Privacy Policy
In accordance with the EU General Data Protection Regulation (GDPR) and German law
1. Controller
The controller responsible for data processing on this website is:
Fritz Gnad
Vogelsanger Str. 193, 50825 Cologne, Germany
E-mail: legal@nebulavision.net
2. Data we collect and why
Account & authentication
Your e-mail address, collected when you sign in via magic link or Google OAuth. Used solely to authenticate you and associate your exports with your account. Legal basis: Art. 6(1)(b) GDPR (performance of contract).
Generated exports
The inputs you provide (topic, niche, style) and the resulting thumbnail images are stored per export for authenticated users. This lets you access your history and lets us enforce your export quota. Legal basis: Art. 6(1)(b) GDPR.
Payment data
When you purchase a Credit Pack, Stripe collects and processes your payment details directly. We receive only a confirmation token, the charged amount, your e-mail, and a Stripe session ID — no card data ever reaches our servers. Legal basis: Art. 6(1)(b) GDPR.
IP addresses (anonymous users)
To enforce rate limits for unauthenticated requests, your IP address is hashed and stored temporarily in a rolling 60-minute window. It is not linked to any personal profile and is purged automatically. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in preventing abuse).
Prompt content
The text prompts you submit are forwarded to our AI providers (OpenAI / OpenRouter) to generate thumbnail images. We do not store prompts beyond what is retained in your export record. Legal basis: Art. 6(1)(b) GDPR.
3. Third-party processors
We use the following sub-processors under data processing agreements (Art. 28 GDPR). All transfers to the US rely on Standard Contractual Clauses (SCCs) or equivalent adequacy mechanisms.
| Provider | Purpose | Privacy |
|---|---|---|
| Supabase | Database & authentication | supabase.com |
| Stripe | Payment processing | stripe.com |
| OpenAI | AI image generation | openai.com |
| OpenRouter | AI image generation (product image path) | openrouter.ai |
4. Data retention
Account & exports
Retained until you request deletion. To delete your account and all associated data, contact us at legal@nebulavision.net.
Payment records
Stripe session IDs and payment confirmations are retained for up to 10 years to comply with German commercial and tax record-keeping obligations (§ 147 AO, § 257 HGB).
IP-based rate limit data
Automatically deleted after each 60-minute rate-limit window expires.
5. Your rights under GDPR
You have the right to:
- Access (Art. 15): Request a copy of the personal data we hold about you.
- Rectification (Art. 16): Ask us to correct inaccurate data.
- Erasure (Art. 17): "Right to be forgotten" — request deletion of your data.
- Restriction (Art. 18): Ask us to limit how we use your data.
- Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Objection (Art. 21): Object to processing based on legitimate interest.
To exercise any of these rights, contact us at legal@nebulavision.net. We will respond within 30 days.
6. Supervisory authority
You have the right to lodge a complaint with the supervisory authority responsible for our location:
Landesbeauftragte für Datenschutz und Informationsfreiheit
Nordrhein-Westfalen (LDI NRW)
Postfach 20 04 44, 40102 Düsseldorf, Germany
ldi.nrw.de
7. Cookies & local storage
This service uses browser localStorage to temporarily hold pending thumbnail generations across authentication flows. No tracking cookies or third-party advertising pixels are used.
Supabase Auth stores session tokens in a short-lived browser cookie strictly necessary for authentication. No consent is required for this under TTDSG § 25 Abs. 2 Nr. 2.
8. Changes to this policy
We may update this policy as the service evolves. Material changes will be communicated via a notice on the site. The date below reflects the most recent revision.
Last updated: May 2025