Privacy Policy for Art of X

Effective Date: October 15, 2025

This privacy policy provides information about the nature, scope, and purpose of the processing of personal data within the platform operated by Art of X - Art of X UG (haftungsbeschränkt) (hereinafter "we" or "us").

1. Data Controller

The controller within the meaning of the GDPR and other national data protection laws is:

Art of X - Art of X UG (haftungsbeschränkt)
Goethestr. 59
10625 Berlin
Germany

Email: [email protected]

2. Data Protection Officer

The external Data Protection Officer can be reached as follows:

Prof. Dr. Norman Uhlmann
h3ko Innovations GmbH
Pappelallee 64
16359 Biesenthal
Germany

Email: [email protected]

3. General Information on Data Processing

The subject of data protection is personal data. This refers to all information relating to an identified or identifiable natural person (the "data subject"). Personal data of users is generally only processed to the extent necessary to provide a functional platform and its content and services.

4. What Data is Processed and For What Purpose

a. Provision of the Website and Creation of Logfiles (Hosting)

Each time the website is accessed, the system automatically collects data and information from the computer system of the accessing computer. This data is stored in the server's logfiles. The following data is collected:

IP address of the requesting computer
Date and time of access
Name and URL of the retrieved file
Website from which access is made (referrer URL)
Browser used and, if applicable, the computer's operating system

This data is processed to ensure smooth connection establishment and comfortable use of the website, as well as to evaluate system security and stability. The legal basis for data processing is Art. 6 Para. 1 S. 1 lit. f GDPR. The legitimate interest follows from the purposes for data collection listed above.

The services of Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA, are used for website hosting. A data processing agreement (DPA) has been concluded with Vercel. Through this agreement, Vercel ensures that data is processed in accordance with the GDPR and that the rights of data subjects are guaranteed. Further information can be found in Vercel's privacy policy: https://vercel.com/legal/privacy-policy.

b. Registration and Use of an Account (Authentication & Database)

To use the platform, creating a user account is required. The following data is collected:

Name
Email address
Password (stored in encrypted form)

This data is necessary to manage the account and enable access to the services. The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment).

For authentication and user database management, the services of Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992, are used. Supabase provides the backend infrastructure for the platform. Data storage, including the database, authentication, storage, and AI-related embeddings, takes place in the Northern EU region (Stockholm, eu-north-1). A data processing agreement (DPA) has been concluded with Supabase. Further information on data protection at Supabase can be found here: https://supabase.com/privacy.

c. AI-Powered Features

For the provision of AI-powered features, the following services are used:

OpenAI (Text Generation, Embeddings, Image Analysis)

OpenAI OpCo, LLC, 3180 18th St, San Francisco, CA 94110, USA, is used for text generation, creation of embeddings from user content, voice transcription (Whisper), and image analysis.

When these features are used, the relevant data (e.g., text inputs or content to be analyzed) is sent to OpenAI's servers for processing. We do not transmit any personal data to OpenAI beyond what is necessary for the function, and we store the results generated by OpenAI in our system hosted on Supabase (see above).

The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR (contract fulfillment), as these features are a core component of the services offered. A data processing agreement has been concluded with OpenAI. Further information on data protection at OpenAI can be found here: https://openai.com/policies/privacy-policy.

ElevenLabs (Voice Processing)

ElevenLabs Inc., 20-22 Wenlock Road, London, N1 7GU, United Kingdom, is used for voice synthesis (text-to-speech) and voice transcription (Scribe v1). When you use voice features, audio data is transmitted to ElevenLabs for processing. A data processing agreement has been concluded with ElevenLabs. Further information: https://elevenlabs.io/privacy.

Black Forest Labs (Image Generation)

Black Forest Labs, services via api.bfl.ai, is used for AI image generation (Flux models). When you generate images, your text prompts are transmitted to BFL servers for processing. Further information: https://blackforestlabs.ai/privacy-policy/.

Langfuse (AI Observability & Prompt Management)

Langfuse GmbH, Residenzstraße 27A, 80333 München, Germany, is used for managing AI prompts, tracking AI interactions, and system observability. This helps us improve service quality and debug issues. Technical metadata about AI interactions is processed. A data processing agreement has been concluded with Langfuse. Further information: https://langfuse.com/docs/data-security-privacy.

d. Content in Flows and Training of Sparks (User Content)

The heart of the platform is the processing of content created by users in "Flows" (collaborative workspaces) and shared with "Sparks" (AI assistants). This can include voice recordings, texts, images, or other creative works ("User Content").

This data is processed for the following purposes:

Training a Personal AI Model ("My Spark"): User Content is used to create and train a personal AI model based on individual contributions.
Training General AI Models: If explicit consent (opt-in) has been given, User Content is also used to be incorporated into our larger, general AI models. These models may be used for commercial purposes and made available to customers. Important Note for Team Users: Content created as part of a team account or in shared team flows is fundamentally excluded from this regulation and will under no circumstances be used for training general AI models.

The processing of User Content for training personal AI models is based on Art. 6 Para. 1 lit. b GDPR (contract fulfillment). The processing for training general AI models is exclusively based on explicit consent in accordance with Art. 6 Para. 1 lit. a GDPR.

e. Payment Processing

If paid services are used, payment data is processed for the purpose of contract fulfillment. Processing is based on Art. 6 Para. 1 lit. b GDPR.

Payment processing is carried out through the payment service provider Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. No credit card data is stored; it is directly forwarded to Stripe. Stripe is a certified partner and is subject to strict data protection and security standards. A data processing agreement has been concluded with Stripe. Further information on data protection at Stripe can be found at: https://stripe.com/privacy.

f. Additional Data Processing Services

The platform uses additional specialized services to enhance functionality:

Tavily (Web Search)

Tavily AI, services via api.tavily.com, is used to provide web search capabilities within the platform. When you use search features, your search queries are transmitted to Tavily for processing. Further information: https://tavily.com/privacy.

Supadata (Data Enrichment)

Supadata, services via api.supadata.ai, is used for enriching and processing web content. URLs and content metadata may be transmitted for processing. Further information: https://supadata.ai/privacy.

OCR.space (Optical Character Recognition)

OCR.space API, operated by A9t9 software GmbH, Nordstr. 8, 87561 Oberstdorf, Germany, is used to extract text from uploaded images and documents when OCR functionality is required. Image data is transmitted for processing. Further information: https://ocr.space/privacypolicy.

g. Communication via Email

For sending platform-related emails (e.g., registration confirmations, password resets), the service Resend is used, offered by Resend Inc., 548 Market St PMB 95453, San Francisco, CA 94104-5401, USA. Resend processes the email address on our behalf. A data processing agreement (DPA) has been concluded with Resend. Further information can be found in Resend's privacy policy: https://resend.com/legal/privacy-policy.

h. Cookies

Cookies are used on the website. These are small text files stored on the end device. Some of the cookies used are so-called "session cookies." They are automatically deleted after the visit ends. Other cookies remain stored on the end device until they are deleted. These cookies make it possible to recognize the browser on the next visit.

Processing is based on Art. 6 Para. 1 lit. f GDPR from the legitimate interest in user-friendly website design, as well as on Art. 6 Para. 1 lit. a GDPR if corresponding consent has been given (e.g., for analytics cookies). The browser can be configured to be informed about cookie placement and to allow cookies only on a case-by-case basis.

i. Web Analytics with Google Analytics

This website uses functions of the web analytics service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses cookies that enable analysis of your use of the website. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there.

The storage of Google Analytics cookies and the use of this analytics tool is based on your consent according to Art. 6 Para. 1 lit. a GDPR. You can change or revoke this consent at any time through our cookie settings.

We have activated IP anonymization on this website. As a result, your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA.

We have concluded a data processing agreement with Google.

Data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here: https://privacy.google.com/businesses/controllerterms/mccs/.

More information on Google Analytics' handling of user data can be found in Google's privacy policy: https://support.google.com/analytics/answer/6004245.

5. Storage Duration and Data Deletion

Personal data is only stored for as long as necessary to achieve the purposes stated here or as provided for by statutory retention periods.

The right to deletion is particularly important: The deletion of the account and all associated data can be requested at any time. This can be done directly in the settings under /settings/preferences. After such a request, personal data and user content are permanently removed from active systems. The data will no longer be used for training new models, and all reasonable technical steps will be taken to remove it from existing models as well.

6. Rights of the Data Subject

Data subjects have the following rights regarding their personal data:

Right to Access (Art. 15 GDPR)
Right to Rectification (Art. 16 GDPR)
Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR)
Right to Restriction of Processing (Art. 18 GDPR)
Right to Data Portability (Art. 20 GDPR)
Right to Object (Art. 21 GDPR)

There is also the right to withdraw consent at any time with effect for the future (Art. 7 Para. 3 GDPR). The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

To exercise these rights, the contact address mentioned above can be contacted.

7. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, there is the right to lodge a complaint with a supervisory authority, in particular in the Member State of residence, place of work, or place of the alleged infringement, if it is believed that the processing of personal data violates the GDPR (Art. 77 GDPR).

8. Data Security

All necessary technical and organizational security measures are taken to protect personal data from loss and misuse. Data is stored in a secure operating environment that is not accessible to the public. Data transmission is encrypted using SSL technology.

9. Changes to This Privacy Policy

We reserve the right to adapt this privacy policy so that it always complies with current legal requirements or to implement changes to services in the privacy policy, e.g., when introducing new services. The new privacy policy will then apply to future visits.