Privacy Policy

Last updated: April 2026

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

capty.ai
Frömmgen und Wintjens GbR
KWL Büro 0.05, Lothringer Str. 38
44805 Bochum, Germany
Email: info@capty.ai

2. Scope of this Privacy Policy

This privacy policy applies to the use of our website at capty.ai and to the use of our SaaS platform capty (hereinafter "Platform" or "Service"). It informs you about the nature, scope, and purposes of the processing of personal data.

capty is directed exclusively at companies, agencies, freelancers acting in a professional or commercial capacity, and other organisations (B2B). Natural persons acting outside their professional or commercial capacity are not the intended audience of this service.

3. Website Hosting and Server Logs

Our website is hosted by Hostinger International Ltd. When you visit our website, the hosting provider automatically collects information in server log files that your browser transmits automatically:

  • IP address of the requesting device
  • Date and time of access
  • Name and URL of the accessed file
  • Website from which access is made (referrer URL)
  • Browser and operating system used
  • Hostname of the accessing device

Processing is based on Art. 6(1)(f) GDPR (legitimate interest in the technical provision and security of the website). Server log files are automatically deleted after 30 days.

Hostinger processes data in data centres within the EU. More information: Hostinger Privacy Policy.

4. SSL/TLS Encryption

This site uses SSL/TLS encryption for security reasons. An encrypted connection is indicated by the browser address bar changing from "http://" to "https://" and the lock icon in the address bar.

5. Waitlist and Contact Requests

When you sign up for our waitlist or use our contact form, we collect the following data:

  • First and last name
  • Email address
  • Company (optional)
  • Message (optional)

Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(b) GDPR (pre-contractual measures). The data is used to process your enquiry and to contact you regarding the product launch. We do not share this data with third parties without your explicit consent.

Waitlist and contact data is retained for up to 24 months from collection, unless a contractual relationship arises or earlier deletion is requested.

6. Newsletter and Product Emails (Brevo)

We use Brevo (formerly Sendinblue), Brevo SAS, 106 boulevard Haussmann, 75008 Paris, France, for sending newsletters and product-related emails.

When you subscribe to our newsletter, your email address is stored and processed by Brevo. Brevo also collects technical data such as open rates and click behaviour to optimise our email communications.

Legal basis: Art. 6(1)(a) GDPR (consent). You can revoke your consent at any time by unsubscribing from the newsletter (link in every email) or by contacting us at info@capty.ai. Email addresses are retained until consent is withdrawn. Upon an unsubscribe request, deletion from active mailing lists occurs within 30 days.

Brevo is certified under the EU-US Data Privacy Framework. More information: Brevo Privacy Policy.

7. Cookies

Our website uses cookies. Cookies are small text files that are stored on your device by your browser.

7.1 Strictly Necessary Cookies

These cookies are required for the operation of the website and cannot be disabled:

  • capty_cookie_consent: Stores your cookie preferences (duration: 365 days)
  • capty_lang: Stores your language setting (duration: 365 days)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the functionality of the website).

7.2 Analytics Cookies (Google Analytics)

We use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies that enable an analysis of website usage.

We have implemented the following privacy measures:

  • IP anonymisation is enabled (your IP address is truncated within the EU)
  • A data processing agreement has been concluded with Google
  • Data sharing with Google is disabled
  • Google Signals is disabled

Legal basis: Art. 6(1)(a) GDPR (consent). Analytics cookies are only set after your explicit consent via our cookie banner. You can revoke your consent at any time via the cookie settings.

More information: Google Privacy Policy. You can also prevent collection by Google Analytics with the browser add-on.

7.3 Managing Cookie Settings

You can adjust your cookie settings at any time via our cookie settings page. Additionally, you can manage or delete cookies in your browser settings.

8. Google Fonts

We use Google Fonts for the uniform display of fonts. When you access a page, your browser loads the required fonts from Google servers. In doing so, your IP address is transmitted to Google.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a uniform presentation). Google is certified under the EU-US Data Privacy Framework.

More information: Google Privacy Policy.

9. Account Creation and Account Management

Use of the capty Platform requires the creation of a user account. During registration and account management, we process the following data:

  • First and last name
  • Email address
  • Company name (required for invoicing)
  • Password (stored encrypted, not readable in plain text)
  • Team assignments and role permissions (depending on the selected plan)
  • Registration timestamp and most recent login data (for security purposes)

Legal basis: Art. 6(1)(b) GDPR (performance of contract). Account data is retained for the duration of the contractual relationship. After cancellation, the 30-day export window set out in the Terms applies. Account data is then deleted, unless statutory retention obligations apply.

10. Uploaded Content and Generated Outputs

In the course of using the Platform, customers upload media content and receive AI-generated outputs. The following data is processed:

  • Uploaded images and videos
  • Text inputs (instructions, brand descriptions, and other inputs)
  • AI-generated captions, copy, and other outputs
  • Approval statuses and comments within approval workflows
  • Usage metadata (e.g. upload timestamps, processing status)

Legal basis: Art. 6(1)(b) GDPR (performance of contract). Uploaded and generated content is retained for the duration of the contractual relationship. After cancellation, the 30-day export window set out in the Terms applies. Content is then irrevocably deleted, unless statutory retention obligations apply.

Uploaded content is not shared with third parties for advertising, analytics, or other secondary purposes.

11. Connected Social Media Accounts and Publishing

When users connect social media accounts to the Platform or publish content via the Platform, the following data is processed:

  • Connection tokens (OAuth tokens) of the respective platform
  • Platform account IDs and names
  • Metadata relating to scheduled or published posts

Legal basis: Art. 6(1)(b) GDPR (performance of contract). Connection tokens are retained for the duration of the active account link and deleted upon disconnection or cancellation.

Please note: Connecting social media accounts is also subject to the terms of service and privacy policies of the respective platform (e.g. Meta Platforms, LinkedIn Corporation, TikTok). capty has no influence over data processing carried out by these platforms.

12. Payment Processing (Stripe)

We use Stripe (Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland) for payment processing.

The following data is transmitted to Stripe during payment processing:

  • Name, email address
  • Payment information (credit card number, expiry date, CVC)
  • Billing address and company details
  • Transaction amount and plan information

Legal basis: Art. 6(1)(b) GDPR (performance of contract). Payment data is processed exclusively by Stripe and is not stored on our servers. Stripe is PCI DSS Level 1 certified. Billing and transaction records subject to tax or commercial law retention obligations are retained for 10 years (§ 147 AO / § 257 HGB).

More information: Stripe Privacy Policy.

13. AI-Supported Processing

capty uses one or more AI service providers to deliver and improve the functionality of the Service. Depending on the feature, use case, availability, quality, and technical requirements, capty may use different AI providers and processing infrastructures.

These providers may process submitted content solely for the purpose of providing the requested service to capty. Where required, capty enters into appropriate contractual arrangements with such providers. If personal data is transferred to countries outside the EU or EEA, capty relies on the safeguards provided by applicable data protection law, where available and applicable.

capty does not guarantee that any specific AI provider, model, or processing location will be used for a particular request unless explicitly agreed otherwise in writing.

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

14. Recipients and Processors

We engage the following service providers in the operation of our website and Platform. Data processing agreements pursuant to Art. 28 GDPR have been concluded, or will be concluded prior to the activation of the respective processing activity:

Provider Purpose Location
Hostinger International Ltd. Web hosting and infrastructure EU (Lithuania)
Brevo SAS Email delivery (newsletter, product emails) EU (France)
Stripe Payments Europe, Ltd. Payment processing EU (Ireland)
Google Ireland Ltd. (Analytics) Website analytics (consent-based only) EU (Ireland) / potentially USA
AI service providers AI-assisted processing of uploaded content and text generation EU and/or third countries (depending on provider used)

The AI service providers currently in use will be disclosed on request at info@capty.ai.

15. International Data Transfers

Some of our service providers are based outside the European Union (EU) or European Economic Area (EEA), or may access data from third countries. This applies in particular to AI service providers whose infrastructure may be located wholly or partially outside the EU.

  • Brevo is certified under the EU-US Data Privacy Framework (DPF).
  • Stripe processes data primarily through its EU entity (Ireland). Transfers to third countries are safeguarded by Standard Contractual Clauses (SCCs).
  • AI service providers: Where AI processing involves transfers to third countries, capty relies on the safeguards provided by applicable data protection law, where available and applicable (e.g. SCCs, adequacy decisions).

Where data is transferred to countries without an adequate level of data protection, we limit such transfers to what is necessary for the provision of the service and ensure that appropriate safeguards are in place or will be concluded.

16. Your Rights as a Data Subject

Under the GDPR, you have the following rights:

  • Right of access (Art. 15 GDPR): You can request information about your personal data stored by us.
  • Right to rectification (Art. 16 GDPR): You can request the correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR): You can request the deletion of your data, provided no legal retention obligations apply.
  • Right to restriction of processing (Art. 18 GDPR): You can request the restriction of processing of your data.
  • Right to data portability (Art. 20 GDPR): You can request that we provide your data in a structured, commonly used, and machine-readable format.
  • Right to object (Art. 21 GDPR): You can object to the processing of your data at any time if processing is based on legitimate interest.
  • Right to withdraw consent (Art. 7(3) GDPR): You can withdraw consent at any time with effect for the future.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. The supervisory authority responsible for us is: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Postfach 20 04 44, 40102 Düsseldorf, Germany, www.ldi.nrw.de.

To exercise your rights, please contact: info@capty.ai

17. Retention Periods

We retain personal data only for as long as necessary for the respective processing purpose or as required by applicable law. The following table summarises the key retention periods:

Data category Retention period
Server log files 30 days
Waitlist and contact data Up to 24 months from collection, or until deletion is requested
Newsletter subscriber data Until consent is withdrawn; deletion from active lists within 30 days of unsubscribe request
Account and user data Duration of the contractual relationship + 30-day export window after cancellation
Uploaded and generated content Duration of the contractual relationship + 30-day export window after cancellation, then deletion
Billing and payment records 10 years pursuant to § 147 AO / § 257 HGB (German commercial and tax law)

After expiry of the applicable retention period, data is routinely and irrevocably deleted, unless statutory obligations require further retention.

18. Data Processing on Behalf of Customers (DPA)

Where customers process personal data of third parties via the Platform (e.g. employee data, client data), customers act as data controllers and capty acts as data processor. In such cases, the parties are required to conclude a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR. capty provides a standard DPA template, available at capty.ai/legal/dpa/.

19. Changes to this Privacy Policy

We reserve the right to update this privacy policy to reflect changes in legal requirements or changes to our service. The current version is always available on this page. For material changes, we will inform you by email if your email address is available to us.