Privacy Policy

Last updated: TODO — please update before going live. Applies to influencerforge.app and all associated services.

Not legal advice

This Privacy Policy is a GDPR-oriented template and does not constitute legal advice. Please have it reviewed by a lawyer before going live. All sections marked TODO must be replaced with real information.

1. Controller

TODO — Controller under GDPR

  • Name / company name / legal form
  • Full address
  • Represented by (management)
  • Email address for privacy inquiries
  • Phone number (optional but recommended)
  • Data Protection Officer (if appointed): name + contact

The controller responsible for processing personal data on this platform within the meaning of the General Data Protection Regulation (GDPR) is the entity listed above.

2. Data We Process

We process the following categories of personal and user-related data:

  • Account and authentication data: Email address, hashed password (via Supabase Auth), session tokens.
  • Payment data: Transaction IDs, credit balance, billing status — transmitted via Stripe. Payment details (card data, etc.) are stored and processed exclusively by Stripe; we have no direct access to them.
  • Uploaded reference images: Images you upload for AI model training are stored in Supabase Storage and transmitted to our AI compute provider for Forge Engine processing.
  • Generated content: AI-generated images and videos associated with your account are stored in Supabase Storage.
  • Technical log data: IP address, browser type, access times, pages visited — collected by Cloudflare (CDN/infrastructure) and Supabase.

3. Purposes & Legal Bases

We process your data for the following purposes on the basis of the stated legal grounds under Art. 6 GDPR:

  • Contract performance (Art. 6(1)(b) GDPR): Providing platform features, processing payments, model training, and content generation.
  • Legitimate interests (Art. 6(1)(f) GDPR): Platform security, fraud prevention, technical improvements.
  • Consent (Art. 6(1)(a) GDPR): Non-essential cookies and optional communications, where you have given consent.
  • Legal obligation (Art. 6(1)(c) GDPR): Retention of billing records in accordance with applicable tax law requirements.

4. Processors & Recipients

We engage the following processors. Data processing agreements (DPAs) pursuant to Art. 28 GDPR are in place or will be concluded with each of them.

Third-party data processors, their purpose, and data processing agreement status

Provider | Purpose | DPA status
Supabase / Lovable Cloud | Hosting, authentication, database, storage | TODO: verify/sign DPA
Stripe | Payment processing | TODO: verify Stripe DPA
Higgsfield | AI image/video inference compute for the Forge Engine | TODO: verify DPA / data transfer
Cloudflare | CDN, infrastructure, DDoS protection | TODO: verify Cloudflare DPA

Some of these providers are located outside the EEA (e.g. USA). Transfers are carried out on the basis of appropriate safeguards (e.g. EU Standard Contractual Clauses). TODO: clarify specific transfer mechanisms with a lawyer.

5. Retention Periods

  • Account data: For as long as your account is active. After account deletion, account data is deleted within TODO (e.g. 30 days), unless statutory retention obligations apply.
  • Payment data & invoices: As required by statutory retention obligations (TODO: e.g. 10 years under applicable tax law).
  • Reference images & generated content: Until deleted by you or upon account deletion.
  • Technical log data: TODO (e.g. 90 days) via Cloudflare/Supabase.

6. Your Rights as a Data Subject

Under the GDPR you have the following rights against us:

  • Access (Art. 15 GDPR): You may request information about the personal data we process about you.
  • Rectification (Art. 16 GDPR): You have the right to have inaccurate data corrected.
  • Erasure (Art. 17 GDPR): You may request deletion of your data, provided no statutory retention obligations apply.
  • Restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your data.
  • Data portability (Art. 20 GDPR): You have the right to receive your data in a machine-readable format.
  • Objection (Art. 21 GDPR): You may object to processing of your data based on legitimate interests.
  • Withdrawal of consent: Where processing is based on consent, you may withdraw it at any time.
  • Complaint to a supervisory authority: You have the right to lodge a complaint with the competent data protection supervisory authority. TODO: specify the competent authority.

To exercise your rights, please contact us at: TODO: enter privacy email address.

7. Data Export & Account Deletion

You can download and export generated content (images, videos, collections) directly from your dashboard.

Account deletion is available in your account settings. Upon deletion, your profile data, models, and saved content will be removed from our active systems. Statutory retention obligations (e.g. tax-relevant billing records) remain unaffected.

TODO — Machine-readable data export

If a structured JSON/CSV export of all personal data (Art. 20 GDPR) is implemented, describe it here. Until then: submit requests by email to datenschutz@TODO.

8. Cookies

We use technically necessary cookies to operate the platform (session, authentication). These cookies cannot be disabled without impairing the functionality of the platform.

On your first visit you will be informed via the cookie banner and can set your preferences there. Your consent is stored locally.

For the full breakdown of what we store and why, see our Cookie Policy, which also explains how to change your preferences at any time.

9. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy to reflect changes in the law or changes to the platform. The current version is always available at influencerforge.app/datenschutz. We will notify you of material changes by email or by a notice on the platform.