Privacy Policy
Last updated: May 2026
1. Privacy at a glance
The following notes give an overview of what happens to your personal data when you use this service. Personal data is any data that can personally identify you.
2. Controller
The controller for data processing on this service is:
Contaxx GmbH
An de Dreew 19, 47839 Krefeld, Germany
Managing Director: Andreas Habeck
Phone: +49 (2151) 328 - 110
E-Mail: info@contaxx.net
3. Data Processors
To operate this service, we use the following data processors (Art. 28 GDPR). With all providers we have data processing agreements or Standard Contractual Clauses (SCC) in place for transfers to third countries:
- Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA: hosting of the web application. Processes IP address, browser and device information, time of access (server logs).
- Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992: database, authentication and file storage. Processes email address, uploaded photos, generated images, session data.
- Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland: AI model Gemini 3.1 Flash Image. Your uploaded photo and the textual prompt are transmitted for image generation. According to Google, the data is processed exclusively to fulfill the API request; no storage beyond the processing duration takes place (see Google Cloud Data Processing Addendum for confirmation).
- Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland: payment processing (card, Apple Pay, Google Pay, PayPal). For an order, the order amount, payment method and data necessary for payment processing are transmitted to Stripe. We do not store complete card or account details ourselves.
- Twilio Inc., 101 Spear Street, Floor 1, San Francisco, CA 94105, USA: sending SMS codes (phone OTP login), if you sign in by phone number.
4. Data processed and purposes
a) Account / Login
When you sign in, we store your email address or phone number. Authentication is passwordless via magic link or SMS code. Legal basis: contract performance (Art. 6 (1) (b) GDPR).
b) Uploaded photos
The photos you upload are stored in your account (Supabase Storage) and transmitted to Google for AI image generation. You can delete uploaded photos from your account at any time (Generator → Photo overview → ✕ icon). Legal basis: contract performance and your consent upon upload (Art. 6 (1) (b) and (a) GDPR).
c) Generated images
AI-generated images are stored in your account so you can download them again later. Deletion is also possible at any time. Legal basis: contract performance (Art. 6 (1) (b) GDPR).
d) Payment and order data
When you purchase a credit bundle, we store the order number, the chosen bundle, the amount and the Stripe transaction ID. Legal basis: contract performance and tax retention obligations (Art. 6 (1) (b) and (c) GDPR).
e) Server logs
The host (Vercel) automatically collects IP address, browser type, operating system, referrer and time of access. Legal basis: legitimate interest in stable operation (Art. 6 (1) (f) GDPR).
5. Your rights
- Information about the data stored about you (Art. 15 GDPR)
- Rectification of incorrect data (Art. 16 GDPR)
- Deletion of your data (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Withdrawal of consent (Art. 7 (3) GDPR)
- Objection to processing based on legitimate interest (Art. 21 GDPR)
- Complaint to the supervisory authority: State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia, Kavalleriestr. 2–4, 40213 Düsseldorf
For any concerns please contact us at info@contaxx.net.
6. Retention periods in detail
We retain personal data only for as long as it is necessary for the respective purposes or as statutory retention obligations require:
- Uploaded photos (source photos): until you delete them yourself or until account deletion — you can remove them at any time.
- Generated images: until you delete them yourself or until account deletion.
- Account data (email, login): until account deletion. Inactive accounts without credit balance are automatically removed after 24 months following prior notice (min. 30 days).
- Order and payment data: 10 years pursuant to § 257 HGB / § 147 AO (statutory retention obligation).
- Server logs (Vercel): typically 14–30 days, then automatically deleted.
- Quality-check results (score, traffic light, issue list): as metadata on the respective photo — removed with the photo.
- Voucher visit tracking (influencer program): 12 months from last visit for campaign analysis, then anonymised / deleted.
7. Automated decision-making (Art. 22 GDPR)
On every upload of a source photo, the Provider runs an automated AI-based quality check. The vision model from the Google Gemini family is used; it evaluates framing, lighting, background, face visibility, sharpness and resolution, and assigns one of three traffic-light statuses:
- Green – photo is approved, generation possible.
- Yellow – photo has detected flaws; generation is only possible if you explicitly confirm the reclamation waiver (see § 7c of the Terms).
- Red – photo is not released for generation by the system (legal effect within the meaning of Art. 22 (1) GDPR).
Legal basis for processing: contract performance under Art. 6 (1) (b) GDPR and your consent upon upload under Art. 6 (1) (a) / Art. 9 (2) (a) GDPR (biometric features). Processor: Google Ireland Ltd. (see section 3).
You have the right to object to a rejection by the automated quality check and to request a manual review by a natural person (Art. 22 (3) GDPR). Please send an email with the photo ID to support@aiprofilestudio.de.
8. Labelling of AI-generated content (EU AI Act)
Our generated images carry invisible watermarks (so-called SynthID) and metadata flags wherever the AI model used supports this technically. In addition, you receive a clear visible notice in the application that the image is AI-generated. This implements the transparency obligations under Art. 50 EU AI Act.
9. Cookies
We only use technically necessary cookies to maintain your login session. We do not use tracking or analytics cookies. Legal basis: legitimate interest (Art. 6 (1) (f) GDPR, § 25 (2) TDDDG).
10. Changes to this Policy
We reserve the right to adjust this Privacy Policy so that it always complies with current legal requirements or to reflect changes in our services. Material changes will be presented to you via a banner for confirmation before they take effect.