Privacy Policy (GDPR)

Last updated: 2026-01-29

This Privacy Policy explains how we process personal data when you use the Autodigital website and SaaS product (the "Service").

1. Controller

Chatbyte GmbH
E-mail: contact@autodigital.io

2. Overview of Processing

We process personal data to:

  • provide and secure user accounts and sessions,
  • deliver the Service (including AI-assisted features),
  • process payments and manage subscriptions,
  • send transactional communications,
  • measure and improve the Service (only where permitted / with consent),
  • comply with legal obligations.

3. Categories of Personal Data

Depending on how you use the Service, we may process:

  • Account data: e-mail address, name (if provided), hashed password (if applicable), account identifiers, session data.
  • Billing data: billing address, subscription status, invoice-related information; payment details are processed by our payment provider.
  • Service content: prompts, messages, drafts, outline data, ebook content, image requests, and other inputs/outputs you create in the Service.
  • Files: uploaded or generated files (e.g. images, exports), stored for providing features.
  • Usage and device data: log data (IP address and technical identifiers), browser/device information, page views, events, error and performance data.
  • Communication data: support inquiries and related correspondence.

4. Purposes and Legal Bases (Art. 6 GDPR)

We process personal data under the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR): account, core Service delivery, customer support, subscription administration.
  • Legitimate interests (Art. 6(1)(f) GDPR): security, fraud prevention, abuse prevention, service reliability, basic analytics where permitted.
  • Consent (Art. 6(1)(a) GDPR and § 25(1) TTDSG where applicable): optional cookies/technologies (e.g. measurement/marketing), where required by law.
  • Legal obligation (Art. 6(1)(c) GDPR): tax/accounting retention and other statutory duties.

5. Cookies and Similar Technologies (§ 25 TTDSG)

We use cookies and similar technologies:

  • Necessary: required for the Service to function (e.g. security, authentication).
  • Measurement / analytics: used to measure usage and improve the Service (activated only with consent in GDPR regions, unless an exception applies).
  • Marketing: used only if enabled and you consent.

You can change or withdraw your consent at any time via the cookie/consent settings in the Service.

6. AI Processing and User Content

To provide AI features, we may transmit the prompts/messages and relevant context you submit to AI providers (see Section 9). AI outputs may be generated outside the EEA depending on provider configuration.

Please avoid entering special categories of personal data (Art. 9 GDPR), confidential information, or third-party personal data unless you have a lawful basis to do so.

7. File Storage and Retention (including 60-day deletion)

  1. Files (uploaded or generated) may be stored to provide editing/export features.
  2. Deletion after 60 days: We may delete stored files 60 days after upload or creation (whichever is later). You should download and back up files you want to keep.
  3. Other retention: We delete or anonymize personal data when it is no longer necessary for the purposes described above, unless we must retain it for legal reasons (e.g. invoices and business records under § 257 HGB and § 147 AO) or to establish, exercise, or defend legal claims.

8. Recipients / Categories of Processors

We use processors (Art. 28 GDPR) to operate the Service. Depending on your use, data may be shared with:

  • hosting/infrastructure providers,
  • email delivery providers,
  • payment providers,
  • analytics providers (subject to consent where required),
  • AI and image generation providers,
  • database hosting providers,
  • file storage providers.

We conclude data processing agreements where required and select providers with appropriate safeguards.

9. Specific Third-Party Providers We Use

The following providers are used to operate the Service (non-exhaustive; may change as the Service evolves):

9.1 Hosting / Infrastructure

  • Vercel (hosting / edge and related infrastructure).

9.1.1 Background Jobs

  • Trigger.dev (background job processing for long-running tasks).

9.2 Authentication

  • Better Auth (authentication framework). Authentication data is stored in our database; session/cookie handling is required for login.

9.3 Payments and Billing

  • Stripe (subscription payments, invoicing and billing operations). We receive status and tokenized payment information; full payment card details are processed by Stripe.

9.4 Email Delivery

  • Amazon Web Services (AWS) Simple Email Service (SES) (transactional email delivery, e.g. verification and password reset emails).

9.5 Analytics (EU endpoints)

  • PostHog (product analytics and error/event capture). We use EU ingestion endpoints and respect consent settings for measurement/marketing.

9.6 AI (Text)

  • OpenAI (text generation and AI assistance).

9.7 AI (Images)

  • Replicate (image generation).

9.8 Database Hosting

  • PlanetScale (database hosting).

9.9 File Storage

  • Cloudflare (file storage / object storage for uploads and generated files).

10. International Transfers

Some providers may process data outside the EEA (e.g. in the United States). Where required, we rely on appropriate safeguards such as:

  • EU Standard Contractual Clauses (Art. 46 GDPR),
  • additional technical and organizational measures where appropriate.

11. Security

We use appropriate technical and organizational measures to protect personal data, including encryption in transit (TLS), access controls, and security monitoring. No method of transmission or storage is completely secure; please use the Service responsibly.

12. Your Rights (Art. 12–22 GDPR)

You have the right to:

  • access (Art. 15),
  • rectification (Art. 16),
  • erasure (Art. 17),
  • restriction (Art. 18),
  • data portability (Art. 20),
  • object to processing based on Art. 6(1)(e) or (f) (Art. 21),
  • withdraw consent at any time with effect for the future (Art. 7(3)).

To exercise your rights, contact us at contact@autodigital.io.

13. Complaint to a Supervisory Authority

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). For Hamburg, Germany, this is typically:

Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI)
Ludwig-Erhard-Str. 22, 20459 Hamburg, Germany
Phone: +49 40 428 544 040
E-mail: mailbox@datenschutz.hamburg.de

14. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in law, providers, or the Service.