Privacy Policy
Last updated: October 7, 2025
1. General Information & GDPR Compliance
Protecting your personal data is important to us at Tasy AI GmbH (“we”, “us”). This Privacy Policy informs you about the type, scope, and purpose of processing personal data on our platform and online services. Our offerings include AI-generated video software, AI avatars, text-to-video functionalities, and voice generation. Important: All avatars, voices, and videos created through our platform are entirely artificial and computer-generated using artificial intelligence technology. This policy also explains data handling concerning newsletters, Google Analytics, and other tracking and analysis tools.
GDPR Compliance: We are fully committed to complying with the EU General Data Protection Regulation (GDPR). This means we protect the personal data of EU residents by obtaining proper consent, securing data, respecting individual rights, and ensuring transparency. We only collect data that is necessary for our services, implement “privacy by design” principles, and maintain accountability through comprehensive documentation and security measures.
Privacy by Design: We implement privacy and data protection measures from the initial design stage of our systems and throughout the entire lifecycle of data processing. This includes data minimization, purpose limitation, and technical safeguards built into our infrastructure.
Data Minimization: We only collect and process personal data that is strictly necessary for the purposes stated in this policy. We regularly review our data collection practices to ensure we are not collecting excessive or unnecessary information.
2. Data Controller
The data controller according to the GDPR is:
Tasy AI GmbH
Karlsplatz 5
80335 Munich
Germany
Phone: +49 151 23402487
Email: help@tasy.ai
We currently do not have a designated Data Protection Officer. For privacy-related inquiries, please contact us directly at the above address.
3. Categories of Collected Data
Depending on your usage, we collect and process different categories of personal data:
- Identification and Contact Data: Name, email, phone number (if provided), billing or payment information (for paid services).
- Login and Authentication Data: Username, encrypted password, authentication data via external providers (e.g., Clerk).
- Usage and Metadata: IP address, browser type/version, operating system, timestamps of access (log files), location data derived from IP address.
- User-Generated Content: Uploaded scripts/texts for video or voice generation (processed via HeyGen/ElevenLabs), uploaded images/videos, AI-generated videos and avatars.
- Communication Data: Messages sent via contact forms or email, newsletter subscription data.
4. Purpose of Data Processing
We process personal data primarily for:
- Providing and managing our AI-powered video software and online services, including personalization and avatar generation.
- Payment processing via Stripe (for paid services).
- Communication regarding customer support or important service updates.
- Analyzing, improving, and securing our services (error handling, technical analysis, performance optimization).
- Content safety and moderation (automated filtering, harassment prevention, discrimination detection).
- Ensuring transparency and proper disclosure of AI-generated content in compliance with applicable regulations.
- Sending newsletters and marketing materials.
- Compliance with legal obligations (e.g., tax and commercial laws, AI transparency requirements).
5. Legal Basis for Data Processing
Our processing activities are based on:
- Contract fulfillment or pre-contractual measures (Art. 6(1)(b) GDPR).
- User consent (e.g., newsletters, marketing cookies, Art. 6(1)(a) GDPR).
- Legitimate interests (e.g., security, preventing abuse, Art. 6(1)(f) GDPR).
- Legal obligations (Art. 6(1)(c) GDPR).
6. Newsletter and Marketing Communication
We use the email address you provided during registration to send you newsletters unless you have explicitly opted out.
Unsubscribe: You can unsubscribe at any time via the provided unsubscribe link in newsletters or by contacting us at help@tasy.ai. The legality of prior processing remains unaffected by withdrawal.
7. Data Sharing with Third Parties
We share data with third parties only when:
- Required for fulfilling contractual obligations.
- You have given explicit consent.
- Legally required.
- Necessary to protect our legitimate interests (e.g., legal enforcement).
Recipients of your data include:
- HeyGen / ElevenLabs (AI avatars & voice generation, possibly processed in the USA).
- Stripe (payment processing).
- Google Cloud / GoDaddy (hosting infrastructure).
- Clerk (authentication).
- beehiiv (newsletter).
- Altan.ai (AI functionalities).
8. AI Transparency and Content Disclosure
Transparency Commitment: We are committed to transparency regarding the artificial nature of content created through our platform. All avatars, voices, and videos are generated using artificial intelligence and are not real people or authentic recordings.
Data Processing for AI Transparency
- Content Labeling: We process metadata and content information to facilitate proper AI disclosure labeling.
- Compliance Monitoring: We track user compliance with AI disclosure requirements to ensure regulatory adherence.
- Educational Materials: We process user interaction data to improve our AI transparency education and guidance.
- Regulatory Reporting: We may process aggregated data for compliance reporting to regulatory authorities regarding AI content generation.
9. Content Safety and Moderation
As part of our commitment to maintaining a safe and respectful platform, we process user data for content safety and moderation purposes:
Data Processing for Safety
- Text Analysis: We analyze text inputs, scripts, and prompts to detect potentially harmful, discriminatory, or harassing content before processing.
- Audio Content Monitoring: Generated audio content is scanned for threatening language, hate speech, and other prohibited content.
- Video Content Analysis: AI-generated videos are analyzed to detect inappropriate visual or audio elements that violate our content policies.
- Pattern Recognition: We use machine learning algorithms to identify patterns associated with harassment, discrimination, and other harmful behaviors.
- User Behavior Analysis: We monitor usage patterns to detect potential misuse of our platform for creating harmful content.
Legal Basis and Retention
Content safety processing is based on our legitimate interests (Art. 6(1)(f) GDPR) to:
- Prevent the creation and distribution of harmful content
- Protect users from harassment and discrimination
- Maintain platform safety and integrity
- Comply with legal obligations regarding content moderation
Content flagged for safety review may be retained longer than standard retention periods for investigation and improvement of our safety systems. We implement strong security measures to protect this data and limit access to authorized personnel only.
Third-Party Safety Services
We may share content data with specialized third-party content moderation services to enhance our safety measures. These services are bound by strict data processing agreements and are only permitted to use data for content safety purposes.
10. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to operate and improve our services. Certain cookies are essential for the website to function; others serve analytics or marketing purposes and require your consent.
Cookie Consent Management
We use Cookiebot, a cookie consent management platform, to ensure GDPR-compliant cookie handling. Cookiebot automatically blocks non-essential cookies until you provide explicit consent. You can manage your cookie preferences at any time through the cookie consent banner or by clicking the Cookiebot icon in the bottom corner of our website.
Your Cookie Choices: You have the right to accept or reject non-essential cookies. Essential cookies (required for basic website functionality) cannot be disabled. You can withdraw your consent at any time by adjusting your cookie preferences.
Google Analytics
- Purpose: Analysis and optimization of website usage, user behavior, and service improvement.
- Legal Basis: Your consent (Art. 6(1)(a) GDPR).
- Data Retention: Up to 26 months (as configured in Google Analytics).
You can prevent data collection by adjusting your cookie preferences through Cookiebot or by installing browser add-ons that block Google Analytics.
Microsoft Clarity
- Purpose: Website analytics and user behavior tracking to improve user experience.
- Legal Basis: Your consent (Art. 6(1)(a) GDPR).
Hotjar
- Purpose: Website analytics, heatmaps, and user session recordings to improve our services.
- Legal Basis: Your consent (Art. 6(1)(a) GDPR).
Essential Cookies
- Authentication cookies (required for login and session management).
- Security cookies (required for fraud prevention and security).
- Functional cookies (required for basic website functionality).
- Legal Basis: Legitimate interest (Art. 6(1)(f) GDPR) for essential website operation.
11. Data Retention
We retain personal data only as long as necessary for the purposes stated in this policy or as required by applicable law. Our retention periods are based on the following criteria:
- Account Data: Retained for the duration of your account plus 30 days after account deletion (to allow account recovery).
- Billing and Payment Data: Retained for 10 years as required by German tax and commercial law (§ 147 AO, § 257 HGB).
- User-Generated Content (Videos, Scripts): Retained until you delete them or request deletion. Deleted content is permanently removed within 30 days, except for backup copies which may persist for up to 90 days.
- Communication Data: Retained for 3 years after the last communication or until you request deletion.
- Newsletter Data: Retained until you unsubscribe or request deletion.
- Log Files and Analytics Data: Retained for up to 26 months (Google Analytics) or as specified by the respective service provider.
- Content Safety Data: Content flagged for safety review may be retained longer (up to 2 years) for investigation and system improvement purposes.
After the retention period expires, personal data is securely deleted or anonymized. Backup copies may persist temporarily after deletion until routine removal cycles (typically within 90 days). If you request deletion of your account or data, we will process your request within 30 days, subject to legal retention requirements.
12. Your Rights Under GDPR
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
- Right of Access (Art. 15 GDPR): You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and access to your personal data. You can export your data directly from your account settings, or request a complete copy by contacting us.
- Right to Rectification (Art. 16 GDPR): You have the right to have inaccurate personal data corrected and incomplete data completed. You can update most of your data directly in your account settings.
- Right to Erasure (“Right to be Forgotten”, Art. 17 GDPR): You have the right to request deletion of your personal data when it is no longer necessary, you withdraw consent, or you object to processing. You can delete your account directly from your settings, or contact us for assistance.
- Right to Restriction of Processing (Art. 18 GDPR): You have the right to restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of data or object to processing.
- Right to Data Portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. Use the “Download Your Data” feature in your account settings to export your data in JSON format.
- Right to Object (Art. 21 GDPR): You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. You can opt out of marketing communications at any time.
- Right to Withdraw Consent (Art. 7(3) GDPR): When processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. You can manage cookie consent through Cookiebot or unsubscribe from newsletters via the provided links.
- Right to Lodge a Complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. In Germany, the competent authority is the Bavarian State Office for Data Protection Supervision (BayLDA).
How to Exercise Your Rights: You can exercise most of these rights directly through your account settings (data export, account deletion, profile updates). For other requests or assistance, please contact us at help@tasy.ai. We will respond to your request within one month. Verification of your identity may be required to protect your data security.
13. Security Measures
We implement comprehensive technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- Encryption: Data in transit is encrypted using TLS/SSL protocols. Sensitive data at rest is encrypted using industry-standard encryption methods.
- Access Controls: Access to personal data is restricted to authorized personnel only, based on the principle of least privilege. We use authentication and authorization mechanisms to control access.
- Secure Infrastructure: Our services are hosted on secure cloud infrastructure (Google Cloud, Supabase) with regular security updates and monitoring.
- Data Backup: Regular backups are performed to ensure data availability and recovery. Backups are encrypted and stored securely.
- Security Monitoring: We monitor our systems for security threats and vulnerabilities, and respond promptly to security incidents.
- Employee Training: Our team is trained on data protection and security best practices.
- Data Processing Agreements: All third-party service providers are bound by data processing agreements that ensure GDPR-compliant handling of your data.
- Regular Security Audits: We conduct regular reviews of our security measures and update them as needed.
Despite our security measures, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR (Art. 33-34).
14. Accountability and Documentation
As part of our GDPR compliance, we maintain accountability through:
- Documentation: We maintain records of processing activities (Art. 30 GDPR) documenting what data we process, why, and how.
- Data Protection Impact Assessments: We conduct assessments for high-risk processing activities.
- Privacy Policy: This comprehensive privacy policy demonstrates our commitment to transparency and compliance.
- User Rights Implementation: We have implemented technical and organizational measures to enable you to exercise your rights easily (data export, account deletion, etc.).
- Third-Party Management: We maintain data processing agreements with all third-party service providers to ensure they handle your data in compliance with GDPR.
- Incident Response: We have procedures in place to detect, report, and investigate personal data breaches.
- Regular Reviews: We regularly review and update our data protection practices to ensure ongoing compliance.
15. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA), particularly in the United States. When we transfer personal data to third countries, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses: We use EU-approved standard contractual clauses with service providers in third countries.
- Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission.
- Privacy Shield Successor: We ensure our US-based service providers comply with appropriate data protection frameworks.
Service providers that may process your data outside the EEA include: HeyGen/ElevenLabs (USA), Google Cloud (USA), Stripe (USA), and other providers as listed in Section 7. All transfers are subject to appropriate safeguards as required by GDPR Chapter V.
16. Amendments to this Privacy Policy
We reserve the right to update this Privacy Policy due to changes in legal requirements, our services, or data processing practices. The current version is always available on our website with the “Last updated” date indicated at the top. Significant changes that affect your rights or how we process your data will be communicated to you, if possible, via email or prominently displayed on our website. We encourage you to review this policy periodically.
17. Contact & Supervisory Authority
For questions regarding data processing or exercising your rights, contact:
Tasy AI GmbH
Karlsplatz 5
80335 Munich
Germany
Email: help@tasy.ai
Phone: +49 151 23402487
Supervisory Authority: If you are not satisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with the competent supervisory authority. In Germany, this is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany
Website: www.lda.bayern.de
Thank you for your trust. If you have any further questions about data protection or wish to exercise your rights, please contact us directly.