Privacy Policy

Last updated: December 26, 2025

1. Data Controller

The data controller responsible for your personal data is:

Mario Ottmann
Sperberkamp 12a
22175 Hamburg
Germany
Email: historicalreels@marioottmann.com

2. Data We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (if provided via OAuth)
  • Profile picture (if provided via OAuth)
  • Authentication provider information (Google)

2.2 Usage Data

When you use our Service, we automatically collect:

  • Credit balance and transaction history
  • Service usage logs (processing requests, timestamps)
  • Technical data (browser type, device information, IP address)

2.3 User Content

When you use our image processing service, we temporarily store:

  • Uploaded images
  • Generated colorized images and videos

Important: All uploaded images and generated content are automatically deleted within 24-48 hours after processing.

Biometric data disclaimer: The Service is not intended for the unique identification of natural persons (biometric identification). Users are prohibited from uploading images for the purpose of identifying individuals.

2.4 Payment Information

Payment processing is handled by Stripe. We do not store your payment card details. We only receive:

  • Transaction confirmation and amount
  • Last four digits of your card (for reference)
  • Billing country

3. Purposes and Legal Bases

We process your personal data for the following purposes under the indicated legal bases (GDPR Article 6):

3.1 Contract Performance (Art. 6(1)(b) GDPR)

  • Providing and maintaining the Service
  • Processing your image colorization requests
  • Managing your account and credit balance
  • Processing payments and transactions
  • Providing customer support

3.2 Legitimate Interests (Art. 6(1)(f) GDPR)

  • Improving and optimizing the Service
  • Preventing fraud and ensuring security
  • Analyzing usage patterns to enhance user experience

3.3 Legal Obligations (Art. 6(1)(c) GDPR)

  • Retaining transaction records for tax and accounting purposes
  • Responding to lawful requests from authorities

4. Cookies and Tracking

We use the following types of cookies:

  • Authentication cookies: Maintain your login session (Supabase Auth)
  • Session cookies: Remember your preferences within a session
  • Analytics cookies: Privacy-friendly usage statistics (Umami Analytics)

About our analytics: We use Umami, a privacy-focused analytics tool that does not use cookies for tracking, does not collect personal data, and is fully GDPR compliant. Umami only collects anonymous, aggregated data such as page views and referrer information. No personal identifiers are stored.

We do not use advertising or behavioral tracking cookies.

5. Third-Party Services

We use the following third-party services to provide our Service:

5.1 Supabase (EU - Frankfurt)

Purpose: Authentication, database, and temporary file storage
Data processed: Account information, credit balance, uploaded images (temporary)
Location: European Union (Frankfurt, Germany)
Privacy Policy: https://supabase.com/privacy

5.2 Stripe (USA)

Purpose: Payment processing
Data processed: Payment card details, billing information, transaction data
Location: United States (with EU Standard Contractual Clauses)
Privacy Policy: https://stripe.com/privacy

5.3 Google Cloud Vertex AI (USA)

Purpose: Image colorization and video generation
Data processed: Uploaded images (temporarily for processing)
Location: United States (with EU Standard Contractual Clauses)
Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice

We use Google Cloud Vertex AI, Google's enterprise AI platform, which provides enhanced privacy and security guarantees. Under the Vertex AI terms, Google does not use customer data to train its models.

5.4 Umami Analytics (EU - Umami Cloud)

Purpose: Privacy-friendly website analytics
Data processed: Anonymous page views, referrer URLs, browser type, country (no personal data)
Location: European Union (Umami Cloud hosted service)
Privacy Policy: https://umami.is/privacy

We use Umami Cloud, the hosted version of Umami Analytics. Umami is a privacy-focused analytics solution that does not use cookies, does not track users across websites, and does not collect any personally identifiable information. All data is anonymized and aggregated. A Data Processing Agreement (DPA) has been accepted through the Umami Cloud dashboard.

6. International Data Transfers

Some of our third-party service providers are located in the United States. When we transfer your personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • EU Standard Contractual Clauses (SCCs): We use EU-approved contractual clauses with our US-based providers. These SCCs are incorporated into the standard Data Processing Agreements (DPAs) we have accepted with Google Cloud and Stripe through their respective online dashboards.
  • Data Processing Agreements: All processors are bound by data protection agreements that include appropriate safeguards for international transfers.

You can request a copy of the safeguards in place by contacting us.

7. Data Retention

We retain your data for the following periods:

  • Uploaded images and generated content: 24-48 hours (automatically deleted)
  • Account data: Until account deletion, plus 30 days
  • Transaction/billing records: 10 years (legal requirement under German tax law)
  • Server logs: 90 days

8. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15): Request a copy of your personal data
  • Right to rectification (Art. 16): Request correction of inaccurate data
  • Right to erasure (Art. 17): Request deletion of your personal data
  • Right to restriction (Art. 18): Request restriction of processing
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interests
  • Right to withdraw consent (Art. 7): Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us at historicalreels@marioottmann.com. We will respond within 30 days.

9. Right to Lodge a Complaint

If you believe that our processing of your personal data violates data protection laws, you have the right to lodge a complaint with a supervisory authority.

For Germany, the competent authority is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22, 7. OG
20459 Hamburg
https://datenschutz-hamburg.de

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (HTTPS/TLS)
  • Encryption of data at rest
  • Secure authentication mechanisms
  • Regular security assessments
  • Access controls and audit logging

However, no method of transmission over the Internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

11. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us and we will delete such information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the “Last updated” date
  • Sending you an email notification for significant changes

We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Mario Ottmann
Sperberkamp 12a
22175 Hamburg, Germany
Email: historicalreels@marioottmann.com