Privacy Policy
Personal data processing policy under GDPR (Regulation 2016/679), reflecting EU AI Act (Regulation 2024/1689) requirements for AI-generated content and the ePrivacy Directive 2002/58/EC.
Version: 1.0
Data controller
Data controller is the operator of fakesme (registered details to be filled after business registration). Contact: kontakt@fakesme.com.
Scope of processed data
- Customer email (order fulfillment, communication)
- Order data (tier, price, Stripe session id, IP and user-agent at time of consent)
- Reference photos (biometric data — GDPR Art. 9, basis: explicit consent)
- Brief, styling preset, destination
- IG / social handle (optional)
Legal basis
- Art. 6(1)(b) GDPR — contract performance (order, delivery, complaints)
- Art. 6(1)(c) GDPR — accounting and tax obligations (5 years, Polish accounting act)
- Art. 9(2)(a) GDPR — explicit consent for biometric data (reference photos)
- Art. 6(1)(f) GDPR — legitimate interest (moderation, abuse prevention)
Retention period
- Reference photos: 30 days after order delivery (auto-deletion)
- Character Bible (AI model parameters): 90 days after delivery, then deleted
- Order data and accounting documents: 5 years (statutory)
- Access logs and technical logs: 12 months
Data recipients
Data is shared only with processors essential to service delivery: Stripe (payments), Resend (transactional email), Uploadthing (reference photo hosting), Vercel (app hosting), Supabase (database). All processors are GDPR-compliant and bound by DPAs.
Data processing agreements (DPA) — public links
- Stripe — https://stripe.com/legal/dpa
- Resend — https://resend.com/legal/dpa
- Uploadthing — https://uploadthing.com/legal/dpa
- Vercel — https://vercel.com/legal/dpa
- Supabase — https://supabase.com/legal/dpa
Transfers outside the EEA
Some processors (Stripe, Resend) have US servers. Transfer occurs under Standard Contractual Clauses (SCCs of June 2021) and the EU-US Data Privacy Framework (Commission decision 2023/1795 of 10.07.2023). Providers hold DPF certification (verify at dataprivacyframework.gov).
Your rights
- Right of access (kontakt@fakesme.com)
- Rectification
- Erasure ("right to be forgotten") — via /api/privacy/delete or email
- Restriction of processing
- Data portability (JSON export)
- Objection to processing based on legitimate interest
- Withdrawal of consent at any time (does not affect prior processing)
- Complaint to the competent data protection authority
Security
Data in transit and at rest is encrypted (TLS 1.3 in transit, AES-256 at rest via infrastructure providers). Access to customer personal data is restricted to the operator. Audit logs of administrative actions are retained.
Profiling and automated decisions
We do not use profiling or automated decision-making within the meaning of GDPR Art. 22. Brief moderation (keyword filter) is a preliminary screen only — every flagged brief is reviewed by a human operator.