Skip to main content
Back🇩🇪 Deutsch

Privacy Policy

Pursuant to Art. 13 / 14 GDPR · Last updated: February 2026

1. Data Controller

The controller responsible for data processing on this website under the General Data Protection Regulation (GDPR) is:

PunchLab

Luca Restagno

München, Germany

Email: hello@punchlab.dev

A data protection officer is not required pursuant to Art. 37 GDPR, as we do not carry out large-scale processing of special categories of personal data.

2. What Data We Collect and Why

a) Pet Photo(s)

You upload 1–3 photos of your pet. These photos are used solely to generate AI art portraits and are transmitted to Replicate (our processor) for that purpose. We do not permanently store your photos. Legal basis: Art. 6(1)(b) GDPR (performance of a contract — providing the requested service).

b) Email Address

Your email address is passed to Stripe solely to send you a payment receipt. We do not store your email address ourselves. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

c) Payment Data

Payment data (credit card details etc.) is processed exclusively by Stripe. It never reaches our servers. Legal basis: Art. 6(1)(b) GDPR.

d) Server Access Logs

Technical data is automatically collected on each page request (IP address, browser type, OS, timestamp, requested URL). This data is processed by Cloudflare as our CDN/hosting provider for security and service stability. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating and securing the service).

e) Usage Statistics (Plausible Analytics)

We use Plausible Analytics to measure page views and user behaviour. Plausible Analytics sets no cookies and does not process personal data within the meaning of the GDPR. No IP addresses are stored and no device-specific identifiers are used. Consent under Art. 6(1)(a) GDPR is therefore not required. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in analysing and improving the service).

3. Payment Processing by Stripe (Processor)

For payment processing we use Stripe Payments Europe, Ltd. (1 Grand Canal Street Lower, Dublin, D02 H210, Ireland) and its US parent Stripe, Inc. (354 Oyster Point Boulevard, South San Francisco, CA 94080, USA).

Stripe processes your payment data and email address as a processor under Art. 28 GDPR pursuant to a Data Processing Agreement. Transfers to the US parent are based on Standard Contractual Clauses (Art. 46(2)(c) GDPR) and Stripe's certification under the EU–U.S. Data Privacy Framework.

More information: Stripe Privacy Policy

4. AI Image Generation by Replicate (Processor)

For AI portrait generation we use Replicate, Inc. (548 Market St, San Francisco, CA 94104, USA). Your uploaded photos are transmitted to the Replicate API for the duration of processing. Replicate deletes transmitted data after processing. Your photos are not used to train AI models.

The transfer to the USA is based on Standard Contractual Clauses (Art. 46(2)(c) GDPR).

More information: Replicate Privacy Policy

5. Hosting and CDN by Cloudflare

This website is hosted on Cloudflare Pages. Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA) processes technical access data (including IP addresses) as a processor to deliver and secure the service. Transfers to the USA are based on Standard Contractual Clauses.

More information: Cloudflare Privacy Policy

6. Plausible Analytics

We use Plausible Analytics, a privacy-friendly web analytics service. It is cookie-free, stores no personal data, and requires no cookie consent banner. The service is operated by Plausible Insights OÜ (Sepapaja tn 6, 15551 Tallinn, Estonia).

More information: Plausible Data Policy

7. Cookies and Local Storage

This website uses no tracking cookies. We use your browser's SessionStorage solely for technical necessity — to temporarily hold your uploaded photos during the payment process. This data never leaves your browser and is automatically deleted when the tab is closed.

8. Retention and Deletion

We retain personal data only for as long as necessary for each purpose:

  • Pet photos: Deleted immediately after AI generation (no permanent storage by us or Replicate).
  • Email address: Not stored by us; retained by Stripe according to their retention periods (typically up to 7 years for tax purposes).
  • Generated portraits: Available for download for up to 7 days, then automatically deleted.
  • Server logs (Cloudflare): Per Cloudflare's retention policies (typically a few days).
  • SessionStorage: Deleted when the browser tab is closed.

9. Your Rights as a Data Subject (Art. 15–22 GDPR)

You have the following rights:

  • Right of access (Art. 15 GDPR): You may request information about the data we process about you at any time.
  • Right to rectification (Art. 16 GDPR): You may request correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR): You may request deletion of your data, unless statutory retention obligations apply.
  • Right to restriction of processing (Art. 18 GDPR): You may request that processing of your data be restricted.
  • Right to data portability (Art. 20 GDPR): You have the right to receive your data in a machine-readable format.
  • Right to object (Art. 21 GDPR): You may object to processing of your data based on Art. 6(1)(f) GDPR.

To exercise your rights, please contact: hello@punchlab.dev

10. Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data. The competent authority for Bavaria, Germany is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Promenade 18, 91522 Ansbach, Germany

Website: www.lda.bayern.de

Legal Notice (Impressum)Terms of ServiceDatenschutzerklärung (DE)