
Privacy Policy

Last updated: February 2026

1. Data Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Ioannis Fotiou
Sole trader operating as "MalMagic"
Karaiskaki 34
62121 Serres
Greece

Phone: +49 176 37192147
Email: info@malmagic.de

2. Scope

This Privacy Policy applies to the use of the web application "MalMagic" (AI colouring page generator).

It describes the nature, scope and purpose of the processing of personal data of users, in particular those in the European Union.

3. Legal Basis for Processing

Personal data is processed on the following legal bases:

  • Art. 6(1)(a) GDPR — Consent
  • Art. 6(1)(b) GDPR — Performance of a contract
  • Art. 6(1)(c) GDPR — Legal obligation
  • Art. 6(1)(f) GDPR — Legitimate interests

4. Data We Collect

4.1 Registration and Account Data

When creating an account, the following data is processed:

  • Name
  • Email address
  • Password (stored in encrypted form)
  • Date of registration

Purpose: Provision of a user account · Legal basis: Art. 6(1)(b) GDPR

4.2 Uploaded Photos

To generate personalised colouring pages, users may upload photos. These photos are:

  • used exclusively to generate the colouring page
  • temporarily transmitted to an AI service provider (see Section 5)
  • automatically deleted after processing is complete

The generated colouring page is stored in the user account.

Legal basis: Art. 6(1)(b) GDPR

4.3 Payment Data

Payment processing is handled by Stripe Inc. Payment data is entered and processed directly through Stripe. MalMagic does not store full payment card details.

Legal basis: Art. 6(1)(b) GDPR

4.4 Technical Access Data (Server Logs)

When visiting the website, the following data is collected automatically:

  • IP address
  • Date and time of access
  • Browser type and version
  • Operating system
  • Referrer URL

Purpose: Ensuring technical functionality and system security

Legal basis: Art. 6(1)(f) GDPR

Server log data is stored for a maximum of 7 days for security purposes and then automatically deleted, unless a security incident requires longer retention.

4.5 Cookies and Technically Necessary Storage

This web application uses technically necessary cookies and comparable storage technologies (e.g. local storage) to ensure the functionality of the application, in particular for:

  • User authentication (login status)
  • Session management
  • Security and abuse prevention
  • Payment processing via Stripe

These technologies are required for the operation of the web application.

Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR

5. AI Image Processing

To generate colouring pages, uploaded images are temporarily transmitted to the following service provider:

Replicate Inc., USA

Purpose: AI-based image processing

The transfer of data to the USA is based on EU Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR.

When transferring data to the USA, there is a risk that US authorities may access the data under national security laws without effective legal remedies for EU citizens. Standard Contractual Clauses provide appropriate safeguards within the meaning of Art. 46 GDPR.

Original images are automatically deleted after successful processing.

6. Hosting and Data Processors

The following service providers are engaged as data processors pursuant to Art. 28 GDPR:

  • Supabase Inc. · Database, authentication · EU (Frankfurt)
  • Vercel Inc. · Web application hosting · EU (Frankfurt)
  • Stripe Inc. · Payment processing · EU/USA · SCCs
  • Resend Inc. · Transactional email delivery · USA · SCCs

Data processing agreements are in place with all service providers.

7. Retention Periods

  • Account data: For the duration of the contractual relationship
  • Invoice data: In accordance with statutory retention obligations
  • Uploaded original photos: Immediately deleted after processing
  • Generated colouring pages: Stored until deleted by the user or upon account deletion

8. Obligation to Provide Data

The provision of personal data is contractually necessary to use the web application. Without the required data (e.g. email address, payment details), no user account can be created and no paid service can be provided.

There is no statutory obligation to provide data.

9. Your Rights as a Data Subject

You have the following rights under GDPR:

  • Right of access — Art. 15 GDPR
  • Right to rectification — Art. 16 GDPR
  • Right to erasure — Art. 17 GDPR
  • Right to restriction of processing — Art. 18 GDPR
  • Right to data portability — Art. 20 GDPR
  • Right to object — Art. 21 GDPR
  • Right to withdraw consent — Art. 7(3) GDPR

To exercise any of these rights, please send an email to: info@malmagic.de

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority.

The competent supervisory authority based on our place of establishment is:

Hellenic Data Protection Authority (HDPA)

www.dpa.gr

You may also lodge a complaint with the supervisory authority in your country of residence.

11. Automated Decision-Making

No automated decision-making within the meaning of Art. 22 GDPR takes place.

The AI-based image processing is used solely to technically generate the requested colouring page and has no legal effect on users.

12. Data Security

We implement appropriate technical and organisational measures pursuant to Art. 32 GDPR to protect personal data against loss, manipulation and unauthorised access.