Privacy Policy

Last updated: January 2025

1. Data Controller

The controller responsible for processing your personal data under the General Data Protection Regulation (GDPR) is:

Leibow Ventures UG (haftungsbeschränkt)
Amsterdamer Str. 13
13347 Berlin, Germany
Represented by: Dmytro Boguslavskyy

Email (general): hello@andelion.com
Data protection contact: privacy@andelion.com

We have not appointed a data protection officer, as we are currently not legally required to do so. For all privacy-related matters, please use the contact above.

2. Scope and Overview

This Privacy Policy explains how we collect, use, store and protect your personal data when you use the Andelion platform and related services (the "Service").

We process personal data in accordance with:

  • the GDPR,
  • applicable German data protection law, and
  • the German Telecommunications-Telemedia Data Protection Act (TTDSG) for cookies and similar technologies.

3. Categories of Personal Data We Process

3.1 Data You Provide Directly

  • Account data: Name, email address, password (hashed), company / role (if provided), language and account settings.
  • Billing & payment data: Billing name, address. Payment card data is processed directly by our payment processors; we only receive limited info (e.g. last 4 digits, expiry month/year, status).
  • Content & inputs: Product URLs, text, prompts, images, audio, video and other assets you upload or provide to generate marketing content.
  • Support & communications: Messages you send us (email, chat, contact forms), feedback, bug reports.

3.2 Data Collected Automatically

  • Usage data: Feature usage, pages visited, clicks, timestamps, approximate location (country/region), session duration, referral URLs.
  • Technical data: IP address, browser type and version, operating system, device type, language settings and similar technical information.
  • Log data: Server logs, error logs, security and performance logs.

3.3 Data from Third Parties (where applicable)

Depending on how you use the Service, we may receive limited personal data from:

  • payment providers (e.g. payment status, masked card details);
  • email / communication tools (bounce info, open/click events);
  • authentication providers (if you sign in via a third-party provider, we may receive your name, email address and profile picture);
  • advertising and publishing platforms (if you connect your accounts, we may receive identifiers such as account IDs, page IDs, campaign and performance data, as well as technical tokens that allow us to publish content on your behalf).

We use this data only for the purposes described in this Policy.

4. Purposes and Legal Bases for Processing

We process personal data only where we have a legal basis under Art. 6 GDPR.

4.1 Performance of a Contract (Art. 6(1)(b) GDPR)

We process data to:

  • register and manage your account;
  • provide and operate the Service;
  • process purchases, credits and payments;
  • generate content based on your prompts and inputs;
  • publish and manage campaigns or posts on connected third-party platforms on your behalf (where you choose to use these integrations);
  • communicate with you about the Service (e.g. service messages, security notices, changes to terms).

4.2 Legitimate Interests (Art. 6(1)(f) GDPR)

We process personal data where necessary for our legitimate interests, including to:

  • maintain, protect and improve the Service;
  • monitor and prevent fraud, abuse and security threats;
  • analyse use of the Service (aggregated statistics);
  • provide customer support and optimise workflows;
  • enforce our Terms of Service and defend legal claims;
  • send B2B marketing communications to existing business customers within the limits of applicable law.

Where we rely on legitimate interests, we balance them against your rights and freedoms. You may object to processing based on legitimate interests at any time (see Section 9).

4.3 Legal Obligations (Art. 6(1)(c) GDPR)

We process data where required to:

  • comply with tax and accounting obligations;
  • respond to lawful requests from authorities;
  • comply with other legal or regulatory requirements.

4.4 Consent (Art. 6(1)(a) GDPR and § 25 TTDSG)

We rely on your consent for:

  • non-essential cookies and tracking technologies (analytics, marketing);
  • certain marketing communications (where required by law);
  • any optional processing where we ask you explicitly.

You may withdraw your consent at any time with effect for the future (see Section 9.7).

5. AI Processing

To provide the Service, we send your prompts and input content to AI service providers (for example, providers of large language models or media generation models). These providers process the data on our instructions to generate the requested outputs.

We only work with providers that offer adequate contractual and technical safeguards and that process personal data in accordance with GDPR (or with comparable protections via Standard Contractual Clauses or adequacy decisions).

We do not use your inputs or outputs to train AI models that are made available to other customers, unless you explicitly agree to this separately. We may use aggregated and anonymised statistics on usage and model performance to improve the Service.

6. Data Sharing and Recipients

We share personal data only with trusted recipients and only as necessary.

6.1 Processors (Service Providers)

We engage the following categories of processors:

  • Payment processors (to process card payments and manage subscriptions);
  • Cloud hosting providers (servers, storage, backup);
  • AI service providers (to generate content);
  • Analytics providers (to understand how the Service is used);
  • Email / communication providers (transactional and support emails);
  • Customer support tools (ticketing, helpdesk);
  • advertising and publishing platforms, where you actively connect your accounts and request us to publish or manage content via their APIs (in this case, certain personal data and content is shared with those platforms as necessary to perform your instructions).

These processors are bound by data processing agreements under Art. 28 GDPR and act solely on our instructions.

6.2 Legal Requirements

We may disclose data where required to:

  • comply with applicable laws or legal processes;
  • respond to lawful requests from authorities;
  • enforce our rights or defend legal claims;
  • prevent fraud, security incidents or other harm.

6.3 Business Transfers

If we are involved in a merger, acquisition, reorganisation, sale of assets or insolvency, your data may be transferred to the acquiring entity, subject to appropriate safeguards and continuity of this Privacy Policy or an equivalent level of protection.

7. International Data Transfers

Some processors may be located outside the European Economic Area (EEA). Where we transfer data to such recipients, we ensure an adequate level of data protection, for example by:

  • relying on adequacy decisions of the European Commission; or
  • using Standard Contractual Clauses (SCCs) and, where necessary, additional safeguards.

You can request more information and a copy of the relevant safeguards by contacting privacy@andelion.com.

8. Data Retention

We retain personal data only as long as necessary for the purposes described above or as required by law.

Typically:

  • Account data: stored for the lifetime of your account and up to 3 years after deletion (limitation periods for claims), unless longer retention is required by law.
  • Generated content and project data: stored according to your account settings; may be deleted sooner if you actively delete it.
  • Billing and payment data: stored for 7–10 years to meet tax and accounting obligations.
  • Log data and security logs: typically stored up to 12 months, unless needed longer for security incidents or legal claims.
  • Marketing data: stored until you withdraw your consent or object to processing, or until we no longer need it.

After the relevant retention period, we delete or irreversibly anonymise the data.

9. Your Rights under GDPR

You have the following rights, subject to the conditions and exceptions under GDPR:

9.1 Right of Access (Art. 15 GDPR)

You can request confirmation whether we process personal data about you and obtain a copy of that data.

9.2 Right to Rectification (Art. 16 GDPR)

You can request correction of inaccurate data and completion of incomplete data.

9.3 Right to Erasure (Art. 17 GDPR)

You can request deletion of your personal data, for example where it is no longer needed or processing is unlawful, provided no legal retention obligations apply.

9.4 Right to Restriction of Processing (Art. 18 GDPR)

You can request restriction of processing, for example while we check the accuracy of data or where you have objected.

9.5 Right to Data Portability (Art. 20 GDPR)

You can request to receive certain data that you have provided to us in a structured, commonly used and machine-readable format and transmit it to another controller.

9.6 Right to Object (Art. 21 GDPR)

You may object at any time, on grounds relating to your particular situation, to processing based on legitimate interests (Art. 6(1)(f) GDPR). We will stop processing unless we demonstrate compelling legitimate grounds.

You also have an unconditional right to object to processing for direct marketing at any time.

9.7 Right to Withdraw Consent (Art. 7 GDPR)

Where we rely on consent, you may withdraw it at any time with effect for the future. This does not affect the lawfulness of processing before withdrawal.

9.8 How to Exercise Your Rights

To exercise your rights, please contact us at privacy@andelion.com.

We may ask for information to verify your identity. We aim to respond within one month; in complex cases, this may be extended by up to two further months.

10. Cookies and Similar Technologies

We use cookies and similar technologies on our website and in the Service.

10.1 Types of Cookies

  • Essential cookies: Required for the operation of the Service (e.g. login sessions, security). These are used based on our legitimate interests and/or Art. 6(1)(b) GDPR and do not require consent under § 25(2) TTDSG.
  • Functional cookies: Enhance convenience and personalisation.
  • Analytics cookies: Help us understand how the Service is used.
  • Marketing cookies / trackers: Used to measure campaigns or show relevant ads.

10.2 Legal Basis and Consent

For non-essential cookies and similar technologies, we obtain your consent via our cookie banner (Art. 6(1)(a) GDPR in conjunction with § 25(1) TTDSG). You can:

  • accept or reject non-essential cookies;
  • adjust your preferences at any time via the cookie settings link in the footer (where provided);
  • withdraw consent with effect for the future.

You can also configure your browser to block cookies; however, some functions of the Service may then not work properly.

11. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • encryption of data in transit;
  • access controls and least-privilege principles;
  • regular updates and security patches;
  • backups and disaster recovery measures;
  • internal policies and training on data protection;
  • incident response procedures.

No system is perfectly secure. If we become aware of a data breach that is likely to present a high risk to your rights and freedoms, we will inform you in accordance with GDPR.

12. Children's Privacy

The Service is targeted at adults and is not intended for children under 18. We do not knowingly collect personal data from children. If you believe a child has provided data to us, please contact privacy@andelion.com so we can delete it.

13. Automated Decision-Making

We do not use personal data for automated individual decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you (Art. 22 GDPR).

14. Necessity of Providing Personal Data

Providing certain personal data is necessary to use the Service:

  • Without basic account data (name, email, password), we cannot create or manage your account.
  • Without billing data and payment confirmation, we cannot process purchases and provide paid features.

In all other respects, providing data is voluntary, but some features may not be available if you choose not to provide certain information.

15. Complaints

If you believe that we are processing your data unlawfully or have not adequately addressed your concerns, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

You can contact any supervisory authority in the EU, in particular in your place of residence or work. Our locally competent authority is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstraße 219
10969 Berlin, Germany
Phone: +49 30 13889-0
Website: www.datenschutz-berlin.de

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect changes in our processing activities, legal requirements or guidance from supervisory authorities.

We will publish the updated version here and adjust the "Last updated" date. For material changes, we may also notify you by email or via the Service.

Your continued use of the Service after the updated Policy becomes effective constitutes your acceptance of it.

17. Contact

For questions, requests or concerns regarding this Privacy Policy or our data processing, please contact:

Leibow Ventures UG (haftungsbeschränkt)
Amsterdamer Str. 13
13347 Berlin, Germany

Email (data protection): privacy@andelion.com
Email (general): hello@andelion.com