Privacy Policy (GDPR)
Last updated: 27 October 2025
Controller (for website/account/billing): withoutBG API – Einzelunternehmen (Inhaber: Imran Kocabiyik), Dudenstr. 24, 10965 Berlin,
Processor vs. Controller
- For API image data you send for background removal, we act as your processor.
- For account, website analytics, fraud/security, email delivery, and billing, we are the controller.
1. What we collect & why
A) Website & Account (Controller)
- Email address (magic-link login & transactional email): to create/manage your account and communicate about the Service. Email is sent via AWS Simple Email Service (SES) operated in our own AWS account (no separate email vendor). Legal basis: Contract (Art. 6(1)(b) GDPR).
- Analytics (Ahrefs Web Analytics): We use Ahrefs Web Analytics to measure site usage. It runs without cookies or persistent identifiers and does not store IP addresses. Unique visitor counts are derived via a daily salted hash of IP address and user agent; salts are rotated every 24 hours, preventing cross-day or cross-site tracking. Location is limited to city/country. Controller: us; Processor: Ahrefs.
Legal basis: Legitimate interests (Art. 6(1)(f)) in understanding and improving service usage.
Right to object (Art. 21): If you object to analytics, we will stop collecting analytics for your visits. How to opt out: add the ?no-analytics=1 URL parameter to our pages (we’ll honor it for that visit), or email us and we’ll exclude your visits going forward.
- Security/Fraud logs: IPs, timestamps, auth and abuse signals. Legal basis: Legitimate interests (security, abuse prevention). Right to object (Art. 21): If you object to security/fraud logs, we will assess whether we have compelling legitimate grounds that override your interests. Retention: 90 days (or the shortest period operationally feasible) unless needed longer to investigate incidents or comply with law.
B) Payments (Stripe)
Automated decisions & profiling (payments). We use Stripe to process payments. Stripe acts as an independent controller and may use automated decision-making and profiling (e.g., fraud screening via Stripe Radar, 3-D Secure risk evaluation) to prevent fraud and comply with payment regulations. This may affect whether a payment is approved or requires additional verification. Under GDPR Art. 22, you have the right to obtain human review, to express your point of view, and to contest the decision. For details on Stripe’s processing and how to exercise your rights with Stripe, see Stripe’s Privacy Policy and Stripe’s Privacy Center.
We do not use automated decision-making producing legal or similarly significant effects outside Stripe’s payment screening.
We use Stripe to process payments. Stripe is a separate, specialized payment service provider. For most payment processing, Stripe acts as an independent controller of personal data needed to provide its services (e.g., fraud prevention, compliance with financial regulations). We remain the controller for our own records and billing.
What data is processed
- You provide directly to Stripe in checkout: card details (PAN, CVC) or alternative method details (e.g., SEPA IBAN, Apple Pay/Google Pay payment tokens), cardholder name, billing address, and device/fraud signals (e.g., 3-D Secure/SCA). We do not receive or store full card or bank details.
- We receive from Stripe (via API/webhooks) and store in our billing records: your Stripe customer ID, payment method type, last 4 digits, card brand, expiration month/year, billing name, billing address (where provided), payment intent IDs, charge IDs, invoice and subscription metadata, payment status (success/failure), refunds, and dispute/chargeback events (including the fact of a dispute and our submitted evidence).
- Tax data: where applicable, country, VAT ID/company details you provide for invoicing; tax rate and jurisdiction applied.
Purposes & legal bases
- To take and manage payments, subscriptions, refunds, and credits — Contract (Art. 6(1)(b)).
- Accounting, bookkeeping, and tax compliance — Legal obligation.
- Fraud prevention, security, and dispute handling — Legitimate interests and, for Stripe, its own legal obligations as a regulated payment institution.
- Storing a payment method for future renewals (via Stripe vaulting, e.g., cards, SEPA mandates): Contract and our legitimate interests in providing a seamless subscription experience. You can delete stored payment methods in your dashboard or by contacting us.
Who sees what
- We can see the limited billing details listed above (never full card or bank numbers).
- Stripe receives/creates additional data needed to operate a secure payments network (e.g., fraud signals, bank identifiers) and uses it under its own privacy notice and regulatory obligations.
- For SCA/3-D Secure, your bank/issuer may receive authentication data.
Security & compliance
- Card and bank details are entered on Stripe’s infrastructure and are never sent to or stored on our servers.
- Stripe is certified to PCI DSS. We use Stripe features such as Tokenization, 3-D Secure (SCA/PSD2), and Radar fraud screening.
- Our systems store only tokenized identifiers (e.g., Stripe customer, payment method, and charge IDs) and limited card metadata (brand, last 4, expiry) for receipts, refunds, dispute handling, and subscription renewals.
Retention
- Invoices, payments, and related billing records: retained for 10 years under German tax law.
- Dispute/chargeback records: retained as long as needed to resolve the dispute and comply with regulatory/financial recordkeeping.
- Stored payment methods (at Stripe): retained until you remove them, your subscription ends and settlement completes, or we instruct Stripe to delete them.
International transfers
Stripe may process data in the EEA, UK, and the US (and other locations where necessary to provide payment services). Where data is transferred outside the EEA/UK, Stripe applies an adequacy decision (where available) or Standard Contractual Clauses (SCCs)/UK IDTA, plus supplementary safeguards. We also rely on SCCs in our contract with Stripe.
Your choices
- You can update or remove a stored payment method in the dashboard, switch payment method, or ask us to initiate deletion.
- If you object to Stripe’s processing as an independent controller, please contact Stripe directly in addition to contacting us; we’ll still help facilitate requests that relate to the data we control.
C) API Processing (Processor)
Image processing & temporary storage nuance
How image data is handled. Processing is designed to be in-memory only. We disable application-level disk writes in the image processing path; container filesystems are read-only, swap is disabled, and temporary working directories use memory-backed storage. Where the cloud platform may create ephemeral storage or network-level buffers outside our direct control, we configure them to auto-purge and we do not persist your content beyond completion of the request. We do not write input images or results to long-term storage unless you explicitly ask us to.
Verification. We enforce these controls via automated tests in CI, periodic runtime checks (verifying no file I/O in the processing path), infrastructure policies (read-only root, no swap), and log sampling to confirm no object-store writes for processing requests. We review these controls at least quarterly and after material infrastructure changes.
- Images you submit are processed in RAM only and discarded immediately after inference.
- API logs (non-content): timestamp, file size, inference time, status codes, error logs—for operations, abuse detection, and reliability. Legal basis (controller for logs): Legitimate interests. Right to object (Art. 21): If you object to API logs, we will assess whether we have compelling legitimate grounds that override your interests.
We do not
- Store passwords (magic-link only).
- Train models on your data unless you explicitly ask us to (only for product photos, not human images).
- Use marketing pixels or re-identification cookies.
- Store full card or bank details on our systems.
2. Retention
Minimal retention for abuse-prevention
After account deletion, we retain a salted SHA-256 hash of your account email and API key identifier solely to prevent fraud/abuse and honor suppressions. These hashes are non-reversible, not used for profiling or marketing, and are retained for up to 12 months before automatic deletion.
- Account email: retained until you delete your account.
- Invoices & tax records: 10 years (German law).
- API logs: 90 days.
- Website security/fraud logs: 90 days (or the shortest period operationally feasible) unless needed longer to investigate incidents or comply with law.
- After account deletion: we delete all account data except (i) invoices (legal retention), (ii) a hash of your email to prevent abuse of free credits, and (iii) your API key identifier for audit/abuse prevention.
3. Subprocessors & Recipients
- Stripe (payments; acts as an independent controller for much of payment processing and as our processor where it follows our documented instructions—e.g., invoicing and payment collection).
- Ahrefs Web Analytics (privacy-friendly website analytics).
- Amazon Web Services (AWS) – Frankfurt (eu-central-1) (infrastructure, including AWS Simple Email Service (SES) for transactional email operated in our AWS account).
We do not share data with advertisers and do not sell personal data.
4. International Transfers
Our servers run in AWS Frankfurt (eu-central-1). If a subprocessor or recipient transfers data outside the EEA/UK, they must use an adequate mechanism (e.g., SCCs/UK IDTA or an adequacy decision) and implement appropriate safeguards.
5. Security
TLS in transit; processing in memory; no persistent storage of images; role-based access; monitoring and protective rate limiting. No caching, queueing, or backups for image content. Payment data security relies on Stripe’s PCI-DSS-certified infrastructure; our systems never handle raw card or bank details.
6. Your Rights (GDPR)
You can access, rectify, erase, restrict, port, or object to processing where applicable. You may withdraw consent (if we ever rely on it) at any time.
Where we rely on legitimate interests, you may object at any time (Art. 21). If you object to analytics, we will stop collecting analytics for your visits (see Analytics for opt-out methods). If you object to security/fraud or API logs, we will assess whether we have compelling legitimate grounds that override your interests.
We respond to rights requests within one month (extendable by two months for complexity). You may lodge a complaint with the Berliner Beauftragte für Datenschutz und Informationsfreiheit (contact details on their official site).
For payment data that Stripe controls, you may also contact Stripe to exercise your rights.
7. Children
Not directed to children; we do not knowingly process data of individuals under 16.
8. Communications
We email you about security, service, billing, and changes to terms (effective after 30 days). No marketing newsletters unless you ask.
9. Cookies
We use privacy-friendly, cookie-less analytics. If you use Stripe Checkout or embedded Stripe components, Stripe may set cookies or similar technologies on its domains for security and fraud prevention; these are strictly necessary for payment functionality and do not require consent under ePrivacy where they are essential. If this changes, we will show a consent banner.
Analytics opt-out reminder: add ?no-analytics=1 to our URLs, or email us to exclude your visits.
10. Deletion & Data Management
On deletion we remove your account data per Section 2 above; billing records are retained as required by law.
11. Contact & DPO
12. Changes to this Policy
We may update this policy; we will post the new version here and, for material changes, email you in advance.
Data Processing Agreement (DPA) summary for API image processing (Processor role)
- Role: You = Controller; withoutBG = Processor.
- Subject matter: transient processing of images to remove background.
- Duration: for the duration of each API request; logs retained 90 days.
- Nature/Purpose: automated processing in memory; output returned to you.
- Types of data: images and derived non-content logs.
- Data subjects: individuals depicted in images (if any).
- Security: TLS, in-memory processing, no persistent storage, access controls.
- Subprocessors: AWS Frankfurt (including SES for email, operated in our account).
- Instructions: Only process per your API calls; no training unless you opt-in (product photos only).
- Deletion: images discarded after inference; logs per retention.
Payments addendum (Stripe)
- Parties & roles: withoutBG (merchant), Stripe (payment service provider). Stripe is generally an independent controller for payment processing, fraud prevention, and compliance; it may act as our processor where it processes data strictly on our documented instructions (e.g., issuing invoices).
- Standards & safeguards: PCI DSS, tokenization, SCA/3-D Secure, Radar.
- Data minimization: we store only tokenized IDs and limited card metadata; never full PAN/CVC/IBAN.
- Transfers: SCCs/UK IDTA and supplementary measures where required.
- Data subject rights: contact us and/or Stripe for rights requests relating to the respective controller.
- Removal of stored methods: you can remove saved methods at any time; removal does not affect data retained for legal obligations (e.g., invoices).