Privacy Policy
Our server and analytics (Matomo) are hosted in Germany. Only screenshots (OpenAI) and payment data (Stripe) leave the EU.
Uploaded images go directly to OpenAI for processing and are never written to our servers.
OpenAI (screenshot processing) and Stripe (payments). No advertising networks, no data brokers.
Email us and your account and all associated data will be erased within 30 days.
1. Data controller
RizzlerGPT is operated by:
Kirpeit Solutions is the data controller responsible for your personal data under the GDPR and applicable data protection law. When this policy says "we", "us" or "our", it refers to Kirpeit Solutions.
2. Data we collect
Data you provide directly
| Data | When | Purpose |
|---|---|---|
| Email address | Sign-in or subscription | Authentication (magic link), subscription management, transactional emails |
| Payment data | Premium subscription | Processed entirely by Stripe — we never receive or store card details |
Data collected automatically
| Data | Purpose | Stored where | Retention |
|---|---|---|---|
| IP address | Free-tier rate limiting, abuse prevention | Our EU server | 90 days |
| Browser user-agent | Debugging | Our EU server | 90 days |
| Usage events (success / error / paywall hit) | Product analytics, billing integrity | Our EU server | 12 months |
| Anonymised page/event analytics | Understanding traffic patterns | Matomo, self-hosted on our EU server | 13 months |
| Session cookie (a session token) | Keeping you logged in | Your browser | 30 days |
Data we explicitly do not collect or store
- Uploaded screenshots — images are forwarded in real time to OpenAI's API and are never written to our storage. They are discarded immediately after the API response is returned.
- The text content of messages visible in any screenshot
- Precise geolocation data
- Device identifiers beyond the browser user-agent
- Any data for advertising or retargeting purposes
Note on OpenAI: Screenshots are processed by OpenAI's API (USA). OpenAI may use API inputs to improve their models unless you opt out via their platform. We recommend reviewing OpenAI's Privacy Policy. We have selected OpenAI's API tier, which offers stronger data protection than their consumer products.
3. How we use your data
- Providing the service — forwarding screenshots to OpenAI, returning reply suggestions, managing your account and Premium subscription status.
- Authentication — generating and sending magic login links via PHP mail() on our own server, verifying session tokens.
- Payment management — communicating with Stripe via webhook to activate or revoke Premium access based on subscription status. We never store card details.
- Abuse prevention — IP-based rate limiting enforces the 3-free-try limit without requiring an account.
- Product analytics — aggregated, anonymised usage data via self-hosted Matomo to understand how the service is used. No individual user profiling.
- Legal compliance — retaining billing records as required by German commercial and tax law (§ 257 HGB, § 147 AO), typically for 10 years.
We send only transactional emails (login links, billing confirmations). We do not send marketing or promotional emails.
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you.
4. Legal basis for processing (GDPR)
For users in the European Economic Area and United Kingdom, processing is based on the following grounds under Article 6 GDPR:
| Processing activity | Legal basis |
|---|---|
| Providing the service, session management | Art. 6(1)(b) — performance of a contract |
| Sending transactional emails (login, billing) | Art. 6(1)(b) — performance of a contract |
| Stripe subscription billing | Art. 6(1)(b) — performance of a contract |
| IP-based rate limiting, abuse prevention | Art. 6(1)(f) — legitimate interests (protecting service integrity) |
| Anonymised product analytics (Matomo) | Art. 6(1)(f) — legitimate interests (product improvement) |
| Billing record retention | Art. 6(1)(c) — legal obligation (German tax law) |
Where we rely on legitimate interests, we have assessed that our interests do not override your rights and freedoms, given the minimised and non-sensitive nature of the data involved and the EU-based infrastructure used.
5. Third-party sub-processors
We share personal data with exactly two external sub-processors. All other processing — including analytics, email, and database storage — takes place on our own EU-hosted server.
| Provider | Purpose | Data shared | Location | Safeguard |
|---|---|---|---|---|
| OpenAI, LLC | AI processing of uploaded screenshots | Screenshot images only — no account data, no email | USA | Standard Contractual Clauses (SCCs) |
| Stripe, Inc. | Recurring subscription payment processing | Email address, subscription status, payment method (card data handled entirely by Stripe) | Ireland / USA | Standard Contractual Clauses (SCCs); Stripe Ireland Ltd. is EU-based |
We have no relationship with advertising networks, data brokers, social media platforms, or marketing tools. We do not use Google Analytics, Meta Pixel, or any equivalent tracking service.
6. Analytics — Matomo
We use Matomo, an open-source analytics platform, to understand how visitors use RizzlerGPT. Matomo is installed and operated on our own server in Germany. No analytics data is sent to any third party.
Matomo is configured with the following privacy settings:
- IP addresses are anonymised before storage (last octet masked)
- No cross-site tracking or fingerprinting
- Data is stored exclusively on our EU server and is never shared or sold
- Analytics data is retained for 13 months, then automatically deleted
Your opt-out: You can opt out of Matomo analytics at any time by enabling the "Do Not Track" (DNT) setting in your browser — Matomo respects this signal. Alternatively, contact us at kirpeit@kirpeit-solutions.de to request exclusion.
7. International data transfers
The majority of your data never leaves the European Union — our server, database, analytics, and email are all EU-based.
The following transfers to third countries occur:
- OpenAI (USA) — screenshot images only, protected by Standard Contractual Clauses (SCCs) per European Commission Decision 2021/914.
- Stripe (USA / Ireland) — payment processing. Stripe's primary European entity is Stripe Ireland Ltd., which is subject to GDPR. US-based transfers are protected by SCCs.
California (CCPA/CPRA): California residents have the right to know what personal information we collect, the right to delete, the right to correct, and the right to opt out of sale. We do not sell or share personal data for cross-context behavioural advertising. To submit a CCPA request, email kirpeit@kirpeit-solutions.de.
United Kingdom: Transfers are conducted under the UK GDPR and the International Data Transfer Agreement (IDTA) where applicable.
Other jurisdictions: We make reasonable efforts to comply with applicable local privacy law. If you have a concern specific to your jurisdiction, please contact us.
8. Data retention
| Data type | Retention period | Reason |
|---|---|---|
| Account (email, premium status) | Until deletion request + 30 days to fully erase | Service provision |
| Session tokens | 30 days from last login | Authentication |
| Magic link tokens | 1 hour (auto-expired; deleted on use) | Security |
| IP address & user-agent logs | 90 days | Abuse prevention |
| Usage event logs | 12 months | Product analytics |
| Matomo analytics data | 13 months | Traffic analysis |
| Billing records | 10 years | German tax law (§ 257 HGB, § 147 AO) |
| Uploaded screenshots | Not stored — deleted immediately after API response | Privacy by design |
10. Children's privacy
RizzlerGPT is intended for users aged 16 and over (or 13 and over where local law permits a lower age). We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us at kirpeit@kirpeit-solutions.de and we will delete it promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. For material changes — such as adding a new sub-processor or changing the legal basis for any processing — we will notify registered users by email at least 14 days before the changes take effect. Continued use of RizzlerGPT after the effective date constitutes acceptance of the updated policy.
12. Contact & complaints
Right to lodge a complaint
If you are in the EEA and believe we have not handled your data lawfully, you have the right to lodge a complaint with your national data protection authority. As we are based in Germany, the lead supervisory authority is:
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
UK residents may contact the Information Commissioner's Office (ICO). You may also contact the supervisory authority in your own EU member state.