Privacy Policy

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the Member States as well as other data protection regulations is:

Robin Hamid Gämsenbergstraße 10/1 71640 Ludwigsburg Germany

Email: info@rankdglobal.com

We, the controller, process personal data exclusively for the purposes stated below and on the legal bases stated.

2. Scope

This Privacy Policy applies to the processing of personal data in connection with the use of the website rankdglobal.com and the services provided through it (hereinafter "Service" or "RankdGlobal"). RankdGlobal is a SaaS service for professional product image generation for streetwear and fashion brands.

3. Definitions

The terms used in this Privacy Policy correspond to the definitions of the GDPR. In particular, "personal data" means any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR).

4. Server Log Files

When you visit our website, our hosting provider Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA) automatically collects information in so-called server log files that your browser automatically transmits:

• IP address (truncated/anonymized) • Date and time of the request • Time zone difference to GMT • Content of the request (specific page) • HTTP status code • Amount of data transferred • Website from which the request comes (referrer) • Browser, operating system and its interface, language and version of the browser software

Legal basis: Art. 6(1)(f) GDPR (legitimate interest). We have a legitimate interest in the technically error-free, secure, and fast provision of the website.

We have concluded a Data Processing Agreement (DPA) with Vercel pursuant to Art. 28 GDPR and EU Standard Contractual Clauses (SCC) pursuant to Art. 46 GDPR to ensure an adequate level of protection even when data is transferred to the USA.

More information: https://vercel.com/legal/privacy-policy

Retention period: Server logs are stored for a maximum of 30 days and then automatically deleted.

5. User Account and Authentication

For registration, login, and management of your user account, we use the Supabase service of Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992. The data is stored in a database instance in the EU (Frankfurt am Main).

Processed data:

• Email address • Password (hashed, never in plain text) • User ID • Times of login and logout • Session cookies (technically necessary)

Purpose: Provision of the user account, authentication, contract fulfillment.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

We have concluded a Data Processing Agreement pursuant to Art. 28 GDPR including EU Standard Contractual Clauses with Supabase. Supabase, in turn, uses sub-processors (AWS, Google Cloud), which are also contractually obligated to GDPR compliance.

More information: https://supabase.com/privacy

Retention period: Until deletion of the user account. After account deletion, final data deletion takes place within 30 days, unless statutory retention obligations conflict.

6. Payment Processing

To process payments, we use the Stripe service of Stripe, Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA. When you make a purchase, you are redirected to the Stripe Checkout page, where the payment is processed directly with Stripe.

Processed data (by Stripe):

• Name • Email address • Billing address (if required) • Payment method information (credit card number, IBAN, etc.) — this data is processed exclusively by Stripe and never stored on our servers • Stripe Customer ID, Subscription ID, Payment Intent ID (stored with us for contract management) • IP address, browser information (for fraud prevention)

Purpose: Contract processing, payment processing, fraud prevention, fulfillment of statutory retention obligations.

Legal basis: Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(c) GDPR (legal obligation, e.g., under AO), Art. 6(1)(f) GDPR (legitimate interest in fraud prevention).

Stripe is certified under the EU-U.S. Data Privacy Framework (DPF). Additionally, we have concluded a Data Processing Agreement (DPA) and EU Standard Contractual Clauses with Stripe.

More information: https://stripe.com/privacy

Retention period: Transaction data is stored for 10 years pursuant to § 257 HGB / § 147 AO (German tax law).

7. Product Image Generation

For the generation of product images, we use the API of OpenAI L.L.C., 3180 18th Street, San Francisco, CA 94110, USA. Image generation is based on machine learning models.

Processed data:

• Images uploaded by you (templates for AI generation) • Prompts and text descriptions you enter • Request metadata

Purpose: Generation of AI images based on your inputs (contractual service).

Legal basis: Art. 6(1)(b) GDPR (contract performance).

OpenAI is certified under the EU-U.S. Data Privacy Framework (DPF). Additionally, we have a Data Processing Agreement (DPA) and EU Standard Contractual Clauses with OpenAI.

Important: According to its privacy policy, OpenAI does not use API inputs for training its models. Data may be stored for up to 30 days for Trust & Safety purposes.

More information: https://openai.com/policies/privacy-policy

Retention period with us: Uploaded images and generated results are stored in your account for as long as you do not delete them or your account is active.

8. Image Processing

For automatic background removal of images, we use Hugging Face Spaces, a service of Hugging Face, Inc., 20 Jay Street, Brooklyn, NY 11201, USA.

Processed data:

• Front and back product images that you upload • Request metadata

Purpose: Removing the background from product images for further image-processing.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

We have concluded a Data Processing Agreement (DPA) and EU Standard Contractual Clauses with Hugging Face.

More information: https://huggingface.co/privacy

Retention period: Images are deleted within seconds after processing and are not permanently stored by Hugging Face.

9. Email Delivery

For sending transactional emails (registration confirmations, invoices, cancellation confirmations, service notifications), we use Resend by Plus Five Five, Inc., 2261 Market Street #4667, San Francisco, CA 94114, USA.

Processed data:

• Email address • Content of the sent email • Sending metadata (timestamp, success status, bounce information)

Purpose: Sending contractually or legally required email notifications.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

We have concluded a Data Processing Agreement (DPA) and EU Standard Contractual Clauses with Resend.

More information: https://resend.com/legal/privacy-policy

Retention period: Email sending logs are stored for a maximum of 90 days.

10. Background Processing

For processing background jobs (asynchronous image generation, scheduled tasks), we use Trigger.dev by Trigger.dev Ltd., 86-90 Paul Street, London, EC2A 4NE, United Kingdom.

Processed data:

• Job metadata (user ID, order ID, job parameters) • Processing status • Error logs

Purpose: Asynchronous processing of image generation orders.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

The United Kingdom has an adequacy decision from the EU Commission (UK Adequacy Decision). Additionally, we have concluded a Data Processing Agreement (DPA) with Trigger.dev.

More information: https://trigger.dev/legal/privacy

Retention period: Job data is retained for a maximum of 90 days for error diagnosis.

11. Domain and Mail Hosting

For domain registration and email reception via info@rankdglobal.com, we use IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, Germany.

Processed data:

• Email content (incoming and outgoing emails to info@rankdglobal.com) • Sender, recipient data • Connection metadata

Purpose: Provision of email communication, domain management.

Legal basis: Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(f) GDPR (legitimate interest in business communication).

IONOS processes data exclusively in data centers within the European Union. We have concluded a Data Processing Agreement (DPA) with IONOS.

More information: https://www.ionos.de/terms-gtc/terms-privacy/

Retention period: Business emails are retained for 6 years pursuant to § 257 HGB.

12. Data Transfer to Third Countries

As shown above, we also transfer personal data to processors based in the USA and the United Kingdom. We have concluded appropriate safeguards pursuant to Art. 46 GDPR for all these transfers, in particular:

• EU Standard Contractual Clauses (SCC) • EU-U.S. Data Privacy Framework (DPF) for US providers that are certified (Stripe, OpenAI) • UK Adequacy Decision for the United Kingdom

Despite these safeguards, it cannot be ruled out that US authorities may access data in certain cases. You can object to the transfer of your data to third countries at any time — however, note that the use of the service may no longer be possible.

13. Cookies and Similar Technologies

On our website, we use only technically necessary cookies (essential cookies). These cookies are required to provide the basic functions of the website, in particular:

• Session cookies for authentication (login status, set by Supabase Auth) • CSRF tokens to protect against cross-site request forgery

These cookies are absolutely necessary pursuant to § 25(2)(2) TDDDG (German Telecommunications-Digital-Services Data Protection Act) and therefore do not require consent. They are automatically deleted when you leave the page (session cookies) or after a maximum of 7 days.

We do not use any analytics, tracking, or marketing cookies. Third-party cookies are only set by Stripe on the external Stripe Checkout page (separate privacy policy by Stripe).

14. Retention Period

We store personal data only for as long as is necessary to fulfill the respective purposes. Specifically:

• Account data: until account deletion, then deletion within 30 days • Generated images: until manual deletion by the user or account deletion • Invoice data and payment information: 10 years pursuant to § 257 HGB / § 147 AO (German tax law) • Business emails: 6 years pursuant to § 257 HGB • Server logs: maximum 30 days • Job logs (Trigger.dev): maximum 90 days • Email sending logs (Resend): maximum 90 days

15. Your Rights as a Data Subject

You have the following rights with regard to your personal data:

• Right of access (Art. 15 GDPR) • Right to rectification (Art. 16 GDPR) • Right to erasure ("right to be forgotten", Art. 17 GDPR) • Right to restriction of processing (Art. 18 GDPR) • Right to data portability (Art. 20 GDPR) • Right to object (Art. 21 GDPR) • Right to withdraw consent (Art. 7(3) GDPR)

To exercise your rights, please contact us by email at info@rankdglobal.com. We will process your request within the legal period of one month (Art. 12(3) GDPR).

16. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data by us (Art. 77 GDPR). Supervisory authority responsible for us:

State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI BW) Königstraße 10a 70173 Stuttgart Germany Phone: +49 711 615541-0 Email: poststelle@lfdi.bwl.de Web: https://www.baden-wuerttemberg.datenschutz.de

17. Changes to this Privacy Policy

We reserve the right to adjust this Privacy Policy to adapt it to changed legal situations or changes to our services. For your renewed visit to our website, the new Privacy Policy then applies.