
Privacy Policy

We run a sustainable business funded solely by subscriber fees. Our business model relies entirely on maintaining your trust and we don't make money by selling or sharing your data. That is why we respect your privacy and do everything we can to protect the information passing through Cellm.

This document explains how Cellm ("we," "us," "our") handles your information when you use our website, Excel Add-in, and backend services (collectively, "Services").

1 Cellm and the GDPR

1.1 The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a comprehensive EU data protection law effective since May 25, 2018. It sets rules for companies operating in the EU, like Cellm, on how to protect customer data.

This document explains in simple terms what we're doing in order to comply with GDPR.

1.2 How GDPR Applies to Cellm and You

GDPR defines three parties, which we will reference throughout this document:

  • Data Subject: This is the individual whose personal data is being processed. As a Cellm user, this is you.
  • Data Controller: This is the entity that determines the purposes and means of processing personal data. You are a Data Controller for the data you input into our Services (e.g., via the website, email, or prompts in the Add-in), as you decide what data to process using Cellm. We (Cellm) are a Data Controller for the information needed to manage your account (like your email address).
  • Data Processor: This is the entity that processes personal data on behalf of the Data Controller. We (Cellm) act as a Data Processor when we handle the data you provide through our Services.

Both Data Controllers and Data Processors have specific responsibilities under GDPR that we follow to ensure that we are operating legally and ethically. This policy focuses on Cellm's responsibilities as a Data Processor and Controller. Please remember that you, as a Data Controller, are responsible for the data in your prompts and spreadsheets that you choose to process with Cellm.

1.3 Technical Security

We understand you entrust us with important data. Protecting your data's security and privacy is a top priority. That's why we carefully follow industry best practices to keep it safe. You can find more details on our Security page.

1.4 Data Processing and Transfers

How we handle your data:

  • Processing Location: We process data solely within the European Economic Area (EEA). Our servers are located in Germany and our model provider is located in Sweden.
  • Data Movement: We do not move or copy data from our production environment except as necessary for operational purposes like backups, disaster recovery, or maintenance.
  • Third-Party Sharing: We do not sell or trade your personal information. We only share limited information with trusted third-party service providers ("Subprocessors," listed in section 1.9) who help us operate our Services. These providers are equally bound by GDPR to protect your data.
  • Legal Obligations: We may disclose your personal information if required by law, regulation, legal process (like a court order), or enforceable governmental request, or when we believe disclosure is necessary to protect our rights or safety.

1.5 Data Processing Addendum (DPA)

GDPR requires that we have a contract, called a Data Processing Addendum, with our customers that specifies things like how we process your data. In our case, our Data Processing Addendum is our standard Terms of Service, which applies to all of our customers, including you.

1.6 Standard DPA

To ensure consistency and avoid conflicting terms, we rely on our standard DPA incorporated into our Terms of Service. We do not sign individual customer DPAs.

1.7 Data Protection Officer (DPO)

We have appointed a Data Protection Officer who can be contacted regarding any privacy or data protection concerns at dpo@getcellm.com.

Every member of the company knows that any data protection issues should go directly to this person without any delay.

1.8 Data Breach Notification Plan

We work hard to keep our software secure so that there are no data breaches, but in the event that there is one, we have a plan in place that fully complies with the requirements laid out by GDPR. Its steps depend on the specifics of the breach. For example, the breach can be the result of a technical or social failing on our end or can be the result of the customer being tricked into giving their login information to the attacker, in which case it is not a result of insecurity in the software at all.

You can read our full plan below, but the basic idea is that if we become aware of a data breach that affects you, we will notify you within 72 hours of awareness and provide relevant information to help you meet your own obligations as a Data Controller.

If we identify a potential breach or are alerted to one, we immediately take these actions:

1.8.1 Assigning Roles and Responsibilities

The DPO is responsible for overseeing the security incident response, coordinating efforts, and ensuring all necessary actions are taken.

1.8.2 Investigating the Breach

We must understand how the breach happened so we can decide how to respond to it, and try to answer these questions as quickly as possible:

  • How did the breach occur (e.g., technical vulnerability, compromised credentials)?
  • What data was potentially accessed or affected?
  • What actions might have been taken with the data (e.g., viewed, copied, deleted)?
  • Which users were impacted?

1.8.3 Addressing Immediate Threats

If compromised user credentials are the cause, we will secure the affected account (e.g., disable API access) until access is restored to the rightful owner.

If the breach occurred because of a vulnerability in our system, we will prioritize mitigating the vulnerability immediately to prevent further impact.

1.8.4 Addressing the Root Cause

After the immediate threat is negated, we will fix the underlying issue.

1.8.5 Notifying Affected Parties

Based on the investigation, we will notify negatively affected customers and provide details about the breach and steps they might need to take.

1.9 Trusted Third-Party Services (Subprocessors)

We may share limited data with third parties, also known as Subprocessors under GDPR, so that we can offer our services to you, and so that we know how to improve them and remain valuable to you. We use the following third-party services:

  • Cloudflare: For DNS management and cybersecurity protection.
  • Stripe: For secure payment processing.
  • Sentry: For application monitoring, error tracking, and performance analysis.
  • Hetzner: For infrastructure hosting.
  • Mistral AI: For processing prompts on some subscription plans.

We carefully vet our subprocessors for their security and privacy practices.

1.10 Personal Information We Collect

We collect the following personal information to provide our Services:

  • Email address: To manage your account, communicate important service updates (like changes to Terms), and prevent abuse.
  • Unique Stripe Identifiers: If you subscribe, we store Stripe customer and subscription IDs to manage your payments.
  • Unique User ID: An internal identifier to manage your account within our systems.

Your email address and Stripe IDs are encrypted both at rest (when stored in our database) and in transit (when transmitted over networks).

1.11 Data Retention

We store your account information (email, User ID, Stripe IDs) for as long as you maintain an active account with Cellm. You can delete your account at any time, which will remove this information from our primary systems.

Inactive accounts will be automatically deleted after 1 year of inactivity.

Operational data, such as system logs, are retained for a limited period of up to 90 days for security, debugging, and operational continuity.

1.11.1 Stripe Webhook Data

When processing payments or subscription events via Stripe, we temporarily store data received from Stripe webhooks, which may contain your email address and Stripe customer ID. We need to store this data to reliably process Stripe events, as Stripe does not guarantee the order of delivery. Webhook data is retained for a limited period of up to 90 days.

1.12 Your Data Subject Rights

Under GDPR, you have rights regarding your personal data, known as Data Subject Rights (DSRs). These include:

  • Right to Access: You can request access to the personal data we hold about you.
  • Right to Rectification: You can request correction of inaccurate personal data.
  • Right to Be Forgotten: You can request your personal data to be deleted by deleting your account.
  • Right to Data Portability: You can request a copy of your personal data in a portable format.

As a Data Processor, we will not modify or delete the data you process through our service unless instructed by you (the Data Controller), required by law, or outlined in our Terms of Service. We will assist you in fulfilling DSR requests related to the data you process using Cellm.

To exercise your rights regarding your account information held by Cellm, please contact our Data Protection Officer at dpo@getcellm.com. We aim to respond to DSR requests within 30 days, as required by GDPR.

1.13 Lawful Basis for Processing

GDPR requires that we establish a lawful basis for the data you input into the Service. Our primary basis for processing your data is "Legitimate Interests" (Article 6.1.f of GDPR). Our interpretation is that you, the Data Controller, have legitimate interests in using our services to process your data, and we're assisting you in pursuing those interests. Keep in mind that your interests are legitimate only so long as you (the Data Controller) respect our Terms of Service.

For processing your account information (like your email address), our lawful basis includes the necessity to perform our contract with you (providing the service as per our Terms of Service) and our legitimate interest in managing accounts and communicating essential information.

1.14 Your Responsibilities as a Data Controller

You are responsible for ensuring your use of our Service complies with GDPR and other applicable data protection laws. This includes having a lawful basis for processing the data you input and respecting the rights of any individuals whose data you might include.

If you have concerns about your compliance obligations, we recommend seeking independent legal advice or researching GDPR requirements further.

1.15 Policy Review

We review and update this Privacy Policy at least once a year and revise it when necessary.

2 General Information

2.1 Cookies

We use cookies to operate and improve our Services. Cookies are small text files stored on your device. Here's a summary of the cookies we set:

  • Essential Cookies: These are necessary for the website and services to function correctly (e.g., session cookies for login).
    • We set the session_id cookie when you sign in, in order to keep you authenticated.
    • We set the _cellm_session cookie in order to keep track of temporary values like return URLs when signing in.

You can usually manage cookie preferences through your browser settings.

2.2 Third-Party Content and Cookies

Our website might display content hosted by third parties. These third parties may set their own cookies when you interact with their content. These cookies allow them to recognize your computer and compile information. This Privacy Policy only covers cookies set directly by Cellm; it does not cover cookies set by third-party content providers or partners.

2.3 Business Transfers

If Cellm is acquired, merges with another company, or in the unlikely event that we go out of business or enter bankruptcy, user information (including personal data) may be one of the assets transferred to or acquired by a third party. You acknowledge that such transfers may occur and that any acquirer may continue to use your personal information as described in this policy.

2.4 Privacy Policy Changes

We may update this Privacy Policy from time to time. We will post any changes on this page. If the changes are significant, we will provide a more prominent notice, such as sending an email notification.

We encourage you to review this policy periodically. We will keep prior versions available for review.

If you disagree with any changes to this policy, you must stop using Cellm and delete your account.

2.5 Terms of Service

Your use of Cellm is also governed by our Terms of Service, which includes important details about usage, disclaimers, and limitations of liability.

2.6 Contact Us

If you have any questions about this Privacy Policy, please contact us at legal@getcellm.com.

Cellm

Made and hosted in the 🇪🇺 EU.
Funded solely by subscribers.

© 2025 Cellm. All rights reserved.