Privacy Policy (GDPR)#
Last updated: 22 May 2026
Controller (for website/account/billing): withoutBG API – Einzelunternehmen (Inhaber: Imran Kocabiyik), Dudenstr. 24, 10965 Berlin,
Processor vs. Controller
- For API image data you send for background removal, we act as your processor.
- For account, website analytics, fraud/security, email delivery, and billing, we are the controller.
1. What we collect & why#
A) Website & Account (Controller)#
- Email address (magic-link login, third-party sign-in via Google/GitHub, & transactional email): to create/manage your account and communicate about the Service. Email is sent via AWS Simple Email Service (SES) operated in our own AWS account (no separate email vendor). Legal basis: Contract (Art. 6(1)(b) GDPR).
- Third-party sign-in (Google, GitHub): If you choose to sign in with Google or GitHub, the provider sends us your verified email address and an opaque user identifier (the OAuth subject ID, e.g. Google's
subor GitHub's user ID). We use the email as the account identifier and store the subject ID alongside your account record so we can recognise you on future logins. We request only the minimum scopes needed for sign-in:openid email profile(Google) andread:user user:email(GitHub). Theprofilescope is requested by Google for consent screen display only; we do not store your name or profile picture. We do not store OAuth access tokens or refresh tokens after the sign-in flow completes, and we do not access any other resource on your Google or GitHub account (no repositories, contacts, calendars, etc.). Short-lived OAuth state tokens (random value, no personal data, 10-minute TTL) are stored temporarily to prevent CSRF and are deleted automatically. If a user with the same verified email already exists, the provider is linked to that account rather than creating a duplicate. Legal basis: Contract (Art. 6(1)(b) GDPR). Google and GitHub act as independent controllers for the data they process about you in connection with the sign-in flow; see their respective privacy policies linked in Section 3. - Analytics (Ahrefs Web Analytics): We use Ahrefs Web Analytics to measure site usage. It runs without cookies or persistent identifiers and does not store IP addresses. Unique visitor counts are derived via a daily salted hash of IP address and user agent; salts are rotated every 24 hours, preventing cross-day or cross-site tracking. Location is limited to city/country. Controller: us; Processor: Ahrefs.
Legal basis: Legitimate interests (Art. 6(1)(f)) in understanding and improving service usage.
Right to object (Art. 21): If you object to analytics, we will stop collecting analytics for your visits. How to opt out: add the?no-analytics=1URL parameter to our pages (we’ll honor it for that visit), or email us and we’ll exclude your visits going forward. - Security/Fraud logs: IPs, timestamps, auth and abuse signals. Legal basis: Legitimate interests (security, abuse prevention). Right to object (Art. 21): If you object to security/fraud logs, we will assess whether we have compelling legitimate grounds that override your interests. Retention: 90 days (or the shortest period operationally feasible) unless needed longer to investigate incidents or comply with law.
B) Payments (Stripe)#
Automated decisions & profiling (payments). We use Stripe to process payments. Stripe acts as an independent controller and may use automated decision-making and profiling (e.g., fraud screening via Stripe Radar, 3-D Secure risk evaluation) to prevent fraud and comply with payment regulations. This may affect whether a payment is approved or requires additional verification. Under GDPR Art. 22, you have the right to obtain human review, to express your point of view, and to contest the decision. For details on Stripe’s processing and how to exercise your rights with Stripe, see Stripe’s Privacy Policy and Stripe’s Privacy Center.
We do not use automated decision-making producing legal or similarly significant effects outside Stripe’s payment screening.
We use Stripe to process payments. Stripe is a separate, specialized payment service provider. For most payment processing, Stripe acts as an independent controller of personal data needed to provide its services (e.g., fraud prevention, compliance with financial regulations). We remain the controller for our own records and billing.
What data is processed
- You provide directly to Stripe in checkout: card details (PAN, CVC) or alternative method details (e.g., SEPA IBAN, Apple Pay/Google Pay payment tokens), cardholder name, billing address, and device/fraud signals (e.g., 3-D Secure/SCA). We do not receive or store full card or bank details.
- We receive from Stripe (via API/webhooks) and store in our billing records: your Stripe customer ID, payment method type, last 4 digits, card brand, expiration month/year, billing name, billing address (where provided), payment intent IDs, charge IDs, invoice and subscription metadata, payment status (success/failure), refunds, and dispute/chargeback events (including the fact of a dispute and our submitted evidence).
- Tax data: where applicable, country, VAT ID/company details you provide for invoicing; tax rate and jurisdiction applied.
Purposes & legal bases
- To take and manage payments, subscriptions, refunds, and credits — Contract (Art. 6(1)(b)).
- Accounting, bookkeeping, and tax compliance — Legal obligation.
- Fraud prevention, security, and dispute handling — Legitimate interests and, for Stripe, its own legal obligations as a regulated payment institution.
- Storing a payment method for future renewals (via Stripe vaulting, e.g., cards, SEPA mandates): Contract and our legitimate interests in providing a seamless subscription experience. You can delete stored payment methods in your dashboard or by contacting us.
Who sees what
- We can see the limited billing details listed above (never full card or bank numbers).
- Stripe receives/creates additional data needed to operate a secure payments network (e.g., fraud signals, bank identifiers) and uses it under its own privacy notice and regulatory obligations.
- For SCA/3-D Secure, your bank/issuer may receive authentication data.
Security & compliance
- Card and bank details are entered on Stripe’s infrastructure and are never sent to or stored on our servers.
- Stripe is certified to PCI DSS. We use Stripe features such as Tokenization, 3-D Secure (SCA/PSD2), and Radar fraud screening.
- Our systems store only tokenized identifiers (e.g., Stripe customer, payment method, and charge IDs) and limited card metadata (brand, last 4, expiry) for receipts, refunds, dispute handling, and subscription renewals.
Retention
- Invoices, payments, and related billing records: retained for 10 years under German tax law.
- Dispute/chargeback records: retained as long as needed to resolve the dispute and comply with regulatory/financial recordkeeping.
- Stored payment methods (at Stripe): retained until you remove them, your subscription ends and settlement completes, or we instruct Stripe to delete them.
International transfers
Stripe may process data in the EEA, UK, and the US (and other locations where necessary to provide payment services). Where data is transferred outside the EEA/UK, Stripe applies an adequacy decision (where available) or Standard Contractual Clauses (SCCs)/UK IDTA, plus supplementary safeguards. We also rely on SCCs in our contract with Stripe.
Your choices
- You can update or remove a stored payment method in the dashboard, switch payment method, or ask us to initiate deletion.
- If you object to Stripe’s processing as an independent controller, please contact Stripe directly in addition to contacting us; we’ll still help facilitate requests that relate to the data we control.
C) API Processing (Processor)#
Image processing & temporary storage nuance
How image data is handled. Processing is designed to be in-memory only. We disable application-level disk writes in the image processing path; container filesystems are read-only, swap is disabled, and temporary working directories use memory-backed storage. Where the cloud platform may create ephemeral storage or network-level buffers outside our direct control, we configure them to auto-purge and we do not persist your content beyond completion of the request. We do not write input images or results to long-term storage unless you explicitly ask us to.
Verification. We enforce these controls via automated tests in CI, periodic runtime checks (verifying no file I/O in the processing path), infrastructure policies (read-only root, no swap), and log sampling to confirm no object-store writes for processing requests. We review these controls at least quarterly and after material infrastructure changes.
- Images you submit are processed in RAM only and discarded immediately after inference.
- API logs (non-content): timestamp, file size, inference time, status codes, error logs—for operations, abuse detection, and reliability. Legal basis (controller for logs): Legitimate interests. Right to object (Art. 21): If you object to API logs, we will assess whether we have compelling legitimate grounds that override your interests.
We do not#
- Store passwords (magic-link or third-party sign-in only).
- Store OAuth access tokens or refresh tokens after the sign-in flow completes.
- Read or write any Google or GitHub resource on your behalf (no repositories, emails, contacts, calendars, etc.) beyond the basic identity needed to sign you in.
- Train models on your data unless you explicitly ask us to (only for product photos, not human images).
- Use marketing pixels or re-identification cookies.
- Store full card or bank details on our systems.
2. Retention#
Minimal retention for abuse-prevention#
After account deletion, we retain a salted SHA-256 hash of your account email and API key identifier solely to prevent fraud/abuse and honor suppressions. These hashes are non-reversible, not used for profiling or marketing, and are retained for up to 12 months before automatic deletion.
- Account email: retained until you delete your account.
- OAuth subject identifier (Google/GitHub link): retained alongside your account record until you delete your account or unlink the provider.
- OAuth state tokens (CSRF protection): 10 minutes TTL, then auto-deleted; contain no personal data.
- Invoices & tax records: 10 years (German law).
- API logs: 90 days.
- Website security/fraud logs: 90 days (or the shortest period operationally feasible) unless needed longer to investigate incidents or comply with law.
- After account deletion: we delete all account data (including any OAuth subject identifier) except (i) invoices (legal retention), (ii) a hash of your email to prevent abuse of free credits, and (iii) your API key identifier for audit/abuse prevention.
3. Subprocessors & Recipients#
- Stripe (payments; acts as an independent controller for much of payment processing and as our processor where it follows our documented instructions—e.g., invoicing and payment collection).
- Ahrefs Web Analytics (privacy-friendly website analytics).
- Amazon Web Services (AWS) – Frankfurt (eu-central-1) (infrastructure, including AWS Simple Email Service (SES) for transactional email operated in our AWS account).
- Google LLC – identity provider for “Continue with Google”. If you choose this sign-in method, Google receives your sign-in request and returns your verified email address and an opaque subject identifier to us. Google acts as an independent controller for the data it processes about you. See Google's Privacy Policy.
- GitHub, Inc. (a Microsoft subsidiary) – identity provider for “Continue with GitHub”. If you choose this sign-in method, GitHub receives your sign-in request and returns your primary verified email address and an opaque user identifier to us. GitHub acts as an independent controller for the data it processes about you. See GitHub's Privacy Statement.
We do not share data with advertisers and do not sell personal data.
4. International Transfers#
Our servers run in AWS Frankfurt (eu-central-1). If a subprocessor or recipient transfers data outside the EEA/UK, they must use an adequate mechanism (e.g., SCCs/UK IDTA or an adequacy decision) and implement appropriate safeguards. Where you choose to sign in with Google or GitHub, those providers may process your sign-in data outside the EEA/UK (including in the United States) under their own SCCs and supplementary safeguards described in their respective privacy notices.
5. Security#
TLS in transit; processing in memory; no persistent storage of images; role-based access; monitoring and protective rate limiting. No caching, queueing, or backups for image content. Payment data security relies on Stripe’s PCI-DSS-certified infrastructure; our systems never handle raw card or bank details.
6. Your Rights (GDPR)#
You can access, rectify, erase, restrict, port, or object to processing where applicable. You may withdraw consent (if we ever rely on it) at any time.
Where we rely on legitimate interests, you may object at any time (Art. 21). If you object to analytics, we will stop collecting analytics for your visits (see Analytics for opt-out methods). If you object to security/fraud or API logs, we will assess whether we have compelling legitimate grounds that override your interests.
We respond to rights requests within one month (extendable by two months for complexity). You may lodge a complaint with the Berliner Beauftragte für Datenschutz und Informationsfreiheit (contact details on their official site).
For payment data that Stripe controls, you may also contact Stripe to exercise your rights.
7. Children#
Not directed to children; we do not knowingly process data of individuals under 16.
8. Communications#
We email you about security, service, billing, and changes to terms (effective after 30 days). No marketing newsletters unless you ask.
9. Cookies#
We use privacy-friendly, cookie-less analytics. If you use Stripe Checkout or embedded Stripe components, Stripe may set cookies or similar technologies on its domains for security and fraud prevention; these are strictly necessary for payment functionality and do not require consent under ePrivacy where they are essential. If this changes, we will show a consent banner.
Analytics opt-out reminder: add ?no-analytics=1 to our URLs, or email us to exclude your visits.
10. Deletion & Data Management#
On deletion we remove your account data per Section 2 above; billing records are retained as required by law.
11. Contact & DPO#
12. Changes to this Policy#
We may update this policy; we will post the new version here and, for material changes, email you in advance.
Data Processing Agreement (DPA) summary for API image processing (Processor role)#
- Role: You = Controller; withoutBG = Processor.
- Subject matter: transient processing of images to remove background.
- Duration: for the duration of each API request; logs retained 90 days.
- Nature/Purpose: automated processing in memory; output returned to you.
- Types of data: images and derived non-content logs.
- Data subjects: individuals depicted in images (if any).
- Security: TLS, in-memory processing, no persistent storage, access controls.
- Subprocessors: AWS Frankfurt (including SES for email, operated in our account).
- Instructions: Only process per your API calls; no training unless you opt-in (product photos only).
- Deletion: images discarded after inference; logs per retention.
Payments addendum (Stripe)#
- Parties & roles: withoutBG (merchant), Stripe (payment service provider). Stripe is generally an independent controller for payment processing, fraud prevention, and compliance; it may act as our processor where it processes data strictly on our documented instructions (e.g., issuing invoices).
- Standards & safeguards: PCI DSS, tokenization, SCA/3-D Secure, Radar.
- Data minimization: we store only tokenized IDs and limited card metadata; never full PAN/CVC/IBAN.
- Transfers: SCCs/UK IDTA and supplementary measures where required.
- Data subject rights: contact us and/or Stripe for rights requests relating to the respective controller.
- Removal of stored methods: you can remove saved methods at any time; removal does not affect data retained for legal obligations (e.g., invoices).