Privacy policy herobooks.de
As of: 15 April 2026
This English text is provided for convenience only. The German version is legally authoritative. If you have questions, contact us at info@herobooks.de.
1. Data controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
FriendBooks GbR
Represented by: Marco Hasselmann and Michael Kofler-Hofer
Lindenstr. 33a
12555 Berlin
Germany
Email: info@herobooks.de
VAT ID: DE460620086
2. General information on data processing
We process personal data only insofar as this is necessary to provide our platform and its functions and to perform our services, or where another legal basis permits this.
Personal data means any information relating to an identified or identifiable person, e.g. name, email address, postal address, payment data, or uploaded photos.
Our platform enables the collaborative creation of photo books, in particular for sports teams and comparable groups.
3. Target audience and notes on minors
Our platform is aimed exclusively at adult users, in particular team leads, parents, guardians, coaches, or other persons with organisational responsibility.
Direct use of the platform by minors is not intended by us. Where personal data of minors is processed in the context of a photo book project, this is done exclusively through the respective responsible adult users who upload, enter, or provide content for a project.
Anyone who uploads, enters, releases, or otherwise provides content via our platform is responsible for ensuring that the necessary rights, consents, and other legal authorisations exist. This applies in particular to photos and other information about minors.
As a rule, we do not verify in advance whether content may be uploaded. If we receive concrete indications that content is being processed without authorisation, we may review, block, or remove such content.
Before uploading content, users expressly confirm that they are entitled to use and provide the uploaded content.
4. Provision of the website and hosting
Our website and frontend are provided via Vercel Inc. (USA). Vercel provides hosting and technical delivery of the web application. Backend, database, and file storage are operated via Amazon Web Services (AWS) in the eu-central-1 region (Frankfurt).
The following technically necessary data may be processed in particular:
• IP address
• date and time of access
• browser type and version
• operating system
• referrer URL
• pages and files accessed
• other technical connection data
Processing is carried out to provide, stabilise, and secure the platform.
Legal basis: Art. 6(1)(f) GDPR
Our legitimate interest lies in the secure and functional provision of our online offering.
4.1 Service providers:
4.1.1 Vercel
Our websites and the frontend of our platform are provided via Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. We use Vercel in particular for frontend hosting, server-side rendering, and middleware functions for the technical provision of our website and platform. Under our current technical setup, user-uploaded images are not separately optimised or CDN-cached via Vercel.
In particular, technical connection data may be processed, such as IP address, date and time of retrieval, browser and device information, pages and files accessed, and other technically necessary log data. In the protected user interface, session and authentication information may also be processed via Vercel where this is necessary for delivering the application, access control, language handling, and account functions.
However, the following are not handled via Vercel: direct backend communication with api.herobooks.de, file uploads to S3 storage, the actual authentication flows via Clerk, and payment flows via Stripe, in each case where these occur directly between the browser and the respective service.
Processing is carried out for the secure and functional provision of our website and platform and – where user accounts and protected areas are concerned – for performing the user relationship.
The legal basis is Art. 6(1)(f) GDPR and, where necessary for use of our service, Art. 6(1)(b) GDPR.
We do not use Vercel Analytics or Vercel Speed Insights. Further information on any transfers to third countries can be found in Section 18.
4.1.2 Amazon Web Services
Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg (Amazon Web Services, Inc., USA)
Services used: EC2 (application servers), RDS (database), S3 (file storage), ELB (load balancing), WAF (Web Application Firewall), CloudWatch (logging)
Server location: eu-central-1 (Frankfurt, Germany)
Privacy policy: https://aws.amazon.com/privacy/
Our infrastructure is operated via Amazon Web Services EMEA SARL based in Luxembourg. The services we use (including EC2, RDS, S3, ELB, WAF, CloudWatch) are configured in the eu-central-1 region (Frankfurt am Main, Germany).
Personal data is generally processed within the European Union. AWS ensures that data actively processed and stored by us (“data at rest”) remains in the selected region.
5. Registration and user account
User management and authentication are provided via Clerk.
Service provider: Clerk, Inc., 660 King Street, Unit 345, San Francisco, CA 94107, USA
EU representative: VeraSafe Ireland Ltd., Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23AT2P, Ireland
As a processor on our behalf, Clerk processes:
• first name, last name, email address
• password (only as a cryptographic hash)
• language preference
• IP address and approximate location
• device and browser information
• login times, session data
• essential cookies (__session, __client_uat) for session management
Clerk is certified under the EU-US Data Privacy Framework. Privacy policy: https://clerk.com/legal/privacy. GDPR supplement: https://clerk.com/legal/gdpr. Data processing agreement (DPA): https://clerk.dev/data-processing-agreement
Legal basis: Art. 6(1)(b) GDPR
Processing is necessary to take steps prior to entering into a contract or to perform the user agreement.
5.1 Social login
You may also register and sign in via external identity providers. When using social login, we receive the information required to create an account from the respective provider via our authentication service Clerk.
5.1.1 Google
When signing in via Google, the following data is transmitted:
• name (first and last name)
• email address
• profile image URL
• language preference
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Privacy policy: https://policies.google.com/privacy
5.1.2 Apple (“Sign in with Apple”)
When signing in via Apple, the following data is transmitted:
• name (first and last name, editable by the user before release)
• email address or private relay address (Apple offers the option to “Hide My Email”, creating a unique forwarding address @privaterelay.appleid.com)
Provider: Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland
Privacy policy: https://www.apple.com/legal/privacy/
Legal basis: Art. 6(1)(b) GDPR
6. Use of the platform and project management
In the course of using our platform, we process personal data required to create and manage photo book projects. This includes in particular:
• project data
• team or group names
• roles and permissions within a project
• content entered by users
• uploaded photos and image files
• texts, comments, and other project content
• information on invitations and collaboration within a project
A photo book project is generally accessible only to authorised and invited persons.
6.1 Invitation links and access to projects
Access to a photo book project is generally limited to authorised persons. Joining may occur either via an individual invitation or via an invitation link generated by the manager. Such links may be created by the manager for participants and helpers and passed on to the intended recipients.
Anyone in possession of a valid invitation link may join the respective project within the technical and organisational boundaries of the project. Users, in particular managers, are therefore responsible for sharing invitation links only with persons entitled to participate in the project. Sharing with unauthorised third parties is not permitted.
6.2 Roles and permissions
Depending on the role within a project, different access and editing rights apply:
Manager (project lead / creator)
The manager creates the photo book project and has extensive administrative rights. The manager may:
• view all content entered in the project
• view and use all uploaded images in the shared image pool
• edit, adjust, or delete content
• add further persons (helpers) to the project
• initiate the payment process
• finally approve and order the photo book
• view the final print preview
Helpers (project contributors, max. 4 persons)
Helpers support the manager in creating the photo book. They may:
• view all content entered in the project
• access the entire image pool and use images for content
• edit and adjust content
• view the print preview for review
Participants (max. 50 persons per project)
Participants are invited members of a photo book project. They may:
• view and edit only their own content and personal pages
• view and manage only images they uploaded themselves
• delete their content and uploaded data at any time
In addition, participants may view aggregated information on project progress in the project overview (e.g. overall progress, number of answered questions, or general activity over time). This information is not attributed to identifiable individuals.
Payment information
Information on individual participants’ payment status is visible only to the manager and helpers.
Internal access
Internally authorised persons (e.g. technical support) access data only on a case-by-case basis where necessary for troubleshooting or user support.
To create the print file, project-related content is transmitted in structured form (e.g. as a data extract) to internal or commissioned designers where this is necessary for designing the photo book.
Administrative access
We access project content, including uploaded images, for administrative purposes only on a case-by-case basis and only where necessary to handle support requests, error analysis, technical incident resolution, abuse prevention, or enforcement of our terms of use.
Such access is performed only by appropriately authorised persons and is limited to what is necessary.
6.3 Transparency of collaboration within a project
The platform is designed for collaborative work. Users must therefore be aware that content within a project is not processed exclusively in private.
In particular:
Managers and helpers may view, review, edit, adjust, and delete all content in the project where this is intended for the joint creation and management of the photo book.
Managers and helpers may also view photos and content uploaded by other project members and use them within the project.
Participants may view and manage only their own content and images they uploaded themselves, unless project functions in individual cases require display of further aggregated information.
Managers and helpers also perform organisational and moderating functions within the project. They may therefore review, edit, and remove content in the project where this is necessary for conducting the project, quality assurance, or compliance with project rules.
6.4 Disclosure to print service providers
For production of the photo book, only the final print file and the address required for shipping are transmitted to the respective print service provider.
Legal basis: Art. 6(1)(b) GDPR
7. Processing of photos and other content
Within the platform, users may upload, edit, organise, and assemble photos and other content for print projects.
This may constitute personal data, in particular where persons are recognisable in photos or names, team affiliations, or other personal details are included.
Processing serves the purposes of creating, editing, and storing content, collaborating within the project, and later producing photo books.
The legal basis is Art. 6(1)(b) GDPR where processing is necessary to provide the agreed platform functions and to perform the user relationship.
Where users upload content that contains personal data of third parties, in particular photos of other persons or minors, the users who upload or provide that content are solely responsible for an effective data protection basis and all other required rights, consents, and authorisations.
We do not generally claim ownership of user-uploaded content and do not routinely review it in advance. If we receive concrete indications of unauthorised or unlawful processing, we may review, block, or remove affected content.
Before uploading, users confirm that they hold all required rights and consents.
8. Image enhancement / image processing via external AI services
8.1 Description of processing
Image editing is performed using an AI-assisted system based on instructions entered by users. Generated results are produced automatically and may in individual cases be incorrect, incomplete, or unexpected. We do not generally perform substantive or design review automatically in each individual case.
Note on use of artificial intelligence
The image editing feature uses an AI-assisted system to generate or alter image content based on user instructions. Users are informed when using the feature that editing is performed with the aid of artificial intelligence.
AI-generated or AI-edited results may be substantively, technically, or aesthetically incorrect, incomplete, or unexpected and should be reviewed responsibly before further use.
8.2 Service used
Provider: Google Cloud EMEA Limited, Velasco, Clanwilliam Place, Dublin 2, Ireland
Product: Vertex AI – Generative AI on Vertex AI
API: Vertex AI REST API
Regional endpoint: europe-west4-aiplatform.googleapis.com
Processing region: europe-west4 – Eemshaven, Netherlands (EU)
Backend runtime: Google Cloud Run, also in europe-west4 (Netherlands, EU)
8.3 Categories of data processed
Each time the image processing feature is used, the following data is transmitted to Google Vertex AI:
Image data: user-uploaded images (PNG, JPEG, WebP) as Base64-encoded inline data. Images may contain personal content (e.g. photos of people).
User instructions (prompts): free-text instructions for the desired image editing (e.g. “Improve the exposure”).
System instructions: technical instructions that steer model behaviour (e.g. “Keep the style photorealistic”). These contain no personal data.
Image labels: optional short labels for uploaded images (e.g. “A”, “B”), max. 64 characters.
Conversation history: for multi-step edits, the full history of prior images, instructions, and model responses within an editing session is transmitted again to give the model necessary context.
Not transmitted to Google:
• users’ IP addresses,
• email addresses, names, or other account data,
• session tokens, passwords, or authentication information,
• other personal data not contained in the images themselves or in the free-text instructions.
8.4 Purpose of processing
Transmission to Vertex AI occurs solely for AI-assisted image enhancement and editing that the user has actively requested. We do not otherwise use the data.
Legal basis:
• Art. 6(1)(b) GDPR (contract performance) where image processing is a desired and contractually owed function.
• subsidiarily Art. 6(1)(f) GDPR (legitimate interests) where processing serves technical and qualitative improvement of our offering. Our legitimate interest is to provide users with high-quality, print-ready image results.
8.6 Processing agreement
We have a processing agreement with Google within the meaning of Art. 28 GDPR. This is reflected in the Google Cloud Data Processing Addendum (CDPA), which forms an integral part of the Google Cloud Platform Terms of Service: https://cloud.google.com/terms/data-processing-addendum
The CDPA governs in particular:
• Google’s obligations as processor,
• technical and organisational measures (TOMs) to protect personal data,
• subprocessors and their management,
• cooperation regarding data subject rights,
• deletion and return of data after termination of the agreement,
• the controller’s audit rights.
8.7 No use of data for model training by Google
Under the Google Cloud AI/ML Privacy Commitment and the Service Specific Terms (“Training Restriction”), Google has undertaken not to use customer data – including prompts, images, and model responses – to train or improve its foundation models.
Reference: https://services.google.com/fh/files/misc/genai_privacy_google_cloud_202308.pdf
8.8 Zero data retention
We use Google’s Zero Data Retention (ZDR) option. For each API request, the HTTP header `X-Vertex-AI-LLM-Request-Type: zero-data-retention` is sent. This means Google does not store the transmitted prompts, images, and responses beyond immediate request processing – including not for abuse monitoring or debugging. Without this option, Google would by default retain data for up to 55 days for abuse monitoring. Activating ZDR prevents such retention entirely.
8.9 In-memory caching by Google
Gemini models on Vertex AI may use in-memory caching to reduce latency for repeated requests. This caching is isolated at project level (no access by other Google Cloud customers), has a maximum lifetime of 24 hours, and can be disabled at GCP project level. Data is not stored persistently in this context.
8.10 Storage on our side
Conversation data (images, prompts, model responses) is held on our backend server exclusively in memory and is not stored persistently. It enables multi-step edits within a session and is automatically deleted after the configurable session duration (default 1 hour) or on server restart.
8.11 Subprocessors
Google maintains a publicly available, regularly updated list of subprocessors: https://cloud.google.com/terms/subprocessors. Changes to this list are announced in advance by Google. The CDPA grants us a right to object to the addition of new subprocessors.
8.12 Security measures
• Communication between our backend (Cloud Run) and Vertex AI uses HTTPS/TLS (encrypted connection).
• Authentication towards Google uses a service account with minimally required permissions (`roles/aiplatform.user`).
• Images are transmitted as Base64-encoded inline data in the JSON request body (no separate upload to a Cloud Storage bucket).
• Google meets recognised security standards including ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, and further industry certifications.
9. Processing of special categories of image content (note)
Users may theoretically upload images that contain special categories of personal data within the meaning of Art. 9 GDPR or allow corresponding inferences, such as ethnic origin, religious belief, health data, or biometric characteristics.
We do not specifically intend or target processing of such content. Where users nonetheless upload or provide such content for processing, this is solely on their own initiative and within their responsibility regarding substantive authorisation.
Users may upload or provide such content for processing only where an effective legal basis exists, in particular any required explicit consent of the data subject.
If we receive concrete indications that such content is processed without authorisation, we may review, block, or remove it.
10. Backend infrastructure (Google Cloud Run)
10.1 Description
Our image processing backend is operated as a container service on Google Cloud Run.
Service: Google Cloud Run (managed)
Region: europe-west4 – Eemshaven, Netherlands (EU)
Provider: Google Cloud (see 8.2)
Processing agreement: Google Cloud CDPA (see 8.6)
10.2 Data processed
Cloud Run processes HTTP requests from users forwarded via the Vercel frontend. The following are processed:
• IP addresses of requesting clients (in the course of HTTP communication; not logged by our application or forwarded to Vertex AI),
• session cookies and authentication data (solely for access control of our application; not transmitted to Vertex AI),
• image data and prompts (see 8.3),
• standard server logs by Google Cloud Run (request logs with metadata such as timestamp, HTTP method, path, response code; in accordance with Google Cloud logging policies).
Legal basis:
• Art. 6(1)(b) GDPR for provision of the service.
• Art. 6(1)(f) GDPR for server logs to ensure operations and troubleshooting.
11. Invitations and collaboration within projects
Users may invite other persons to projects to work together on photo books.
We process in particular:
• email address of the invited person
• name, where provided
• assignment to the project
• role and permission information
• times of invitation, acceptance, or decline
Processing serves the collaborative project function.
Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR
Our legitimate interest lies in enabling joint project work within the platform.
12. Orders and print fulfilment
When a photo book is ordered via our platform, we process the personal data required to process and fulfil the order.
This includes in particular:
• order data
• billing data
• delivery address
• name of the person placing the order
• print data / print templates
• order history
• communication data related to the order
For production and delivery of the photo books, we transmit necessary data to our production and print service provider:
WIRmachenDRUCK GmbH
Illerstraße 15
71522 Backnang
Germany
Transmission includes in particular:
• print files / print templates
• delivery name
• delivery address
• where applicable, further information required to process the order
Processing is carried out solely to perform the contract pursuant to Art. 6(1)(b) GDPR.
The production and print service provider processes the transmitted personal data only insofar as necessary to manufacture, finish, and deliver the ordered photo book.
Where the production and print service provider processes personal data on our behalf and under our instructions, this is based on a processing agreement pursuant to Art. 28 GDPR.
Where the production and print service provider processes personal data to comply with its own legal obligations or in the context of its own operational processes, that processing is under its own data protection responsibility.
13. Payment processing
For payment processing we use external payment service providers, in particular Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, and PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg.
When you select a payment method in the course of an order, we transmit the data required for payment processing to the selected payment service provider. This may include in particular name, billing data, payment amount, order reference, email address, payment status, and, where applicable, further information necessary to execute the payment.
Payment service providers process this data independently to execute the payment. Payment service providers may also perform credit checks or process data for fraud prevention. In that respect, payment service providers regularly act as independent controllers within the meaning of the GDPR.
We ourselves process only the data necessary to initiate, assign, verify, and document the payment.
Legal basis: Art. 6(1)(b) GDPR (contract performance)
14. Email communication and notifications
We use Amazon SES to send transactional emails, e.g.:
• registration emails
• project invitations
• security-related notices
• information on order status
• other notifications necessary to use the platform
We process in particular:
• email address
• name, where available
• technical dispatch information
• content and delivery information
Legal basis: Art. 6(1)(b) GDPR
Service provider: Amazon Web Services / Amazon SES
15. Newsletters, updates, and promotions
Where you give separate consent, we use your email address to send you information on product news, updates, campaigns, or discount offers.
Subscription to such promotional emails is voluntary and is not a condition for using our platform.
Legal basis: Art. 6(1)(a) GDPR
You may withdraw consent at any time with effect for the future, e.g. via the unsubscribe link in the respective email or by contacting us. Our contact email is stated at the beginning of this document.
16. Contact
Note on reporting unauthorised content
If you believe that content or images are processed via our platform without authorisation, you may inform us at any time using the contact details stated in this privacy policy. We will review the matter and, where appropriate, take reasonable measures.
When you contact us, e.g. by email or via a contact form, we process the data you provide to handle your request.
This concerns in particular:
• name
• email address
• content of the message
• other voluntarily provided information
Legal basis:
• Art. 6(1)(b) GDPR where the request relates to a contract or use of our services
• Art. 6(1)(f) GDPR for other requests
Our legitimate interest lies in the proper handling of incoming requests.
17. Recipients of personal data
We disclose personal data to third parties only where legally permissible and necessary for the respective purposes.
Recipients may include in particular:
• hosting and infrastructure service providers
• providers of user management and authentication
• payment service providers
• email delivery service providers
• print shop / production service providers
• technical service providers for image processing
• internally authorised persons at our company where necessary for operations, support, design, quality assurance, or order processing
• project collaborators within the project environment you use, in accordance with the respective roles and permissions
18. Transfers to third countries
We regularly review the service providers we use and the legal requirements for any transfers to third countries. Where necessary, we implement additional contractual, technical, and organisational safeguards to ensure an adequate level of data protection.
We may use service providers that process personal data in countries outside the European Union or European Economic Area or can access such data.
Where data is transferred to third countries, this is done only in compliance with legal requirements, in particular on the basis of an adequacy decision or appropriate safeguards, such as standard contractual clauses.
18.1 Vercel
When using Vercel, transfer of personal data to third countries cannot be fully excluded. Although the Vercel Functions we use are configured for the fra1 region (Frankfurt am Main, Germany), Vercel operates a globally distributed CDN and edge infrastructure. In particular in the context of support, subprocessing, security mechanisms, or technical failover, personal data may also be processed outside the EU or EEA or be accessible from there.
Where personal data is transferred to the USA, we rely on the European Commission’s adequacy decision for the EU-US Data Privacy Framework where the provider is certified. Additionally or where required, transfers are based on standard contractual clauses approved by the European Commission pursuant to Art. 46(2)(c) GDPR, as provided in Vercel’s Data Processing Addendum.
18.2 Google Cloud (Vertex AI and Cloud Run)
Both our backend (Cloud Run) and AI image processing (Vertex AI) are configured in the europe-west4 region (Eemshaven, Netherlands). The Netherlands is a Member State of the European Union. When using the regional Vertex AI endpoint (“europe-west4-aiplatform.googleapis.com”), Google guarantees:
• Data residency: customer data at rest remains in the selected region.
• Regional processing: machine learning processing occurs within the same region in which the request is made.
Reference: https://docs.cloud.google.com/vertex-ai/generative-ai/docs/learn/data-residency
Potential third-country nexus:
Google is a US company. Although primary data processing takes place in the EU (Netherlands), it cannot be fully excluded that Google personnel based in the USA or other third countries may access data in the context of support or maintenance activities.
Safeguards for third-country transfers:
Where such access from third countries occurs, it is secured by the following mechanisms:
• EU-US Data Privacy Framework (DPF): Google LLC is certified under the EU-US Data Privacy Framework. On 10 July 2023, the European Commission adopted an adequacy decision pursuant to Art. 45 GDPR for the USA where the receiving company is DPF-certified (Implementing Decision (EU) 2023/1795).
• Standard Contractual Clauses (SCCs): the Google Cloud Data Processing Addendum (CDPA) additionally contains EU standard contractual clauses pursuant to Art. 46(2)(c) GDPR. These serve as a fallback if the EU-US Data Privacy Framework ceases to apply or does not apply.
Reference: https://services.google.com/fh/files/misc/gc_new_eu_scc.pdf
Additional technical and organisational measures:
• encryption of all data in transit (TLS) and at rest,
• strict access controls and access logging,
• regular independent audits (ISO 27001, SOC 1/2/3),
• Zero Data Retention (see Section 8.8), so customer data is not stored beyond immediate processing.
18.3 Amazon Web Services (AWS)
Amazon Web Services is part of the Amazon group headquartered in the USA. It cannot therefore be fully excluded that in the context of support, maintenance, or intra-group administrative access, personal data may also be viewed from third countries (in particular the USA).
Safeguards for third-country transfers:
Where access from third countries occurs, it is secured on the basis of legal requirements:
EU-US Data Privacy Framework (DPF):
Amazon Web Services, Inc. is certified under the EU-US Data Privacy Framework. For transfers of personal data to the USA we therefore rely on the European Commission’s adequacy decision pursuant to Art. 45 GDPR (Implementing Decision (EU) 2023/1795), where applicable.
Standard Contractual Clauses (SCCs):
Additionally, the standard contractual clauses approved by the European Commission pursuant to Art. 46(2)(c) GDPR as contained in the AWS Data Processing Addendum apply. These serve as additional safeguards or a fallback mechanism.
Additional technical and organisational measures:
• encryption of data in transit (TLS) and at rest
• strict access restrictions on a need-to-know basis
• logging and monitoring of access (e.g. via CloudWatch)
• certifications and audits (including ISO 27001, SOC 1/2/3)
18.4 Clerk
Because Clerk, Inc. is based in the USA, it cannot be excluded that personal data is also processed in the USA or accessed from there, in particular in the context of support, maintenance, or technical operations.
Safeguards for third-country transfers:
Where personal data is transferred to the USA, this is done in compliance with GDPR requirements:
EU-US Data Privacy Framework (DPF):
Clerk, Inc. is certified under the EU-US Data Privacy Framework. We therefore rely on the European Commission’s adequacy decision pursuant to Art. 45 GDPR (Implementing Decision (EU) 2023/1795), where applicable.
Standard Contractual Clauses (SCCs):
Additionally, the standard contractual clauses approved by the European Commission pursuant to Art. 46(2)(c) GDPR as provided in Clerk’s Data Processing Agreement (DPA) apply. These serve as additional safeguards or a fallback mechanism.
Additional technical and organisational measures:
• encryption of data transmission (TLS)
• secure storage of sensitive data (e.g. password hashing)
• access restrictions and authentication mechanisms
• logging of security-relevant events
18.5 Stripe
It cannot be excluded that in the course of payment processing personal data is also transferred to third countries, in particular the USA.
Stripe Payments Europe, Limited is part of the Stripe group based in the USA. Transfer of personal data to the parent company cannot be excluded. Stripe, Inc. is certified under the EU-US Data Privacy Framework. Standard contractual clauses pursuant to Art. 46(2)(c) GDPR are also used.
Further information can be found in the privacy policies of the respective providers: https://stripe.com/privacy
19. Storage period
We store personal data only as long as necessary for the respective purposes or where statutory retention obligations exist.
In particular:
We store account data for the duration of the user account. User accounts may be deleted at any time provided there is no active manager role in a photo book project. If there is no use, accounts are automatically deleted after 24 months of inactivity. Deleting the account removes all associated personal data; association with photo book projects ceases.
We store project and content data (including photos) for the duration of the respective project.
Photo book projects are deleted after 12 months of inactivity within the photo book. This also applies to projects that were not completed or ordered.
After a project is completed, data and the print file are stored for 12 months, in particular to enable reorders or support requests.
Uploaded photos and content are generally deleted with the project and may be removed by users within the project at any time.
Data after leaving a project or deleting an account
If users leave a project or delete their account, content provided within the project generally remains where it is still necessary for conducting the photo book project and for its purpose. Users are informed before leaving a project that they may delete their content independently.
We store order and billing-related data for up to 10 years within statutory retention periods (Section 147 AO, Section 257 HGB).
We store communication data (e.g. support requests or feedback) for up to 24 months where necessary for handling and documentation. Where a support request or technical incident resolution requires case-specific access to project content or images, we process such data only for as long as necessary to handle the specific case.
Backups and log data
Backups and system logs are processed to ensure technical operations and data security.
Database backups are retained for up to 30 days and then automatically overwritten or deleted.
Log data (e.g. server logs) is generally stored for a maximum of 14 days.
20. Your rights
Data subjects have the following rights under applicable law in particular:
• right of access to personal data processed
• right to rectification of inaccurate data
• right to erasure
• right to restriction of processing
• right to data portability
• right to object to processing based on legitimate interests
• right to withdraw consent with effect for the future
• right to lodge a complaint with a supervisory authority
If you believe that processing of your personal data violates data protection law, you may lodge a complaint with a supervisory authority.
Supervisory authority:
Berlin Commissioner for Data Protection and Freedom of Information
Address:
Alt-Moabit 59-61
10555 Berlin
Phone: +49 30 13889-0
Email: mailbox@datenschutz-berlin.de
Website: https://www.datenschutz-berlin.de/
21. Obligation to provide data
Providing certain personal data is necessary for registration, use of the platform, collaboration in projects, or ordering photo books.
Without this data, individual functions may not be provided or may not be fully provided.
22. No solely automated decision-making
No solely automated decision-making, including profiling within the meaning of Art. 22 GDPR, takes place unless expressly described otherwise in this privacy policy.
23. Status and changes to this privacy policy
We reserve the right to amend this privacy policy where required due to legal, technical, or organisational changes.
The version published on our website at the relevant time applies.
As of: 15 April 2026