Back to homepage

Privacy Policy

The legally binding version of this document is the German original.

GDPR-Compliant

All data on EU servers

Encrypted

SSL/TLS encryption

Transparency

Information available at any time

Deletion

Upon request at any time

Last updated: February 2026

1. Privacy at a glance

General information

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data by which you can be personally identified.

Responsible party

Crelvo
Konrad Reyhe
c/o MDC Management#6099
Welserstraße 3
87463 Dietmannsried
Deutschland

Email: kreyhe@yahoo.com

2. What data do we collect?

Email addresses

We store your email address when you place an order in order to inform you about the status of your headshots and to provide the finished photos.

Legal basis: Contract performance pursuant to Art. 6(1)(b) GDPR
Retention period: For the duration of the storage period of your photos (30–90 days depending on package)

Uploaded photos (biometric data)

When you upload selfies, these photos are processed to train an AI model that learns your facial features. Photos of faces may be classified as biometric data pursuant to Art. 9 GDPR.

Legal basis: Explicit consent pursuant to Art. 9(2)(a) GDPR (by uploading photos and confirming the order)
Retention period: Uploaded photos are automatically deleted after 7 days. Generated headshots are deleted after 30–90 days (depending on package).
Storage location: Supabase (EU servers, PostgreSQL database)
Security: Photos are re-encoded via Sharp (EXIF data removed) and stored in private buckets with signed URLs.

AI processing (Replicate)

For AI processing we use the service Replicate (Replicate, Inc., USA). Your photos are transmitted to Replicate to train a personalised AI model and generate headshots.

Legal basis: Contract performance pursuant to Art. 6(1)(b) GDPR; consent for biometric data pursuant to Art. 9(2)(a) GDPR
Data transfer to USA: On the basis of Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR
Deletion: Trained AI models are deleted from Replicate after generation is complete.

Payment processing (Stripe)

Payment processing is handled by Stripe (Stripe, Inc., USA). We do not store credit card data. All payment data is processed directly by Stripe.

Legal basis: Contract performance pursuant to Art. 6(1)(b) GDPR
Data transfer to USA: On the basis of Standard Contractual Clauses (SCC)
Stripe privacy policy: stripe.com/de/privacy

Server log files

The provider of these pages (Hetzner) automatically collects and stores information in server log files that your browser transmits automatically. These are:

  • Browser type and browser version
  • Operating system used
  • Referrer URL
  • Hostname of the accessing computer
  • Time of server request
  • IP address (anonymised)

This data is not merged with other data sources. The collection of this data is based on Art. 6(1)(f) GDPR to ensure the trouble-free operation and improvement of our service.

3. Analytics (Umami)

We use Umami Analytics, a privacy-friendly web analysis service that is fully GDPR-compliant.

Benefits of Umami:

  • Server location: EU (full GDPR compliance)
  • No cookies required
  • No cross-site tracking
  • No personal data stored
  • Aggregated statistics only (page views, device types)
  • IP addresses are not stored

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the statistical analysis of user behaviour)

More information: https://umami.is/privacy

4. Your rights

You have the right at any time to:

  • 1
    Right of access (Art. 15 GDPR)

    Obtain information about your stored data

  • 2
    Right to rectification (Art. 16 GDPR)

    Request correction of inaccurate data

  • 3
    Right to erasure (Art. 17 GDPR)

    Request deletion of your stored data

  • 4
    Right to restriction (Art. 18 GDPR)

    Request restriction of the processing of your data

  • 5
    Right to object (Art. 21 GDPR)

    Object to the processing of your data

  • 6
    Right to data portability (Art. 20 GDPR)

    Request transfer of your data to you or a third party

  • 7
    Right of withdrawal (Art. 7(3) GDPR)

    Withdraw your consent at any time

  • 8
    Right to lodge a complaint (Art. 77 GDPR)

    Lodge a complaint with a supervisory authority

Contact for data protection enquiries:

Email: kreyhe@yahoo.com
We respond within 48 hours.

5. Cookies

This website does not use tracking cookies. Umami Analytics works entirely without cookies.

Only technically necessary cookies may be used (e.g. session cookies after login). These are required for the functionality of the website and are automatically deleted at the end of your browser session.

6. Security

We use SSL/TLS encryption for the secure transmission of your data. You can recognise an encrypted connection by the padlock symbol in your browser address bar.

Our security measures:

  • SSL/TLS encryption (HTTPS)
  • Secure password hashing (after launch)
  • Regular security updates
  • Access control and logging
  • Data minimisation (only necessary data)

7. Supervisory authority

You have the right to lodge a complaint with the competent data protection supervisory authority:

Saxon Data Protection Commissioner (Sächsischer Datenschutzbeauftragter)
Devrientstraße 1, 01067 Dresden, Germany

Phone: +49 351 85471-101
Email: saechsdsb@slt.sachsen.de
Web: www.saechsdsb.de

8. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy to ensure it always meets current legal requirements or to reflect changes to our services. The updated Privacy Policy will apply to your next visit.

Last updated: February 2026