ProductPolish1. Data Controller
Data controller within the meaning of the GDPR:
GPS Konzept e.U. (Owner: Georg Pauli)
Birkengasse 5, 3442 Asparn, Österreich
E-Mail: support@productpolish.ai
Telefon: +43 664 344 7733
2. Overview of Processing Activities
We process personal data only to the extent necessary to provide our services. Below we inform you about the nature, scope, and purpose of data processing.
Categories of Data Subjects
- Website visitors
- Registered users
- Paying subscribers
- API users
Categories of Personal Data
- Email address, password (hashed)
- Payment data (processed via Stripe)
- Uploaded product photos
- Generated texts and images
- IP address, browser and device information
- Usage data (generation counter, timestamps)
3. Legal Basis for Processing
We process your data on the following legal bases:
- Art. 6(1)(b) GDPR – Contract performance: registration, account management, generation of product texts and images, payment processing
- Art. 6(1)(a) GDPR – Consent: setting of non-essential cookies, waitlist registration
- Art. 6(1)(f) GDPR – Legitimate interest: IT security, abuse prevention, error analysis
- Art. 6(1)(c) GDPR – Legal obligation: retention of tax-relevant data
4. Recipients and Data Processors
For the provision of our services we use the following third-party providers as data processors:
| Provider | Purpose | Location |
|---|---|---|
| Supabase Inc. | Authentication, database, file storage | USA (SCCs) |
| Stripe Inc. | Payment processing, subscription management | USA (EU-US DPF) |
| Vercel Inc. | Hosting, CDN | USA (EU-US DPF) |
| OpenAI Ireland Ltd. | AI text and image generation, Conversion Audit | Ireland / USA |
| Google Ireland Ltd. | Google Analytics, Google Ads (only with analytics consent) | Ireland / USA (EU-US DPF) |
Data processing agreements (DPAs) pursuant to Art. 28 GDPR have been concluded with all data processors.
5. International Data Transfers
Some of our data processors are based in the USA. The transfer of personal data to the USA is based on the EU-US Data Privacy Framework (DPF) pursuant to Art. 45 GDPR. Where providers are not covered by the DPF, we have agreed standard contractual clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
6. Payment Processing via Stripe
For payment processing we use Stripe, Inc. (354 Oyster Point Blvd, South San Francisco, CA 94080, USA). During a purchase, the following data is transmitted to Stripe:
- E-Mail-address
- Payment card data (entered directly at Stripe, does not touch our servers)
- IP address and device data (for fraud prevention)
- Billing address (if provided)
Stripe processes this data both as an independent controller and as a data processor. Stripe's privacy policy can be found at: stripe.com/privacy
7. Cookies and Local Storage
We use the following cookies and local storage values:
| Name | Purpose | Type | Duration |
|---|---|---|---|
| sb-*-auth-token | Supabase authentication (session) | Essential | Session |
| cookie-consent | Storing cookie consent | Essential | Persistent |
| theme | Colour scheme preference | Functional | Persistent |
| ui-lang | UI language | Functional | Persistent |
| default-gen-lang | Default generation language | Functional | Persistent |
| lang | Language detection per subdomain (www. = EN, de. = DE) | Essential | 1 year |
| lang_override | Manual language preference (set via language switcher) | Functional | 1 year |
| _ga, _gid | Google Analytics 4 — visitor identification, session tracking | Analytics | Up to 2 years |
| _gcl_au | Google Ads — conversion linking | Marketing | 90 days |
Local Storage
We also store the following values in your browser's local storage. These never leave your device and are not sent to our servers.
pp_notify_banner_dismissed— remembers the dismissed notification bannerpp_last_connection_id— last selected shop connection for faster publishingaudit-tab,default-platform— remembered tab and platform selections
Non-essential cookies are only set after your explicit consent (Art. 6(1)(a) GDPR, TKG 2021 §165). You may withdraw your consent at any time.
8. AI-Generated Content
ProductPolish uses OpenAI Ireland Ltd. for AI text and image generation as well as for the Conversion Audit feature. Your product data (title, description, photo) is transmitted to OpenAI for processing. OpenAI processes this data on our behalf as a data processor and, according to its policy, does not use API data to train models. The generated content is stored in your account on Supabase.
Note: All texts and images created by ProductPolish are AI-generated and should be reviewed before publication. From August 2026, extended labelling obligations will apply under EU AI Act Art. 50.
9. Retention Periods
- Account data: Until account deletion by the user or upon request
- Generated content: Until account deletion
- Uploaded photos: Until account deletion
- Payment data: 7 years (statutory retention obligation under BAO §132)
- Server logs: 30 days
10. Your Rights as a Data Subject
You have the following rights under the GDPR:
- Right of access (Art. 15) – What data we hold about you
- Right to rectification (Art. 16) – Correction of inaccurate data
- Right to erasure (Art. 17) – Deletion of your data ("right to be forgotten")
- Right to restriction (Art. 18) – Restriction of processing
- Right to data portability (Art. 20) – Export of your data in machine-readable format
- Right to object (Art. 21) – Objection to processing based on legitimate interests
- Withdrawal of consent (Art. 7(3)) – At any time without giving reasons
To exercise your rights, please contact us at: support@productpolish.ai
11. Right to Lodge a Complaint with the Supervisory Authority
You have the right to lodge a complaint with the competent supervisory authority:
Österreichische Datenschutzbehörde
Barichgasse 40-42, 1030 Wien
Telefon: +43 1 52 152-0
E-Mail: dsb@dsb.gv.at
Website: www.dsb.gv.at
Last updated: May 2026