Privacy Policy – Unleash Your Inner Rockstar

Last updated: 23 May 2025

This Privacy Policy describes how Plaiground Studio, operated by Elbkind Reply GmbH ("we", "us", or "our"), processes personal data when you use our website Unleash Your Inner Rockstar ("Service"). We are committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR).

1. Data Controller Information (Art. 13(1)(a) GDPR)

Elbkind Reply GmbH
Admiralitätstraße 59
20459 Hamburg, Germany
Email: plaiground.studio@reply.de

For any privacy-related inquiries, please contact us via the email provided above.

2. Categories of Data Processed, Purposes, and Legal Bases

We process the following categories of personal data:

• Uploaded Photos: Purpose: Used exclusively to generate a personalized "rockstar" image by using an AI-based image generation model. Legal basis: Your explicit consent (Art. 6(1)(a) GDPR). Please note: Depending on the photo content, biometric data may be involved (Art. 9 GDPR). Processing is limited to this specific purpose and requires your prior agreement via opt-in.
• AI Processing of Uploaded Photos: The uploaded photo is transmitted to a third-party AI model (OpenAI) and automatically transformed using machine learning algorithms to generate a stylized version. No profiling or facial recognition is performed. The image is not used to train the AI and is deleted shortly after processing. Legal basis: Explicit consent (Art. 6(1)(a) GDPR; Art. 9(2)(a) GDPR where applicable).
• Generated Images: Purpose: Stored temporarily (30 days) for user retrieval purposes. Legal basis: Contractual performance necessity (Art. 6(1)(b) GDPR).
• Email Address: Purpose: Used to deliver the generated image to you and (optionally) subscribe you to our newsletter. Legal basis: Contractual necessity for delivery (Art. 6(1)(b) GDPR), separate consent for newsletter subscription (Art. 6(1)(a) GDPR).
• Server Logs and Metadata: Includes: IP addresses, timestamps, browser type, and operating system (user-agent). Purpose: This data is necessary for ensuring IT security, preventing misuse, and analyzing platform performance. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

We do not perform automated decision-making or profiling.

3. Data Processing and Transfer

Your uploaded photo is temporarily stored on our servers located within the EU and relayed to the OpenAI GPT-image-1 API to generate your rockstar image. Upon successful generation, your original uploaded image is permanently deleted from both our and OpenAI’s servers within one hour.

We deliver the generated image via Mailchimp. Your email address, when subscribed to our newsletter, is stored securely via Airtable.

4. Data Processors and International Transfers (Art. 13(1)(e) GDPR)

We use external service providers who act as data processors under GDPR-compliant agreements:

Provider	Purpose	Location	Legal Safeguard
OpenAI, L.L.C.	Image generation via GPT-based API	USA	Standard Contractual Clauses (SCCs)
Mailchimp (Intuit Inc.)	Email delivery	USA	SCCs
Airtable, Inc.,	Newsletter subscription management	USA	SCCs
Hetzner Online GmbH,	Hosting of the application	Germany	No data transfer outside the EU

 

We have entered into data processing agreements with all service providers in accordance with Art. 28 GDPR. Where transfers to third countries (e.g., USA) occur, these are based on EU-approved Standard Contractual Clauses.  We also implement additional safeguards such as encryption, strict access controls, and pseudonymization where feasible.

We do not sell or share personal data with third parties for advertising purposes.

5. Data Retention Periods

• Uploaded photos: Deleted within 1 hour of processing completion.
• Generated images: Stored for 30 days from creation for user access.
• Email addresses (non-newsletter subscribers): Retained for 90 days to ensure successful delivery.
• Newsletter subscribers: Retained until unsubscribed.
• Server logs: Retained for 30 days.

6. Your Data Protection Rights (Art. 15-21 GDPR)

You have the right to:

• Access your personal data (Art. 15)
• Request correction (Art. 16)
• Request deletion (Art. 17)
• Request restriction of processing (Art. 18)
• Data portability (Art. 20)
• Object to processing (Art. 21)
• Withdraw your consent at any time without affecting the lawfulness of prior processing

 

To exercise these rights, please contact us at: plaiground.studio@reply.de

If you believe that the processing of your personal data violates applicable laws, you also have the right to lodge a complaint with the supervisory authority:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22, 20459 Hamburg
Tel. +49 40 428 54 4040
mailbox@datenschutz.hamburg.de

7. Security Measures

We apply robust technical and organizational safeguards to protect your personal data, including:

·         TLS (HTTPS) encryption during data transfer

·         Strict access control and internal data minimization policies

·         Secure storage and timely deletion mechanisms

·         Pseudonymization and secure data transfer

8. Cookies

We use only essential session cookies required for website functionality. No third-party tracking or advertising cookies are used.

9. Changes to This Privacy Policy

We reserve the right to update this privacy policy to comply with legal requirements or adapt to technical changes. Significant changes will be communicated clearly; minor updates will be noted on this page.