Privacy Policy
Last updated: 29.03.2026
1. Data Controller
Jason Holweg
Viktoriastraße 3a
24937 Flensburg, Germany
Email: hallo@jasonholweg.de
2. Data We Collect
We collect the following data during registration and use of the Platform:
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, communication | Art. 6(1)(b) GDPR |
| Password (bcrypt hash) | Authentication | Art. 6(1)(b) GDPR |
| Generated videos & prompts | Service delivery, video history | Art. 6(1)(b) GDPR |
| Credit transactions | Billing, account balance | Art. 6(1)(b) GDPR |
| IP address | Security, abuse prevention | Art. 6(1)(f) GDPR |
| Session cookie | Login session management | Art. 6(1)(b) GDPR |
We do not collect: names, physical addresses, phone numbers, or demographic data.
3. Payment Processing (Stripe)
All payments are processed by Stripe, Inc. (510 Townsend Street, San Francisco, CA 94103, USA). When you make a purchase, payment data (card number, expiry, CVC) is transmitted directly to Stripe and processed there. We never store, see, or process your payment data.
Stripe stores the following data in connection with your account:
- Customer ID (for subscription management)
- Payment method details (stored by Stripe, not by us)
- Invoice and transaction history
Stripe is certified under the EU-US Data Privacy Framework. Privacy policy: stripe.com/privacy
4. Video Generation (fal.ai)
Video generation is performed by fal.ai. The following data is transmitted to fal.ai servers:
- Text prompts entered by the user
- Uploaded images or videos (as reference material)
- Video generation parameters (duration, mode)
Generated videos are temporarily stored on fal.ai CDN servers and may be deleted after a period. We recommend downloading generated videos promptly.
fal.ai privacy policy: fal.ai/privacy
5. Cookies & Sessions
We use only technically necessary cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| PHPSESSID | Session management (login state) | Until browser close |
| lang | Language preference (DE/EN) | 30 days |
We do not use tracking cookies, analytics tools (Google Analytics, etc.), advertising cookies, or social media plugins.
Since we only use technically necessary cookies, no cookie consent banner is required under the ePrivacy Directive / TTDSG §25.
6. Data Retention
| Data | Retention Period |
|---|---|
| Account data (email, password hash) | Until account deletion |
| Generated videos | Until account deletion (fal.ai CDN: temporary) |
| Transaction history | 10 years (§257 HGB, §147 AO tax retention requirement) |
| Server logs (IP addresses) | 30 days |
| Subscription data | Until account deletion + 10 years for tax records |
After account deletion, all personal data is permanently removed. Transaction data required for tax purposes is anonymized and retained for the legally required period.
7. Data Transfers to Third Countries
Your data may be processed by the following third-party providers outside the EU/EEA:
| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Stripe, Inc. | Payment processing | USA | EU-US Data Privacy Framework |
| fal.ai | Video generation | USA | Standard Contractual Clauses (SCC) |
8. Your Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15) — request information about your stored data
- Right to rectification (Art. 16) — correct inaccurate data (via profile settings)
- Right to erasure (Art. 17) — delete your account and all data (via profile settings)
- Right to restriction (Art. 18) — restrict processing of your data
- Right to data portability (Art. 20) — receive your data in a machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interests
To exercise your rights, contact: kontakt@veblo.ai
You can delete your account and all associated data at any time via Profile → Delete Account.
9. Right to Complain
You have the right to lodge a complaint with a data protection supervisory authority if you believe your data is being processed in violation of the GDPR.
10. Data Security
We implement the following technical and organizational measures to protect your data:
- Passwords are stored exclusively as bcrypt hashes (never in plaintext)
- All connections are encrypted via HTTPS/TLS
- Session cookies are set with HttpOnly, strict mode, and SameSite=Lax
- SQL injection prevention through prepared statements (PDO)
- XSS prevention through output escaping
- Payment data is handled exclusively by Stripe (PCI DSS compliant)