Privacy Policy

Last updated: January 5, 2026

1. Controller

The controller responsible for the processing of personal data in connection with On-Brand AI is:

MADEFUL GmbH
Lychener Str. 11
10437 Berlin, Germany

Commercial Register: HRB 261207
Registration Court: Charlottenburg (Berlin)

Privacy inquiries: privacy[at]madeful.de

We have not appointed a Data Protection Officer, as we are not required to do so under applicable law.

2. Scope and Purpose of this Policy

This Privacy Policy describes how MADEFUL GmbH collects, processes, and stores personal data in connection with the On-Brand AI platform ("Platform"), a business-to-business (B2B) SaaS application for AI-powered brand communication.

The Platform is intended exclusively for use by business customers (companies, agencies, and professional teams). Individual consumer use is not offered. Accordingly, the users whose personal data is processed under this Policy are primarily employees or representatives of our business clients.

By accessing or using the Platform, you acknowledge this Policy. If you use the Platform on behalf of a company, you represent that you have authority to bind that company.

3. Data We Collect and Why

3.1 Account Registration

When a user account is created, we process:

  • Full name
  • Business email address
  • Company name

Purpose: Providing and managing access to the Platform; user authentication; communication regarding the contractual relationship.

3.2 Authentication Data

We use a passwordless authentication method (magic link via email). When you log in, a time-limited, single-use authentication link is sent to your registered email address. We process:

  • Email address (to send the magic link)
  • Session token (stored as a secure, httpOnly cookie in your browser after successful login — see Section 7)

No passwords are stored on our systems.

3.3 Brand Assets

Users may upload brand assets to configure the Platform for their organisation's brand, including:

  • Logos and images
  • Colour values and brand colours

These assets are stored to enable the core functionality of the Platform (brand-consistent AI content generation). They are not used for any other purpose, including AI model training.

3.4 AI-Generated Content

The Platform generates content (images, text, and other media) based on brand assets and user inputs. The resulting outputs ("generated content") are stored in your account to allow retrieval and reuse within the Platform.

We do not retain the prompts or instructions you send to AI models — only the generated outputs are stored.

3.5 Support Communications

If you contact us for support via email, we process:

  • Your name and email address
  • The content of your inquiry

This data is used solely to respond to and resolve your inquiry.

3.6 Credit and Usage Data

We track the number of AI credits consumed per user and per organisation account. This data is used exclusively for:

  • Displaying usage to the account holder
  • Enforcing plan limits

We do not create detailed behavioural profiles or use this data for advertising or analytics purposes.

5. Sub-processors and Third-Party Services

To deliver the Platform, we engage third-party service providers (sub-processors) that may process personal data on our behalf. We have entered into data processing agreements with our sub-processors where required by the GDPR.

5.1 Hosting and Infrastructure

  • Hetzner Online GmbH (Germany): Server infrastructure and application hosting. All application data is stored on servers located in Germany.

5.2 Database

  • Supabase (Supabase Inc., via AWS eu-west-1, Ireland): Cloud database, authentication services, and file storage. Supabase operates within the European Economic Area (EEA). A Data Processing Agreement is in place.

5.3 AI Model Providers

The Platform routes AI generation requests (images, video, text, and other media) through third-party AI APIs. These services are accessed exclusively via API calls; we do not maintain a permanent relationship with a fixed set of providers, as the AI landscape evolves rapidly.

Current AI infrastructure is routed through:

  • OpenRouter Inc. (USA): An API gateway that routes requests to various underlying AI models. OpenRouter may process prompt-related metadata and API request data. We have taken contractual steps with OpenRouter to limit data processing; however, as with all third-party AI APIs, we cannot independently verify the internal data handling practices of each underlying model provider.
  • Other AI model providers (USA and internationally): Depending on the feature used, generation requests may be processed by other AI API providers. These providers are located primarily in the United States.

Important notice regarding AI providers: While MADEFUL GmbH selects AI providers that represent their services as not training on customer data, we cannot guarantee or independently audit the data practices of each underlying AI model provider. We strongly advise users not to submit personal data, sensitive information, or confidential data as part of AI generation requests. The Platform is designed for brand communication content using publicly available brand assets.

Users are solely responsible for ensuring that any content they upload or use as input to AI generation features does not contain personal data of third parties or other sensitive or confidential information.

6. International Data Transfers

Our core infrastructure (application hosting and database) is located within Germany and the European Economic Area (EEA). Personal data processed through Hetzner and Supabase therefore remains within the EEA.

AI model providers (including OpenRouter and other API providers) are primarily located in the United States. Transfers of data to these providers are made on the basis of:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission, where a DPA is in place with the provider; or
  • An adequacy decision or other appropriate safeguard under Article 46 GDPR.

Transfers to AI API providers in the United States are made on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission. Data Processing Agreements (DPAs) including SCCs have been concluded with the relevant providers where required.

7. Cookies and Session Tokens

The Platform uses only technically necessary cookies and tokens. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

7.1 Session Token (Authentication Cookie)

After you authenticate via magic link, a session token is stored in your browser as a secure, httpOnly cookie. This token is strictly necessary to maintain your authenticated session within the Platform.

  • Type: First-party, httpOnly, Secure
  • Purpose: Session management / authentication
  • Duration: Valid for the duration of your session; refreshed automatically while you are active
  • Legal basis: Art. 6(1)(b) GDPR (necessary to provide the service)

No consent is required for technically necessary cookies under applicable law.

Because the Platform uses only technically necessary cookies, no cookie consent banner is required. If we introduce any non-essential cookies or tracking in the future, this Policy will be updated and a consent mechanism will be implemented.

8. AI-Specific Processing

8.1 No Training on Customer Data

MADEFUL GmbH does not use your brand assets, uploaded content, or generated content to train, fine-tune, or improve any AI model operated by MADEFUL GmbH.

With respect to third-party AI model providers (see Section 5.3), we select providers whose terms of service represent that they do not train on customer API inputs. However, as noted in Section 5.3, we cannot independently verify or guarantee the practices of each underlying model provider. Users are advised accordingly.

8.2 No Automated Decision-Making

The Platform does not engage in automated decision-making within the meaning of Article 22 GDPR that produces legal effects or similarly significant impacts on individuals.

8.3 Prompts and Generated Outputs

Prompts and instructions entered by users to generate content are transmitted to AI model providers via API and are not persistently stored by MADEFUL GmbH. Only the resulting generated outputs (e.g., images or text) are stored in your account for retrieval.

8.4 User Responsibility for Input Content

Users are responsible for ensuring that inputs to AI generation features comply with applicable law and do not contain personal data of third parties, sensitive data (as defined by Art. 9 GDPR), confidential business information, or intellectual property belonging to others. The Platform is intended for use with publicly available brand communication materials.

9. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Policy or as required by law.

  • Account data (name, email, company): Retained for the duration of the active account. Following account termination or deletion, account data is deleted within 30 days, unless a longer retention period is required by law.
  • Brand assets: Retained for the duration of the account. Deleted promptly upon account deletion.
  • AI-generated content: Retained for the duration of the account. Upon account deletion, all generated content is permanently deleted. Users are solely responsible for downloading and backing up any generated content they wish to retain before account deletion.
  • Support communications: Retained for up to 3 years following resolution of the inquiry, based on our legitimate interest in maintaining records of support interactions.
  • Usage and credit data: Retained for the duration of the account and for up to 12 months following account deletion, for accounting and dispute resolution purposes.

10. Your Rights as a Data Subject

Under the GDPR, you have the following rights with respect to your personal data:

  • Right of access (Art. 15 GDPR): You may request confirmation of whether we process personal data about you and receive a copy of such data.
  • Right to rectification (Art. 16 GDPR): You may request correction of inaccurate personal data.
  • Right to erasure (Art. 17 GDPR): You may request deletion of your personal data where the legal requirements are met.
  • Right to restriction of processing (Art. 18 GDPR): You may request that processing of your personal data be restricted under certain circumstances.
  • Right to data portability (Art. 20 GDPR): You may request a copy of personal data you have provided to us in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21 GDPR): You may object to processing of your personal data based on legitimate interests (Art. 6(1)(f) GDPR).

To exercise any of these rights, please contact us at privacy[at]madeful.de. We will respond within 30 days of receiving your request. We may ask you to verify your identity before processing your request.

Currently, data access, export, and deletion requests are handled manually through our support team. You can initiate a request by emailing privacy[at]madeful.de with the subject line "Data Subject Request".

11. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or misuse. These include:

  • All data in transit is encrypted using TLS/HTTPS
  • Data at rest is encrypted at the infrastructure level (Supabase / Hetzner)
  • Passwordless authentication is used to eliminate credential-based attack vectors
  • Row-level security (RLS) is used in our database to ensure organisational data isolation
  • Access to production systems is restricted to authorised personnel

No method of electronic transmission or storage is 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required, inform affected individuals without undue delay.

12. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or service features. We will notify registered users of material changes by email and will update the "Last updated" date at the top of this Policy.

Continued use of the Platform after a material change takes effect constitutes acceptance of the updated Policy.

13. Contact

For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact us at:

MADEFUL GmbH
Lychener Str. 11, 10437 Berlin, Germany
privacy[at]madeful.de