Effective Date: January 11, 2026
This privacy policy provides information about the nature, scope, and purpose of the processing of personal data within the platform operated by Art of X UG (haftungsbeschränkt) (hereinafter "we" or "us").
The controller within the meaning of the GDPR and other national data protection laws is:
Art of X UG (haftungsbeschränkt)
Goethestr. 59
10625 Berlin
Germany
Email: [email protected]
The external Data Protection Officer can be reached as follows:
Prof. Dr. Norman Uhlmann
h3ko Innovations GmbH
Pappelallee 64
16359 Biesenthal
Germany
Email: [email protected]
The subject of data protection is personal data. This refers to all information relating to an identified or identifiable natural person (the "data subject"). Personal data of users is generally only processed to the extent necessary to provide a functional platform and its content and services.
The provision of personal data is neither legally nor contractually required. However, without providing the necessary data (such as email address and name for registration), we cannot offer you access to our services. Data marked as mandatory during registration or use is required for contract fulfillment. Failure to provide this data means the relevant services cannot be used. The provision of optional data is voluntary and does not affect your ability to use core services.
Each time the website is accessed, the system automatically collects data and information from the computer system of the accessing computer. This data is stored in the server's logfiles. The following data is collected:
This data is processed to ensure smooth connection establishment and comfortable use of the website, as well as to evaluate system security and stability. The legal basis for data processing is Art. 6 Para. 1 S. 1 lit. f GDPR. The legitimate interest follows from the purposes for data collection listed above.
The services of DigitalOcean, LLC, 101 6th Ave, New York, NY 10013, USA, are used for website hosting. Our infrastructure is hosted in the Frankfurt (Germany) region within the EU. A data processing agreement (DPA) has been concluded with DigitalOcean. Through this agreement, DigitalOcean ensures that data is processed in accordance with the GDPR and that the rights of data subjects are guaranteed. Further information can be found in DigitalOcean's privacy policy: https://www.digitalocean.com/legal/privacy-policy.
Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA, is used for content delivery (CDN), DNS management, DDoS protection, and web application security. When you access our website, your requests are routed through Cloudflare's network. In this process, Cloudflare may process your IP address, request headers, and other connection metadata to deliver content, protect against attacks, and optimize performance.
The legal basis for this processing is Art. 6 Para. 1 lit. f GDPR (legitimate interest). Our legitimate interest lies in ensuring the security, availability, and performance of our website. A data processing agreement (DPA) has been concluded with Cloudflare. Data transfer to the USA is covered by Cloudflare's participation in the EU-US Data Privacy Framework and supplemented by Standard Contractual Clauses (SCCs). Further information: https://www.cloudflare.com/privacypolicy/.
To use the platform, creating a user account is required. The following data is collected:
This data is necessary to manage the account and enable access to the services. The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment).
For authentication and user database management, the services of Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992, are used. Supabase provides the backend infrastructure for the platform. Data storage, including the database, authentication, storage, and AI-related embeddings, takes place in the Northern EU region (Stockholm, eu-north-1). A data processing agreement (DPA) has been concluded with Supabase. Further information on data protection at Supabase can be found here: https://supabase.com/privacy.
For the provision of AI-powered features, the following services are used:
OpenAI OpCo, LLC, 3180 18th St, San Francisco, CA 94110, USA, is used for text generation, creation of embeddings from user content, voice transcription (Whisper), and image analysis.
When these features are used, the relevant data (e.g., text inputs or content to be analyzed) is sent to OpenAI's servers for processing. We do not transmit any personal data to OpenAI beyond what is necessary for the function, and we store the results generated by OpenAI in our system hosted on Supabase (see above).
The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as these features are a core component of the services offered. A data processing agreement has been concluded with OpenAI. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information on data protection at OpenAI can be found here: https://openai.com/policies/privacy-policy.
Anthropic PBC, 548 Market St, PMB 87430, San Francisco, CA 94104, USA, is used for advanced text generation using Claude AI models. When these features are used, your text inputs and prompts are transmitted to Anthropic's servers for processing.
The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as these features are a core component of the services offered. A data processing agreement has been concluded with Anthropic. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information on data protection at Anthropic can be found here: https://www.anthropic.com/legal/privacy.
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, is used for text generation and AI-powered features using Gemini models. When these features are used, your text inputs and prompts are transmitted to Google's servers for processing.
The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as these features are a core component of the services offered. A data processing agreement has been concluded with Google. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information on data protection at Google can be found here: https://policies.google.com/privacy.
ElevenLabs Inc., 20-22 Wenlock Road, London, N1 7GU, United Kingdom, is used for voice synthesis (text-to-speech) and voice transcription (Scribe v1). When you use voice features, audio data is transmitted to ElevenLabs for processing.
The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment). A data processing agreement has been concluded with ElevenLabs. Data transfer to the United Kingdom is covered by the EU Commission's adequacy decision for the UK (Decision 2021/1772), ensuring an adequate level of data protection. Further information: https://elevenlabs.io/privacy.
Black Forest Labs GmbH, services via api.bfl.ai, is used for AI image generation (Flux models). When you generate images, your text prompts are transmitted to BFL servers for processing. The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment). As Black Forest Labs is based in Germany, data remains within the EU. A data processing agreement has been concluded with Black Forest Labs. Further information: https://blackforestlabs.ai/privacy-policy/.
Replicate, Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA, is used as infrastructure for running AI image generation models (including Flux models from Black Forest Labs). When you generate images, your text prompts are transmitted to Replicate's servers for processing.
The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as these features are a core component of the services offered. A data processing agreement has been concluded with Replicate. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information on data protection at Replicate can be found here: https://replicate.com/privacy.
Langfuse GmbH, Residenzstraße 27A, 80333 München, Germany, is used for managing AI prompts, tracking AI interactions, and system observability. This helps us improve service quality and debug issues. Technical metadata about AI interactions is processed.
The legal basis for this processing is Art. 6 Para. 1 lit. f GDPR (legitimate interest). Our legitimate interest lies in ensuring service quality, debugging issues, and improving our AI features. As Langfuse is based in Germany, data remains within the EU. A data processing agreement has been concluded with Langfuse. Further information: https://langfuse.com/docs/data-security-privacy.
The heart of the platform is the processing of content created by users in "Flows" (collaborative workspaces) and shared with "Sparks" (AI assistants). This can include voice recordings, texts, images, or other creative works ("User Content").
This data is processed for the following purposes:
The processing of User Content for training personal AI models is based on Art. 6 Para. 1 lit. b GDPR (contract fulfillment). The processing for training general AI models is exclusively based on explicit consent in accordance with Art. 6 Para. 1 lit. a GDPR.
If paid services are used, payment data is processed for the purpose of contract fulfillment. Processing is based on Art. 6 Para. 1 lit. b GDPR.
Payment processing is carried out through the payment service provider Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. No credit card data is stored; it is directly forwarded to Stripe. Stripe is a certified partner and is subject to strict data protection and security standards. A data processing agreement has been concluded with Stripe. Further information on data protection at Stripe can be found at: https://stripe.com/privacy.
The platform uses additional specialized services to enhance functionality:
Tavily AI, services via api.tavily.com, is used to provide web search capabilities within the platform. When you use search features, your search queries are transmitted to Tavily for processing.
The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as web search is a feature of the services offered. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information: https://tavily.com/privacy.
OCR.space API, operated by A9t9 software GmbH, Nordstr. 8, 87561 Oberstdorf, Germany, is used to extract text from uploaded images and documents when OCR functionality is required. Image data is transmitted for processing.
The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment). As A9t9 software GmbH is based in Germany, data remains within the EU. Further information: https://ocr.space/privacypolicy.
For sending platform-related emails (e.g., registration confirmations, password resets), the service Resend is used, offered by Resend Inc., 548 Market St PMB 95453, San Francisco, CA 94104-5401, USA. Resend processes the email address on our behalf.
The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment) for transactional emails. A data processing agreement (DPA) has been concluded with Resend. Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information can be found in Resend's privacy policy: https://resend.com/legal/privacy-policy.
Cookies are used on the website. These are small text files stored on the end device. Some of the cookies used are so-called "session cookies." They are automatically deleted after the visit ends. Other cookies remain stored on the end device until they are deleted. These cookies make it possible to recognize the browser on the next visit.
Processing is based on Art. 6 Para. 1 lit. f GDPR from the legitimate interest in user-friendly website design, as well as on Art. 6 Para. 1 lit. a GDPR if corresponding consent has been given (e.g., for analytics cookies). The browser can be configured to be informed about cookie placement and to allow cookies only on a case-by-case basis.
This website uses functions of the web analytics service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics uses cookies that enable analysis of your use of the website. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there.
The storage of Google Analytics cookies and the use of this analytics tool is based on your consent according to Art. 6 Para. 1 lit. a GDPR. You can change or revoke this consent at any time through our cookie settings.
We have activated IP anonymization on this website. As a result, your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA.
We have concluded a data processing agreement with Google.
Data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here: https://privacy.google.com/businesses/controllerterms/mccs/.
More information on Google Analytics' handling of user data can be found in Google's privacy policy: https://support.google.com/analytics/answer/6004245.
We use the product analytics service PostHog, provided by PostHog, Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA.
PostHog helps us understand how users interact with our platform (e.g., which features are used most frequently) and includes session replay capabilities to improve the user experience and product quality. We have configured PostHog to process data in a privacy-friendly manner, with data hosted in the EU region.
The legal basis for this processing is your consent according to Art. 6 Para. 1 lit. a GDPR. You can revoke this consent at any time by adjusting your preferences in the cookie settings (under "Analytics"). If you decline analytics cookies, PostHog tracking and session replay will be disabled.
We have concluded a data processing agreement with PostHog. Data is processed in the EU region. Further information can be found in PostHog's privacy policy: https://posthog.com/privacy.
Personal data is stored for the following periods:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (name, email) | Duration of account + 30 days after deletion | Contract fulfillment and account recovery |
| User Content (Flows, Sparks) | Duration of account + 30 days after deletion | Contract fulfillment |
| Server logfiles | 90 days | Security and debugging |
| Payment records | 10 years after transaction | German tax law (§ 147 AO) |
| Consent records | 3 years after withdrawal | Proof of consent (Art. 7 GDPR) |
| Analytics data | 14 months | Service improvement |
| AI interaction logs | 90 days | Quality assurance and debugging |
| Backup data | 30 days after deletion from active systems | Disaster recovery |
Right to Deletion: The deletion of the account and all associated data can be requested at any time. This can be done directly in the settings under /settings/preferences. After such a request, personal data and user content are permanently removed from active systems within 30 days. Backup data is purged according to our backup retention schedule. The data will no longer be used for training new models, and all reasonable technical steps will be taken to remove it from existing models as well.
Our platform uses AI-powered features that may involve automated processing of your data:
When you use our AI features (Flows, Sparks), your inputs are processed by AI models to generate outputs. This processing:
If you create a personal AI model ("My Spark"), the system analyzes your uploaded content to create a personalized AI assistant. This is based on your explicit request and consent (Art. 6 Para. 1 lit. a and b GDPR). You can delete your personal model at any time.
We may use automated systems to detect content that violates our Terms of Service (e.g., harmful content, policy violations). Flagged content may be reviewed by our team. You have the right to contest any moderation decision by contacting us.
You have the right to:
To exercise these rights, contact us at [email protected].
Data subjects have the following rights regarding their personal data:
There is also the right to withdraw consent at any time with effect for the future (Art. 7 Para. 3 GDPR). The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
To exercise these rights, use the contact address given above.
Without prejudice to any other administrative or judicial remedy, there is the right to lodge a complaint with a supervisory authority, in particular in the Member State of residence, place of work, or place of the alleged infringement, if it is believed that the processing of personal data violates the GDPR (Art. 77 GDPR).
All necessary technical and organizational security measures are taken to protect personal data from loss and misuse. Data is stored in a secure operating environment that is not accessible to the public. Data transmission is encrypted using SSL technology.
We reserve the right to adapt this privacy policy so that it always complies with current legal requirements, or to reflect changes to our services in the privacy policy, e.g., when introducing new services. The new privacy policy will then apply to future visits.