Privacy Policy (Datenschutzerklärung)

1. Introduction and Scope

• 1.1 Ahoi Kapptn FlexCo ("GenAerial", "we", "us", or "our") is committed to protecting your personal data and respecting your privacy rights. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the GenAerial platform and services (the "Service").
• 1.2 This Privacy Policy is designed to comply with:
  • 1.2.1 The General Data Protection Regulation (GDPR - EU 2016/679);
  • 1.2.2 Austrian Data Protection Act (Datenschutzgesetz - DSG);
  • 1.2.3 Austrian Telecommunications Act (Telekommunikationsgesetz - TKG 2021) regarding cookies and tracking.
• 1.3 By using GenAerial, you acknowledge that you have read and understood this Privacy Policy and consent to the processing of your personal data as described herein.

2. Data Controller and Contact Information

• 2.1 The Data Controller for the processing of your data is:

  Ahoi Kapptn FlexCo

  Industriezeile 35

  4020 Linz

  Austria

  Contact for Data Protection Inquiries:

  Email: support@genaerial.com

• 2.2 If you have any questions, concerns, or requests regarding your personal data or this Privacy Policy, please contact us at the addresses provided above.

3. Types of Personal Data We Collect

We collect and process the following categories of personal data:

• 3.1 Account Registration Data: When you create an account with GenAerial, we collect:
  • 3.1.1 Email address: Used for account identification, authentication, and communications;
  • 3.1.2 Name: To personalize your account and communications;
  • 3.1.3 Password: Stored in encrypted form for account security.
• 3.2 Input Data (Location and Place Information): To generate AI aerial imagery, you provide location information which may include:
  • 3.2.1 GPS coordinates (latitude and longitude);
  • 3.2.2 Physical addresses;
  • 3.2.3 Google Maps links or place identifiers;
  • 3.2.4 Location descriptions and search queries.
  • 3.2.5 This data is necessary to fulfill our contractual obligation to generate imagery for your specified locations.
• 3.3 Payment and Billing Data: All payment processing is handled via Stripe Managed Payments by our third-party payment processor, Stripe. GenAerial does not store or have access to your full credit card numbers. We collect and store:
  • 3.3.1 Billing name and address (as provided during subscription purchase);
  • 3.3.2 Last four digits of your payment card (provided by Stripe for reference);
  • 3.3.3 Transaction history and invoice records;
  • 3.3.4 VAT/Tax identification numbers (if provided).
  • 3.3.5 Stripe handles all sensitive payment card data. Please refer to Stripe's Privacy Policy for details on how they process payment information.
• 3.4 Technical and Usage Data: We automatically collect certain technical information when you use the Service:
  • 3.4.1 IP address: For security, fraud prevention, and analytics;
  • 3.4.2 Browser type and version: To ensure compatibility;
  • 3.4.3 Device information: Operating system, screen resolution;
  • 3.4.4 Usage data: Pages visited, features used, time spent on the platform, and generation history;
  • 3.4.5 Cookies and tracking technologies: See Section 5 for detailed cookie information.
• 3.5 Generated Content and Outputs: We store AI-generated images you create through the Service, along with associated metadata such as generation parameters, timestamps, and usage credits consumed. This data is necessary to provide the Service and maintain your account history.
• 3.6 Communications and Support Data: If you contact us for customer support or communicate with us via email or other channels, we collect and store the content of those communications, including any information you choose to provide.

4. Legal Basis for Processing (Art. 6 GDPR)

We process your personal data based on the following legal grounds under Article 6 of the GDPR:

• 4.1 Performance of a Contract (Art. 6(1)(b) GDPR): Processing is necessary to fulfill our contractual obligations to provide the GenAerial Service, including:
  • 4.1.1 Creating and managing your account;
  • 4.1.2 Processing location data to generate AI aerial imagery;
  • 4.1.3 Delivering generated outputs to you;
  • 4.1.4 Processing payments and managing subscriptions;
  • 4.1.5 Providing customer support.
• 4.2 Legitimate Interests (Art. 6(1)(f) GDPR): We process certain data based on our legitimate business interests, which include:
  • 4.2.1 Security and fraud prevention: Protecting the Service from abuse, unauthorized access, and fraudulent activities;
  • 4.2.2 Service improvement: Analyzing usage patterns to improve the AI model, user experience, and platform features;
  • 4.2.3 Technical operations: Maintaining, testing, and optimizing Service performance and reliability;
  • 4.2.4 Business analytics: Understanding how users interact with the Service to inform product development.
  • 4.2.5 We carefully balance these interests against your rights and freedoms. You have the right to object to processing based on legitimate interests (see Section 9).
• 4.3 Consent (Art. 6(1)(a) GDPR): For certain processing activities, we rely on your explicit consent:
  • 4.3.1 Marketing communications: Sending promotional emails, newsletters, or updates about GenAerial (you can opt-out at any time);
  • 4.3.2 Non-essential cookies: Using analytics and marketing cookies beyond those strictly necessary for Service operation.
  • 4.3.3 You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
• 4.4 Legal Obligations (Art. 6(1)(c) GDPR): We process personal data when required to comply with legal obligations, such as:
  • 4.4.1 Austrian tax and accounting laws requiring retention of billing records;
  • 4.4.2 Responding to valid legal requests or court orders;
  • 4.4.3 Complying with consumer protection regulations.

5. Cookies and Tracking Technologies

GenAerial uses cookies and similar tracking technologies to provide, secure, and improve the Service. In compliance with Austrian TKG 2021 and GDPR, we provide the following information:

• 5.1 What Are Cookies? Cookies are small text files stored on your device that help websites remember information about your visit. We use both session cookies (deleted when you close your browser) and persistent cookies (remain on your device for a set period).
• 5.2 Types of Cookies We Use:
  • 5.2.1 Strictly Necessary Cookies (No consent required):
    • 5.2.1.1 Authentication cookies: Keep you logged in and manage your session;
    • 5.2.1.2 Security cookies: Detect and prevent fraudulent activity and abuse;
    • 5.2.1.3 Load balancing cookies: Distribute traffic across our servers.
  • 5.2.2 Performance and Analytics Cookies (Consent required):
    • 5.2.2.1 Help us understand how users interact with the Service;
    • 5.2.2.2 Track page views, navigation patterns, and errors;
    • 5.2.2.3 We may use services like Google Analytics (anonymized where possible).
  • 5.2.3 Marketing Cookies (Consent required):
    • 5.2.3.1 Track the effectiveness of advertising campaigns;
    • 5.2.3.2 Enable personalized marketing communications.
• 5.3 Managing Cookies: You can control and delete cookies through your browser settings. Please note that disabling necessary cookies may affect the functionality of the Service. Most browsers allow you to:
  • 5.3.1 View what cookies are stored;
  • 5.3.2 Delete all cookies or specific cookies;
  • 5.3.3 Block third-party cookies;
  • 5.3.4 Block cookies from specific websites;
  • 5.3.5 Block all cookies (this may prevent access to the Service).

6. How We Use Your Personal Data

We use your personal data for the following purposes:

• 6.1 Service Delivery: To provide the core functionality of GenAerial, including generating AI aerial imagery based on your location inputs;
• 6.2 Account Management: To create, maintain, and secure your account, manage authentication, and track subscription status;
• 6.3 Payment Processing: To process payments, issue invoices, and manage billing (in cooperation with Stripe);
• 6.4 Customer Support: To respond to your inquiries, troubleshoot issues, and provide technical assistance;
• 6.5 Service Improvement: To analyze usage patterns, improve AI model performance, develop new features, and optimize user experience;
• 6.6 Security and Fraud Prevention: To detect, prevent, and respond to security threats, fraudulent activities, and Terms of Service violations;
• 6.7 Legal Compliance: To comply with applicable laws, regulations, and legal processes;
• 6.8 Marketing (with consent): To send you promotional materials, newsletters, and updates about GenAerial;
• 6.9 Business Operations: For internal record-keeping, accounting, and business analytics.

7. Third-Party Data Sharing and Transfers

GenAerial relies on trusted third-party service providers to deliver the Service. We share your personal data with the following categories of recipients:

• 7.1 Google Maps API:
  • 7.1.1 Purpose: To let you select a location on a map.
  • 7.1.2 Data Shared: GPS coordinates, addresses, and Google Maps links you input into the Service.
  • 7.1.3 Legal Basis: Necessary for contract performance and service delivery.
  • 7.1.4 Data Transfer: Google may process data outside the EU/EEA. Google is certified under the EU-U.S. Data Privacy Framework and provides adequate safeguards.
  • 7.1.5 Privacy Policy: See https://policies.google.com/privacy.
• 7.2 Stripe (Payment Processor):
  • 7.2.1 Purpose: To process subscription payments and manage billing using Stripe Managed Payments. Stripe acts as the merchant of record and all payment disputes, invoices, and chargebacks are handled by Stripe.
  • 7.2.2 Data Shared: Billing name, email address, user ids, payment information (handled directly by Stripe).
  • 7.2.3 Legal Basis: Necessary for contract performance (payment processing).
  • 7.2.4 Data Transfer: Stripe may process data outside the EU/EEA with appropriate safeguards.
  • 7.2.5 Privacy Policy: See https://stripe.com/privacy.
• 7.3 AI Infrastructure and Model Providers:
  • 7.3.1 AI Technology: GenAerial utilizes Google's Gemini AI Nano Banana Pro as the primary AI image generation infrastructure.
  • 7.3.2 Data Shared: Location coordinates, generation parameters, and prompts necessary to generate imagery.
  • 7.3.3 Legal Basis: Necessary for contract performance (core service delivery).
  • 7.3.4 Agreements: We maintain Data Processing Agreements (DPAs) with providers to ensure GDPR compliance.
  • 7.3.5 Data Transfer: AI processing may occur on servers outside the EU/EEA. We ensure appropriate safeguards (SCCs) are in place.
• 7.4 Hosting and Cloud Infrastructure: GenAerial uses cloud hosting services to store and process data. These providers are contractually bound to process data only on our instructions and in compliance with GDPR, including implementing appropriate technical and organizational security measures.
• 7.5 Analytics and Performance Monitoring: We may use third-party analytics services (e.g., Google Analytics, Vercel Analytics) to understand usage patterns and improve the Service. Where possible, we anonymize or pseudonymize data before sharing with these providers.
• 7.6 Legal Disclosures: We may disclose your personal data if required by law or in response to valid legal processes, including:
  • 7.6.1 Court orders or subpoenas;
  • 7.6.2 Law enforcement requests;
  • 7.6.3 Legal obligations under Austrian or EU law;
  • 7.6.4 Protection of our legal rights or those of our users or third parties.
• 7.7 International Data Transfers: Some of our service providers are located outside the European Economic Area (EEA). When we transfer your personal data outside the EEA, we ensure appropriate safeguards are in place:
  • 7.7.1 EU-U.S. Data Privacy Framework certification (where applicable);
  • 7.7.2 Standard Contractual Clauses approved by the EU Commission;
  • 7.7.3 Binding Corporate Rules;
  • 7.7.4 Other mechanisms recognized under GDPR.
  • 7.7.5 Inquiry: You may request copies of safeguards by contacting support@genaerial.com.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law.

• 8.1 Retention Periods:
  • 8.1.1 Account Data: Retained for the duration of your active account. Upon account deletion, personal data is deleted within 30 days unless retention is required by law;
  • 8.1.2 Billing and Payment Records: Retained for 7 years in compliance with Austrian tax and commercial law (BAO and UGB);
  • 8.1.3 Generated Imagery and Usage Data: Retained for the duration of your active account. Historical generation data may be retained for analytics in aggregated, anonymized form;
  • 8.1.4 Technical Logs (IP addresses, access logs): Typically retained for 90 days for security and fraud prevention purposes;
  • 8.1.5 Support Communications: Retained for 3 years to provide continuous support and resolve disputes;
  • 8.1.6 Marketing Consents: Retained until you withdraw consent or for 2 years of inactivity.
• 8.2 Data Deletion: When personal data is no longer needed, we securely delete or anonymize it. Anonymized data (data that can no longer identify you) may be retained indefinitely for statistical and research purposes.

9. Your Rights as a Data Subject

Under the GDPR and Austrian data protection law, you have the following rights regarding your personal data:

• 9.1 Right of Access (Art. 15 GDPR): You have the right to obtain confirmation as to whether we process your personal data and, if so, to access that data and receive information about:
  • 9.1.1 The purposes of processing; the categories of personal data; the recipients or categories of recipients; the retention period; your other rights under GDPR; and the source of the data.
• 9.2 Right to Rectification (Art. 16 GDPR): You have the right to request correction of inaccurate personal data and to complete incomplete personal data. You can update most account information directly through your account settings.
• 9.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR): You have the right to request deletion of your personal data in circumstances where:
  • 9.3.1 Data is no longer necessary; consent is withdrawn; you object and there are no overriding legitimate grounds; data was unlawfully processed; or deletion is required for legal obligations.
  • 9.3.2 Note: This right is not absolute. We may retain data where legally required (e.g., tax records) or to defend legal claims.
• 9.4 Right to Restriction of Processing (Art. 18 GDPR): You have the right to request restriction (limiting but not deleting) of processing in situations where:
  • 9.4.1 Accuracy is contested; processing is unlawful but you oppose erasure; we no longer need the data but you need it for legal claims; or pending verification of an objection.
• 9.5 Right to Data Portability (Art. 20 GDPR): Where processing is based on consent or contract, you have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it elsewhere.
• 9.6 Right to Object (Art. 21 GDPR): You have the right to object to processing of your personal data in certain situations:
  • 9.6.1 Legitimate interest: We will cease processing unless we demonstrate compelling legitimate grounds.
  • 9.6.2 Direct marketing: You have an absolute right to object at any time via the unsubscribe link or contacting us.
• 9.7 Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal.
• 9.8 Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights.

  9.8.1 Austrian Data Protection Authority:

  Österreichische Datenschutzbehörde (DSB)

  Barichgasse 40-42, 1030 Wien, Austria

  Website: https://www.dsb.gv.at

  Email: dsb@dsb.gv.at

• 9.9 Exercising Your Rights: To exercise any of these rights, please contact us at support@genaerial.com.
  • 9.9.1 Response Time: We will respond within one month (or up to three months for complex cases).
  • 9.9.2 Verification: We may request additional information to verify your identity before fulfilling your request.

10. Data Security Measures

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• 10.1 Encryption: Data transmission is secured using TLS/SSL encryption. Passwords are stored using industry-standard cryptographic hashing;
• 10.2 Access Controls: Strict access controls ensure that only authorized personnel can access personal data on a need-to-know basis;
• 10.3 Secure Infrastructure: We use reputable cloud hosting providers with robust security certifications (e.g., ISO 27001, SOC 2);
• 10.4 Regular Security Audits: We conduct regular security assessments and vulnerability testing;
• 10.5 Data Minimization: We collect and retain only the data necessary for legitimate purposes;
• 10.6 Employee Training: Our team receives training on data protection and security best practices;
• 10.7 Incident Response: We maintain procedures for detecting, responding to, and reporting data breaches in accordance with GDPR requirements (notification within 72 hours where required).
• 10.8 While we implement strong security measures, no system is completely secure. We cannot guarantee absolute security but continuously work to protect your data.

11. Children's Privacy

• 11.1 GenAerial is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children.
• 11.2 If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at support@genaerial.com, and we will promptly delete such information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• 12.1 Update the "Last Updated" date at the top of this Privacy Policy;
• 12.2 Notify you by email (to the address associated with your account);
• 12.3 Provide prominent notice on the Service or through other appropriate means.
• 12.4 We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

13. Contact Information and Data Protection Inquiries

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

13.1 We are committed to resolving any privacy concerns promptly and transparently. Please allow up to 30 days for us to respond to your inquiries.