Privacy Policy

Controller for the processing of personal data on this website and within the Service within the meaning of Art. 4 No. 7 GDPR:

Propaganda Solutions GmbH
Managing director: Thorsten Nolte
Uhlandstraße 53
10719 Berlin
Germany
Phone: +49 (0) 30 92103672
Email for privacy enquiries: info@propaganda-solutions.com
Internal responsibility: Thorsten Nolte

The appointment of a data protection officer is only legally required under certain conditions (in particular § 38 BDSG).

Propaganda Solutions GmbH does not meet these conditions. A data protection officer is therefore not legally required and has not been appointed. Enquiries on data protection matters should be directed to the controller named above.

We process personal data of our users only insofar as this is necessary to provide a functional website, our content and our services.

The following categories of data are processed depending on how the Service is used:

• Account and master data (name, business email address, possibly phone, role).
• Brand data and uploaded marketing assets (logos, colours, imagery, copy).
• Content uploads for ad orders (briefings, product information, reference ads).
• Billing data (invoice address, tax ID, payment metadata via Stripe).
• Platform usage data (which features are used when, errors, performance).
• Server log files (IP address, user-agent, timestamps) to ensure stable operations.

When you visit our website, technical data is automatically transmitted to our server, including IP address, time of access, user-agent, referrer and HTTP status code.

Legal basis is Art. 6 (1) (f) GDPR (legitimate interest in stable, secure operation).

Log files are stored for a maximum of 30 days and then deleted or anonymized, unless security-relevant events require longer retention.

To create a customer account and to perform the contract, we process the data provided during the order flow.

Legal basis is Art. 6 (1) (b) GDPR (contract performance) and additionally Art. 6 (1) (c) GDPR (legal obligations, e.g. commercial and tax retention obligations).

Account and contract data is retained for the duration of the business relationship and beyond within the statutory retention periods (typically 6 to 10 years under German Commercial Code / Tax Code).

We host our application data and file uploads with Supabase, Inc. (USA) on infrastructure operated in an EU region for our project.

Hosting region: EU (Irland · eu-west-1). Data is processed exclusively within this region.

A data-processing agreement under Art. 28 GDPR is in place with Supabase. Despite the EU region, there may be cases of access by the US parent company; corresponding safeguards (standard contractual clauses, technical measures) are contractually agreed.

Payment processing is handled by Stripe Payments Europe Ltd. (Ireland) or the responsible Stripe group entity. When you select a payment method, the data required for processing (name, billing address, payment instrument data) is transmitted to Stripe.

In individual cases Stripe may transfer data to its US parent. Stripe is certified under the EU-US Data Privacy Framework; standard contractual clauses also apply.

We ourselves do not store full payment data (e.g. credit-card numbers). From Stripe we only receive billing metadata (payment status, invoice receipt ID).

Stripe privacy notice: https://stripe.com/de/privacy.

To create the ad creatives we engage specialised AI providers. Content required to fulfil the order (briefing text, brand assets, product imagery) is transmitted to the respective services.

• Anthropic PBC, USA — Language model (Claude) for briefing analysis, copywriting and compliance review.
• Higgsfield AI, USA — Image and motion-image generation for ad visuals.
• Sync Labs (sync.so), USA — Lip-sync for voice-over videos.
• ElevenLabs Inc., USA — Text-to-speech generation for voice-over tracks.
• OpenAI, USA — Additional language and image models for selected pipeline steps.
• Google LLC, USA — Generative image and model features (e.g. Gemini) for selected pipeline steps.

All providers named above are based in the USA. The transfer takes place on the basis of the EU-US Data Privacy Framework (where certified) and/or standard contractual clauses under Art. 46 GDPR. A data-processing agreement under Art. 28 GDPR is in place with — or will be concluded before going live with — each provider.

We rely on each provider's published data-processing agreement (Art. 28 GDPR) as part of their standard terms of service. The full list of subprocessor DPAs and certifications is available on request to info@propaganda-solutions.com.

To improve the product and user experience we use PostHog. We collect, among other things, visited pages, triggered events, device and browser information and a pseudonymized identifier.

Legal basis is Art. 6 (1) (a) GDPR in conjunction with § 25 (1) TTDSG (consent through the cookie banner). Without consent no collection beyond what is technically necessary takes place.

Hosting region: EU (Frankfurt · eu.i.posthog.com).

PostHog's standard retention applies. Pseudonymized profiles can be deleted on request.

We use Google Tag Manager (Google Ireland Ltd.) for the central management of tracking tags. Tag Manager itself does not collect personal data but enables the embedding of further services.

Status: Tag Manager and Google Analytics 4 are wired in the codebase but are not active in production at this time. Once activated, the GTM container ID, GA4 property ID, the cookie list (e.g. _ga, _gid) and the retention periods will be disclosed here.

Legal basis for non-essential tags is Art. 6 (1) (a) GDPR in conjunction with § 25 (1) TTDSG. Tags are only fired after consent has been granted through the cookie banner.

Transactional emails (confirmations, status updates, invoices) are sent via Resend (Resend Inc., USA).

Legal basis for transactional emails is Art. 6 (1) (b) GDPR (contract performance).

Promotional emails are sent only to recipients who have expressly consented (Art. 6 (1) (a) GDPR). Consent can be withdrawn at any time, e.g. via the unsubscribe link in every email.

Detailed information on the cookies in use, retention periods and opt-out options is available in our cookie policy.

We transfer personal data to third countries (in particular the USA) where this is necessary to provide the services described above.

Where no adequacy decision of the European Commission applies, we base the transfer on standard contractual clauses under Art. 46 (2) (c) GDPR and supplementary technical and organisational measures.

For providers certified under the EU-US Data Privacy Framework (DPF), the DPF certification serves as the legal basis for the transfer to the USA.

Personal data is retained only as long as necessary for the respective purposes or as required by statutory retention periods.

• Customer data: duration of the business relationship plus statutory retention periods (typically 6 to 10 years).
• Order-related content (uploads, ad output): until deleted by the Customer or at the latest 36 months after the last login, unless extended on request.
• Server log files: maximum 30 days.
• Invoicing and accounting documents: 10 years (§ 147 German Tax Code).
• Analytics data: 12 months or per the provider's defaults, then pseudonymized / aggregated.

As a data subject you are entitled to the following rights under the GDPR:

• Access (Art. 15 GDPR) — You may request information on which personal data we process about you.
• Rectification (Art. 16 GDPR) — You may request the correction of inaccurate or the completion of incomplete data.
• Erasure (Art. 17 GDPR) — You may request the deletion of your data insofar as no retention obligations apply.
• Restriction of processing (Art. 18 GDPR) — You may request restriction of processing where the conditions are met.
• Data portability (Art. 20 GDPR) — You may request the transfer of data you have provided in a structured, common, machine-readable format.
• Objection (Art. 21 GDPR) — You may object to processing based on legitimate interests.
• Withdrawal of consent (Art. 7 (3) GDPR) — You may withdraw any consent given at any time with effect for the future.
• Complaint (Art. 77 GDPR) — You have the right to lodge a complaint with a data protection supervisory authority — typically the one responsible for your place of residence or the one responsible for us.

To exercise your rights an informal email to info@propaganda-solutions.com is sufficient. We respond within the statutory deadlines, generally within 30 days.

The supervisory authority competent for us follows from our place of business:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin
https://www.datenschutz-berlin.de

Data transmitted between your browser and our servers is encrypted via TLS (HTTPS).

At server level, data in the database and file storage is encrypted at rest in accordance with the standards of our hosting provider.

Access to personal data is limited to what is technically and organisationally necessary and is logged.

Automated processes (AI-supported content generation) are used as part of order fulfilment. These processes do not produce legal or similarly significant effects vis-à-vis the Customer within the meaning of Art. 22 GDPR.

The Customer retains at all times the ability to review, change or discard results manually.

The Service is directed at businesses and adult users. We do not knowingly collect data from persons under 16 years of age.

We adjust this privacy policy when the legal situation, our processes or the services we use change. The current version is always available on this page.