Privacy Policy
Personal data processing policy under GDPR (Regulation 2016/679). Draft version — to be replaced by an iubenda-generated document.
Version: 2026-04-19-draft
Data controller
Data controller is the operator of fake.me (registered details to be filled after business registration). Contact: kontakt@fake.me.
Scope of processed data
- Customer email (order fulfillment, communication)
- Order data (tier, price, Stripe session id, IP and user-agent at time of consent)
- Reference photos (biometric data — GDPR Art. 9, basis: explicit consent)
- Brief, styling preset, destination
- IG / social handle (optional)
Legal basis
- Art. 6(1)(b) GDPR — contract performance (order, delivery, complaints)
- Art. 6(1)(c) GDPR — accounting and tax obligations (5 years, Polish accounting act)
- Art. 9(2)(a) GDPR — explicit consent for biometric data (reference photos)
- Art. 6(1)(f) GDPR — legitimate interest (moderation, abuse prevention)
Retention period
- Reference photos: 30 days after order delivery (auto-deletion)
- Character Bible (AI model parameters): 90 days after delivery, then deleted
- Order data and accounting documents: 5 years (statutory)
- Access logs and technical logs: 12 months
Data recipients
Data is shared only with processors essential to service delivery: Stripe (payments), Resend (transactional email), Uploadthing (reference photo hosting), Vercel (app hosting), Supabase (database). All processors are GDPR-compliant and bound by DPAs.
Transfers outside the EEA
Some processors (Stripe, Resend) have US servers. Transfer occurs under Standard Contractual Clauses (SCCs) and the Data Privacy Framework.
Your rights
- Right of access (kontakt@fake.me)
- Rectification
- Erasure ("right to be forgotten") — via /api/privacy/delete or email
- Restriction of processing
- Data portability (JSON export)
- Objection to processing based on legitimate interest
- Withdrawal of consent at any time (does not affect prior processing)
- Complaint to the competent data protection authority
Security
Data in transit and at rest is encrypted (TLS 1.3 in transit, AES-256 at rest via infrastructure providers). Access to customer personal data is restricted to the operator. Audit logs of administrative actions are retained.
Profiling and automated decisions
We do not use profiling or automated decision-making within the meaning of GDPR Art. 22. Brief moderation (keyword filter) is a preliminary screen only — every flagged brief is reviewed by a human operator.