Privacy Policy
Last Updated: January 6, 2026
1. Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) is:
shiftbloom studio.
Fabian Zimber
Up de Worth 6a, 22927 Großhansdorf, Germany
Email: hi@shiftbloom.studio
(Note: If a Data Protection Officer has been appointed, please add the contact details.)
2. Overview: What Data Do We Process?
Depending on the use of the Service, we process in particular:
- Inventory data (e.g., email, account ID)
- Usage/metadata (e.g., login status, token balance, technically required identifiers)
- Content data that you enter/upload in the Service (e.g., texts for analysis)
- Payment/transaction data (in connection with Stripe checkout)
- Log data (e.g., IP address, timestamp, request information in server logs)
- Communication data (e.g., email content for support inquiries)
3. Purposes and Legal Bases
We process personal data only to the extent permitted. Typical purposes and legal bases are:
- Contract performance and pre-contractual measures (Art. 6(1)(b) GDPR), e.g., registration, login, provision of the Service, token crediting.
- Legal obligations (Art. 6(1)(c) GDPR), e.g., commercial/tax law retention requirements.
- Legitimate interests (Art. 6(1)(f) GDPR), e.g., IT security, fraud prevention, error analysis, operation and optimization.
- Consent (Art. 6(1)(a) GDPR), for analytics cookies and optional tracking. We use Vercel Analytics with your consent to understand how visitors use our website.
4. Hosting (Vercel) and Server Logs
Our website is hosted by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA. When you visit the website, Vercel processes technically necessary data and stores it in log files (e.g., IP address, date/time, page accessed, referrer URL, user agent, status codes). Processing occurs for website delivery, IT security, and error analysis.
Legal basis is Art. 6(1)(f) GDPR (legitimate interest in secure and stable operation). Vercel may transfer data to the USA. Transfer occurs under appropriate safeguards (e.g., Standard Contractual Clauses and the EU-U.S. Data Privacy Framework). For details, please refer to Vercel's privacy policy at https://vercel.com/legal/privacy-policy.
5. Authentication and User Account (Supabase)
For registration/login, we use Supabase. This involves processing your email address, technical identifiers, and session information. To maintain your login, Supabase sets technically necessary cookies/tokens (session cookies).
Legal basis is Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (security and fraud prevention).
Recipients: Supabase (depending on configuration, potentially in third countries). If transfer to a third country occurs, it is based – where required – on appropriate safeguards (e.g., Standard Contractual Clauses). For details, please refer to Supabase's privacy notices.
6. Payment Processing (Stripe)
For the purchase of token packages, we use Stripe as payment service provider. When you make a purchase, you will be redirected to Stripe checkout. Stripe processes payment data (e.g., card details) that we do not fully access.
We transmit to Stripe in particular:
- Email address (for assignment/receipt communication)
- Technical identifiers (e.g., session/transaction data)
- Metadata for assignment in the Service (e.g., user ID, package ID)
Legal basis is Art. 6(1)(b) GDPR (payment processing/contract performance) and, where applicable, Art. 6(1)(c) GDPR (retention requirements).
Stripe may transfer data to third countries (e.g., USA). Where required, transfer occurs under appropriate safeguards (e.g., Standard Contractual Clauses). For details, please refer to Stripe's privacy notices.
7. Database / Storage
To provide the Service, we store data in a database (e.g., user account, token balance, settings). Storage occurs as long as required for contract performance or as long as statutory retention obligations exist.
8. Cookies
We use cookies to the extent they are technically necessary (e.g., for login/session). Technically necessary cookies are required for the Service to function.
For analytics cookies (Vercel Analytics), we obtain your consent before setting them. You can manage your cookie preferences at any time using our cookie consent banner. For detailed information about the cookies we use, please see our Cookie Policy.
Legal basis for necessary cookies is Art. 6(1)(f) GDPR (legitimate interest). For optional/analytics cookies, the legal basis is Art. 6(1)(a) GDPR (consent).
8a. Web Analytics (Vercel Analytics)
With your consent, we use Vercel Analytics to analyze website usage. Vercel Analytics is a privacy-focused analytics service that collects anonymous, aggregated data about page views, user flows, and website performance.
Data collected: Page URL, referrer, browser type, device type, country (derived from IP, but IP is not stored), screen size, and interaction events. No personal data such as IP addresses or user identifiers is stored.
Purpose: Understanding how visitors use our website, improving user experience, and optimizing our services.
Legal basis: Art. 6(1)(a) GDPR (your consent). You can withdraw your consent at any time by adjusting your cookie preferences.
Recipient: Vercel Inc., USA. Data transfer to the USA occurs under appropriate safeguards (EU-U.S. Data Privacy Framework, Standard Contractual Clauses).
For more information, see Vercel's privacy policy at https://vercel.com/legal/privacy-policy.
9. Contact
When you contact us by email, we process your information to handle the inquiry. Legal basis is Art. 6(1)(b) GDPR (initiation/performance) or Art. 6(1)(f) GDPR (legitimate interest in efficient communication).
10. Recipients, Processors
We use service providers who process personal data on our behalf. With these service providers, we conclude – where required – data processing agreements (Art. 28 GDPR).
- Vercel Inc. (USA) – Hosting and analytics
- Supabase Inc. – Authentication and database
- Stripe Inc. (USA) – Payment processing
For transfers to third countries (e.g., USA), we rely on appropriate safeguards such as Standard Contractual Clauses and the EU-U.S. Data Privacy Framework.
11. Retention Period
We store personal data only as long as required for the respective purposes. Beyond this, we store data to the extent statutory retention obligations exist (e.g., tax/commercial law).
12. Your Rights
Depending on legal requirements, you are entitled to the following rights:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing (Art. 21 GDPR)
- Withdrawal of consent (Art. 7(3) GDPR) with effect for the future
- Complaint to a supervisory authority (Art. 77 GDPR)
To exercise your rights, a message to hi@shiftbloom.studio is sufficient.
13. Obligation to Provide Data
For registration and use of the Service, the provision of certain data (e.g., email) is required. Without this data, the Service cannot be used or can only be used to a limited extent.
14. Changes to This Privacy Policy
We may update this Privacy Policy if legal requirements, services, or data processing change. The current version applies.
This Privacy Policy complies with the EU General Data Protection Regulation (GDPR), the German BDSG, and the TTDSG. Note: This document serves as a template and does not replace individual legal advice.