Privacy Policy

David Pogorzelski, Geisbergstraße 18, 10777 Berlin, Germany. Email: support@dpogoda.dev. This policy explains how we process personal data when you use the ALaaS website and API (the "Service") under the EU General Data Protection Regulation (GDPR).

Account data. When you sign in with Google, Apple or an email magic link, we store your email address and a user ID provided by the sign-in provider. We do not receive your password.

API keys and usage. We store your API keys in hashed form and record usage events (operation type, units, credits charged, timestamps) for billing, quota enforcement and abuse prevention.

Payment data. Purchases are processed by Paddle as Merchant of Record. Paddle collects and processes your payment details under its own privacy policy; we only receive transaction references, the purchased pack and your billing country. We never see your full payment details.

Server logs. Our infrastructure logs IP addresses, request metadata and error information for a short period to operate and secure the Service.

Cookies. We only use cookies that are strictly necessary for sign-in sessions. We do not use advertising or cross-site tracking cookies.

Usage statistics. We run a self-hosted instance of Umami, a privacy-friendly analytics tool, to count page views. It sets no cookies, stores no personal identifiers and does not track you across sites; the data is aggregated and cannot be traced back to you (legitimate interest, Art. 6(1)(f) GDPR).

Images sent to the upload endpoint are processed transiently and then discarded. We store compact numerical data derived from each image together with the identifiers you provide, not the images themselves.

If the images you submit contain personal data (for example, photos of people), you act as the data controller for that content and we act as your processor. You are responsible for having a legal basis to process such images. If you need a data processing agreement (Art. 28 GDPR), contact us at the address above.

We process data to provide the Service and manage your account (Art. 6(1)(b) GDPR), to secure the Service, prevent abuse and measure usage for billing (Art. 6(1)(b) and (f) GDPR), and to comply with legal obligations such as commercial record keeping (Art. 6(1)(c) GDPR).

We use the following categories of service providers under data processing agreements: website hosting (Vercel), database and authentication services (Supabase), cloud infrastructure for the API (Google Cloud, region US), specialized compute providers for image processing, and payment processing (Paddle, as an independent controller and Merchant of Record).

Some providers process data in the United States. Where data is transferred outside the EU/EEA, we rely on the EU Standard Contractual Clauses and, where available, the EU-US Data Privacy Framework.

Account data is kept while your account exists and afterwards only as long as legally required. Data derived from your images is kept until you delete the pool or your account. Usage and purchase records are kept for the statutory retention periods (up to 10 years under German commercial and tax law). Server logs are deleted after a short period.

You have the right to access, rectification, erasure, restriction of processing, data portability and to object to processing based on legitimate interests (Art. 15-21 GDPR). You can lodge a complaint with a supervisory authority; the authority responsible for us is the Berliner Beauftragte für Datenschutz und Informationsfreiheit.

We do not use your personal data for automated decision-making or profiling within the meaning of Art. 22 GDPR.