Privacy Policy

Last updated: February 19, 2026

1. Controller

The controller responsible for data processing on this website is:

Sunderlabs UG (haftungsbeschränkt)
Rechbergstrasse 28
70794 Filderstadt, Germany
Managing Director: Sebastian Boehler
Email: contact@sunderlabs.com


2. Overview of Data Processing

We take the protection of your personal data seriously. We process personal data only in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). This privacy policy explains what data we collect, why we collect it, and your rights regarding your data.


3. Hosting

This website is hosted by Vercel Inc., 440 N Baxter St, Covina, CA 91723, USA. When you visit our website, Vercel may process your IP address and other technical data to deliver the website content. This processing is based on Art. 6(1) lit. f GDPR (legitimate interest in reliable website delivery).

We use Google Cloud Platform (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) for cloud storage and backend services. Data may be transferred to the USA under the EU-US Data Privacy Framework. More information: cloud.google.com/privacy.


4. Server Log Files

Our hosting provider automatically collects and stores information in server log files that your browser transmits. This includes:

  • Browser type and version
  • Operating system
  • Referrer URL
  • IP address (anonymized)
  • Date and time of access

This data is not combined with other data sources. Processing is based on Art. 6(1) lit. f GDPR (legitimate interest in technical security and optimization).


5. Analytics

We use Vercel Analytics to understand how visitors interact with our website. Vercel Analytics is a privacy-focused analytics tool that does not use cookies and does not collect personally identifiable information. Aggregated, anonymized usage data (page views, web vitals) is processed to improve our website. Legal basis: Art. 6(1) lit. f GDPR (legitimate interest in website optimization).


6. Cookies

This website uses only technically necessary cookies required for the operation of the website (e.g., session management, authentication). These cookies are essential and cannot be disabled. We do not use tracking cookies or third-party advertising cookies. Legal basis: Art. 6(1) lit. f GDPR.


7. Contact via Email

When you contact us by email, we store your email address and the content of your message to process your inquiry. This data is processed based on Art. 6(1) lit. b GDPR (contract performance or pre-contractual measures) or Art. 6(1) lit. f GDPR (legitimate interest in responding to inquiries). We delete this data once the purpose of storage no longer applies, unless statutory retention obligations require otherwise.


8. Third-Party Services

Google Cloud Storage

We use Google Cloud Storage to host media assets (images, audio, video). Files are served from Google's CDN. Google may process technical connection data. Privacy policy: policies.google.com/privacy.

Google Fonts

We use Google Fonts served via Next.js font optimization, which self-hosts the font files. No requests are made to Google servers when loading fonts.

MongoDB Atlas

We use MongoDB Atlas (MongoDB, Inc., 1633 Broadway, New York, NY 10019, USA) as our primary database. Metadata about content, orders, and app configuration is stored there. Data is hosted in the EU (Frankfurt region). Privacy policy: mongodb.com/legal/privacy-policy.


8a. E-Commerce, Shopify & Payments

Shopify

Our online store is operated via Shopify Inc. (151 O'Connor Street, Ground Floor, Ottawa, Ontario, K2P 2L8, Canada). When you visit or make a purchase in our store, Shopify processes the following categories of data on our behalf as a data processor:

  • Name, email address, shipping and billing address
  • Order details, product selections, and cart contents
  • IP address, browser type, and device information
  • Payment method type (not full card details — see Payments below)
  • Custom line item properties (e.g., AI-generated preview image URLs for custom products)

Legal basis: Art. 6(1) lit. b GDPR (contract performance). Shopify is certified under the EU-US Data Privacy Framework. Privacy policy: shopify.com/legal/privacy.

Shopify Web Pixels & Customer Privacy API

Our Shopify store may use Shopify Web Pixels — a sandboxed tracking framework that runs in an isolated environment and cannot directly access the page DOM or cookies. Pixels may collect behavioral data such as page views, product views, add-to-cart events, and checkout steps for analytics and conversion measurement purposes.

We use Shopify's Customer Privacy API to manage consent. Tracking pixels that require consent (e.g., marketing or analytics pixels beyond strictly necessary functionality) are only activated after the visitor has provided explicit consent via the cookie banner. Visitors in the EU/EEA are presented with granular consent options (Strictly Necessary / Analytics / Marketing) in accordance with the ePrivacy Directive and GDPR Art. 6(1) lit. a.

Currently active pixel categories:

  • Strictly necessary: Shopify checkout, cart, session management
  • Analytics (consent required): Shopify Analytics (aggregate, anonymized)
  • Marketing pixels: None currently active — will be disclosed here when added

Payment Processing — Stripe (planned)

We plan to integrate Stripe (Stripe, Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA / Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland for EU customers) as our payment processor.

When Stripe is active, payment data (card number, expiry, CVC) is entered directly into Stripe's PCI-DSS-compliant hosted fields and is never transmitted to or stored on our servers. We receive only a payment token and the last four digits of the card for order confirmation purposes.

Stripe may also use cookies and device fingerprinting for fraud prevention (Stripe Radar). This processing is based on Art. 6(1) lit. f GDPR (legitimate interest in fraud prevention) and Art. 6(1) lit. b GDPR (contract performance). Stripe is certified under the EU-US Data Privacy Framework. Privacy policy: stripe.com/privacy.

Printful (order fulfillment)

For print-on-demand products (e.g., custom pet portraits, stickers), orders are fulfilled by Printful Inc. (11025 Westlake Dr, Charlotte, NC 28273, USA / Printful Latvia SIA, Plienciema 1, Riga, LV-1046, Latvia for EU orders). Printful receives the shipping name, address, and product specification necessary to produce and ship your order. Legal basis: Art. 6(1) lit. b GDPR. Privacy policy: printful.com/policies/privacy.

AI-generated product images (custom products)

For custom AI-generated products (pet portraits, stickers), images uploaded or described by the customer are sent to our AI generation backend and to third-party AI model providers (currently OpenRouter / Google Gemini) solely to generate the requested product image. Uploaded images are stored temporarily in Google Cloud Storage (max. 30 days for previews; permanent for print-ready files required for fulfillment). We do not use customer-uploaded images to train AI models. Legal basis: Art. 6(1) lit. b GDPR.

Order data retention

Order data (name, address, order contents) is retained for 10 years in accordance with § 147 AO / § 257 HGB (German statutory retention obligations for commercial and tax records). After this period, data is deleted or anonymized.


9. ChatGPT Apps

Sunderlabs publishes apps in the ChatGPT app directory built with the OpenAI Apps SDK. These apps are MCP servers that extend ChatGPT conversations with additional data and functionality. This section describes how data is handled within those apps.

General principles (all ChatGPT Apps)

  • Our apps receive only the specific inputs the user or ChatGPT model explicitly passes to a tool (e.g., a company name or search query). We do not receive, reconstruct, or store the full conversation history.
  • Tool inputs are used solely to fulfill the stated purpose of the tool call. They are not used for advertising, profiling, or training AI models.
  • We do not collect payment card information, protected health information, government identifiers, or authentication credentials through any ChatGPT App.
  • No personal data is stored persistently by our apps unless explicitly stated below for a specific app. Tool calls are stateless — each request is independent.
  • Server-side request logs (IP address, timestamp, tool name) may be retained for up to 30 days for security and reliability purposes, then deleted automatically.

Handelsregister Search

  • Data received: Company name (required), optional city or register number — as entered by the user in conversation.
  • Purpose: To query the German commercial register (handelsregister.de) and Wikidata for publicly available company registration data and financial KPIs.
  • Data sources: handelsregister.de (public register, no personal data beyond company names and addresses of registered entities) and Wikidata (public domain, CC0 licensed).
  • Data storage: No user data is stored. Query inputs are not logged beyond standard server request logs (see above). Results are returned directly to ChatGPT and not retained on our servers.
  • Third-party transfers: Queries are forwarded to our backend API (hosted on a European cloud provider), which in turn queries handelsregister.de and Wikidata. No user-identifying data is included in these downstream requests.
  • Legal basis: Art. 6(1) lit. f GDPR — legitimate interest in providing accurate, publicly available company data in response to the user's explicit request.

For questions about data handling in our ChatGPT Apps, contact contact@sunderlabs.com.


10. AI-Generated Content

Sunderlabs uses artificial intelligence systems to generate content, including text, images, audio, and video. These systems run on our own infrastructure or via third-party API providers (e.g., OpenAI, Google, xAI, fal.ai, Replicate). When you interact with our AI-powered features, your inputs may be sent to these providers for processing. We do not share personal data with AI providers beyond what is technically necessary for the service.


11. Your Rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15 GDPR) — request information about your stored data
  • Right to rectification (Art. 16 GDPR) — correct inaccurate data
  • Right to erasure (Art. 17 GDPR) — request deletion of your data
  • Right to restriction (Art. 18 GDPR) — restrict processing of your data
  • Right to data portability (Art. 20 GDPR) — receive your data in a structured format
  • Right to object (Art. 21 GDPR) — object to processing based on legitimate interest

To exercise any of these rights, contact us at contact@sunderlabs.com.


12. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for our company is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart, Germany
baden-wuerttemberg.datenschutz.de


13. Changes to This Policy

We may update this privacy policy from time to time. The current version is always available at sunderlabs.com/privacy.