Privacy Policy for svgapp.ai
Last updated: August 23, 2025
Effective date: August 23, 2025
Controller: Felix Mennen, Ostlandring 59, 31303 Burgdorf, Germany
Email: felix@svgapp.ai
This Privacy Policy explains how we (the “Controller”, “we”, “us”, “our”) process personal data when you visit svgapp.ai or use our services to generate and vectorize images.
We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable laws.
1) Who we are (Controller) & Contact
- Controller: Felix Mennen
Address: Ostlandring 59, 31303 Burgdorf, Germany
Email: felix@svgapp.ai - Data Protection Officer: Not required by law for our current processing activities. You can contact us at the email above for any privacy questions.
Supervisory authority (right to lodge a complaint):
Der Landesbeauftragte für den Datenschutz Niedersachsen, Prinzenstraße 5, 30159 Hannover, Germany; Tel. +49 511 120-4500; Email: poststelle@lfd.niedersachsen.de. (lfd.niedersachsen.de, BfDI)
2) Scope
This policy covers:
- Visits to svgapp.ai (the “Website”).
- Use of our web application to generate images via fal.ai and to vectorize images via vectorizer.ai.
- Our backend hosted on Convex Cloud, and our frontend/content delivery and security services provided via Cloudflare.
- Payments and subscriptions processed via Polar.sh.
3) Categories of data we process
A) When you visit our Website
- Technical usage data: IP address, date/time, request/response headers, user agent, referrer, URL, basic device data, error logs.
Sources: your browser, our servers/CDN.
B) When you create or process content
- Prompt & content data: text prompts, uploaded images, generated images, vectorized outputs, job IDs, configuration parameters (e.g., model, size, palette settings), timestamps.
- Account data (if accounts are offered): email address, password hash or identity provider identifier, session tokens, basic profile, support messages.
- Operational metadata: internal IDs, status codes, performance metrics, fraud/security signals, and limited analytics on feature usage.
C) Communications
- Support and contact data: email content, attachments, and metadata when you contact us.
D) Billing and payments
- Billing and transaction data: billing contact details, billing address, tax/VAT IDs (if provided), transaction metadata, subscription status/plan, and payment method type as exposed by the payment provider. We do not receive or store full card numbers or CVV codes.
- Provider identifiers and documents: payment identifiers, receipts/invoices and related records from Polar.sh needed for payment processing, fraud prevention, and compliance.
We do not intentionally collect special categories of personal data (Art. 9 GDPR). Please avoid uploading such data.
4) Purposes and legal bases
| Purpose | Examples | Legal basis |
|---|---|---|
| Provide and operate the service | Process prompts, generate images, vectorize uploads, deliver outputs | Art. 6(1)(b) GDPR (contract) |
| Payments and billing | Process payments, manage subscriptions, invoicing, and tax/VAT calculation | Art. 6(1)(b) and (c) GDPR |
| Secure and deliver the Website & app | CDN, DDoS protection, rate limiting, bug/error logging | Art. 6(1)(f) GDPR (legitimate interests: security, availability, performance) |
| Improve and maintain | Troubleshooting, quality assurance, product development (in a privacy-respecting manner) | Art. 6(1)(f) GDPR |
| Communicate with you | Support responses, service notices | Art. 6(1)(b) and/or (f) GDPR |
| Comply with law | Record keeping, responding to lawful requests | Art. 6(1)(c) GDPR |
| Optional features (if any) | Marketing emails, non-essential cookies | Art. 6(1)(a) GDPR (consent; you may withdraw at any time) |
No decisions with legal or similarly significant effects are made solely by automated means (Art. 22 GDPR).
5) Cookies and similar technologies
We use essential cookies and comparable technologies to operate the site (e.g., session cookies, security cookies). If we introduce non-essential cookies (e.g., analytics/marketing), we will ask for your consent via a consent banner; you can withdraw consent at any time in the cookie settings.
6) Recipients and processors
We rely on carefully selected processors (Art. 28 GDPR). They process data only on our documented instructions and under a data processing agreement (DPA). Key processors:
- Cloudflare, Inc. – CDN, security (WAF/DDoS), DNS, edge caching (front-end delivery and security). Cloudflare participates in the EU-U.S. Data Privacy Framework and also offers SCCs/DPA for transfers. (Cloudflare, Data Privacy Framework, Cloudflare)
- Convex, Inc. (Convex Cloud) – managed backend/database, API hosting. (Convex provides compliance information and privacy documentation.) (Convex)
- fal – Features & Labels Inc. (fal.ai) – AI model APIs for image generation (processing of prompts, images, generated outputs as needed to provide the service). (Fal.ai)
- Cedar Lake Ventures, Inc. (vectorizer.ai) – vectorization API (processing of uploaded images and returning vectorized outputs). (Vectorizer.ai)
- Polar.sh – payment processing and subscription billing (processing of billing information and transaction metadata; acts as Merchant of Record). (Polar.sh)
- PostHog, Inc. – product analytics (privacy-respecting event collection; no third-party advertising; we configure PostHog to minimize personal data and honor consent where required). Transfers are safeguarded via SCCs/DPF as applicable and regional hosting options. (PostHog)
We may also engage standard ancillary service providers for email delivery, error monitoring, and backups under DPAs.
7) International data transfers
Some processors are located in, or process data from, third countries (notably the United States). Where such transfers occur, we use appropriate safeguards under Arts. 44–49 GDPR, including Standard Contractual Clauses (SCCs) and, where applicable, provider participation in recognized frameworks (e.g., Cloudflare’s DPF certification). Additional technical/organizational measures are applied as appropriate. (Cloudflare, Data Privacy Framework, Cloudflare)
8) Retention
We retain personal data only as long as necessary for the purposes above:
- Technical logs (Website/): retained for a short operational period (typically up to 30 days) unless needed longer for security/incident analysis.
- Prompt/uploads/outputs & job metadata: retained to provide the service (e.g., to view/regenerate/vectorize), and deleted or anonymized when no longer needed.
- Account & support records: for the life of the account plus customary limitation periods or as required by law.
- Billing and transaction records: retained for statutory commercial/tax retention periods (e.g., up to 10 years, jurisdiction-dependent).
- Backups: stored securely and purged on rolling cycles.
If statutory retention periods apply (e.g., for commercial/tax records), we retain relevant records for the legally required duration and restrict processing during that time.
Note on subprocessors’ retention: Our contracts require processors to delete or return data after the end of processing or upon our instruction, subject to legal obligations. For details on processor practices, consult their privacy documentation (e.g., fal.ai privacy policy; Vectorizer’s privacy policy). (Fal.ai, Vectorizer.ai)
9) Your rights (EU/EEA)
You have the following rights under Arts. 15–22 GDPR:
- Access to your personal data.
- Rectification of inaccurate data.
- Erasure (“right to be forgotten”), where applicable.
- Restriction of processing.
- Data portability (to another controller, where technically feasible).
- Object to processing based on legitimate interests (Art. 21 GDPR).
- Withdraw consent at any time for processing based on consent (without affecting prior lawful processing).
To exercise these rights, contact felix@svgapp.ai. You also have the right to lodge a complaint with the supervisory authority named in Section 1. (lfd.niedersachsen.de)
10) Children’s data
Our services are not directed to children. We do not knowingly process personal data of children under 16 without appropriate consent and safeguards.
11) Security
We implement appropriate technical and organizational measures to protect personal data (e.g., TLS in transit; access controls; least-privilege; logging; encryption where appropriate). We also rely on our processors’ certified security controls (e.g., Cloudflare network security, Convex platform safeguards). (Convex, Cloudflare)
12) Do we use your data to train models?
- Your prompts, uploads, and outputs may be used for training models.
- Our processors (fal.ai, vectorizer.ai) process your content solely to provide the requested functionality under our instructions and agreements. Please review their published privacy information for details of their processing practices. (Fal.ai, Vectorizer.ai)
13) Disclosures
We may disclose data to courts, law enforcement, or authorities where legally required (Art. 6(1)(c) GDPR), and to professional advisors (Art. 6(1)(f) GDPR). In case of corporate transactions, data may be transferred to involved parties subject to confidentiality and data protection safeguards.
14) Changes to this Policy
We may update this Policy to reflect changes in law or our services. The current version is shown at the top. Material changes will be communicated appropriately.
15) Contact
For any request or concern regarding privacy, please contact: felix@svgapp.ai
Postal: Felix Mennen, Ostlandring 59, 31303 Burgdorf, Germany
Annex: Overview of key processors
| Processor | Role | Typical data | Location/transfer basis |
|---|---|---|---|
| Cloudflare, Inc. | CDN, security, DNS | IP, request metadata, security signals | Global; transfers safeguarded via DPF and/or SCCs/DPA. (Cloudflare, Data Privacy Framework, Cloudflare) |
| Convex, Inc. | Backend platform (DB/API) | Any data stored within our service | Primarily U.S.; contractual safeguards/DPAs apply. (Convex) |
| fal – Features & Labels Inc. | Image generation API | Prompts, images, generation outputs/parameters | U.S.; contractual safeguards/SCCs; see privacy page. (Fal.ai) |
| Cedar Lake Ventures, Inc. (vectorizer.ai) | Vectorization API | Uploaded images, vectorization outputs/parameters | U.S.; contractual safeguards/SCCs; see privacy page. (Vectorizer.ai) |
| Polar.sh | Payments and billing | Billing contact details, transaction metadata, receipts/invoices | US; transfers safeguarded via SCCs/DPF as applicable. (Polar.sh) |
| PostHog, Inc. | Product analytics | Pseudonymous usage events (pages, clicks, feature usage), device/browser metadata; IP truncated or anonymized where configured | EU or US region; transfers safeguarded via SCCs/DPF as applicable. (PostHog) |