Privacy Policy
Last updated: April 22, 2025
Read our privacy policy below. It is always kept up-to-date when usage of third party services changes or usage of personal data changes internally. You can find the last updated date below.
Preface
We, Chatbyte GmbH, take the protection of your personal data seriously and would like to inform you here about data protection in our company. As part of our data protection responsibility, the entry into force of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: “GDPR”) has imposed additional obligations on us to protect the personal data of the person affected by processing. (Below, we also refer to you, the affected person, as “customer”, “user”, “you” or “affected person”.)
To the extent that we decide on the purposes and means of data processing either alone or jointly with others, this primarily includes the obligation to inform you transparently about the type, scope, purpose, duration and legal basis of the processing (see Articles 13 and 14 GDPR). With this declaration (hereinafter: “Privacy Policy”) we inform you about how your personal data is processed by us.
Our privacy policy has a modular structure. It consists of a general part covering all processing of personal data and the processing situations that arise every time our website is accessed (A. General), and a special part whose content relates only to the processing situation specified there under the name of the respective offer or product (e.g. visiting websites).
To be able to find the parts that are relevant to you, please note the following overview of the breakdown of the data protection information:
- Part A (General): Always relevant.
- Part B (Website and social media): Relevant if you use our website including our presence on social media.
A. General
1 Definitions
This policy uses the terms defined in Art. 4 GDPR (e.g. personal data, processing, controller, processor, consent).
2 Categories of Personal Data
When you use the ShortsPilot website or platform we handle several distinct categories of information:
— Server log data. Shortened IP addresses, the date and time of access, the URL requested, referrer information, HTTP status codes and details about your browser or app. We process these data to maintain the security, availability and technical functionality of our services on the basis of Article 6 (1) (f) GDPR (legitimate interest).
— Contact‑form data. If you send us a message via one of our contact forms we collect your name, company (if applicable), e‑mail address and the content of your enquiry in order to answer your request. Legal basis: Article 6 (1) (b) GDPR (pre‑contractual communication).
— Account & subscription data. To register and manage your user account we store your name, e‑mail address, hashed password, billing address, subscription status and the payment token issued by our payment provider. Processing is necessary for the performance of the contract (Article 6 (1) (b) GDPR).
— Payment data. Payment details such as your card or bank information are processed directly by Stripe. We receive only the payment token and status required to activate or renew your subscription. Legal basis: Article 6 (1) (b) GDPR in conjunction with § 25 (2) No. 2 TTDSG.
— Newsletter data. If you opt‑in to our newsletter we store your e‑mail address together with the timestamps of registration and confirmation (double‑opt‑in). We also record, in a pseudonymised manner, whether you open a newsletter or click on a link. Processing relies on your consent under Article 6 (1) (a) GDPR and § 25 (1) TTDSG; you may withdraw your consent at any time.
— Content data. Scripts, prompts, uploaded media assets and the AI‑generated videos you create are processed solely to provide the service you requested. The legal basis is Article 6 (1) (b) GDPR (contract performance).
— Usage data. We collect anonymised information about how you navigate and use the platform, including error reports from Sentry and participation in product experiments, so that we can improve reliability and user experience. Legal basis: Article 6 (1) (f) GDPR (legitimate interest).
3 No Data Protection Officer
Under § 38 BDSG we are not obliged to appoint a Data Protection Officer because fewer than 20 persons in our company regularly process personal data. For all data‑protection enquiries you can contact us using the details above.
4 Third‑Party Providers and International Transfers
To operate ShortsPilot we rely on carefully selected service providers. Each provider acts under a data‑processing agreement that complies with Article 28 GDPR. Where providers are located outside the European Economic Area we secure the transfer with the 2021 EU Standard Contractual Clauses and, where necessary, additional technical and organisational safeguards.
— Vercel Inc. EU (Frankfurt). Hosts our web front‑end and content‑delivery network. Only server‑log information is transmitted. Legal basis: Article 6 (1) (f) GDPR.
— Microsoft Azure Open AI Service (Sweden). Supplies the AI models that process the text you submit and render scripts into video content. We do not transmit personal identifiers. Legal basis: Article 6 (1) (b) GDPR.
— Sentry Inc. EU (Frankfurt). Provides real‑time error reporting. We send pseudonymised IP fragments, device information and stack traces so we can detect and fix software faults quickly. Legal basis: Article 6 (1) (f) GDPR.
— Stripe Payments Europe Ltd. (Ireland). Handles subscription payments and recurring billing. Legal basis: Article 6 (1) (b) GDPR.
— AWS (Frankfurt, Germany). Delivers transactional and marketing e‑mails, receiving only your e‑mail address and, where applicable, your display name. Legal basis: Article 6 (1) (f) GDPR.
— Google Ireland Ltd. / Google LLC (European Economic Area / United States). Enables Google sign‑in and, if you choose, publishing of your finished videos to YouTube. Legal basis: Article 6 (1) (b) GDPR.
— TikTok Ltd. (Ireland, Norway). Provides the TikTok Content Posting API so that you can publish videos directly from the ShortsPilot dashboard. Legal basis: Article 6 (1) (b) GDPR.
— Meta Platforms Ireland Ltd. (Ireland, with sub‑processing in the United States). Supplies an advertising and analytics pixel that records specific events—but only after you grant cookie consent. Legal basis: Article 6 (1) (a) GDPR.
— Neon Inc. EU (Frankfurt). Hosts our PostgreSQL database, which stores account data and project content. Legal basis: Article 6 (1) (b) GDPR.
— Clerk Inc. EU (Frankfurt). Manages user authentication and stores your e‑mail address, optional display name and password hash. Legal basis: Article 6 (1) (b) GDPR.
— Intercom R&D Unlimited Company (Ireland). Powers our in‑app chat and support desk. Intercom receives your registered e‑mail address and any information you choose to share in a conversation with our support team. Legal basis: Article 6 (1) (f) GDPR.
5 Storage Period
We erase or anonymise personal data as soon as the purpose and/or legal basis ceases to apply, unless statutory retention obligations (e.g. § 257 HGB, § 147 AO) or the establishment, exercise or defence of legal claims require longer storage.
6 Data Security
We use state‑of‑the‑art technical and organisational measures (e.g. TLS encryption, role‑based access control, pseudonymisation, regular backups) to protect your data against unauthorised access, alteration, loss or destruction.
7 Processors
Where we engage service providers who process personal data on our behalf, we conclude Data Processing Agreements pursuant to Art. 28 GDPR and monitor compliance.
8 International Transfers
If we transfer personal data to recipients in countries outside the European Economic Area that do not offer an EU adequacy decision, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (Art. 46 GDPR) and, where necessary, supplementary technical and organisational measures.
9 Automated Decision‑Making / Profiling
We do not use your personal data for automated decision‑making, including profiling, within the meaning of Art. 22 GDPR.
10 Provision of Data
You are generally neither legally nor contractually obliged to provide personal data to us. However, without certain data we may be unable to provide our services (e.g. user account, payment processing).
11 Legal Disclosure Obligations
We may be required to disclose personal data to public authorities under Art. 6 (1) (c) GDPR (e.g. tax offices, law‑enforcement agencies).
12 Your Rights (Art. 12 – 22 GDPR)
You have the right to
- access (Art. 15),
- rectification (Art. 16),
- erasure (Art. 17),
- restriction (Art. 18),
- data portability (Art. 20),
- object to processing based on Art. 6 (1) (e) or (f) (Art. 21),
- withdraw consent at any time with effect for the future (Art. 7 (3)).
You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR), in particular with the authority competent for your habitual residence or with the authority responsible for us:
Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI)
Ludwig‑Erhard‑Str. 22, 20459 Hamburg
Phone: +49 40 428 544 040
E‑mail: mailbox@datenschutz.hamburg.de
13 Changes to this Notice
We may update this Notice to reflect changes in law or our processing activities. The current version is always available at https://www.shortspilot.ai/privacy‑policy.
B. Website, Platform & Social Media
1 Purpose of the Service
ShortsPilot is a cloud‑based SaaS platform that enables users to generate, edit and publish short‑form videos to social‑media channels. Access is granted on a paid subscription basis.
2 Categories of Personal Data
Server log data
We automatically collect server log information—including truncated IP addresses, timestamps (date and time), requested URLs, HTTP status codes, the user‑agent string, and referrer URLs—solely to ensure the security and stability of our infrastructure. Our legitimate interest in safeguarding system integrity forms the legal basis for this processing (Art. 6 (1)(f) GDPR).
Contact form data
When you use our contact form, we gather the details you provide—such as your name, company affiliation, email address, and message content—to handle your inquiry and respond appropriately. This processing is necessary for pre‑contractual communication at your request (Art. 6 (1)(b) GDPR).
Account & subscription data
To manage your user account and any active subscriptions, we store your name, email address, hashed password, billing address, subscription status, and payment tokens. This data is processed to perform (and potentially modify) the contract under which you subscribe to our services (Art. 6 (1)(b) GDPR).
Payment data
All card and billing details required to complete transactions are processed on our behalf by Stripe. We handle this information only to fulfil payment obligations under your contract with us and to comply with any related legal requirements (Art. 6 (1)(b) GDPR; § 25 II 2 TTDSG).
Newsletter data
If you subscribe to our newsletter, we record your email address, the timestamp of your double‑opt‑in confirmation, and your subsequent interactions (e.g., via web beacons) in order to deliver and optimise our email communications. Your explicit consent underlies this processing (Art. 6 (1)(a) GDPR; § 25 I TTDSG).
Content data
When you use our content‑generation features—such as scripts, prompts, uploads of media, or produced videos—we process these inputs to provide and continuously improve the service you requested. This is necessary to perform the service agreement between us (Art. 6 (1)(b) GDPR).
Usage data
We analyse anonymous feature‑usage metrics, error logs (via Sentry), and A/B test results to enhance and optimise our product offering. These operational improvements are pursued under our legitimate interest in refining and stabilising our service (Art. 6 (1)(f) GDPR).
3 Cookies & Similar Technologies
We use cookies and comparable technologies. Technically‑necessary cookies are placed on the basis of § 25 II No. 2 TTDSG / Art. 6 (1) (f) GDPR. Any other cookies (analytics, marketing) are used only with your consent (§ 25 I TTDSG / Art. 6 (1) (a) GDPR).
4 Third‑Party Providers & International Transfers
Below is an overview of the processors and third parties we use. All providers are bound by contracts in accordance with Art. 28 GDPR. Where data transfer to third countries occurs, it is protected by EU Standard Contractual Clauses and, where required, additional measures.
Vercel Inc.
Role: Hosting & CDN
Processed Data: Log data
Location: EU (Frankfurt)
Legal Basis: Art. 6 (1) (f) GDPR
Vercel powers our site’s hosting and CDN from its Frankfurt region to ensure fast, reliable performance. We process operational and log data under our legitimate interest in maintaining a stable service.
Microsoft Azure Open AI
Role: AI inference & embeddings
Processed Data: Content data (no personal identifiers)
Location: EU (Sweden)
Legal Basis: Art. 6 (1) (b) GDPR
Our AI workloads run in Microsoft’s Sweden datacenter. Processing is necessary to perform the services we’ve agreed with you.
Sentry Inc.
Role: Error monitoring
Processed Data: IP address, device data, stack trace
Location: EU (Frankfurt)
Legal Basis: Art. 6 (1) (f) GDPR
Sentry collects error reports—including IP and device details—from its Frankfurt data residency offering to help us detect, diagnose, and fix issues under our legitimate interest in service reliability.
Stripe Payments Europe Ltd.
Role: Payment processing
Processed Data: Billing & payment data
Location: EU (Ireland)
Legal Basis: Art. 6 (1) (b) GDPR
Stripe manages your payments and billing details in its Ireland region. Processing is required to fulfill our contract with you.
Amazon Web Services, Inc. (Simple Email Service)
Role: Transactional & marketing e‑mails
Processed Data: E‑mail address, display name
Location: EU (Frankfurt)
Legal Basis: Art. 6 (1) (f) GDPR
AWS SES sends our system notifications, password resets, and promotional messages from its Frankfurt mail cluster under our legitimate interest in account security and user communication.
Google LLC / Google Ireland Ltd.
Role: OAuth sign‑in & YouTube API
Processed Data: Account tokens
Location: EU (Ireland)
Legal Basis: Art. 6 (1) (b) GDPR
We integrate with Google for single‑sign‑on and YouTube features via Google’s Ireland region. Processing is necessary to provide these services.
TikTok Ltd.
Role: Content posting API
Processed Data: Authentication tokens
Location: EU (Ireland, Norway)
Legal Basis: Art. 6 (1) (b) GDPR
TikTok’s EU API endpoints in Ireland and Norway let you post content directly, with all data processing remaining within the EU to comply with contract performance requirements.
Meta Platforms Ireland Ltd.
Role: Advertising pixel
Processed Data: IP address, user‑agent, events
Location: EU (Ireland)
Legal Basis: Art. 6 (1) (a) GDPR
Our use of Meta’s advertising pixel is based on your consent, processed through Meta’s Ireland region. You may withdraw consent at any time.
Neon Inc.
Role: PostgreSQL database
Processed Data: Account & content data
Location: EU (Frankfurt)
Legal Basis: Art. 6 (1) (b) GDPR
Neon hosts our user accounts and content storage in its Frankfurt region. Processing is essential to perform our service contract.
Clerk Inc.
Role: Authentication
Processed Data: E‑mail, name, password hash
Location: EU (Frankfurt)
Legal Basis: Art. 6 (1) (b) GDPR
Clerk manages user login and credentials via its Frankfurt tenancy, which is necessary to secure your account under our contract.
Intercom R&D Unlimited Company
Role: In‑app chat & customer support
Processed Data: Chat transcripts, e‑mail
Location: EU (Dublin)
Legal Basis: Art. 6 (1) (f) GDPR
Intercom enables real‑time support and collects chat logs and e‑mail addresses in its Dublin region under our legitimate interest in providing timely assistance.
5 Newsletter & Direct Marketing
You can subscribe to our newsletter by double‑opt‑in. You can withdraw your consent at any time via the unsubscribe link or by contacting us. Newsletter success metrics (opens, clicks) are tracked pseudonymously.
6 Social‑Media Pages
When you visit our pages on LinkedIn, YouTube, TikTok etc., the respective operators act together with us as joint controllers within the meaning of Art. 26 GDPR. Please also note the privacy notices of those platforms.
7 Contact & Support
When you contact us (e.g. by e‑mail, Intercom chat, social media), we process your details to handle the enquiry (Art. 6 (1) (b) or (f)). Conversations are stored for evidence and quality‑assurance purposes and deleted when no longer needed.
8 Video Upload Integrations
If you choose to connect your YouTube or TikTok account, we receive OAuth tokens that allow us to publish videos on your behalf. You may revoke access at any time in your Google or TikTok security settings.
9 Data Subject Requests, Deletion & Export
You can submit requests for data exports by e‑mail to support@shortspilot.ai. We will respond within one month in accordance with Art. 12 GDPR. You can delete your account and personal data via the settings at https://www.shortspilot.ai/settings.
C. Contact
If you have any questions about data protection, please contact us at support@shortspilot.ai or write to the postal address listed under A.2 above.