsBe, the same 30-day data export window applies, except in cases of illegal activity where we may be required to preserve or disclose data to authorities.
### 10.4 Termination for Convenience by LetsBe
We may discontinue the Service entirely with at least 90 days' written notice. In this case, you will receive a pro-rata refund for any prepaid period remaining after the discontinuation date, and the 30-day data export window applies.
### 10.5 Effect of Termination
Upon termination and expiration of the data export window:
- Your VPS is securely wiped and deleted
- All snapshots and backups of your VPS are deleted
- Your Hub account data is soft-deleted and permanently purged after backup rotation (90 days)
- Billing records are retained for 7 years per German tax law (HGB §257)
- These Terms survive only to the extent necessary: §5.1 (data ownership), §7 (IP), §8 (liability), §9 (indemnification), §11 (governing law), and this §10.5
### 10.6 Data Retention After Termination
| Data | Retained For | Reason |
|------|-------------|--------|
| VPS and all tool data | Deleted after 30-day export window | Service termination |
| Hub account record | 90 days (soft-delete + backup rotation) | Operational cleanup |
| Billing records | 7 years | German tax law (HGB §257) |
| Aggregated telemetry (no PII) | 24 months | Service improvement |
| Support tickets | 24 months after resolution | Operational reference |
---
## 11. Governing Law and Disputes
### 11.1 Governing Law
These Terms are governed by the laws of the State of Delaware, USA, without regard to conflict of laws principles.
**For EU customers:** If you are a consumer habitually resident in the EU, you additionally benefit from the mandatory consumer protection provisions of the law of your country of residence, to the extent those provisions offer greater protection than the governing law of these Terms.
**For US customers:** These Terms are subject to applicable US federal law and the laws of the State of Delaware.
### 11.2 Dispute Resolution
**Informal Resolution First:** Before initiating formal proceedings, both parties agree to attempt to resolve disputes through good-faith negotiation for a period of 30 days after written notice of the dispute.
**EU Customers:** If informal resolution fails, disputes may be submitted to the courts of your country of residence in the EU, or to the courts of [LetsBe jurisdiction]. You may also use the European Commission's Online Dispute Resolution platform at https://ec.europa.eu/consumers/odr.
**Non-EU Customers:** If informal resolution fails, disputes shall be resolved through binding arbitration administered by the American Arbitration Association (AAA) under its Commercial Arbitration Rules, except that either party may seek injunctive relief in a court of competent jurisdiction. The arbitration shall take place in Wilmington, Delaware, or remotely at the parties' election.
### 11.3 Class Action Waiver (US Customers)
To the extent permitted by law, you agree to resolve disputes with LetsBe on an individual basis and waive any right to participate in a class action, class arbitration, or representative proceeding. This waiver does not apply where prohibited by law.
---
## 12. EU AI Act Transparency
### 12.1 AI Disclosure
In accordance with the EU AI Act (Regulation 2024/1689), LetsBe discloses that:
- The Service uses **general-purpose AI models** provided by third parties (Anthropic, Google, DeepSeek, and others) for natural language processing, task execution, and content generation.
- LetsBe is a **deployer** of AI systems, not a provider of the underlying models.
- AI-generated content is labeled as such within the platform interface.
- Human oversight is available through configurable autonomy levels, the External Communications Gate, and per-agent permission settings.
### 12.2 Your Obligations as Deployer
If you use the Service in a context that qualifies as "high-risk" under the EU AI Act (e.g., AI-assisted decision-making affecting individuals' rights), you are responsible for:
- Conducting your own conformity assessment as required by the Act
- Ensuring human oversight appropriate to the risk level
- Maintaining records of AI system usage as required
- Complying with transparency obligations toward individuals affected by AI decisions
LetsBe provides tools (audit logs, autonomy levels, communications gates) to support these obligations but does not assume your regulatory responsibilities.
---
## 13. General Provisions
### 13.1 Entire Agreement
These Terms, together with the Privacy Policy, DPA, and any order forms or founding member agreements, constitute the entire agreement between you and LetsBe regarding the Service. They supersede all prior agreements, representations, and understandings.
### 13.2 Severability
If any provision of these Terms is found to be invalid or unenforceable, that provision shall be enforced to the maximum extent permissible, and the remaining provisions shall remain in full force and effect.
### 13.3 Waiver
Our failure to enforce any provision of these Terms is not a waiver of our right to enforce that provision in the future.
### 13.4 Assignment
You may not assign or transfer these Terms or your subscription without our prior written consent. LetsBe may assign these Terms in connection with a merger, acquisition, or sale of substantially all of its assets, with notice to you.
### 13.5 Force Majeure
Neither party is liable for failure to perform due to events beyond reasonable control, including but not limited to natural disasters, war, terrorism, pandemics, government actions, internet or infrastructure failures, or hosting provider outages. If a force majeure event continues for more than 60 days, either party may terminate the affected subscription.
### 13.6 Notices
Notices under these Terms may be sent by email to the address associated with your account (for notices to you) or to legal@letsbe.solutions (for notices to LetsBe). Notices are effective when sent.
### 13.7 Language
These Terms are drafted in English. If translated into any other language, the English version shall prevail in the event of any inconsistency.
---
## 14. Open Questions (Internal — Remove Before Publication)
| # | Question | Status | Notes |
|---|----------|--------|-------|
| 1 | LetsBe corporate jurisdiction and registered entity | **Resolved** | LetsBe Solutions LLC, registered in Delaware. 221 North Broad Street, Suite 3A, Middletown, DE 19709. Governing law: Delaware. |
| 2 | Arbitration body for non-EU disputes | **Resolved** | AAA (American Arbitration Association), Commercial Arbitration Rules. Venue: Wilmington, DE or remote. |
| 3 | Support email and legal email addresses | **Resolved** | legal@letsbe.solutions (notices), privacy@letsbe.solutions (privacy/DPO), matt@letsbe.solutions (support). |
| 4 | DPA finalization | Open | DPA template referenced throughout — must be completed and available in dashboard before ToS goes live. |
| 5 | SLA formalization | Open | Currently no formal SLA. Consider adding a basic SLA (99.5% uptime commitment with service credits) for Scale/Enterprise tiers. |
| 6 | Consumer protection review (EU) | Open | German/EU consumer protection law may require additional provisions (e.g., Widerrufsbelehrung format, button labeling for orders). Requires legal counsel review. |
| 7 | CCPA-specific disclosures | Open | CCPA requires specific disclosure language for California consumers. May be better placed in Privacy Policy. |
| 8 | Domain reselling terms | Open | If domain reselling via Netcup is offered, separate terms or an addendum may be needed. |
| 9 | Insurance and liability cap adequacy | Open | €500 / 12-month fees liability cap is standard for SaaS but should be reviewed by counsel given the scope of data processed. |
---
## 15. Changelog
| Version | Date | Changes |
|---------|------|---------|
| 1.0 | 2026-02-26 | Initial draft. Covers: service description with dual-region data centers, subscription/pricing/payment, data ownership and processing, AI transparency and disclaimers, acceptable use, IP, liability, termination with 30-day export window, EU AI Act compliance, governing law (placeholder). Aligned with Security & GDPR Framework v1.1 and Pricing Model v2.2. Post-draft consistency fixes: expanded subprocessor list to individual entries, added 48-hour cooling-off period to termination flow (§10.2), added breach notification section (§5.2a) with 72-hour timeline per GDPR Art. 33, clarified four-layer security architecture naming in §2.4. |
---
*This document is a draft requiring legal review. It should not be published or relied upon as legal advice. Qualified legal counsel in both the EU and the customer's jurisdiction should review these Terms before they are made binding.*