Legal
Privacy Policy
Last updated: May 27, 2026
1. Controller
The controller for the processing described in this Privacy Policy is:
StereoLift – Dr. Marvin Weigand
Lammertstraße 15-19
63075 Offenbach
Germany
Email: privacy@stereolift.com
2. Scope and Service Model
This Privacy Policy explains how we process personal data when you visit our website, upload files, place an order, receive processed output, use accountless restore access, contact us, or submit a legal or abuse notice.
Our service is a private, user-specific video-processing service. Uploaded source files and generated output files are not made public as part of the ordinary service flow.
Ordinary use does not require a permanent customer account. Access is handled through order-specific access controls, browser-stored access data, and, where needed, an email-based restore flow.
We may also offer Business Credits for business or professional customers. This Privacy Policy explains how we process personal data when Business Credits are purchased, credited, viewed, used, restored, refunded, disputed, suspended, reviewed, or corrected.
3. Categories of Personal Data
3.1 Website and security data
When you use the website or service, we may process technical access and security data such as IP address, date and time, requested pages or endpoints, technical request metadata, and, where relevant, user-agent information, rate-limit records, and abuse-prevention records.
3.2 Order and access data
We process data needed to create, manage, and secure an order, including your email address, order identifiers, selected processing options, public order references, access-token hashes, restore-token hashes, restore-session hashes, expiry timestamps, and related order-state records.
3.3 Uploaded files and derived technical metadata
We process uploaded files, generated output files, and technical metadata required for verification, pricing, scheduling, processing, validation, and delivery. This may include file name, content type, size, checksum values, container and codec information, duration, resolution, frame rate, bit depth, color metadata, audio metadata, and processing or validation results.
Uploaded files may contain personal data, including images, voices, or other information relating to identifiable persons.
3.4 Payment, billing, tax, and Business Credit top-up data
Payments are handled through Stripe. We do not store full payment-card details ourselves. We may receive and store payment-related metadata such as Stripe Checkout Session identifiers, PaymentIntent identifiers, Charge identifiers, Stripe Customer identifiers, invoice identifiers and, where available, invoice or receipt URLs or PDFs, payer or customer email, payment status, refund data, dispute or chargeback data, tax amount, net and gross amounts, billing country, billing address snapshot, VAT or tax ID where provided, automatic-tax result, reverse-charge or zero-tax indicators where applicable, and whether Stripe indicated business or tax information.
For Business Credit top-ups, we may also process the selected package ID, top-up token hash, token expiry, optional checkout ID, normalized email identity, Terms version, product or tax model metadata, business or professional name where provided through Stripe or checkout, and business type where provided.
3.5 Business Credit, declaration, and ledger data
If you purchase, view, or use Business Credits, we may process data required to administer the Business Credits system. This may include normalized email identity, Business Credit package, credits granted, promotional bonus credits, Business Credit balance and activity records, ledger entries, credit-paid conversion debits and restorations, top-up status, pending or review-required states, failed-conversion restoration rows, refund, dispute, chargeback, unresolved-payment or reversal rows, frozen or suspension state and reason, correction entries, restore challenge ID where applicable, and related support or audit records.
We also process business-customer declaration acceptance data, including declaration version or text version, acceptance timestamp, client IP address, user-agent information, and the applicable Terms version. We do not necessarily store the full checkbox text for each purchase as a separate field, but we store the version information needed to identify the declaration used.
3.6 Communication and notice data
If you contact us or submit a legal or abuse notice, we may process your name, email address, message content, attachments, evidence links, notice details, and related correspondence and audit records.
Where personal data is not obtained directly from the data subject, it generally comes from customer-uploaded files, payment or billing events from Stripe, legal or abuse notices submitted by third parties, or, where remote-import features are enabled and used by you, the third-party provider selected by you for that import.
4. Purposes and Legal Bases
4.1 Service performance
We process order data, uploaded files, output files, technical metadata, and access-control data in order to provide the requested video-processing service, make outputs available, and provide restore access where needed.
Legal basis: Art. 6(1)(b) GDPR.
Where uploaded files contain personal data of persons other than the customer, we process that data only to the extent technically necessary to carry out the requested private processing workflow and based on our legitimate interest in enabling the customer to have lawfully uploaded files privately processed as requested. Uploaded and generated files are not made public as part of the ordinary service flow.
Legal basis: Art. 6(1)(f) GDPR.
4.2 Payment, invoicing, tax compliance, and Business Credit top-ups
We process payment, billing, tax, invoice, and Business Credit top-up data in order to handle checkout, verify payment, credit Business Credits after verified payment confirmation, send confirmations, process refunds, handle payment disputes or chargebacks, issue invoices or receipts, and comply with tax, accounting, and commercial-law obligations.
Legal basis: Art. 6(1)(b) GDPR where processing is necessary for contract performance or pre-contractual steps, and Art. 6(1)(c) GDPR where processing is necessary for legal obligations.
4.3 Business Credits administration and ledger integrity
We process Business Credit, declaration, and ledger data to assign Business Credits to the relevant email identity, maintain the Business Credit ledger, show balances and activity, require restore or authentication before spending, process credit-paid conversions, restore credits after failed conversions, prevent credits from being used to buy credits, enforce the business-only Business Credits model, handle pending or review-required top-ups, and correct manifest ledger or payment errors.
Legal basis: Art. 6(1)(b) GDPR.
4.4 Security, fraud prevention, and abuse control
We process technical access data, IP addresses, rate-limit records, human-verification data, restore-session data, and related security records in order to protect the service, prevent abuse and fraud, enforce access control, and maintain integrity and availability.
For Business Credits, we also process declaration, payment, ledger, dispute, chargeback, freeze, suspension, reversal, and correction data to prevent abuse, enforce access control, protect ledger integrity, investigate payment disputes, prevent unauthorized spending, and defend against fraudulent or abusive use.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interests are network and information security, fraud prevention, payment security, ledger integrity, access control, abuse prevention, service integrity, and defense of legal claims.
4.5 Legal compliance, notice handling, and claims defense
We process data where necessary to comply with legal obligations, respond to lawful requests, handle legal or abuse notices, enforce restrictions, preserve evidence, and establish, exercise, or defend legal claims.
Legal basis: Art. 6(1)(c) and Art. 6(1)(f) GDPR.
4.6 Communication with you
We process your contact and communication data to answer inquiries, send transactional emails, provide restore links, and communicate about orders, delivery, failures, refunds, restrictions, or legal issues.
Legal basis: Art. 6(1)(b) GDPR for communications directly related to order performance. Art. 6(1)(f) GDPR for other service-related communications, such as answering general inquiries, communicating about restrictions, or addressing legal issues. Our legitimate interests are operating the service, maintaining necessary contact with users, and protecting our legal position.
5. Recipients and Processors
We use service providers and infrastructure providers where necessary to operate the service. Depending on the active production setup, recipients or processors may include:
- hosting and infrastructure providers, including Google Cloud and database providers such as Supabase / managed Postgres,
- object-storage, edge, and security providers, including Cloudflare services such as R2 object storage and Turnstile,
- cloud compute providers used for video processing, including Modal,
- payment providers, including Stripe,
- transactional email providers, including Resend,
- third-party cloud-import providers selected by you where remote-import features are enabled and used by you, such as Dropbox or Google Drive,
- and advisers, authorities, or courts where disclosure is legally required or necessary to protect legal claims.
Where a provider processes personal data on our behalf as a processor, we conclude a data processing agreement in accordance with Art. 28 GDPR.
Payment providers may also process certain data under their own responsibility to the extent inherent in payment services.
6. International Transfers
Some of our providers or their subprocessors may process personal data outside the European Union or the European Economic Area, in particular in the United States.
Where a third-country transfer is relevant, we rely on a lawful transfer mechanism under Chapter V GDPR, including where applicable:
- an adequacy decision under Art. 45 GDPR,
- appropriate safeguards such as Standard Contractual Clauses under Art. 46 GDPR,
- or, in limited cases, a derogation for specific situations under Art. 49 GDPR.
Where personal data is transferred to recipients in the United States, an adequacy decision under Art. 45 GDPR currently applies only to organizations participating in the EU-U.S. Data Privacy Framework. Otherwise, we rely on Art. 46 GDPR or, where applicable, Art. 49 GDPR.
You may request more information about relevant safeguards by contacting us.
7. Storage and Deletion
We keep personal data only for as long as necessary for the relevant purpose unless longer retention is required by law.
7.1 Uploaded source files and processing artifacts
Uploaded source files, temporary uploads, sealed copies, and processing artifacts may be kept only for as long as needed for upload handling, verification, processing, troubleshooting, abuse handling, or legal retention, and may be deleted once no longer needed for those purposes.
7.2 Processed output files
Processed outputs are generally made available for 7 days from the time they are first made available, unless a different period is expressly stated in the ordering flow or availability notice.
7.3 Access credentials
Restore-link tokens currently expire after 15 minutes. Restore-session cookies currently expire after up to 30 days unless revoked earlier. Server-side order access tokens are time-limited and currently expire after up to 30 days, and may become unusable earlier if access is revoked or the order expires.
7.4 Order, billing, Business Credit, and legal records
Order, payment, tax, invoice, notice, Business Credit top-up, Business Credit ledger, declaration, refund, dispute, chargeback, fraud-review, suspension, correction, and related audit records are kept for as long as necessary to perform the contract, maintain balance and ledger integrity, handle abuse, support requests, disputes, claims, chargebacks, refunds, corrections, and comply with statutory tax, accounting, commercial-law, and legal-retention duties. Where commercial or tax law requires longer retention, the relevant records are kept for that statutory period.
Security, rate-limit, throttle, Turnstile-related, and abuse-prevention records are kept only as long as needed for security, abuse prevention, incident handling, or evidentiary preservation.
7.5 Anonymization
Expired order records are anonymized after the configured grace period, currently 30 days after expiry, unless longer identification is required for legal retention or claims handling.
8. Browser Storage and Cookies
We use browser storage and cookies or similar technologies for service operation, security, and continuity of requested workflows.
This includes, in particular:
- browser storage for order access tokens, locally stored source-file names, upload-resume state, checkout email continuity, local checksum caching, and display-currency preference,
- an HttpOnly restore-session cookie after successful restore-link exchange,
- and Cloudflare Turnstile on protected flows such as checkout, restore, and notice submission.
The storage of information on, and access to information from, your end device is carried out in accordance with § 25 TDDDG. Where such storage or access is strictly necessary to provide a digital service expressly requested by you, no consent is required under § 25(2) no. 2 TDDDG. Otherwise, we obtain consent where required under § 25(1) TDDDG and, where personal data is then processed, Art. 6(1)(a) GDPR.
No analytics or marketing cookies or similar tracking technologies are loaded by default in the ordinary service flow.
Locally stored browser data remains on your device until it is removed by the application, overwritten, or cleared by you or your browser.
9. Whether Providing Data Is Required
Providing order data, upload data, and payment-related data is necessary if you want to use the service. Your email address is required to complete checkout, receive output or order communications, and restore access. Without that data, we cannot complete the order flow, provide output communications, or restore access.
If you want to purchase, view, or use Business Credits, providing an email address, the required business-customer declaration, payment and billing data, and where applicable tax information is necessary. Without this data, Business Credits cannot be purchased, credited, viewed, restored, or used. VAT or tax ID information is optional unless required in a specific case, but omitting it may affect tax treatment such as reverse charge or zero-rated treatment.
Providing communication or notice data is required only if you choose to contact us or submit a notice.
10. Your Rights
Subject to the legal requirements, you may have the following rights:
- right of access,
- right to rectification,
- right to erasure,
- right to restriction of processing,
- right to data portability,
- right to object under Art. 21 GDPR to processing based on Art. 6(1)(f) GDPR,
- and the right to lodge a complaint with a supervisory authority under Art. 77 GDPR.
If processing is based on consent in a particular case, you also have the right to withdraw that consent with effect for the future.
Right to object: Where we process personal data on the basis of Art. 6(1)(f) GDPR, you have the right to object under Art. 21 GDPR at any time on grounds relating to your particular situation. If you object, we will no longer process the data unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.
You can contact us about privacy matters at privacy@stereolift.com.
11. Complaints and Automated Decision-Making
You have the right under Art. 77 GDPR to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement.
We do not use solely automated decision-making within the meaning of Art. 22 GDPR. Automated operational checks may require restore authentication, block insufficient or frozen Business Credit spending, mark top-ups as pending or review-required, apply rate limits, or react to Stripe refund, dispute, chargeback, or payment events. These checks are used to operate and secure the service and do not constitute profiling-style permanent automated decisions without possible support or administrative review.