Privacy Policy
Last updated: June 18, 2025
Version 2.0 - EU Compliance Enhanced
1. INTRODUCTION
This Privacy Policy explains how Matti Schulz ("we," "us," "our") operating iken, an AI-powered 3D icon generation platform, collects, uses, stores, and protects your personal data when you use our services at iken.app.
Data Controller: Matti Schulz, Bertolt-Brecht-Straße 43, 18507 Grimmen, Germany
This policy complies with the EU General Data Protection Regulation (GDPR), Digital Services Act (DSA), and applicable German data protection laws.
2. LEGAL BASIS FOR DATA PROCESSING
We process your personal data based on the following legal grounds under GDPR Article 6:
- Consent (Art. 6(1)(a)): Marketing communications (where applicable)
- Contract Performance (Art. 6(1)(b)): Account management, service delivery, subscription billing
- Legitimate Interest (Art. 6(1)(f)): Service improvement, fraud prevention, security measures, usage analytics
- Legal Obligation (Art. 6(1)(c)): Tax records, compliance with law enforcement requests
3. PERSONAL DATA WE COLLECT
3.1 Data Collected Directly from You
- Account information (email address, display name) via Clerk authentication
- Payment information (processed by Stripe, not stored by us)
- Icon generation prompts and preferences
- Support communications and feedback
3.2 Data Collected Automatically
- Technical data: IP address, browser type and version, device information
- Usage data: Pages visited, time spent, click patterns, feature usage
- Performance data: Error logs, loading times, system performance metrics
- Analytics data: User behavior patterns (anonymized where possible)
3.3 Generated Content
- AI-generated icons and associated metadata
- Generation history and usage statistics
- Download and usage preferences
4. HOW WE USE YOUR DATA
We use your personal data for the following purposes:
- Service Provision: Account management, icon generation, download delivery
- Billing and Payments: Subscription management, invoice generation, payment processing
- Customer Support: Responding to inquiries, troubleshooting, technical assistance
- Service Improvement: Analytics, performance optimization, feature development
- Security: Fraud prevention, abuse detection, system security monitoring
- Legal Compliance: Meeting regulatory requirements, responding to legal requests
- Marketing: Service updates, feature announcements (with consent)
5. DATA SHARING AND THIRD PARTIES
5.1 Service Providers
We share data with trusted third-party processors under data processing agreements:
- Clerk: User authentication and account management (GDPR compliant)
- Firebase (Google): Database storage for user data and icons (EU servers)
- Replicate: AI model processing for icon generation (data minimization applied)
- Stripe: Payment processing (PCI DSS compliant, data not stored by us)
- Vercel: Application hosting and blob storage (EU/US with SCCs)
5.2 Legal Disclosures
We may disclose data when required by law, court order, or to protect our legal rights, but only to the minimum extent necessary and with appropriate legal safeguards.
6. INTERNATIONAL DATA TRANSFERS
Some of our service providers operate outside the EU/EEA. We ensure adequate protection through:
- Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
- Standard Contractual Clauses (SCCs): EU-approved contracts for secure transfers
- Additional Safeguards: Encryption, access controls, and data minimization
Countries involved: United States (Replicate, Vercel), with SCCs and supplementary measures in place.
7. DATA RETENTION
We retain personal data only as long as necessary for the stated purposes:
- Account Data: Until account deletion + 30 days for backup deletion
- Generated Icons: 90 days after generation for download purposes
- Payment Records: 10 years (German tax law requirement)
- Support Communications: 3 years for quality and legal purposes
- Marketing Consents: Until withdrawal + 30 days for processing
- Security Logs: 12 months for incident investigation
8. DATA SECURITY
We implement comprehensive security measures including:
- Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Role-based access, multi-factor authentication for admin accounts
- Infrastructure Security: Secure hosting with regular security updates and monitoring
- Regular Audits: Security assessments and vulnerability testing
- Incident Response: Documented procedures for security breaches
9. YOUR GDPR RIGHTS
Under GDPR, you have the following rights regarding your personal data:
9.1 Access and Portability
- Right of Access (Art. 15): Request copies of your personal data and information about processing
- Data Portability (Art. 20): Receive your data in a structured, machine-readable format
9.2 Correction and Deletion
- Rectification (Art. 16): Correct inaccurate or incomplete data
- Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Restriction (Art. 18): Limit how we process your data in certain circumstances
9.3 Control and Objection
- Object to Processing (Art. 21): Object to processing based on legitimate interests
- Withdraw Consent (Art. 7(3)): Withdraw consent for consent-based processing
- Automated Decision-Making (Art. 22): Not be subject to solely automated decisions
9.4 How to Exercise Your Rights
To exercise these rights, contact us at privacy@matti-schulz.de. We will respond within 30 days and verify your identity before processing requests.
10. COOKIES AND TRACKING
We use cookies and similar technologies for:
- Essential Cookies: Authentication, security, basic functionality (no consent required)
- Analytics Cookies: Usage statistics and performance monitoring (with consent)
- Preference Cookies: Saving your settings and preferences (with consent)
You can manage cookie preferences through your browser settings or our cookie banner. Essential cookies cannot be disabled as they are necessary for service functionality.
11. AI AND ALGORITHMIC PROCESSING
Our service uses AI for icon generation. Important information about AI processing:
- AI Models: We use third-party AI models (Replicate) for image generation
- Input Processing: Your prompts are processed to generate icons but not used for model training
- Data Minimization: Only necessary prompt data is sent to AI processors
- Human Oversight: Content moderation and quality control processes in place
- No Profiling: We do not use AI for automated decision-making about individuals
12. CHILDREN'S PRIVACY
Our service is not intended for children under 16. We do not knowingly collect personal data from children under 16. If we become aware of such collection, we will delete the data promptly and may require parental consent for continued use.
13. DATA BREACH NOTIFICATION
In case of a data breach that poses a high risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours
- Inform affected individuals without undue delay
- Provide clear information about the breach and response measures
- Document the incident and take steps to prevent future breaches
14. SUPERVISORY AUTHORITY
You have the right to lodge a complaint with a data protection supervisory authority. For complaints regarding our German operations, contact:
Der Landesbeauftragte für Datenschutz und Informationsfreiheit Mecklenburg-Vorpommern
Lenné-Straße 1, 19053 Schwerin, Germany
Email: info@datenschutz-mv.de
Phone: +49 385 59494-0
15. POLICY UPDATES
We may update this Privacy Policy to reflect legal changes or service improvements. For material changes, we will provide 30 days' notice via email and prominent website notification. Continued use after notice constitutes acceptance of updated terms.
16. CONTACT INFORMATION
Data Controller: Matti Schulz
Address: Bertolt-Brecht-Straße 43, 18507 Grimmen, Germany
General Inquiries: hello@matti-schulz.de
Privacy Matters: privacy@matti-schulz.de
Data Protection Officer: privacy@matti-schulz.de
Legal Matters: legal@matti-schulz.de
Effective Date: June 18, 2025
Version: 2.0 (EU Compliance Enhanced)
This Privacy Policy complies with GDPR, Digital Services Act, and German data protection laws.