Legal

Privacy Policy

Last updated: 2026-07-01. Applies to influencerforge.app and all associated services. Provided for transparency — this is general information, not legal advice.

1. Controller

The controller responsible for processing personal data on this platform within the meaning of the General Data Protection Regulation (GDPR) is Tim Geithner, the provider named in our Legal Notice.

A Data Protection Officer has not (yet) been appointed. Where the scale or nature of our processing — in particular processing of facial imagery from reference uploads — comes to require one under Art. 37 GDPR, we will appoint one and update this section accordingly.

For any privacy-related inquiries, please contact us at: privacy@influencerforge.app.

2. Data We Process

We process the following categories of personal and user-related data:

  • Account and authentication data: Email address, hashed password (via Supabase Auth), session tokens.
  • Payment data: Transaction IDs, credit balance, billing status — transmitted via Stripe. Payment details (card data, etc.) are stored and processed exclusively by Stripe; we have no direct access to them.
  • Uploaded reference images: Images you upload for AI model training are stored in Supabase Storage and transmitted to our AI compute provider for Forge Engine processing. Reference images may contain facial imagery, which — where processed in a way that uniquely identifies a natural person — constitutes special-category biometric data under Art. 9 GDPR. See §3 below for the legal basis that applies to this category.
  • Generated content: AI-generated images and videos associated with your account are stored in Supabase Storage.
  • Technical log data: IP address, browser type, access times, pages visited — collected by Cloudflare (CDN/infrastructure) and Supabase.

3. Purposes & Legal Bases

We process your data for the following purposes on the basis of the stated legal grounds under Art. 6 GDPR:

  • Contract performance (Art. 6(1)(b) GDPR): Providing platform features, processing payments, model training, and content generation.
  • Legitimate interests (Art. 6(1)(f) GDPR): Platform security, fraud prevention, technical improvements.
  • Consent (Art. 6(1)(a) GDPR): Non-essential cookies and optional communications, where you have given consent.
  • Legal obligation (Art. 6(1)(c) GDPR): Retention of billing records in accordance with applicable tax law requirements.
  • Explicit consent for biometric data (Art. 6(1)(a) and Art. 9(2)(a) GDPR): Where reference-image processing amounts to special-category biometric data (see §2), we rely additionally on your explicit consent, captured separately at upload. You may withdraw this consent at any time, which will not affect the lawfulness of processing carried out before withdrawal. Whether our pipeline in fact "uniquely identifies" a person (triggering Art. 9) as opposed to using faces only as a stylistic reference is an assessment we keep under review; our default posture is to obtain explicit consent regardless.

We do not use fully automated decision-making producing legal or similarly significant effects on you (Art. 22 GDPR) for image or video generation. Where automated moderation or fraud-prevention checks are used, they inform human review rather than making binding decisions about you on their own.

4. Processors & Recipients

We engage the following processors. Data Processing Agreements (DPAs) pursuant to Art. 28 GDPR are in place with each of them.

Third-party data processors, their purpose, and data processing agreement status
ProviderPurposeDPA status
Supabase / Lovable CloudHosting, authentication, database, storageData Processing Agreement in place
StripePayment processingData Processing Agreement in place
Higgsfield AI image/video inference compute for the Forge EngineData Processing Agreement in place
CloudflareCDN, infrastructure, DDoS protectionData Processing Agreement in place

Some of these providers are located outside the European Economic Area, in particular in the United States. Where a recipient is self-certified under the EU–U.S. Data Privacy Framework (DPF), transfers rely on that adequacy mechanism; otherwise (or as a fallback) we rely on the EU Standard Contractual Clauses (2021 SCCs) together with supplementary measures. There is no general EU adequacy decision for the United States outside the DPF. You can request a copy of the relevant safeguards by emailing privacy@influencerforge.app.

5. Retention Periods

  • Account data: For as long as your account is active. After account deletion, account data is deleted within 30 days, unless statutory retention obligations apply.
  • Payment data & invoices: Retained for up to 10 years as required by German statutory retention obligations (§147 AO, §257 HGB).
  • Reference images & generated content: Until deleted by you or upon account deletion. Because reference images may contain biometric special-category data, we aim to keep this retention to the shortest period justifiable for operating the service and do not retain it longer than necessary for that purpose.
  • Technical log data: Retained for up to 90 days via Cloudflare/Supabase.

6. Your Rights as a Data Subject

Under the GDPR you have the following rights against us:

  • Access (Art. 15 GDPR): You may request information about the personal data we process about you.
  • Rectification (Art. 16 GDPR): You have the right to have inaccurate data corrected.
  • Erasure (Art. 17 GDPR): You may request deletion of your data, provided no statutory retention obligations apply.
  • Restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your data.
  • Data portability (Art. 20 GDPR): You have the right to receive your data in a machine-readable format.
  • Objection (Art. 21 GDPR): You may object to processing of your data based on legitimate interests.
  • Withdrawal of consent: Where processing is based on consent — including explicit consent for biometric data from reference uploads — you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Complaint to a supervisory authority: You have the right to lodge a complaint with a data protection supervisory authority, in particular the Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit (competent for the provider's place of establishment; see our Legal Notice), or the authority in your own EU member state.

To exercise your rights, please contact us at: privacy@influencerforge.app.

7. Data Export & Account Deletion

You can download and export generated content (images, videos, collections) directly from your dashboard.

Account deletion is available in your account settings. Upon deletion, your profile data, models, and saved content will be removed from our active systems. Statutory retention obligations (e.g. tax-relevant billing records) remain unaffected.

For a structured export of your personal data under Art. 20 GDPR beyond what is available in your dashboard, submit a request by email to privacy@influencerforge.app.

8. Cookies

We use technically necessary cookies to operate the platform (session, authentication). These cookies cannot be disabled without impairing the functionality of the platform.

On your first visit you will be informed via the cookie banner and can set your preferences there, in line with the German TDDDG (Telekommunikation-Digitale-Dienste- Datenschutz-Gesetz). Your consent is stored locally.

For the full breakdown of what we store and why, see our Cookie Policy, which also explains how to change your preferences at any time.

9. Children / 18+ Platform

The platform is intended solely for users who are 18 years of age or older. We do not knowingly collect or process personal data of persons under 18. If we become aware that we have inadvertently processed such data, we will delete it promptly.

10. Digital Services Act — Point of Contact

For privacy and data-subject-rights inquiries, use privacy@influencerforge.app. Our single point of contact for authorities and users under the EU Digital Services Act is legal@influencerforge.app; see our Legal Notice for details.

11. UK GDPR

For users in the United Kingdom, we process personal data in accordance with the UK GDPR, which largely mirrors the rights and obligations described above. Where we transfer personal data from the UK to a recipient outside the UK, we rely on the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or (where applicable) the UK–US Data Bridge. UK data subjects may lodge a complaint with the Information Commissioner's Office (ICO).

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), gives you additional rights over your personal information.

Categories collected: identifiers (email, IP address), financial/transaction information (via Stripe), and — where reference images are used to identify a person — biometric information, which is treated as sensitive personal information (SPI) under the CPRA.

Your rights: to know/access the personal information we hold about you, to delete it, to correct inaccurate information, to opt out of "sale" or "sharing" of personal information, to limit use of sensitive personal information, and to not be discriminated against for exercising these rights.

We do not "sell" personal information. We only "share" personal information (as CPRA defines that term, e.g. for cross-context behavioral advertising) if optional advertising/analytics tools are enabled and you have consented to them; our default analytics setup is privacy-friendly and opt-in (see our Cookie Policy). Where applicable, we honor the Global Privacy Control (GPC) signal as a valid opt-out request. To exercise any of these rights, contact privacy@influencerforge.app.

13. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy to reflect changes in the law or changes to the platform. The current version is always available at influencerforge.app/privacy. We will notify you of material changes by email or by a notice on the platform.