Last updated: 17 July 2026. This policy explains what data ScreenLab processes when you use the service, why, and which third parties are involved (Art. 13 GDPR).
1. Controller
Seifert AviationSoftware
Kilian Seifert
Am Ziegelland 47, 85604 Zorneding, Germany
Email: software@seifert-aviation.de
2. Overview of your data
We process: your account email and password hash, the app name/description/style you enter, the screenshots and logos you upload, projects and their generated designs, and payment/subscription status. We do not sell your data.
3. Account & Database (Supabase)
Registration, login, and all project/design data are stored with Supabase (Supabase Inc., hosted in the EU). Legal basis: performance of our contract with you (Art. 6(1)(b) GDPR). Your password is stored as a salted hash — we never see or store it in plain text.
4. File Storage (Supabase Storage, moving to Cloudflare R2)
Screenshots, logos, and AI-generated images you create are stored in a private storage bucket, accessible only to your account. We plan to migrate this storage to Cloudflare R2 (Cloudflare, Inc.) as the service grows; this policy will be updated when that happens. Legal basis: Art. 6(1)(b) GDPR.
5. AI Design Features (Google Gemini)
When you use AI design/analysis/translation features, the screenshots, app description, and text you provide are sent to Google's Gemini API (Google Ireland Limited / Google LLC) for processing. This may involve transferring data to the United States; Google participates in the EU-U.S. Data Privacy Framework and/or relies on EU Standard Contractual Clauses as a transfer safeguard. Legal basis: Art. 6(1)(b) GDPR (this is a core feature you actively request). Data sent is not used by Google to train their public models per their API terms.
6. AI Image Generation (Replicate)
When you generate a sticker or background image, your text prompt is sent to Replicate, Inc. (United States) to run the image-generation model. This involves a transfer to the United States under appropriate safeguards (Standard Contractual Clauses). Legal basis: Art. 6(1)(b) GDPR.
7. Stock Photo Search (Pexels, Unsplash)
When you search for background photos, your search term is sent to Pexels and/or Unsplash to retrieve matching images. No account data is shared — only the search term and your IP address (technically required for the request). Legal basis: Art. 6(1)(b) GDPR.
8. Payments (Stripe Managed Payments)
Subscription and token-package purchases are processed by Stripe (Stripe Payments Europe, Limited, Ireland, and its affiliates), acting as merchant of record. Stripe receives your email address and payment details directly — we never see or store your card/payment details ourselves. Stripe handles VAT/sales tax on these transactions as the legal seller. Legal basis: Art. 6(1)(b) GDPR. See
Stripe's own privacy policy for details of their processing.
9. Transactional Email (Resend)
Account verification, purchase receipts, and low-token-balance notices are sent via Resend. Your email address and the email content are processed by Resend for this purpose. Legal basis: Art. 6(1)(b) GDPR.
10. Hosting & Server Logs (Railway)
The application runs on Railway (EU region). Standard server logs (IP address, timestamp, requested URL) are recorded briefly for operation and security purposes. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure, reliable service).
11. Cookies & Local Storage
We use one essential cookie (Supabase session/auth token) required to keep you logged in. We do not use tracking or advertising cookies, and no consent banner is needed for this strictly necessary cookie under Art. 6(1)(b) GDPR / § 25(2) TTDSG.
12. Data Retention
Account and project data is kept for as long as your account exists. If you delete your account, we delete your data within 30 days, except where we are legally required to keep records longer (e.g. invoice data under German tax law, typically 10 years).
13. Your Rights
Under GDPR you have the right to access, rectify, erase, or restrict processing of your data, to data portability, and to object to processing based on legitimate interest. You also have the right to lodge a complaint with a supervisory authority — in Germany, the competent authority for Bavaria is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA). To exercise any of these rights, contact us at software@seifert-aviation.de.
14. Changes to This Policy
We may update this policy as the service evolves (e.g. moving file storage to Cloudflare R2). The "last updated" date above always reflects the current version.