Privacy Policy for svgapp.ai
Last updated: June 8, 2026
Effective date: June 8, 2026
Controller: Felix Mennen, Ostlandring 63, 31303 Burgdorf, Germany
Email: felix@svgapp.ai
This Privacy Policy explains how we (the “Controller”, “we”, “us”, “our”) process personal data when you visit svgapp.ai or use our services to generate and vectorize images.
We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable laws.
1) Who we are (Controller) & Contact
- Controller: Felix Mennen
Address: Ostlandring 63, 31303 Burgdorf, Germany
Email: felix@svgapp.ai - Data Protection Officer: Not required by law for our current processing activities. You can contact us at the email above for any privacy questions.
Supervisory authority (right to lodge a complaint):
Der Landesbeauftragte für den Datenschutz Niedersachsen, Prinzenstraße 5, 30159 Hannover, Germany; Tel. +49 511 120-4500; Email: poststelle@lfd.niedersachsen.de. (lfd.niedersachsen.de, BfDI)
2) Scope
This policy covers:
- Visits to svgapp.ai (the “Website”).
- Use of our web application to generate images via fal.ai and to vectorize images via vectorizer.ai.
- Our backend hosted on Convex Cloud, and our frontend/content delivery and security services provided via Cloudflare.
- Payments and subscriptions processed via Polar.sh.
3) Categories of data we process
A) When you visit our Website
- Technical usage data: IP address, date/time, request/response headers, user agent, referrer, URL, basic device data, error logs.
Sources: your browser, our servers/CDN. - Marketing attribution data: advertising click identifiers (for example
fbclid), Meta browser/click cookies (_fbp,_fbc), UTM parameters, landing page URL, referrer, timestamps, and browser user agent. We use this to understand whether a user came from an advertisement and to measure ad conversions.
B) When you create or process content
- Prompt & content data: text prompts, uploaded images, generated images, vectorized outputs, job IDs, configuration parameters (e.g., model, size, palette settings), timestamps.
- Account data (if accounts are offered): email address, password hash or identity provider identifier, session tokens, basic profile, support messages.
- Operational metadata: internal IDs, status codes, performance metrics, fraud/security signals, and limited analytics on feature usage.
C) Communications
- Support and contact data: email content, attachments, and metadata when you contact us.
D) Billing and payments
- Billing and transaction data: billing contact details, billing address, tax/VAT IDs (if provided), transaction metadata, subscription status/plan, and payment method type as exposed by the payment provider. We do not receive or store full card numbers or CVV codes.
- Provider identifiers and documents: payment identifiers, receipts/invoices and related records from Polar.sh needed for payment processing, fraud prevention, and compliance.
We do not intentionally collect special categories of personal data (Art. 9 GDPR). Please avoid uploading such data.
4) Purposes and legal bases
| Purpose | Examples | Legal basis |
|---|---|---|
| Provide and operate the service | Process prompts, generate images, vectorize uploads, deliver outputs | Art. 6(1)(b) GDPR (contract) |
| Payments and billing | Process payments, manage subscriptions, invoicing, and tax/VAT calculation | Art. 6(1)(b) and (c) GDPR |
| Secure and deliver the Website & app | CDN, DDoS protection, rate limiting, bug/error logging | Art. 6(1)(f) GDPR (legitimate interests: security, availability, performance) |
| Improve and maintain | Troubleshooting, quality assurance, product development (in a privacy-respecting manner) | Art. 6(1)(f) GDPR |
| Advertising attribution and conversion measurement | Store ad click IDs, attribute registrations and purchases, send selected conversion events to Meta where attribution data indicates a Meta ad interaction | Art. 6(1)(f) GDPR (legitimate interests: measuring ad effectiveness) and, where required for non-essential browser tracking, Art. 6(1)(a) GDPR |
| Communicate with you | Support responses, service notices | Art. 6(1)(b) and/or (f) GDPR |
| Comply with law | Record keeping, responding to lawful requests | Art. 6(1)(c) GDPR |
| Optional features (if any) | Marketing emails, non-essential cookies | Art. 6(1)(a) GDPR (consent; you may withdraw at any time) |
No decisions with legal or similarly significant effects are made solely by automated means (Art. 22 GDPR).
5) Cookies and similar technologies
We use essential cookies and comparable technologies to operate the site (e.g., session cookies, security cookies).
The browser-based Meta Pixel is only initialized after you accept analytics/marketing cookies in the consent banner. You can withdraw consent at any time in the cookie settings. Server-side conversion measurement via the Meta Conversions API may use attribution data to send selected registration and purchase conversion events where Meta ad attribution is present.
6) Recipients and processors
We rely on carefully selected processors (Art. 28 GDPR) and selected service recipients for specific features. Processors process data only on our documented instructions and under a data processing agreement (DPA). Key processors/recipients:
- Cloudflare, Inc. – CDN, security (WAF/DDoS), DNS, edge caching (front-end delivery and security). Cloudflare participates in the EU-U.S. Data Privacy Framework and also offers SCCs/DPA for transfers. (Cloudflare, Data Privacy Framework, Cloudflare)
- Convex, Inc. (Convex Cloud) – managed backend/database, API hosting. (Convex provides compliance information and privacy documentation.) (Convex)
- fal – Features & Labels Inc. (fal.ai) – AI model APIs for image generation (processing of prompts, images, generated outputs as needed to provide the service). (Fal.ai)
- Cedar Lake Ventures, Inc. (vectorizer.ai) – vectorization API (processing of uploaded images and returning vectorized outputs). (Vectorizer.ai)
- Polar.sh – payment processing and subscription billing (processing of billing information and transaction metadata; acts as Merchant of Record). (Polar.sh)
- PostHog, Inc. – product analytics (privacy-respecting event collection; no third-party advertising; we configure PostHog to minimize personal data and honor consent where required). Transfers are safeguarded via SCCs/DPF as applicable and regional hosting options. (PostHog)
- Resend – transactional email delivery (processing recipient email addresses, email content, delivery metadata, and related diagnostics as needed to send account, workspace, invite, support, and service emails). (Resend)
- OpenRouter, Inc. – AI model routing/API access for text-generation features such as prompt refinement, onboarding, style analysis, and pose suggestions (processing prompts, related context, model responses, and request metadata as needed to provide these features). (OpenRouter)
- Meta Platforms Ireland Limited / Meta Platforms, Inc. – advertising attribution and conversion measurement through Meta Pixel and Meta Conversions API. We may send event data such as page views, completed registrations, purchases, event IDs, event source URLs, user agent, Meta browser/click identifiers, and hashed matching identifiers such as email address or internal user ID. Meta may process Business Tools data under its own terms and policies. (Meta, Meta Business Tools, Meta Conversions API)
We may also engage standard ancillary service providers for error monitoring and backups under DPAs.
7) International data transfers
Some processors are located in, or process data from, third countries (notably the United States). Where such transfers occur, we use appropriate safeguards under Arts. 44–49 GDPR, including Standard Contractual Clauses (SCCs) and, where applicable, provider participation in recognized frameworks (e.g., Cloudflare’s DPF certification). Additional technical/organizational measures are applied as appropriate. (Cloudflare, Data Privacy Framework, Cloudflare)
8) Retention
We retain personal data only as long as necessary for the purposes above:
- Technical logs (Website/): retained for a short operational period (typically up to 30 days) unless needed longer for security/incident analysis.
- Prompt/uploads/outputs & job metadata: retained to provide the service (e.g., to view/regenerate/vectorize), and deleted or anonymized when no longer needed.
- Account & support records: for the life of the account plus customary limitation periods or as required by law.
- Billing and transaction records: retained for statutory commercial/tax retention periods (e.g., up to 10 years, jurisdiction-dependent).
- Marketing attribution records: retained for a limited attribution period, typically up to 90 days, unless needed longer for fraud prevention, billing reconciliation, legal claims, or aggregated reporting.
- Backups: stored securely and purged on rolling cycles.
If statutory retention periods apply (e.g., for commercial/tax records), we retain relevant records for the legally required duration and restrict processing during that time.
Note on subprocessors’ retention: Our contracts require processors to delete or return data after the end of processing or upon our instruction, subject to legal obligations. For details on processor practices, consult their privacy documentation (e.g., fal.ai privacy policy; Vectorizer’s privacy policy). (Fal.ai, Vectorizer.ai)
9) Your rights (EU/EEA)
You have the following rights under Arts. 15–22 GDPR:
- Access to your personal data.
- Rectification of inaccurate data.
- Erasure (“right to be forgotten”), where applicable.
- Restriction of processing.
- Data portability (to another controller, where technically feasible).
- Object to processing based on legitimate interests (Art. 21 GDPR).
- Withdraw consent at any time for processing based on consent (without affecting prior lawful processing).
To exercise these rights, contact felix@svgapp.ai. You also have the right to lodge a complaint with the supervisory authority named in Section 1. (lfd.niedersachsen.de)
10) Children’s data
Our services are not directed to children. We do not knowingly process personal data of children under 16 without appropriate consent and safeguards.
11) Security
We implement appropriate technical and organizational measures to protect personal data (e.g., TLS in transit; access controls; least-privilege; logging; encryption where appropriate). We also rely on our processors’ certified security controls (e.g., Cloudflare network security, Convex platform safeguards). (Convex, Cloudflare)
12) Do we use your data to train models?
- Your prompts, uploads, and outputs may be used for training models.
- Our processors (fal.ai, vectorizer.ai) process your content solely to provide the requested functionality under our instructions and agreements. Please review their published privacy information for details of their processing practices. (Fal.ai, Vectorizer.ai)
13) Disclosures
We may disclose data to courts, law enforcement, or authorities where legally required (Art. 6(1)(c) GDPR), and to professional advisors (Art. 6(1)(f) GDPR). In case of corporate transactions, data may be transferred to involved parties subject to confidentiality and data protection safeguards.
14) Changes to this Policy
We may update this Policy to reflect changes in law or our services. The current version is shown at the top. Material changes will be communicated appropriately.
15) Contact
For any request or concern regarding privacy, please contact: felix@svgapp.ai
Postal: Felix Mennen, Ostlandring 63, 31303 Burgdorf, Germany
Annex: Overview of key processors
| Processor | Role | Typical data | Location/transfer basis |
|---|---|---|---|
| Cloudflare, Inc. | CDN, security, DNS | IP, request metadata, security signals | Global; transfers safeguarded via DPF and/or SCCs/DPA. (Cloudflare, Data Privacy Framework, Cloudflare) |
| Convex, Inc. | Backend platform (DB/API) | Any data stored within our service | Primarily U.S.; contractual safeguards/DPAs apply. (Convex) |
| fal – Features & Labels Inc. | Image generation API | Prompts, images, generation outputs/parameters | U.S.; contractual safeguards/SCCs; see privacy page. (Fal.ai) |
| Cedar Lake Ventures, Inc. (vectorizer.ai) | Vectorization API | Uploaded images, vectorization outputs/parameters | U.S.; contractual safeguards/SCCs; see privacy page. (Vectorizer.ai) |
| Polar.sh | Payments and billing | Billing contact details, transaction metadata, receipts/invoices | US; transfers safeguarded via SCCs/DPF as applicable. (Polar.sh) |
| PostHog, Inc. | Product analytics | Pseudonymous usage events (pages, clicks, feature usage), device/browser metadata; IP truncated or anonymized where configured | EU or US region; transfers safeguarded via SCCs/DPF as applicable. (PostHog) |
| Resend | Transactional email delivery | Recipient email addresses, email content, delivery metadata, bounce/open/click or diagnostic events where enabled | U.S.; contractual safeguards/SCCs as applicable. (Resend) |
| OpenRouter, Inc. | AI model routing/API access | Prompts, related context, model responses, request metadata, token counts, and diagnostics for text-generation features | U.S.; contractual safeguards/SCCs as applicable; provider routing may involve additional model providers according to selected models and settings. (OpenRouter) |
| Meta Platforms Ireland Limited / Meta Platforms, Inc. | Advertising attribution and conversion measurement | Page views after consent, registration and purchase events, event IDs, event source URLs, user agent, Meta browser/click identifiers, hashed email/internal user identifiers, campaign attribution metadata | EU/US; transfers and processing governed by Meta terms, privacy policy, and applicable safeguards. (Meta, Meta Business Tools, Meta Conversions API) |