GainPilot.net Privacy Policy

Last updated: 13 August 2025

1. Controller (Art. 4(7) GDPR)

Adam Commerce, Inhaber (Owner): Timo Adam

Bogenstraße 15, 40724 Hilden, Germany

Email: legal@gainpilot.net

("we", "us", "GainPilot")

We are the controller for processing personal data on and in connection with GainPilot.net and our SaaS platform.

2. Data Protection Officer

We are currently not required to appoint a Data Protection Officer under Art. 37 GDPR. For any privacy questions, contact: legal@gainpilot.net.

3. Scope, Categories of Data, Sources

We process personal data when you visit our website, create an Account, use the Service, contact us, or receive communications from us. Categories include:

  • Master/Account data (name, email, password hash, company, role, plan).
  • Contract & billing data (address, VAT ID, payment identifiers from providers, invoice data).
  • Usage data & technical logs (IP address, device/browser, timestamps, pages/functions used, error logs).
  • Content you upload/provide (texts, images, prompts) and Outputs generated by the Service.
  • Support/communications data (tickets, emails, chat transcripts).
  • Marketing preferences (newsletter opt-ins/opt-outs, campaign attribution).

We usually obtain data directly from you; in B2B contexts, we may receive limited business contact data from public sources or partners (Art. 14 GDPR).

4. Purposes and Legal Bases (Art. 6 GDPR)

We process data for the following purposes and bases:

  • Contract performance and pre-contractual steps (Art. 6(1)(b)): registration, authentication, provision of features, billing, support.
  • Legal obligations (Art. 6(1)(c)): tax/commercial retention, consumer rights handling.
  • Consent (Art. 6(1)(a)): marketing emails/newsletters, non-essential cookies/trackers, optional research features.
  • Legitimate interests (Art. 6(1)(f)): service security, fraud prevention, product improvement, analytics with privacy safeguards, enforcement of rights, B2B outreach within legal boundaries. We balance these interests against your rights and freedoms.
  • TDDDG/Consent for cookies and similar technologies: We use essential cookies strictly necessary for providing the service (§ 25(2) TDDDG). Any non-essential storage or access to information on your device (e.g., analytics/marketing cookies) occurs only with your consent (§ 25(1) TDDDG), which you can withdraw at any time via Cookie Settings.

5. Cookies, Tracking & Consent Management

We use a consent management mechanism to obtain, store, and document your choices. You can change or withdraw consent at any time via a persistent Cookie Settings or "Manage Cookies" link in the footer. Withdrawal does not affect the lawfulness of processing before withdrawal (Art. 7(3) GDPR). Browser-level Do Not Track may not be reliably honored by all third parties, but we are working to respect browser privacy signals where feasible.

6. AI Processing, Automated Decisions & Profiling

  • Content & Outputs: Your inputs (e.g., prompts, uploads) are processed to generate Outputs (AI images/short videos/text). We may scan inputs/outputs automatically for abuse prevention and to meet legal obligations.
  • Model training: We do NOT use your Content to train models unless you explicitly opt in or a clear legal basis exists. You can opt out/withdraw at any time.
  • Automated decisions: We do not make solely automated decisions producing legal effects concerning you within the meaning of Art. 22 GDPR. Limited profiling may occur for security/abuse detection or direct marketing segmentation (if you consent to marketing). You have the right to object to profiling for direct marketing at any time (Art. 21(2) GDPR).

7. Recipients & Categories of Recipients (Art. 13(1)(e))

We share data with:

  • Processors (Art. 28 GDPR): hosting/CDN, AI model providers, storage/transcoding, email & support tools, payment processors, analytics vendors, logging/monitoring providers.
  • Professional advisors (legal/tax), where necessary.
  • Authorities/courts where legally required.

All processors are bound by contracts ensuring GDPR-compliant processing. A current sub-processor list is available on request or in your dashboard/account area (where provided).

8. International Data Transfers (Art. 44 et seq. GDPR)

Where providers are located outside the EU/EEA, we ensure an adequate level of protection via appropriate safeguards (e.g., EU Standard Contractual Clauses and supplementary measures). Copies of key safeguards are available upon request, subject to confidentiality.

9. Retention (Art. 5(1)(e) GDPR)

We retain personal data only as long as necessary for the purposes stated or as required by law:

  • Account & contract data: for the contract term; invoices and relevant records up to 10 years (HGB/AO).
  • Support tickets/communications: typically 3–36 months, depending on context and limitation periods.
  • Technical logs: typically 7–90 days unless required longer for security or incident investigations.
  • Marketing data: until you withdraw consent or object; we may keep minimal suppression records to honor your choices.
  • Content & Outputs: for the duration of your plan and as you manage in-app; backups may persist briefly per our backup policy.

10. Security Measures (Art. 32 GDPR)

We implement appropriate technical and organizational measures, including access control (MFA/RBAC), encryption in transit and at rest, secure software development practices, logging/monitoring, backups and disaster recovery, environment separation, least-privilege access, staff confidentiality and training, and regular reviews.

11. Your Rights (Art. 15–21 GDPR)

You have the following rights under GDPR, subject to conditions: Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction (Art. 18), Data portability (Art. 20), and Objection (Art. 21). For processing based on consent, you may withdraw consent at any time (Art. 7(3)). To exercise rights, email legal@gainpilot.net. We may need to verify your identity. You also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR).

12. Children's Privacy

Our Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with data, contact us to delete it.

13. Required/Optional Data

Where we request data, we indicate if it is required for contract performance or optional. Without required data, we may be unable to provide the Service.

14. Social Logins, Payments & Communications

If you choose a third-party login (e.g., a social sign-in), the provider may send us basic profile data needed for authentication. Payment providers receive necessary billing data and may act as independent controllers for their own fraud checks and legal obligations. For marketing communications, we use double opt-in where required and provide an unsubscribe option in every message.

15. Notice & Action; User Reports

For notices alleging illegal content or rights infringement, contact legal@gainpilot.net with details. We review each notice and, where required, remove or restrict access to the content concerned. We may notify affected users and competent authorities if appropriate.

16. Changes to this Privacy Policy

We may update this Policy to reflect legal/technical changes. We will notify you of material changes in advance where appropriate. The current version and effective date are shown at the top of this document.

17. Contact

Controller: Adam Commerce, Inhaber (Owner): Timo Adam

Address: Bogenstraße 15, 40724 Hilden, Germany

Email: legal@gainpilot.net

Additional Information for Business Customers (Transparency Note)

Where we act as a processor (Auftragsverarbeiter) for business customers, our Data Processing Agreement (DPA) applies and forms part of the contract. It describes processing details, TOMs, subprocessors and international transfers.