Privacy Policy
How we collect, use, and protect your data
Last Updated: March 27, 2026
1. Introduction
Vound Brand UG (haftungsbeschränkt) ("we," "us," or "our") is the controller for the processing of personal data in connection with sevenlayers services. This Privacy Policy explains which personal data we process, for which purposes, under which legal bases, how long we retain data, and which rights you have.
2. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws is:
Vound Brand UG (haftungsbeschränkt)
Am Markt 11
17309 Pasewalk
Germany
Managing Director: Remington Splettstoesser
Register Court: Amtsgericht Neubrandenburg, HRB 7675
Email: support@sevenlayers.io
UST-ID: DE293728593
Data Protection Officer (DPO): We are currently not legally required to appoint a Data Protection Officer under Art. 37 GDPR. Privacy requests can be sent directly to support@sevenlayers.io or by post to the controller address above.
3. Data We Collect
We collect the following data to provide our Service effectively:
- Identity Data: Name, email address, password hash.
- Contact Data: Billing address, phone number.
- Financial Data: Payment details (processed securely via Stripe; we do not store full credit card numbers).
- Technical Data: IP address, login data, browser type and version, time zone setting, operating system.
- Usage Data: Information on how you use our website and Service, including audit logs of actions taken within the platform.
- User Content: Data input into the Service, including text for AI processing and generated results.
4. Purpose of Processing
We process your data for the following purposes:
- To provide and operate the Service (including AI content generation).
- To manage your account and subscription.
- To process payments.
- To provide customer support.
- To improve our Service via analytics.
- To detect and prevent fraud and security issues.
5. Legal Basis for Processing
We process Personal Data under the following legal bases pursuant to the GDPR:
- Consent (Art. 6(1)(a) GDPR): Use of cookies/tracking technologies and sending of marketing emails.
- Contract (Art. 6(1)(b) GDPR): Processing necessary to perform the contract with you (e.g., providing the service, processing payments).
- Legitimate Interests (Art. 6(1)(f) GDPR): Network security, product improvement, and fraud prevention.
6. Data Sharing and Subprocessors
We currently use the following categories of processors and subprocessors to deliver and secure the service:
- Cloud Hosting: Vercel (frontend hosting), Convex (application backend/data), AWS (infrastructure services).
- Payment Processing: Stripe Payments Europe, Ltd. for payment transactions, invoicing support, and fraud controls.
- AI Models: OpenAI and Anthropic for request-scoped model inference on customer instruction.
- Analytics: PostHog for optional product analytics (consent-based and disabled until opt-in in the main app).
We review and update this processor list as our infrastructure evolves. Material processor changes are reflected in this policy and, where legally required, we request renewed consent before optional processing starts.
7. International Data Transfers
If we transfer data to countries outside the European Economic Area (EEA), such as to the US for certain AI or cloud services, we ensure appropriate safeguards are in place, primarily through the use of Standard Contractual Clauses (SCCs) or reliance on the EU-US Data Privacy Framework where the provider is certified.
8. Data Retention
We apply the following retention windows unless a longer period is legally required:
- Account Data: Stored for the account lifetime; deleted or anonymized within 30 days after account closure, unless legal retention applies.
- Tax/Commercial Records: Invoices and legally required accounting records are retained for 10 years; business correspondence relevant under § 257 HGB / § 147 AO is retained for 6 years.
- Security and Abuse Logs: Authentication, security, and abuse-prevention logs are retained for 30 days by default and up to 180 days when incident investigation requires extended preservation.
- Consent Records: Cookie/consent decisions are retained for up to 3 years after the last consent change to document compliance with GDPR accountability obligations.
- Encrypted Backups: Rolling encrypted backups are retained for up to 35 days before automatic overwrite.
- AI Input/Output: Transient processing data is deleted shortly after generation unless saved by the customer as workspace content.
9. Your Data Protection Rights
Under the GDPR, you have the following rights:
- Right to Withdraw Consent (Art. 7(3)): You may withdraw consent at any time. In the main app, changing or withdrawing consent is available from the same Legal & Cookies controls used to give consent.
- Access, Rectification, Erasure: You can request to access, correct, or delete your data.
- Restriction & Objection: You may restrict processing or object to processing based on legitimate interests.
- Data Portability: You may request your data in a structured format.
- Complaint: You have the right to lodge a complaint with a supervisory authority.
Supervisory Authority:
Der Landesbeauftragte für Datenschutz und Informationsfreiheit Mecklenburg-Vorpommern
Schloss Schwerin, Lennéstraße 1, 19053 Schwerin
10. Security (TOMs)
We implement appropriate technical and organizational measures ("TOMs") including encryption (SSL/TLS), access controls, and regular security reviews to protect your data.
11. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date.
12. Contact Us
If you have any questions about this Privacy Policy, please contact us at:
Vound Brand UG (haftungsbeschränkt)
Am Markt 11
17309 Pasewalk
Germany
Managing Director: Remington Splettstoesser
Register Court: Amtsgericht Neubrandenburg, HRB 7675
Email: support@sevenlayers.io