Data Protection
Privacy Policy
Last updated: 23 September 2025
1. Controller
Controller: Lucjan Grzegorzewski, Heussweg 83, 20255 Hamburg, Germany.
E-mail: grzegorzewski.lucjan@gmail.com
Phone: +49 176 99807033
Data Protection Officer (DPO): No DPO appointed (not legally required). Please use the contact details above for privacy inquiries.
2. Personal Data We Process
- Uploaded images and prompts needed to generate CV photos.
- Optional gender selection and customization preferences for styling.
- Technical logs (IP address, timestamp, user agent) generated by our hosting platform for security and reliability.
- Payment information is processed directly by Stripe; we do not store full card numbers. We may receive limited payment status metadata to fulfill your order.
- Communications you send us (for example e-mails) for support purposes.
3. Purposes and Legal Bases
- Provide and operate the service, including generating CV photos from your uploads (Article 6(1)(b) GDPR – contract performance).
- Suggest a gender setting to prefill options (Article 6(1)(f) GDPR – legitimate interest; you can override this at any time).
- Process payments and prevent fraud via Stripe (Article 6(1)(b) and 6(1)(f) GDPR).
- Ensure security, troubleshoot, and maintain our platform (Article 6(1)(f) GDPR – legitimate interest).
- Fulfil statutory obligations (for example tax and accounting) (Article 6(1)(c) GDPR).
- Respond to your inquiries (Article 6(1)(b) or 6(1)(f) GDPR, depending on context).
4. Recipients and International Transfers
We share data with the following categories of recipients to provide our service:
- Hosting & delivery: Vercel (EU region) serves the web application and manages serverless functions.
- Storage: Vercel Blob and Postgres (EU region) retain generated assets and purchase metadata.
- AI processing: Google AI (Gemini via Genkit) transforms your uploaded image into a CV photo and can suggest a gender option. Your image is transmitted to Google for this purpose.
- Payments: Stripe (Stripe Payments Europe, Ltd.) processes your payment data as an independent controller. We do not store full card details.
Where data is transferred outside the EU/EEA (for example to Google or Stripe group companies), we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses in addition to technical and organisational measures.
5. Storage Period
Uploaded images are processed to generate outputs and are not permanently stored on our servers beyond what is technically necessary to provide the service. Outputs are delivered to you and are not retained server-side. Payment records are retained by Stripe in accordance with its retention periods. We retain tax-relevant records for up to ten years as required by German law.
- Technical logs: typically up to 30 days (security and troubleshooting).
- Support e-mails: up to 24 months after resolution.
- Accounting/tax data: up to 10 years (legal obligation).
6. Data Subject Rights
- Access, rectification, erasure, restriction, objection, and portability (Articles 15 to 21 GDPR).
- Withdrawal of consent at any time without affecting prior processing.
- Right to lodge a complaint with the competent supervisory authority. For Hamburg: Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI).
7. Automated Decision-Making and Profiling
We do not make decisions that produce legal effects concerning you or similarly significantly affect you solely on the basis of automated processing. AI is used to transform images and to suggest a gender option for convenience; these outputs are not used to make decisions about you.
8. Cookies and Tracking
We currently do not use analytics or marketing cookies. Only strictly necessary cookies and similar technologies may be used to deliver the website’s core functionality. Stripe may set cookies on its checkout domain to facilitate secure payments.
9. Security Measures
We implement appropriate technical and organisational measures, including encryption in transit, access controls, least-privilege principles, regular dependency updates, and vendor due diligence. Access to production systems is restricted to authorised personnel.
10. Updates
We may update this Privacy Policy from time to time. Material changes will be indicated by updating the “Last updated” date and, where appropriate, by additional notice. Please review this page periodically.