diff --git a/DEPLOY.md b/DEPLOY.md
new file mode 100644
index 0000000..6b604f3
--- /dev/null
+++ b/DEPLOY.md
@@ -0,0 +1,130 @@
+# Privacy Gateway - Deployment Anleitung
+
+## Übersicht
+- **Container:** CT150
+- **IP:** 192.168.0.150
+- **Services:** PostgreSQL, Ollama (Anonymisierung), Redis, Backend, Frontend, Portainer Agent
+
+## Schnellstart
+
+### 1. CT auf Proxmox erstellen
+```bash
+# Auf Proxmox Host ausführen:
+bash deploy-ct150.sh
+```
+
+### 2. Projekt kopieren
+```bash
+# Vom Workspace aus:
+scp -r /root/.openclaw/workspace/privacy-gateway/* root@192.168.0.150:/opt/privacy-gateway/
+```
+
+### 3. Setup abschließen
+```bash
+ssh root@192.168.0.150
+chmod +x /opt/privacy-gateway/setup-ct150.sh
+bash /opt/privacy-gateway/setup-ct150.sh
+```
+
+## Manuelle Installation (falls nötig)
+
+### Schritt 1: CT erstellen
+```bash
+pct create 150 local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst \
+ --hostname privacy-gateway \
+ --storage local-zfs \
+ --rootfs 32G \
+ --memory 8192 \
+ --cores 4 \
+ --net0 name=eth0,bridge=vmbr0,ip=192.168.0.150/22,gw=192.168.0.1 \
+ --unprivileged 1 \
+ --features nesting=1
+
+pct start 150
+```
+
+### Schritt 2: Docker installieren
+```bash
+pct exec 150 -- bash -c "
+ apt-get update
+ apt-get install -y curl git ca-certificates
+ install -m 0755 -d /etc/apt/keyrings
+ curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+ echo 'deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian bookworm stable' > /etc/apt/sources.list.d/docker.list
+ apt-get update
+ apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
+"
+```
+
+### Schritt 3: Projekt deployen
+```bash
+mkdir -p /opt/privacy-gateway
+cd /opt/privacy-gateway
+# Kopiere alle Dateien...
+docker compose -f docker-compose.ct150.yml up -d
+```
+
+## URLs nach Deployment
+- **Web UI:** http://192.168.0.150
+- **API:** http://192.168.0.150:3000
+- **Health:** http://192.168.0.150:3000/health
+- **Portainer Agent:** Port 9001 (für externen Portainer)
+
+## Konfiguration
+
+### Environment-Variablen
+```bash
+# In /opt/privacy-gateway/.env:
+DB_PASSWORD=dein-sicheres-passwort
+OLLAMA_TARGET_HOST=192.168.2.122 # Dein Ollama Server
+CHAT_MODEL=llama3.2:latest
+```
+
+### Modelle
+Das System braucht:
+1. **Gemma4** (im Anonymizer-Container) - für PII-Erkennung
+2. **Externes Modell** (z.B. auf 192.168.2.122) - für Antworten
+
+## Troubleshooting
+
+### Logs ansehen
+```bash
+docker compose logs -f [service-name]
+```
+
+### Services neu starten
+```bash
+docker compose restart
+```
+
+### Modelle laden
+```bash
+docker exec ollama-privacy ollama pull gemma4:latest
+```
+
+## Architektur
+```
+┌─────────────┐ ┌──────────────┐ ┌──────────────┐ ┌─────────────┐
+│ Browser │────▶│ Frontend │────▶│ Backend │────▶│ Postgres │
+│ │◄────│ (Nginx) │◄────│ (Node.js) │◄────│ │
+└─────────────┘ └──────────────┘ └──────┬───────┘ └─────────────┘
+ │
+ ┌─────────────────────────┼─────────────────────────┐
+ │ │ │
+ ▼ ▼ ▼
+ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐
+ │ Redis │ │ Anonymizer │ │ Externes │
+ │ (Cache) │ │ (Ollama) │ │ Ollama │
+ └──────────────┘ └──────────────┘ └──────────────┘
+```
+
+## Git Repository
+Nach erfolgreichem Test:
+```bash
+cd /opt/privacy-gateway
+git init
+git remote add origin http://192.168.0.146:3000/peter/privacy-gateway.git
+git add .
+git commit -m "Initial deployment CT150"
+git push -u origin master
+```
diff --git a/deploy-ct150.sh b/deploy-ct150.sh
new file mode 100644
index 0000000..9950165
--- /dev/null
+++ b/deploy-ct150.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+# CT150 Privacy Gateway Deployment Script
+# Ausführen auf Proxmox Host: bash deploy-ct150.sh
+
+set -e
+
+CTID=150
+HOSTNAME="privacy-gateway"
+IP="192.168.0.150/22"
+GW="192.168.0.1"
+
+echo "=== CT150 Privacy Gateway Deployment ==="
+
+# Prüfe ob CT existiert
+if pct status $CTID >/dev/null 2>&1; then
+ echo "CT $CTID existiert bereits. Lösche..."
+ pct stop $CTID 2>/dev/null || true
+ pct destroy $CTID
+fi
+
+# Lade Debian 12 Template falls nicht vorhanden
+TEMPLATE="local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst"
+if ! pveam list local | grep -q "debian-12"; then
+ echo "Lade Debian 12 Template..."
+ pveam download local debian-12-standard_12.7-1_amd64.tar.zst
+fi
+
+# Erstelle CT
+echo "Erstelle Container $CTID..."
+pct create $CTID $TEMPLATE \
+ --hostname $HOSTNAME \
+ --storage local-zfs \
+ --rootfs 32G \
+ --memory 8192 \
+ --cores 4 \
+ --net0 name=eth0,bridge=vmbr0,ip=$IP,gw=$GW \
+ --unprivileged 1 \
+ --features nesting=1 \
+ --onboot 1
+
+# Starte CT
+echo "Starte Container..."
+pct start $CTID
+sleep 5
+
+# Warte auf Netzwerk
+until pct exec $CTID -- ping -c 1 192.168.0.1 >/dev/null 2>&1; do
+ echo "Warte auf Netzwerk..."
+ sleep 2
+done
+
+# Installiere Basis-Pakete
+echo "Installiere Pakete..."
+pct exec $CTID -- bash -c "
+ apt-get update
+ apt-get install -y curl wget git nginx ca-certificates gnupg
+
+ # Docker installieren
+ install -m 0755 -d /etc/apt/keyrings
+ curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+ chmod a+r /etc/apt/keyrings/docker.gpg
+
+ echo \"deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian bookworm stable\" > /etc/apt/sources.list.d/docker.list
+
+ apt-get update
+ apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
+
+ # Docker Compose (Plugin)
+ apt-get install -y docker-compose-plugin
+"
+
+# Erstelle Verzeichnis
+echo "Erstelle Projekt-Verzeichnis..."
+pct exec $CTID -- mkdir -p /opt/privacy-gateway
+echo "Container $CTID bereit. Kopiere jetzt das Projekt:"
+echo " scp -r privacy-gateway/* root@192.168.0.150:/opt/privacy-gateway/"
+echo ""
+echo "Dann starte mit:"
+echo " ssh root@192.168.0.150 'cd /opt/privacy-gateway && docker compose up -d'"
diff --git a/docker-compose.ct150.yml b/docker-compose.ct150.yml
new file mode 100644
index 0000000..f658af6
--- /dev/null
+++ b/docker-compose.ct150.yml
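Review bot: Re-running this script silently destroys an existing CT 150 and everything stored inside it, because the `pct status` branch only stops the container and then runs `pct destroy $CTID` with no confirmation; a second run meant to repair a deployment therefore wipes the Postgres and Ollama volumes that docker-compose.ct150.yml keeps on the CT's rootfs. Gate the destructive path behind an explicit flag, e.g. `[[ "${1:-}" == "--force" ]] || { echo "CT $CTID existiert bereits; erneut mit --force starten" >&2; exit 1; }` placed before `pct stop`. The package step also installs `nginx`, which Debian's package starts on port 80 as part of installation, while the `frontend` service in docker-compose.ct150.yml publishes `80:80`, so that bind fails (or the stock nginx page answers instead of the UI) unless nginx is dropped from the list or disabled. Smaller points: the `pveam list local | grep -q "debian-12"` check skips the download when any other debian-12 template is present, after which `pct create` fails on the missing pinned file; `docker-compose-plugin` is installed twice; and `$CTID`, `$TEMPLATE` and `$HOSTNAME` should be quoted, with `set -euo pipefail` instead of bare `set -e`.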
@@ -0,0 +1,138 @@
+version: '3.8'
+
+services:
+ # PostgreSQL
+ postgres:
+ image: postgres:15-alpine
+ container_name: pg-privacy
+ environment:
+ POSTGRES_DB: privacy_gateway
+ POSTGRES_USER: pguser
+ POSTGRES_PASSWORD: ${DB_PASSWORD:-pgsecret150}
+ volumes:
+ - postgres_data:/var/lib/postgresql/data
+ - ./init.sql:/docker-entrypoint-initdb.d/init.sql:ro
+ networks:
+ - privacy-net
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U pguser -d privacy_gateway"]
+ interval: 5s
+ timeout: 5s
+ retries: 5
+ restart: unless-stopped
+
+ # Ollama für Anonymisierung
+ ollama-anonymizer:
+ image: ollama/ollama:latest
+ container_name: ollama-privacy
+ volumes:
+ - ollama_models:/root/.ollama
+ environment:
+ - OLLAMA_KEEP_ALIVE=24h
+ networks:
+ - privacy-net
+ # GPU Support falls vorhanden:
+ # deploy:
+ # resources:
+ # reservations:
+ # devices:
+ # - driver: nvidia
+ # count: 1
+ # capabilities: [gpu]
+ restart: unless-stopped
+ command: >
+ sh -c "
+ ollama serve &
+ sleep 10
+ ollama pull gemma4:latest || true
+ wait
+ "
+
+ # Redis
+ redis:
+ image: redis:7-alpine
+ container_name: redis-privacy
+ volumes:
+ - redis_data:/data
+ networks:
+ - privacy-net
+ restart: unless-stopped
+
+ # Backend API
+ backend:
+ build:
+ context: ./backend
+ dockerfile: Dockerfile
+ container_name: privacy-api
+ environment:
+ - NODE_ENV=production
+ - PORT=3000
+ - DB_HOST=postgres
+ - DB_PORT=5432
+ - DB_NAME=privacy_gateway
+ - DB_USER=pguser
+ - DB_PASSWORD=${DB_PASSWORD:-pgsecret150}
+ - REDIS_HOST=redis
+ - REDIS_PORT=6379
+ - OLLAMA_HOST=ollama-anonymizer
+ - OLLAMA_PORT=11434
+ - ANONYMIZATION_MODEL=gemma4:latest
+ - OLLAMA_TARGET_HOST=${OLLAMA_TARGET_HOST:-192.168.2.122}
+ - OLLAMA_TARGET_PORT=11434
+ - CHAT_MODEL=${CHAT_MODEL:-llama3.2:latest}
+ - CORS_ORIGIN=http://192.168.0.150
+ ports:
+ - "3000:3000"
+ networks:
+ - privacy-net
+ depends_on:
+ postgres:
+ condition: service_healthy
+ redis:
+ condition: service_started
+ ollama-anonymizer:
+ condition: service_started
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD", "wget", "--spider", "-q", "http://localhost:3000/health"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+
+ # Frontend
+ frontend:
+ build:
+ context: ./frontend
+ dockerfile: Dockerfile
+ container_name: privacy-ui
+ environment:
+ - REACT_APP_API_URL=http://192.168.0.150:3000
+ ports:
+ - "80:80"
+ networks:
+ - privacy-net
+ depends_on:
+ - backend
+ restart: unless-stopped
+
+ # Portainer Agent (optional - für Management)
+ portainer-agent:
+ image: portainer/agent:latest
+ container_name: portainer-agent
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /var/lib/docker/volumes:/var/lib/docker/volumes
+ networks:
+ - privacy-net
+ ports:
+ - "9001:9001"
+ restart: unless-stopped
+
+volumes:
+ postgres_data:
+ ollama_models:
+ redis_data:
+
+networks:
+ privacy-net:
+ driver: bridge
diff --git a/setup-ct150.sh b/setup-ct150.sh
new file mode 100644
index 0000000..7637e4a
--- /dev/null
+++ b/setup-ct150.sh
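Review bot: `POSTGRES_PASSWORD: ${DB_PASSWORD:-pgsecret150}` in the `postgres` service, and the matching `DB_PASSWORD=${DB_PASSWORD:-pgsecret150}` in `backend`, fall back to a default that is committed to the repository, so a deployment whose `.env` omits `DB_PASSWORD` runs the database with a publicly known password; use the required form `${DB_PASSWORD:?DB_PASSWORD must be set in .env}` in both places so `docker compose up` refuses to start instead. The `portainer-agent` service is commented as optional but always starts, mounts `/var/run/docker.sock` (root-equivalent on the CT) and publishes `9001:9001` on every interface; put it under a compose `profiles:` entry so it only runs when requested, and bind the port to the one address the external Portainer connects from rather than `0.0.0.0`. The backend's `depends_on` for `ollama-anonymizer` uses `condition: service_started`, which does not wait for the `ollama pull gemma4:latest` in that service's `command`, so early requests can reach a container that has no model yet; a healthcheck on the anonymizer plus `condition: service_healthy` would close that gap. `version: '3.8'` is ignored by current Compose and can be dropped.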
@@ -0,0 +1,61 @@
+#!/bin/bash
+# Post-Install Setup auf CT150
+# Ausführen NACHDEM das Projekt kopiert wurde
+
+cd /opt/privacy-gateway
+
+echo "=== Privacy Gateway Setup ==="
+
+# Environment erstellen
+cp backend/.env.example backend/.env 2>/dev/null || cat > backend/.env << 'EOF'
+NODE_ENV=production
+PORT=3000
+
+# Database
+DB_HOST=postgres
+DB_PORT=5432
+DB_NAME=privacy_gateway
+DB_USER=pguser
+DB_PASSWORD=pgsecret150
+
+# Redis
+REDIS_HOST=redis
+REDIS_PORT=6379
+
+# Anonymizer (local)
+OLLAMA_HOST=ollama-anonymizer
+OLLAMA_PORT=11434
+ANONYMIZATION_MODEL=gemma4:latest
+
+# Target Ollama (external AI)
+OLLAMA_TARGET_HOST=192.168.2.122
+OLLAMA_TARGET_PORT=11434
+CHAT_MODEL=llama3.2:latest
+
+# CORS
+CORS_ORIGIN=http://192.168.0.150
+EOF
+
+# Docker Netzwerk
+docker network create privacy-net 2>/dev/null || true
+
+# Starte Services
+echo "Starte Docker Services..."
+docker compose pull
+docker compose up -d
+
+# Warte auf Datenbank
+echo "Warte auf Datenbank..."
+sleep 10
+
+# Prüfe Health
+echo "Prüfe Services..."
+curl -s http://localhost:3000/health || echo "API noch nicht bereit"
+
+echo ""
+echo "=== Setup abgeschlossen ==="
+echo "Privacy Gateway läuft auf: http://192.168.0.150"
+echo "API: http://192.168.0.150:3000"
+echo ""
+echo "Logs: docker compose logs -f"
+echo "Stop: docker compose down"
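Review bot: The script sets no `set -e` and `cd /opt/privacy-gateway` is unguarded, so when the directory is missing every following command runs in the caller's working directory, including writing a `backend/.env` there; open with `set -euo pipefail` and `cd /opt/privacy-gateway || exit 1`. The `cp backend/.env.example backend/.env ... || cat > backend/.env` line also runs on every invocation, overwriting an already customised `backend/.env` (and whatever `DB_PASSWORD` it held) with the example or with the heredoc default `pgsecret150`; guard it with `[[ -f backend/.env ]] ||` and treat the heredoc as a template that must be edited before the services come up, since it currently bakes a repository-known database password into the deployment. `docker compose pull` / `docker compose up -d` are called without `-f docker-compose.ct150.yml`, although DEPLOY.md and the compose file in this commit use that name, so they find nothing to start unless the repo also ships a plain `docker-compose.yml`. The manual `docker network create privacy-net` is not the network compose uses either: the compose file declares its own `privacy-net` and creates a project-scoped one, so the line can go.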