Data Protection

Privacy Policy

GDPR Compliant Data Protection Declaration

Last updated on July 23, 2025

GDPR Compliance

This privacy policy complies with the EU General Data Protection Regulation (GDPR) and German data protection laws. We are committed to protecting your privacy and ensuring transparent data processing practices.

This privacy policy explains how SunsetPicnic UG (haftungsbeschränkt) ("GenProfile.ai", "we", "us", or "our") collects, uses, and protects your personal data when you use our AI-powered profile image generation service.

1 Data Controller and Contact

Responsible Entity

SunsetPicnic UG (haftungsbeschränkt)
c/o Pawel Sawicki
Plantage 17
13597 Berlin, Germany

Data Protection Contact

Email: privacy@genprofile.ai
General Contact: support@genprofile.ai

2 Data Collection and Processing

2.1 Personal Data We Collect

We collect and process the following categories of personal data:

  • Account Data: Email address, username, account preferences
  • Payment Data: Billing information, payment method details (processed securely via Stripe)
  • Usage Data: Service usage patterns, feature interactions, generation history
  • Technical Data: IP address, browser type, device information, session data
  • Communication Data: Support requests, feedback, correspondence

2.2 AI-Generated Content

All profile images generated through our service are synthetic and created by artificial intelligence. No real personal data is used in the generation process, and generated images do not represent real individuals.

3 Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR:

  • Contract Performance (Art. 6(1)(b) GDPR): To provide our AI image generation services
  • Legitimate Interest (Art. 6(1)(f) GDPR): For service improvement, fraud prevention, and analytics
  • Consent (Art. 6(1)(a) GDPR): For marketing communications and optional features
  • Legal Obligation (Art. 6(1)(c) GDPR): For tax and accounting requirements

4 Data Sharing and Third Parties

4.1 Service Providers

We work with trusted third-party providers who assist in delivering our services:

  • Stripe: Payment processing (PCI DSS compliant)
  • Clerk: Authentication and user management services
  • Firebase/Google Cloud: Database and cloud services
  • Vercel: Hosting and content delivery
  • Resend: Transactional email delivery

4.2 Data Protection Measures

All third-party processors are bound by data processing agreements (DPAs) and are required to maintain GDPR compliance standards. Data transfers outside the EU are protected by appropriate safeguards.

5 Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

  • Right of Access (Art. 15): Request information about your personal data
  • Right to Rectification (Art. 16): Correct inaccurate personal data
  • Right to Erasure (Art. 17): Request deletion of your personal data
  • Right to Restrict Processing (Art. 18): Limit how we process your data
  • Right to Data Portability (Art. 20): Receive your data in a portable format
  • Right to Object (Art. 21): Object to processing based on legitimate interest
  • Right to Withdraw Consent: Withdraw consent for consent-based processing

To exercise these rights, contact us at privacy@genprofile.ai. We will respond within 30 days.

6 Data Retention and Deletion

6.1 Retention Periods

  • Account Data: Retained for the duration of your account plus 3 years for legal obligations
  • Generated Images: Stored for 90 days after generation, then automatically deleted
  • Payment Data: Retained for 10 years for tax and accounting purposes
  • Technical Logs: Retained for 12 months for security and performance monitoring

6.2 Secure Deletion

When data is deleted, we ensure secure removal from all systems, including backups, within a reasonable timeframe not exceeding 6 months.

7 Cookies and Tracking

7.1 Essential Cookies

We use essential cookies for authentication, security, and basic functionality. These cookies are necessary for the service to function and are set based on legitimate interest.

7.2 Analytics and Optional Cookies

We use privacy-friendly analytics to improve our service. You can manage cookie preferences through your browser settings or contact us to opt out.

8 Security Measures

We implement comprehensive security measures to protect your personal data:

  • Encryption: Data in transit and at rest is encrypted using industry-standard protocols
  • Access Control: Strict access controls and authentication for all systems
  • Regular Audits: Security assessments and vulnerability testing
  • Incident Response: Procedures for data breach detection and response
  • Staff Training: Regular data protection training for all personnel

9 International Data Transfers

When we transfer personal data outside the European Economic Area (EEA), we ensure adequate protection through:

  • European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules where applicable
  • Additional safeguards as required by GDPR

10 Children's Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such information promptly.

11 Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting the updated policy on our website and, where required by law, by sending you a notification. Your continued use of our service after such changes constitutes acceptance of the updated policy.

12 Supervisory Authority and Complaints

You have the right to lodge a complaint with a supervisory authority if you believe we have not complied with GDPR requirements. The relevant supervisory authority for our company is:

Berlin Commissioner for Data Protection and Freedom of Information

Friedrichstr. 219
10969 Berlin, Germany
www.datenschutz-berlin.de