Privacy Policy
Last updated: February 2026 · Applies to autoalt.ai and all subdomains
1. Controller
The controller within the meaning of the GDPR, the BDSG (German Federal Data Protection Act) and other data protection regulations is:
webAufstieg GmbH
Anton-Huber-Str. 20
73430 Aalen, Germany
Managing Director: Alexander Flach
Commercial Register: Local Court of Ulm, HRB 732541
VAT ID No.: DE294961679
Phone: +49 7361 6339046
Email: info@autoalt.ai
As we employ fewer than 20 people who are regularly engaged in the automated processing of personal data, there is no legal obligation to appoint a data protection officer (§ 38 BDSG). If you have any questions about data protection, please contact: datenschutz@autoalt.ai
2. Principles of Data Processing
We process personal data only insofar as this is necessary to provide a functional website, our content and services. Processing is carried out exclusively on one of the following legal bases:
- Art. 6 para. 1 lit. a GDPR – Consent of the user
- Art. 6 para. 1 lit. b GDPR – Performance of a contract or pre-contractual measures
- Art. 6 para. 1 lit. c GDPR – Compliance with a legal obligation
- Art. 6 para. 1 lit. f GDPR – Safeguarding legitimate interests
3. Hosting & Infrastructure
Our website and the AutoAlt.ai service are hosted by Timmehosting (Timme Hosting GmbH & Co. KG, Waldstr. 23, 21465 Reinbek, Germany). The servers are located in Germany. With every access, information is automatically saved in server log files:
- Browser type and version
- Operating system used
- Referrer URL
- IP address of the accessing computer (anonymized)
- Time of server request
We have concluded a Data Processing Agreement (DPA) with Timmehosting. Data processing takes place exclusively in Germany. There is no third-country transfer of your hosting data.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in technical provision and security).
4. Data Processing during Website Visits
4.1 Contact Form
If you contact us via the contact form or email, your details (name, email address, message) will be processed to handle your request. Legal basis: Art. 6 para. 1 lit. b GDPR (pre-contractual measures) or Art. 6 para. 1 lit. f GDPR (legitimate interest).
4.2 Free SEO & Compliance Check
If you use our free SEO & Compliance Check, you enter the URL of your online shop. We process this URL exclusively to carry out the technical analysis. No personal data of the visitors to the analyzed shop is collected. Legal basis: Art. 6 para. 1 lit. b GDPR.
5. Customer Account & Registration
Upon registration we collect:
- Email address (mandatory field)
- Password (stored only as a bcrypt/argon2 hash, never in plaintext)
- Company name (optional)
- VAT ID No. (optional, for B2B invoicing)
- Billing address (for paid services)
Legal basis: Art. 6 para. 1 lit. b GDPR (performance of a contract).
6. AI Image Processing (Core Function of AutoAlt.ai)
To generate alt texts, only image data (the image file itself) is transmitted to our AI subcontractors (OpenAI and Google). No personal data, no EXIF data, no metadata, no file names, and no customer identifiers are passed on to the AI providers. The images are not saved after processing and are not used to train AI models.
6.1 Type of Processed Data
| Data Type | Transmitted to AI? | Details |
|---|---|---|
| Image file (Pixel data) | ✅ Yes | Technically necessary for image recognition and alt text generation |
| EXIF data (GPS, camera, etc.) | ❌ No | Stripped server-side before transmission |
| File name | ❌ No | Not transmitted to AI providers |
| Email / Account ID | ❌ No | No link whatsoever between image and customer account |
| Shop URL / Domain | ❌ No | Not transmitted to AI providers |
| Personal data | ❌ No | As a matter of principle, no personal data is transmitted |
6.2 AI Subcontractors
a) OpenAI, L.L.C.
- Service: GPT-4 Vision API (image analysis and text generation)
- Headquarters: San Francisco, CA, USA
- Processing: Image data is analyzed via the OpenAI API and is not retained after the request completes
- No training: API data is not used to train OpenAI models (Zero Data Retention)
- Third country transfer: SCCs pursuant to Art. 46 para. 2 lit. c GDPR, EU-US Data Privacy Framework pursuant to Art. 45 GDPR
- DPA: Data Processing Agreement pursuant to Art. 28 GDPR is in place
b) Google LLC (Google Cloud / Gemini API)
- Service: Gemini Vision API (image analysis and text generation)
- Headquarters: Mountain View, CA, USA
- Processing: Image data is analyzed via the Gemini API. Customer data is not used to train generative AI models
- Third country transfer: SCCs pursuant to Art. 46 para. 2 lit. c GDPR, EU-US Data Privacy Framework pursuant to Art. 45 GDPR
- DPA: Data Processing Addendum pursuant to Art. 28 GDPR is in place with Google Cloud
6.3 Legal Basis for AI Processing
The processing of the image data is based on Art. 6 para. 1 lit. b GDPR (performance of a contract). The alt text generation is the contractually owed main service. In addition, we base the processing on Art. 6 para. 1 lit. f GDPR (legitimate interest). Since only image data without any personal reference is transmitted, the interests of our customers do not override this legitimate interest.
6.4 Special Notes on Product Images
AutoAlt.ai is designed for e-commerce product images. If your images show recognizable persons (e.g. model photos), please note:
- The AI analyzes the image exclusively for content description
- No biometric identification takes place
- The image is not stored permanently after processing
- You as the controller must ensure the necessary legal basis for depicted persons
6.5 Technical Safeguards
- EXIF Stripping: All metadata is removed server-side before AI transmission
- Encrypted transmission: Exclusively via TLS 1.2/1.3
- No account linking: API requests contain no sender information
- No permanent storage: Neither by us nor by AI providers
- No AI training: Contractually ensured with OpenAI and Google
6.6 Data Processing Agreement (DPA)
For customers who use AutoAlt.ai as a processor (e.g. agencies), we provide a DPA according to Art. 28 GDPR in German, English, and French. Request at: datenschutz@autoalt.ai
7. Payment Processing
7.1 Stripe
For payments we use Stripe, Inc. (510 Townsend Street, San Francisco, CA / Stripe Payments Europe, Ltd., Dublin, Ireland). Payment data is transmitted directly to Stripe. We do not have access to complete payment data. Stripe is PCI DSS Level 1 certified.
- Data: Payment data, transaction data, billing address, email, VAT ID No. if applicable.
- Legal basis: Art. 6 para. 1 lit. b GDPR (performance of a contract)
- Third country transfer: SCCs, EU-US Data Privacy Framework
- Privacy Policy: stripe.com/en-de/privacy
7.2 Tax Calculation
Stripe Tax calculates the correct VAT. The IP address is used to determine the customer's location, and the VAT ID No. is validated via VIES. Legal basis: Art. 6 para. 1 lit. c GDPR.
8. Cookies & Tracking
8.1 Technically Necessary Cookies
| Cookie | Purpose | Duration | Legal Basis |
|---|---|---|---|
| session_id | Session Management / Login | Session | Art. 6 para. 1 lit. f GDPR |
| csrf_token | CSRF Protection | Session | Art. 6 para. 1 lit. f GDPR |
| cookie_consent | Cookie Preference | 12 months | Art. 6 para. 1 lit. c GDPR |
8.2 Google Analytics 4
This website uses Google Analytics 4 (Google Ireland Limited, Dublin, Ireland). GA4 anonymizes IP addresses by default.
- Data: Anonymized IP, page views, time spent, device/browser info, referrer, approximate location
- Legal basis: Art. 6 para. 1 lit. a GDPR (consent via cookie banner)
- Third country transfer: SCCs, EU-US Data Privacy Framework
- DPA: Data Processing Agreement with Google is in place
- Opt-Out: Refuse consent in the cookie banner or install browser add-on: tools.google.com/dlpage/gaoptout
Note: Google Analytics is activated only after explicit consent via our cookie banner. No tracking takes place without consent.
9. Google reCAPTCHA
We use Google reCAPTCHA (Google Ireland Limited, Dublin, Ireland) to protect against automated access (bots, spam, DDoS).
- Data: IP address, referrer URL, operating system, cookies, mouse movements, time spent, device settings
- Purpose: Distinguishing human users from bots
- Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in protection against abusive access)
- Third country transfer: SCCs, EU-US Data Privacy Framework
Further information: Google Privacy Policy
10. Transfer to Third Countries
| Service Provider | Headquarters | Purpose | Safeguards |
|---|---|---|---|
| OpenAI, L.L.C. | USA | AI image analysis (image data only) | SCCs + EU-US DPF + DPA + no AI training |
| Google LLC | USA / Ireland | AI image analysis, Analytics, reCAPTCHA | SCCs + EU-US DPF + DPA |
| Stripe, Inc. | USA / Ireland | Payment processing | SCCs + EU-US DPF + DPA + PCI DSS |
Note: The adequacy decision on the EU-US Data Privacy Framework (July 10, 2023) forms an additional legal basis. All providers are DPF-certified. In addition, SCCs exist as a secondary safeguard. Your hosting with Timmehosting takes place exclusively on German servers.
11. Your Rights as a Data Subject
- Access (Art. 15 GDPR): Right to information about processed data
- Rectification (Art. 16 GDPR): Right to correction of inaccurate data
- Erasure (Art. 17 GDPR): Right to deletion, provided there are no retention obligations
- Restriction (Art. 18 GDPR): Right to restriction of processing
- Data portability (Art. 20 GDPR): Right to machine-readable format
- Objection (Art. 21 GDPR): Right to object to processing
- Revocation (Art. 7 para. 3 GDPR): Consent can be revoked at any time
Contact: datenschutz@autoalt.ai
Right to lodge a complaint with a supervisory authority
The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Lautenschlagerstraße 20, 70173 Stuttgart
www.baden-wuerttemberg.datenschutz.de
12. Retention Period & Deletion
| Data Category | Retention Period | Justification |
|---|---|---|
| Account data | Until account deletion + 30 days | Performance of contract |
| Billing data | 10 years | § 147 AO, § 257 HGB (German tax/commercial law) |
| Image data (AI) | Deleted immediately after generation | No storage |
| Generated alt texts | Until deletion by customer | Performance of contract |
| Server log files | 14 days | Security |
| Google Analytics | 14 months | GA4 setting |
| Contact requests | 6 months after the request has been resolved | Legitimate interest |
13. Data Security
Technical and organizational measures according to Art. 32 GDPR:
- TLS 1.2/1.3 encryption of all transmissions
- HSTS (HTTP Strict Transport Security)
- Password hashing with bcrypt/argon2 (no plaintext password storage)
- Regular security updates
- Access controls and authorization concepts
- EXIF stripping of all images before AI transmission
- No permanent storage of image data
- Hosting on German servers (Timmehosting, Reinbek)
- Data processing agreements with all sub-processors
14. Changes to this Privacy Policy
We reserve the right to adapt this privacy policy in the event of legal changes or changes to the service. In the event of material changes, we will inform registered customers by email.