Data Protection

Privacy Policy

GDPR-oriented data protection notice

Last updated on April 8, 2026

How to read this policy

This policy explains what personal data we process, which vendors help us run the service, where uploaded images are stored, and what rights you have in relation to your data and image files.

1Controller and contact

SunsetPicnic UG (haftungsbeschränkt)
c/o Pawel Sawicki
Plantage 17
13597 Berlin, Germany

Privacy contact: privacy@genprofile.ai
General support: support@genprofile.ai

2Data we process

  • Account data: account identifier, email address, authentication state, and related profile data from Clerk.
  • Billing data: customer, subscription, invoice, and payment event data from Stripe.
  • Uploaded images: source image files you upload or select for transformation.
  • Generated images: output images produced by the service.
  • Image metadata: file name, MIME type, size, image URL, detected face count, quality flags, transform settings, collection mappings, and job status.
  • Support and notification data: email delivery details and support correspondence.
  • Technical and analytics data: basic device, request, session, and usage information, including Vercel Analytics events.
  • Security audit data: consent timestamp, request IP address, user agent, and related audit metadata for AI-processing actions.

3AI processing and service providers

When you use AI photo workflows, your uploaded image may be sent to Google Gemini for validation, visual analysis, and image transformation. Generated outputs are then returned to us so they can be presented in your account.

  • Google Gemini: AI validation, analysis, and transformation.
  • Vercel Blob: file storage for uploaded and generated images.
  • Vercel: app hosting and analytics.
  • Clerk: sign-in, session handling, and account identity.
  • Stripe: billing and subscription processing.
  • Resend: transactional email delivery.
  • Prisma-backed database infrastructure: operational storage of user, job, consent, collection, and metadata records.

4Where images are stored

Uploaded and generated images are stored in Vercel Blob. In the current product design, those files are stored at URLs associated with your account and may be publicly retrievable by any person who knows the exact URL.

The application also stores references to those file URLs and related metadata in our database. This includes upload records, transform jobs, generated image variants, collection relationships, and notification references.

5Legal bases for processing

  • Art. 6(1)(b) GDPR: processing necessary to provide the service you requested, including account access, image processing, and delivery.
  • Art. 6(1)(a) GDPR: consent for AI processing of uploaded real images where we request it in-product.
  • Art. 6(1)(f) GDPR: legitimate interests in platform security, abuse prevention, diagnostics, audit logging, and service analytics.
  • Art. 6(1)(c) GDPR: compliance with legal obligations, including tax, accounting, and law-enforcement requests where applicable.

6Retention and deletion

We retain account and image-related data for as long as reasonably necessary to provide the service, maintain your account, investigate abuse, comply with legal obligations, and resolve disputes.

AI-processing security audit logs, including timestamp, IP address, and user agent, are retained for a limited period of up to 180 days unless a longer retention period is required to investigate suspected abuse, fraud, or legal claims.

You may request deletion of your account and associated content. Where legally possible, we will delete or anonymize the relevant data. Some payment, transaction, security, and backup records may need to be retained for limited periods after deletion requests.

7International data transfers

Some of our providers process data outside the European Economic Area. Where this happens, we rely on appropriate safeguards such as Standard Contractual Clauses, adequacy decisions, and additional contractual or technical measures where required.

8Your rights

  • Right of access to the personal data we hold about you.
  • Right to rectification of inaccurate or incomplete data.
  • Right to erasure, subject to legal and operational exceptions.
  • Right to restrict processing in certain circumstances.
  • Right to data portability where applicable.
  • Right to object to processing based on legitimate interests.
  • Right to withdraw consent at any time for future processing.
  • Right to lodge a complaint with a supervisory authority.

To exercise your rights, email privacy@genprofile.ai.

9Security

We use reasonable technical and organizational safeguards to protect personal data. No system is perfectly secure, and we cannot guarantee absolute security. You should avoid uploading sensitive images or information unless strictly necessary for your use case.

10Complaints and supervisory authority

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstr. 219
10969 Berlin, Germany
www.datenschutz-berlin.de