Data Controller: bettermerch GbR Bayer u. Huber, Riegeläckerstraße 1, 71229 Leonberg, Germany
Privacy Contact (GDPR Requests): privacy@mangolix.com
Data Protection Officer: We have not appointed a DPO as we do not meet the statutory thresholds requiring one.
Language Clause
If you are a user or data subject located in Germany, the German version shall prevail. Otherwise, the English version shall prevail.
1) Overview: What Data Do We Process?
We process personal data in the following categories:
- Account/Profile Data: e.g., name, email address (Google Login), User ID
- Usage/Log Data: e.g., IP address, timestamp, device/browser info, log files
- Content Data: uploaded images, generated results, metadata (e.g., filename)
- Payment/Contract Data: plan, status, billing info, transaction IDs (payment processing via Stripe)
- Newsletter Data: email address, consent and opt-in/opt-out records
2) Purposes and Legal Bases
We process data for the following purposes:
- Contract Initiation and Performance (Art. 6(1)(b) GDPR): Account, credits, tool usage, delivery of results, billing.
- Security and Fraud Prevention (Art. 6(1)(f) GDPR): Logging, fraud/attack prevention.
- Compliance with Legal Obligations (Art. 6(1)(c) GDPR): e.g., retention of tax-relevant documents.
- Newsletter/Marketing (Art. 6(1)(a) GDPR): Only with consent (double opt-in).
AI Processing
Your uploaded images and associated metadata are transferred to our AI providers (Google Gemini, Replicate) solely to generate and deliver the requested outputs. This processing is necessary for contract performance (Art. 6(1)(b) GDPR).
Analytics (Vercel Web Analytics)
Vercel Web Analytics works without third-party cookies; visitors are identified via a hash from the incoming request, and sessions are discarded after 24 hours.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in reach measurement. You can object at any time (Art. 21 GDPR) via the cookie banner or by emailing privacy@mangolix.com. Analytics only loads after you give consent via our cookie banner.
3) Recipients / Service Providers
Depending on usage, we employ the following categories of processors/recipients:
- Hosting/Platform: Vercel (hosting, logs, analytics) — Processor
- Storage: Vercel Blob (storage of uploads/results) — Processor
- Database: PostgreSQL via Neon — Processor
- Auth: Google OAuth (login) — Independent Controller for Google account data
- Payments: Stripe (subscription and one-time payments) — Independent Controller for payment processing
- AI Providers: Google (Gemini API), Replicate (Upscaler) — Processors
Data Processing Agreements (DPAs) are in place with our processors. Sub-processors may be used by our processors; details are available in their respective DPAs and privacy notices.
4) Third Country Transfers (Outside EU/EEA)
Depending on provider location, data may be transferred to third countries (e.g., USA). The following transfer mechanisms apply where the recipient is located outside the EU/EEA:
| Provider | Country | Transfer Mechanism |
|---|---|---|
| Vercel | USA | EU-US Data Privacy Framework (DPF certified) |
| Stripe | USA | DPF (certified) + SCCs |
| Google (OAuth/Gemini) | USA | EU-US Data Privacy Framework (DPF certified) |
| Replicate | USA | Standard Contractual Clauses (SCCs) |
If any chosen transfer mechanism becomes unavailable (e.g., due to legal developments), we will implement an alternative lawful transfer mechanism without undue delay.
5) Retention Periods
We retain data only as long as necessary for the respective purpose:
| Data Type | Retention Period |
|---|---|
| Account Data | Until account deletion; backups may persist up to 30 days and are overwritten in the normal backup cycle |
| Uploads/Results | Until deletion by user; max. 90 days after account deletion (includes references in support tickets and logs) |
| Server Logs | 90 days |
| Invoice/Transaction Records | 10 years (German statutory retention for tax records under § 147 AO; does not include full payment card data) |
| Consent Records | 3 years after withdrawal (for documentation purposes) |
6) Your Rights
Under the GDPR, you have (subject to conditions) the right to:
- Access your personal data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure (“right to be forgotten”) (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing based on legitimate interest (Art. 21 GDPR)
- Withdraw given consents (e.g., newsletter) with effect for the future (Art. 7(3) GDPR)
- Lodge a complaint with a data protection supervisory authority (Art. 77 GDPR)
How to Exercise Your Rights
- Contact: privacy@mangolix.com (for all GDPR requests)
- Identity Verification: We may request additional information necessary to verify your identity. If an ID document is required, only a redacted copy will be requested, and only if strictly necessary.
- Processing Time: 1 month from receipt, extendable to 3 months in complex cases (with notification)
- Format: Electronic (JSON/CSV) or PDF, as requested
Supervisory Authority
You have the right to lodge a complaint with any EU supervisory authority. The competent authority for our location is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20, 70173 Stuttgart, Germany
www.baden-wuerttemberg.datenschutz.de
7) Obligation to Provide Data
Without certain data (e.g., login email, necessary log data, uploads for processing), the platform cannot be used. Provision of this data is a contractual requirement.
8) No Use for Model Improvement
Your uploads and results are not used for improving or training AI models by us (beyond pure technical execution to deliver your requested outputs).
9) Automated Decision-Making
We do not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR that produces legal effects or similarly significantly affects you.
10) Newsletter
- Sent only with consent (Art. 6(1)(a) GDPR).
- Unsubscribe possible at any time (unsubscribe link or email to privacy@mangolix.com).
11) Cookies and Tracking
Necessary Cookies
Session and authentication cookies are required for the platform to function. No consent is required for these strictly necessary cookies (Art. 5(3) ePrivacy Directive).
Analytics (Optional)
Vercel Web Analytics is cookie-less but still noted here for transparency. Analytics only loads after you give consent via our cookie banner.
Consent Management
- Analytics loads only after explicit consent via our cookie banner
- You can withdraw or change your preferences at any time via the cookie banner or by emailing privacy@mangolix.com
| Cookie Name | Purpose | Duration |
|---|---|---|
| authjs.session-token | Authentication session | 30 days (persistent) |
| authjs.csrf-token | CSRF protection | Session |
| authjs.callback-url | Redirect after login | Session |
| cookie-consent | Store cookie preferences | 1 year |
Contact
For privacy questions and GDPR requests, contact us at: privacy@mangolix.com