Privacy Policy
Last updated: April 2026
1. Controller
Responsible body (Verantwortliche Stelle) per GDPR Art. 4(7):
Mitja MartiniHelmkrautstr. 32
13503 Berlin
Germany
Email: hi@mitjamartini.com
2. Data Collected
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Email address | Account creation, magic link login, notifications | Art. 6(1)(b) — contract performance | Until account deletion |
| Uploaded images (doodles) | Video generation service | Art. 6(1)(b) — contract performance | Until job cleanup (30 days after failed/rejected) or account deletion |
| Generated videos | Service delivery, public sharing (if opted in) | Art. 6(1)(b) — contract performance | Until account deletion or video deletion |
| User description text | Animation prompt input | Art. 6(1)(b) — contract performance | Until account deletion |
| Credit transaction history | Billing, refund processing | Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation (tax records) | Credit data: until account deletion. Tax-relevant records: 10 years (§ 147 AO) |
| IP address, browser info | Server logs, rate limiting, security | Art. 6(1)(f) — legitimate interest (security) | 30 days |
| Session cookies | Authentication | Art. 6(1)(b) — contract performance | 24 hours |
| Notification preferences | Email delivery control | Art. 6(1)(a) — consent | Until changed or account deletion |
| Video view counts | Analytics (aggregated, via Bunny Stream) | Art. 6(1)(f) — legitimate interest (service improvement) | Aggregated only; no personal data retained |
3. Data Processors and Third-Party Services
Hosting: Hetzner Cloud
Server infrastructure is provided by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Data is stored and processed in Hetzner's EU data centers (Germany/Finland). No data is transferred outside the EU for hosting purposes.
Hetzner Privacy Policy · Hetzner DPA
Video Delivery: Bunny Stream / BunnyCDN
Video transcoding, storage, and delivery is provided by BunnyWay d.o.o., Cesta komandanta Staneta 4A, 1215 Medvode, Slovenia. Uploaded videos are processed by Bunny Stream for transcoding and served via BunnyCDN's global edge network. Bunny's primary data processing is in the EU (Slovenia), with edge caching in multiple regions for performance.
Data processed: video files, view counts, delivery metadata. No personal user data is shared with Bunny.
Bunny Privacy Policy · Bunny DPA
AI Services: Google Cloud (Gemini + Veo)
AI content moderation, prompt engineering, and video generation are provided by Google LLC via the Google Cloud Gemini and Veo APIs.
Data sent to Google:
- Uploaded doodle images (for moderation and prompt generation)
- User-provided text descriptions (for prompt generation)
- AI-generated prompts (for video generation)
Google processes this data under their Cloud Data Processing Addendum. Data may be processed in the US and other locations where Google operates. The EU–US Data Privacy Framework provides the legal basis for US transfers.
Google does not use API data to train its models (per Google Cloud Terms of Service, Section 4.3).
Google Privacy Policy · Google Cloud DPA
Payments: Polar
Payment processing is handled by Polar Software, Inc. Polar acts as Merchant of Record and independently collects and processes buyer data (name, email, payment details, billing address) for transaction processing and tax compliance.
WeDoodle does not store credit card numbers, bank details, or payment credentials. Polar handles all payment data directly.
Data shared with Polar: user email address.
Data received from Polar: order confirmation, product ID, customer ID (via webhook).
Email: Mailjet
Transactional emails (login links, notifications) are sent via Mailjet SAS, 13-13bis rue de l'Aubrac, 75012 Paris, France (a Sinch company). Data shared with Mailjet: recipient email address, email content. Mailjet processes data in the EU.
Mailjet Privacy Policy · Mailjet DPA
Fonts
Web fonts (Fredoka, Nunito) are self-hosted on WeDoodle's servers at
/static/fonts/. No request is made to Google Fonts or any
external font service — your browser downloads font files directly from
wedoodle.app.
4. Cookies
WeDoodle uses only essential cookies:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
session_id |
Authentication session | 24 hours | Essential |
WeDoodle does not use analytics cookies, advertising cookies, or tracking pixels. No cookie consent banner is required because only essential cookies are used (GDPR Art. 6(1)(b), TTDSG § 25(2)).
5. Children's Data
WeDoodle is designed for use by children aged 4–12 under parental supervision. We take children's data protection seriously:
- We do not collect children's personal data beyond what is needed for the service (email for account, uploaded doodles for processing).
- We do not use behavioral tracking, profiling, or targeted advertising.
- Content moderation is applied to all uploads to ensure child safety.
- Accounts are created with a parent's or guardian's email address.
- We do not knowingly collect data from children without parental consent as required by GDPR Art. 8 and applicable national law.
If you believe a child has provided personal data without appropriate parental consent, please contact hi@mitjamartini.com and we will promptly delete the data.
6. Your Rights
Under GDPR, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20) — receive your data in a machine-readable format
- Object to processing (Art. 21)
- Withdraw consent at any time (Art. 7(3))
To exercise these rights, email hi@mitjamartini.com. We respond within 30 days.
You have the right to lodge a complaint with the supervisory authority:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin
https://www.datenschutz-berlin.de
7. Data Transfers Outside the EU
Data is transferred outside the EU only when necessary for the service:
| Recipient | Country | Legal basis |
|---|---|---|
| Google Cloud (AI APIs) | USA | EU–US Data Privacy Framework |
| Polar (payments) | USA | Standard Contractual Clauses |
| BunnyCDN edge nodes | Global | Standard Contractual Clauses |
Hosting (Hetzner), email (Mailjet), and primary Bunny processing are EU-based.
8. Data Retention
| Data | Retention |
|---|---|
| Account data (email) | Until account deletion |
| Session data | 24 hours (auto-cleanup) |
| Magic link tokens | 15 minutes (auto-cleanup) |
| Uploaded doodles (successful) | Until account deletion |
| Uploaded doodles (failed/rejected) | 30 days, then auto-deleted |
| Generated videos | Until account deletion |
| Credit transactions | Until account deletion; tax records 10 years |
| AI request logs | 12 months |
| Server logs (IP, browser) | 30 days |
9. Changes to This Policy
We may update this privacy policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email to registered users. The current version is always available at https://wedoodle.app/privacy.