Privacy Policy

The controller responsible for the processing of your personal data under the GDPR is:

2.1 When Visiting Our Website

When you access our website, your browser automatically transmits technical information to our servers, which is stored temporarily:

• IP address of the requesting device
• Date and time of access
• URLs accessed and volume of data transferred
• Referrer URL
• Browser type, operating system, and language

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operational security). Log files are automatically deleted after 30 days.

2.2 Registration and Account Use

• Email address (mandatory)
• Password (stored encrypted, not in plain text)
• First and last name (optional)
• Company name and industry (optional)
• Profile picture (optional)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

2.3 AI Generation and Platform Use

• Text prompts and inputs: Your instructions for AI generation
• Uploaded reference files: Images, logos, fonts, audio files
• Generated content: Images, videos, audio, and other AI outputs
• Brand assets: Logos, colors, typography you save in the Studio
• Usage history: Generations, projects, favorites, credit consumption
• Payment data: Subscription status, billing information (no credit card data)

Important: Your uploaded and generated content is accessible only to you. We do not use your content to train our own AI models. Legal basis: Art. 6(1)(b) GDPR.

2.4 Instagram and Meta Integration

freycreate offers Instagram automation (Comment-to-DM funnel and DM auto-responder) on the freycreate operators' own Instagram Business accounts. If, as a third-party user, you message a freycreate-linked account on Instagram or comment on a post there, the following data is processed in accordance with the principles set out below:

Data Minimization Principles

• No full-text storage: The content of incoming direct messages (DMs) is processed exclusively in volatile memory to generate an automated reply, and discarded immediately afterwards. There is no persistent storage of the full DM text in our database.
• Metadata only: Only metadata is stored in our database — specifically the Meta-internal sender ID, timestamps, event type ("message" / "comment"), keyword rule match (e.g., "tier_beta"), and the success status of the outgoing reply. No profile pictures, phone numbers, email addresses, or similar personal data are stored.
• Comment text: For Instagram comments, a keyword analysis of the comment text is performed solely for tier classification; the full text is not persisted either — only the comment ID and media reference for reply delivery.
• Retention period: The above metadata is automatically deleted after a maximum of 30 days via TTL index. No retention beyond that takes place.
• No cold outreach: freycreate only sends replies within the official Meta 24-hour reply window or as a direct response to a public comment under one of our own posts. No unsolicited messages are sent to users who have not contacted us themselves.

Purpose of processing: Automated replies to third-party user interactions (DMs, comments on ads / posts) with relevant onboarding links, as well as conversion tracking (anonymized via Meta IDs) for funnel optimization.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in an automated, timely initial response to contact initiated by users themselves. Data processing is limited to the absolute minimum (anonymous sender ID + success metadata); no full-text processing of message content takes place.

Data deletion & access: You can request deletion of your meta data (sender ID + funnel metadata) at any time. Since no message full-text is stored, the deletion request is technically limited to the funnel lead entries associated with the sender ID. Requests to: [email protected] or via the Data Deletion endpoint. Via the official Instagram Privacy Center, you can also end the connection to freycreate at any time — we will then no longer receive any webhook events on your part.

Technical safeguards: Incoming webhook requests are cryptographically verified via X-Hub-Signature-256 HMAC-SHA256 (shared key with Meta), rate-limited to 100 requests/minute per IP, and transmitted exclusively over HTTPS with an up-to-date TLS certificate.

Note: freycreate uses the official Meta Graph API. The privacy policies of Meta Platforms Ireland Ltd. additionally apply: facebook.com/privacy/policy

To provide our services, we transmit your inputs (text prompts, reference images) to the AI providers listed below. The legal basis for transfers to third countries is Art. 46(2)(c) GDPR (Standard Contractual Clauses, SCCs) unless otherwise stated.

Providers in Germany / EU (no third-country transfer)

Providers in the USA (SCCs in place)

Providers based in China – Notice on Third-Country Transfer

Infrastructure and Data Storage

5. Cookies and Tracking

We use only technically necessary cookies (session cookies for authentication). Currently, no tracking, analytics, or marketing cookies are used. Should this change, you will be informed in advance via a cookie consent banner and may grant or refuse your consent.

6. Your Rights

Under the GDPR, you have the following rights:

To delete your data please use our deletion form.

To exercise your other rights, please contact: [email protected] – we will respond within 30 days.

Competent supervisory authority: State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI BW), Lautenschlagerstraße 20, 70173 Stuttgart, www.baden-wuerttemberg.datenschutz.de

7. Retention Period

8. Data Security

We implement technical and organizational security measures:

• TLS/SSL encryption for all data transmissions (HTTPS)
• Encrypted password storage (bcrypt hashing)
• Cookie-based session authentication (no localStorage for tokens)
• Data stored exclusively in EU data centers (Supabase EU West-1, MongoDB EU)
• Access control on a least-privilege basis
• Regular security updates of the infrastructure
• Separate database instances per user

9. Account Deletion and Data Export

9.1 Account Deletion

You may delete your account at any time via your account settings. After deletion:

• Immediately: Your account is deactivated and all sessions become invalid
• 30-day grace period: Your data is retained for 30 days (recovery period)
• After 30 days: Permanent, irreversible deletion of all personal data

Technical implementation: Deletion is performed automatically by MongoDB TTL indexes and daily cleanup jobs. Payment data is archived in accordance with statutory retention obligations (10 years).

9.2 Data Export

For a data export (access pursuant to Art. 20 GDPR), please contact: [email protected] – you will receive your data within 30 days in machine-readable JSON format.

10. Children and Minors

freycreate is intended exclusively for persons aged 18 or older, or for businesses. We do not knowingly collect personal data from minors. Should such data be reported to us, we will delete it without undue delay.

12. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy to reflect changes to our services or legal requirements. Material changes will be communicated to you by email or upon your next login. The date of the most recent change is always shown at the top.