Privacy Policy (GDPR)
Last updated: 2026-02-07
This Privacy Policy explains how we process personal data when you use the Autodigital website and SaaS product (the "Service").
1. Controller
Chatbyte GmbH
Gertigstraße 69, 22303 Hamburg, Germany
Commercial register: HRA 128461, Amtsgericht Hamburg
Represented by: Rodrigo Ehlers and Kevin Moisch
E-mail: support@autodigital.io
Chatbyte GmbH is not required to appoint a Data Protection Officer under § 38 BDSG. For any data protection inquiries, please contact us at the e-mail address above.
2. Overview of Processing
We process personal data to:
- provide and secure user accounts and sessions,
- deliver the Service (including AI-assisted features),
- process payments and manage subscriptions,
- send transactional and (with your consent) marketing communications,
- measure and improve the Service (only where permitted / with consent),
- comply with legal obligations.
3. Categories of Personal Data
Depending on how you use the Service, we may process:
- Account data: e-mail address, name (if provided), hashed password, account identifiers, session data, accepted-terms timestamp, referral information.
- Billing data: billing address, subscription status, plan and credit balance, invoice-related information; payment details are processed by our payment provider.
- Service content: prompts, messages, drafts, outline data, ebook content, image requests, and other inputs/outputs you create in the Service.
- Files: uploaded or generated files (e.g. images, exports), stored for providing features.
- Usage and device data: log data (IP address and technical identifiers), browser/device information, page views, events, error and performance data.
- Communication data: support inquiries, marketing consent status, and related correspondence.
- Consent data: your cookie/consent preferences (necessary to respect your choices).
4. Purposes and Legal Bases (Art. 6 GDPR)
We process personal data under the following legal bases:
- Contract performance (Art. 6(1)(b) GDPR): account creation and management, core Service delivery, customer support, subscription and credit administration.
- Legitimate interests (Art. 6(1)(f) GDPR): security, fraud prevention, abuse prevention, service reliability, basic server-side analytics, referral tracking, enforcing our Terms of Service.
- Consent (Art. 6(1)(a) GDPR and § 25(1) TTDSG where applicable): optional cookies/technologies (e.g. measurement/marketing), marketing e-mails, where required by law.
- Legal obligation (Art. 6(1)(c) GDPR): tax/accounting retention (§ 257 HGB, § 147 AO) and other statutory duties.
5. Cookies and Similar Technologies (§ 25 TTDSG)
We use cookies and similar technologies:
- Necessary: required for the Service to function (e.g. security, authentication, consent preferences).
- Measurement / analytics: used to measure usage and improve the Service (activated only with consent in GDPR regions, unless an exception applies).
- Marketing: used only if enabled and you consent.
You can change or withdraw your consent at any time via the cookie/consent settings in the Service.
5.1 Specific cookies and technologies
| Name / Pattern | Category | Purpose | Duration |
|---|---|---|---|
| Session cookie (Better Auth) | Necessary | Authentication and session management | 24 hours |
| Consent preferences (c15t) | Necessary | Stores your cookie/consent choices | 1 year |
| ad_referral | Necessary | Tracks referral codes for attribution | 30 days |
| sidebar:state | Necessary | Remembers sidebar open/closed preference | 7 days |
| ph_* (PostHog) | Measurement | Product analytics and diagnostics | Varies (set only with consent) |
6. AI Processing and User Content
To provide AI features, we may transmit the prompts/messages and relevant context you submit to AI providers (see Section 10). AI outputs may be generated outside the EEA depending on provider configuration.
Please avoid entering special categories of personal data (Art. 9 GDPR), confidential information, or third-party personal data unless you have a lawful basis to do so.
We do not use your User Content to train our own or third-party AI models. Processing is limited to generating the requested output for you.
7. Marketing Communications
- We send marketing e-mails (e.g. product updates, tips, promotions) only if you have given explicit consent during sign-up or in your account settings.
- You can withdraw consent at any time by using the unsubscribe link in any marketing e-mail or updating your preferences in the Service.
- Legal basis: Art. 6(1)(a) GDPR; § 7(2) UWG.
- Transactional e-mails necessary for the performance of the contract (e.g. verification, billing, security notices) are not marketing and will be sent regardless of your marketing preferences.
8. Children / Minimum Age
The Service is intended for users aged 16 or older. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that data promptly.
9. File Storage and Retention
9.1 File retention (60-day policy)
- Files (uploaded or generated) may be stored to provide editing/export features.
- Deletion after 60 days: We may delete stored files 60 days after upload or creation (whichever is later). You should download and back up files you want to keep.
9.2 General data retention schedule
We delete or anonymize personal data when it is no longer necessary for the purposes described above, unless retention is required by law. The following periods apply as a guideline:
| Data category | Retention period | Basis |
|---|---|---|
| Account data | Duration of account + 30 days after deletion | Contract performance |
| Billing and tax records | 10 years after end of fiscal year | § 257 HGB, § 147 AO |
| Session and log data | 90 days | Legitimate interest (security) |
| Files (uploads/exports) | 60 days after creation | Contract performance |
| Communication data (support) | 3 years or until matter is resolved | Legitimate interest / legal claims |
| Analytics data | Anonymized after 24 months | Consent / legitimate interest |
| Consent records | 3 years after last interaction | Accountability (Art. 5(2) GDPR) |
Specific retention periods may differ where required to establish, exercise, or defend legal claims.
10. Recipients / Categories of Processors
We use processors (Art. 28 GDPR) to operate the Service. Depending on your use, data may be shared with:
- hosting/infrastructure providers,
- email delivery providers,
- payment providers,
- analytics providers (subject to consent where required),
- AI and image generation providers,
- database hosting providers,
- file storage providers,
- consent management (client-side, offline).
We conclude data processing agreements where required and select providers with appropriate safeguards.
11. Specific Third-Party Providers We Use
The following providers are used to operate the Service (non-exhaustive; may change as the Service evolves):
11.1 Hosting / Infrastructure
- Vercel (hosting / edge and related infrastructure).
11.2 Background Jobs
- Trigger.dev (background job processing for long-running tasks).
11.3 Authentication
- Better Auth (authentication framework). Authentication data is stored in our database; session/cookie handling is required for login.
11.4 Payments and Billing
- Stripe (subscription payments, invoicing and billing operations). We receive status and tokenized payment information; full payment card details are processed by Stripe.
11.5 Email Delivery
- Amazon Web Services (AWS) Simple Email Service (SES) (transactional email delivery, e.g. verification and password reset emails).
11.6 Analytics (EU endpoints)
- PostHog (product analytics and error/event capture). We use EU ingestion endpoints and respect consent settings for measurement/marketing. Basic server-side analytics (pseudonymized, without cookies) may be processed under legitimate interest (Art. 6(1)(f) GDPR) for security and fraud prevention.
11.7 AI (Text)
- OpenAI (text generation and AI assistance).
11.8 AI (Images)
- Replicate (image generation).
11.9 Database Hosting
- PlanetScale (database hosting).
11.10 File Storage
- Cloudflare (file storage / object storage for uploads and generated files; EU storage region).
11.11 Consent Management
- c15t (client-side consent management). Consent preferences are stored locally on your device and are not transmitted to a third-party server.
12. International Transfers
Some providers may process data outside the EEA (e.g. in the United States). Where required, we rely on appropriate safeguards such as:
- the EU–US Data Privacy Framework (for certified US recipients),
- EU Standard Contractual Clauses (Art. 46(2)(c) GDPR),
- additional technical and organizational measures where appropriate (e.g. encryption, pseudonymization).
You may request a copy of the relevant safeguards by contacting us.
13. Security
We use appropriate technical and organizational measures to protect personal data, including encryption in transit (TLS), encryption at rest where applicable, access controls, and security monitoring. No method of transmission or storage is completely secure; please use the Service responsibly.
14. Automated Decision-Making and Profiling (Art. 22 GDPR)
We do not carry out automated decision-making or profiling that produces legal effects or similarly significant effects on you. AI features in the Service are tools under your control — the final use of any output is your decision.
15. Your Rights (Art. 12–22 GDPR)
You have the right to:
- access your personal data (Art. 15),
- rectification of inaccurate data (Art. 16),
- erasure ("right to be forgotten") (Art. 17),
- restriction of processing (Art. 18),
- data portability (Art. 20),
- object to processing based on Art. 6(1)(e) or (f) (Art. 21),
- withdraw consent at any time with effect for the future (Art. 7(3)).
To exercise your rights, contact us at support@autodigital.io. We will respond within one month (Art. 12(3) GDPR). In complex cases, the period may be extended by two further months, and we will inform you of any extension.
16. Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay (Art. 33 GDPR) and, where required, inform affected individuals (Art. 34 GDPR).
17. Complaint to a Supervisory Authority
You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). For Hamburg, Germany, this is typically:
Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI)
Ludwig-Erhard-Str. 22, 20459 Hamburg, Germany
Phone: +49 40 428 544 040
E-mail: mailbox@datenschutz.hamburg.de
18. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in law, providers, or the Service. Where changes materially affect you, we will provide notice in the Service and/or by e-mail.