PRIVACY POLICY

1. Controller The controller responsible for the processing described in this Privacy Policy is: Michael Reimer Am Langenbach 10, 48308 Senden, Germany Email: info@reimgen.com Phone: not published

1.1 Data Protection Officer No data protection officer has been appointed.

1.2 EU representative Not applicable. The controller is established in the EU/EEA.

1.3 UK and Swiss representatives If a local representative becomes legally required in the United Kingdom, Switzerland or another jurisdiction, we will update this Privacy Policy with the relevant contact details. Currently, no such representative has been appointed.

2. Scope This Privacy Policy applies to: - visits to our website, - use of the Service, including account management, credits, AI generation and storage of uploads/results, - payment processing for subscriptions and top-ups, - newsletters or marketing communications if offered and subscribed to, - support requests and other communications.

3. Categories of personal data Depending on how you use the Service, we process the following categories of data in particular.

4. Purposes and legal bases We process personal data only where a legal basis applies. Depending on the context, we rely in particular on: - Article 6(1)(b) GDPR for contract performance and pre-contract steps, including account operation, generations, credits and access to your generation history, - Article 6(1)(f) GDPR for legitimate interests, including IT security, abuse and fraud prevention, troubleshooting, service stability and enforcement of claims, - Article 6(1)(c) GDPR for legal obligations, such as commercial and tax retention duties where applicable, - Article 6(1)(a) GDPR for consent, for example non-essential cookies/analytics and newsletter or marketing communications where used. You can withdraw consent at any time with effect for the future.

5. Recipients and categories of recipients We share personal data only where necessary for the stated purposes or where another legal basis applies. Recipients may include: - Vercel for hosting, delivery of the website, serverless or edge functions and technical logs, - Supabase/Postgres for account, contract, credit, generation and security data, - Render for asynchronous worker/backend processing, especially generation jobs and technical processing steps, - Cloudflare for R2 object storage, CDN/cache and Turnstile security checks, - Resend for transactional emails and, if offered, newsletter emails, - Stripe for payment processing, subscriptions, top-ups, invoices and fraud prevention, - OAuth providers Google, Apple and Microsoft if you use the relevant login option, - AI/generation providers, especially Google Cloud/Vertex AI/Gemini and external API providers for SeeDream and Nano Banana functions, - Google Analytics 4 only after consent, where activated, - Upstash if activated for rate limiting, queueing, caching or similar technical functions, - Sentry if activated for error analysis and monitoring, - authorities or public bodies where we are legally required to disclose data, - legal advisors, debt collection providers or auditors where necessary to establish, exercise or defend claims.

6. International transfers Some providers may process data outside the EU/EEA, for example in the United States, the United Kingdom or Switzerland. Where required, we use appropriate transfer safeguards, such as: - adequacy decisions, - EU Standard Contractual Clauses, - the EU-US Data Privacy Framework where the recipient is certified, - additional measures such as access restrictions and data minimisation where appropriate.

7. Retention and deletion We keep personal data only as long as necessary for the purposes described in this Privacy Policy or as required by legal retention obligations.

8. Account deletion and storage caveat If you delete your account, associated database records are removed or scheduled for deletion according to our technical processes. Files and objects in object storage, generated results, logs and backups may be deleted with delay for technical reasons. This means copies can remain in storage or backups until the relevant deletion or overwrite cycle completes.

9. Your rights Where the GDPR or similar data protection laws apply, you may have the following rights, depending on the requirements: - access, - rectification, - erasure, - restriction of processing, - data portability where applicable, - objection to processing based on legitimate interests, - withdrawal of consent with effect for the future.

10. Data required to use the Service Some data is required to use the Service: - without an email address and account data, we cannot provide an account, - without authentication data, we cannot provide login and security functions, - without required content data, such as uploaded images or prompts, we cannot perform a generation, - without payment processing through Stripe, paid plans and top-ups cannot be provided.

11. Automated decisions and profiling We do not generally make solely automated decisions that produce legal effects or similarly significant effects within the meaning of Article 22 GDPR. We do use automated security mechanisms, such as rate limiting, detection of suspicious login or reset attempts and blocking of certain disposable email domains. These measures can temporarily reject requests, for example after too many attempts, and are used for security and abuse prevention.

12. Children and minimum age The Service is not directed to children or minors. You may use the Service only if you are at least 18 years old and have reached the age of majority under the law of your place of residence. Minors are not permitted to use the Service.

13. Specific processing activities

13.1 Website access and server logs Data: IP address, date/time, requested URL, referrer, user agent, status codes and, where relevant, error or performance information. Purposes: operation and delivery of the website, IT security, abuse prevention and troubleshooting. Legal basis: Article 6(1)(f) GDPR, our legitimate interest in secure and stable operation and attack prevention. Recipients: Vercel for hosting and delivery, Cloudflare for CDN and security functions, Render for worker/backend processing and Supabase/Postgres for database functions where relevant. Retention: server and security logs are usually retained for up to 30 days unless longer retention is required due to a security incident, suspected abuse or legal obligation.

13.2 Account, login, email verification and password reset Data: email address, user ID, password hash, email verification status, technical security data such as IP address and user agent for authentication events, one-time codes/reset tokens stored as hashes, audit and rate-limiting records. If you sign in via OAuth, we also process data from Google, Apple or Microsoft, especially provider ID, email address and, if transmitted, name/profile image. Purposes: account management, authentication, account security and abuse prevention. Legal bases: Article 6(1)(b) GDPR for providing the account and Article 6(1)(f) GDPR for security and abuse prevention. Recipients: Google, Apple or Microsoft are involved only if you use the corresponding OAuth login. Auth sessions are managed with Auth.js/NextAuth. Session cookies can last up to 30 days.

13.3 Email delivery through Resend We send service emails such as verification codes and password reset links. Data: email address, email content and technical delivery metadata. Purposes: delivery of security and service communications. Legal bases: Article 6(1)(b) GDPR for account/service provision and Article 6(1)(f) GDPR for security and abuse prevention. Recipient: Resend as email delivery provider. International transfer: Resend may process data outside the EU/EEA, for example in the United States. Safeguards depend on the current setup and contracts, such as SCCs or DPF.

13.4 Stripe: subscriptions, top-ups, customer portal and webhooks If you subscribe or buy credits, payment processing is handled by Stripe. Data typically includes email address, Stripe customer ID, subscription status, product/plan information, payment status and invoice/receipt data. Payment details such as card or bank data are usually collected directly by Stripe. Purposes: payment processing, subscription management, fraud prevention, invoicing and customer portal functions. Legal bases: Article 6(1)(b) GDPR for contract/payment, Article 6(1)(c) GDPR for legal retention duties where applicable and Article 6(1)(f) GDPR for fraud prevention and documentation. Recipient: Stripe. Depending on the processing, Stripe may act as an independent controller for payment data and/or as a processor for certain processing steps. Retention: billing and documentation records may be retained according to statutory periods, in particular commercial or tax retention periods of up to 10 years.

13.5 Credit system Data: credit balance, plan status, transaction/ledger entries with time, amount, reason and module, and top-up buckets with expiry dates. Purposes: providing and billing usage quotas, abuse prevention and documentation. Legal bases: Article 6(1)(b) GDPR for contract performance and Article 6(1)(f) GDPR for fraud and abuse prevention and documentation. Top-up credits can expire after 180 days per bucket. Related transaction or billing records may be retained longer for proof and legal retention purposes.

13.6 Uploads, prompts and generated images Data: uploaded input images, prompt text, generation settings, generated results, file names, URLs, timestamps and possibly file metadata. Purposes: providing the requested generation/editing function, displaying history and enabling downloads or later access. Legal basis: Article 6(1)(b) GDPR, because you request the generation.

13.7 AI generation with external providers To perform generations, we use AI/generation infrastructure through APIs. Generation jobs may be prepared by our Render workers, transmitted to external providers and then documented in our database and Cloudflare R2 storage. Data transmitted to AI providers can include: - prompt text and settings, such as format, resolution and number of outputs, - reference images/uploads, - result URLs or result data, depending on the provider response.

13.8 Admin areas and internal access Depending on the case, internal access may cover catalog data, user or billing status, technical job information and content where necessary for support, moderation, billing or troubleshooting. Purposes: operation, maintenance, support, abuse prevention and billing/error clarification. Legal bases: Article 6(1)(b) GDPR for contract-related support and Article 6(1)(f) GDPR for security, support and abuse prevention. Access is role-based and restricted to people who need it for their tasks. If activated, Sentry may be used for error reports, stack traces and technical environment data, and Upstash may be used for rate limiting, queueing or cache status. These tools are not used for advertising purposes.

13.9 Support and contact Data: email address, message content, attachments/screenshots if provided and timestamps. Purposes: handling your request, troubleshooting and support. Legal bases: Article 6(1)(b) GDPR for contract-related support and/or Article 6(1)(f) GDPR for efficient support handling. Retention: support requests are generally retained for up to 12 months after closure unless legal retention duties, open contractual matters or legal defence interests require longer storage.

13.10 Newsletter and marketing communications, if offered If you subscribe to our newsletter, we process your data to send occasional emails about photo looks, features, tips or promotions. Subscription is voluntary and requires an active opt-in. For users in Germany, we use a double-opt-in process. We may use the same process in other countries. Data can include email address, consent status, proof of consent/confirmation, source/locale and, if used, interaction data such as opens or clicks. Legal basis: Article 6(1)(a) GDPR and applicable national rules for electronic marketing. You can unsubscribe at any time, for example through an unsubscribe link or account settings where available. Resend may be used for delivery and list management.

14. Cookies, similar technologies and consent management We use cookies and similar technologies.

14.1 Essential technologies Essential technologies are used without separate consent where legally permitted because they are necessary to provide the Service you request. Examples include: - the consent/preference cookie reimgen_cookie_consent, usually retained for 1 year, - Auth.js/NextAuth session and auth cookies, including session tokens with a lifetime of up to 30 days, CSRF cookies and PKCE/state/nonce/challenge cookies for OAuth logins, - the pending-login security cookie __Host-reimgen_pl or reimgen_pl outside production, with a short lifetime of about 10 minutes, - local storage mechanisms to sync your cookie choice between tabs, - reimgen_public_telemetry and related SessionStorage/LocalStorage entries for technical first-party telemetry, such as anonymous event IDs, consent status, debug/performance context and deduplicated client events, - Cloudflare Turnstile tokens and technical browser data for bot and abuse protection in protected forms and flows.

14.2 Analytics Where activated, we use Google Analytics 4 only after you opt in. Analytics is disabled by default and loaded only after consent. Google Consent Mode is used for analytics purposes. We do not set our own advertising or remarketing tags. We do not ask for consent to ad_storage, ad_user_data or ad_personalization through the current banner.

15. Changes to this Privacy Policy We may update this Privacy Policy if the law, the Service or our processing changes. The current version is available on our website. The date shown as "Last updated" indicates the latest update.

16. Users outside the EU/EEA If you live outside the EU/EEA, other privacy laws may apply. We nevertheless process your data according to the principles described here, including purpose limitation, data minimisation and security. Where local laws provide additional rights, we seek to respect them within the applicable legal framework.

16.1 United Kingdom If UK data protection law applies, the UK GDPR, the Data Protection Act 2018 and, for electronic marketing and cookies, PECR may apply. Your rights are broadly similar to those described above. The Information Commissioner's Office (ICO) is generally the competent supervisory authority. UK-specific transfer mechanisms may be used where required.

16.2 Switzerland If Swiss data protection law applies, the revised Swiss Federal Act on Data Protection (revFADP) may apply. Rights can include access, rectification and, depending on the requirements, deletion or objection to processing. The Federal Data Protection and Information Commissioner (FDPIC) is the Swiss supervisory authority.