Skip to content
ProductPolishProductPolish
← Home

Legal

Privacy Policy

1. Data Controller

Data controller within the meaning of the GDPR:

GPS Konzept e.U. (Owner: Georg Pauli)
Birkengasse 5, 3442 Asparn, Österreich
E-Mail: support@productpolish.ai
Telefon: +43 664 344 7733

2. Overview of Processing Activities

We process personal data only to the extent necessary to provide our services. Below we inform you about the nature, scope, and purpose of data processing.

Categories of Data Subjects

  • Website visitors
  • Registered users
  • Paying subscribers
  • API users

Categories of Personal Data

  • Email address, password (hashed)
  • Payment data (processed via Stripe)
  • Uploaded product photos
  • Generated texts and images
  • IP address, browser and device information
  • Usage data (generation counter, timestamps)

3. Legal Basis for Processing

We process your data on the following legal bases:

  • Art. 6(1)(b) GDPR – Contract performance: registration, account management, generation of product texts and images, payment processing
  • Art. 6(1)(a) GDPR – Consent: setting of non-essential cookies, waitlist registration
  • Art. 6(1)(f) GDPR – Legitimate interest: IT security, abuse prevention, error analysis
  • Art. 6(1)(c) GDPR – Legal obligation: retention of tax-relevant data

4. Recipients and Data Processors

For the provision of our services we use the following third-party providers as data processors:

ProviderPurposeLocation
Supabase Inc.Authentication, database, file storageUSA (EU-US DPF)
Stripe Inc.Payment processing, subscription managementUSA (EU-US DPF)
Vercel Inc.Hosting, CDNUSA (EU-US DPF)

Data processing agreements (DPAs) pursuant to Art. 28 GDPR have been concluded with all data processors.

5. International Data Transfers

Some of our data processors are based in the USA. The transfer of personal data to the USA is based on the EU-US Data Privacy Framework (DPF) pursuant to Art. 45 GDPR. Where providers are not covered by the DPF, we have agreed standard contractual clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

6. Payment Processing via Stripe

For payment processing we use Stripe Inc. (510 Townsend Street, San Francisco, CA 94103, USA). During a purchase, the following data is transmitted to Stripe:

  • E-Mail-address
  • Payment card data (entered directly at Stripe, does not touch our servers)
  • IP address and device data (for fraud prevention)
  • Billing address (if provided)

Stripe processes this data both as an independent controller and as a data processor. Stripe's privacy policy can be found at: stripe.com/privacy

7. Cookies and Local Storage

We use the following cookies and local storage values:

NamePurposeTypeDuration
sb-*-auth-tokenSupabase authentication (session)EssentialSession
cookie-consentStoring cookie consentEssentialPersistent
themeColour scheme preferenceFunctionalPersistent
ui-langUI languageFunctionalPersistent
default-gen-langDefault generation languageFunctionalPersistent

Non-essential cookies are only set after your explicit consent (Art. 6(1)(a) GDPR, TKG 2021 §165). You may withdraw your consent at any time.

8. AI-Generated Content

ProductPolish uses artificial intelligence to generate product texts and images. Your product data (title, description, photo) is transmitted to our AI service provider. The generated content is stored in your account.

Note: All texts and images created by ProductPolish are AI-generated and should be reviewed before publication. From August 2026, extended labelling obligations will apply under EU AI Act Art. 50.

9. Retention Periods

  • Account data: Until account deletion by the user or upon request
  • Generated content: Until account deletion
  • Uploaded photos: Until account deletion
  • Payment data: 7 years (statutory retention obligation under BAO §132)
  • Server logs: 30 days

10. Your Rights as a Data Subject

You have the following rights under the GDPR:

  • Right of access (Art. 15) – What data we hold about you
  • Right to rectification (Art. 16) – Correction of inaccurate data
  • Right to erasure (Art. 17) – Deletion of your data ("right to be forgotten")
  • Right to restriction (Art. 18) – Restriction of processing
  • Right to data portability (Art. 20) – Export of your data in machine-readable format
  • Right to object (Art. 21) – Objection to processing based on legitimate interests
  • Withdrawal of consent (Art. 7(3)) – At any time without giving reasons

To exercise your rights, please contact us at: support@productpolish.ai

11. Right to Lodge a Complaint with the Supervisory Authority

You have the right to lodge a complaint with the competent supervisory authority:

Österreichische Datenschutzbehörde
Barichgasse 40-42, 1030 Wien
Telefon: +43 1 52 152-0
E-Mail: dsb@dsb.gv.at
Website: www.dsb.gv.at

Last updated: February 2026