Privacy Policy
Effective date: 20 May 2026
This Policy explains how outpoof (Erik Drennan, Einzelunternehmer) ("we", "us") processes personal data when you use outpoof.com. We act as the data controller under the EU General Data Protection Regulation (GDPR). For company details, see our Imprint.
1. Controller and contact
outpoof (Erik Drennan, Einzelunternehmer)
Quellenweg 11, 52074 Aachen, Germany
Email: hi@outpoof.com
Data protection enquiries: hi@outpoof.com
2. Personal data we process
| Category | Purpose | Legal basis |
|---|---|---|
| Email address | Account, login OTP, transactional notifications | Contract (Art. 6(1)(b) GDPR) |
| Account & credit balance | Service delivery, billing integrity | Contract |
| Payment metadata (Stripe customer ID, pack, amounts) | Payments, fraud prevention, tax | Contract / Legal obligation |
| Job briefs (niche, sayings, style notes) | Design generation | Contract |
| Generated files & previews | Delivery of the Service | Contract |
| IP address, user agent (autorefill consent logs) | Security, dispute evidence | Legitimate interest / Legal obligation |
| Technical logs (timestamps, job IDs, errors) | Operations, abuse prevention | Legitimate interest |
3. Processors and international transfers
We use carefully selected subprocessors under data processing terms:
- Supabase — authentication and database (EU-hosted project region where configured)
- Stripe — payments and invoicing
- Cloudflare R2 — private object storage for design files
- Resend — transactional email delivery
- Hetzner — worker hosting (Germany)
- Vercel — web application hosting
- OpenAI / Replicate — model inference for generation (may process in the United States under SCCs / DPAs)
- Cloudflare Turnstile — bot protection on login (when enabled)
We do not sell personal data. Transfers outside the EU/EEA rely on Standard Contractual Clauses or adequacy decisions where applicable.
5. Retention
- Account data: until deletion request, then erased within 30 days where possible.
- Tax and payment records: up to 10 years per German commercial/tax law (§ 147 AO).
- Design files: until you delete them or your account is removed; bucket lifecycle may purge old objects.
- Operational logs: typically 90 days unless needed for security investigations.
- Autorefill consent events: retained with your account for chargeback and compliance evidence.
6. Your rights
Under GDPR you may request:
- Access to personal data we hold about you
- Rectification of inaccurate data
- Erasure ("right to be forgotten") subject to legal retention duties
- Restriction of processing
- Data portability in a machine-readable format
- Objection to processing based on legitimate interests
- Withdrawal of consent where processing is consent-based (without affecting prior lawful processing)
Contact hi@outpoof.com. We respond within one month. You may lodge a complaint with your local supervisory authority; in Germany, the authority for your place of residence applies.
7. Security measures
TLS encryption in transit, row-level security on user data, private storage with short-lived signed URLs, no password storage (email OTP login), least-privilege API keys on servers, and separation between webapp and worker credentials.
8. Children
The Service is not directed at persons under 18. We do not knowingly collect children's data.
9. Changes to this Policy
We may update this Policy. Material changes will be communicated by email at least 14 days before they take effect where required. The effective date above reflects the current version.
10. Contact
Privacy requests: hi@outpoof.com. Legal notice: Imprint.