Uncreative
|
Get started

Privacy Policy

Last updated: 21 April 2026

1. Controller

The controller responsible for processing personal data on this website is:

Tomo Clement
Jahnstr. 15
71032 Böblingen
Germany
Email: system@uncreative.dev

2. Hosting & Server Logs

This website is hosted on a virtual private server operated by Contabo GmbH, Aschauer Straße 32a, 81549 Munich, Germany, acting as a data processor under a data-processing agreement. The same server hosts the application database (PostgreSQL), job queue (Redis), and file storage (MinIO).

When you visit this site your browser automatically transmits usage data to the server. This may include your IP address, browser type, operating system, referring URL, pages accessed, and time of access. These server logs are stored for operational and security purposes.

Legal basis: Art. 6 para. 1 lit. f GDPR — our legitimate interest in ensuring stable and secure operation.

3. Cookies

Technically necessary cookies

We use only strictly necessary cookies — no marketing or tracking cookies are set:

  • NEXT_LOCALE — stores your language preference (en or de). Expires after 1 year.
  • OAuth state cookie — a short-lived, HMAC-signed cookie used to protect the Klaviyo OAuth 2.0 / PKCE authorization flow against cross-site request forgery. Deleted once the OAuth flow completes.

Legal basis: § 25 para. 2 TDDDG in conjunction with Art. 6 para. 1 lit. f GDPR — necessary for providing the service.

Stripe Checkout cookies

When you proceed to payment, Stripe Payments Europe Ltd. may set cookies for fraud prevention and payment processing. These are only loaded after you actively initiate checkout.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance) and Art. 6 para. 1 lit. f GDPR (fraud prevention).

4. Klaviyo OAuth Connection

To deliver the service, we ask you to authorise Uncreative to access your Klaviyo account via OAuth 2.0. The resulting access and refresh tokens are stored in an encrypted form in our PostgreSQL database (hosted on the Contabo VPS). We use these tokens exclusively to create email templates, flows, and image assets in your Klaviyo account on your behalf.

The data recipient is Klaviyo, Inc., 125 Summer St, Boston, MA 02110, USA. Klaviyo processes data under its own privacy policy: klaviyo.com/legal/privacy-notice. The legal basis for the transfer is the EU–US Data Privacy Framework (Klaviyo participates) and, as a fallback, standard contractual clauses.

Legal basis: Art. 6 para. 1 lit. b GDPR — necessary to perform the contract.

5. Payment Processing (Stripe)

Payments are processed by Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. Only data required to process your payment is transmitted to Stripe.

No recurring charges are initiated without your explicit separate consent. All Stripe transactions are subject to the Stripe Privacy Policy: stripe.com/privacy.

Legal basis: Art. 6 para. 1 lit. b GDPR — necessary to perform the contract.

6. Image Uploads (Product Images & Logo)

Product images and your brand logo are uploaded and stored locally in a self-hosted MinIO instance on our Contabo VPS. They are not shared with third parties except as described in sections 7 (OpenAI) and 4 (Klaviyo) — namely, when uploaded product images are included in prompts sent to OpenAI for description, and when rendered email images are pushed to your Klaviyo account.

By uploading images you warrant that you hold the necessary rights to use them for this purpose.

Legal basis: Art. 6 para. 1 lit. b GDPR — necessary to perform the contract.

7. AI-Assisted Content Generation (OpenAI)

We use the OpenAI API to generate email subject lines, preview text, and body copy, and to obtain textual descriptions of your product images (GPT-4o Vision). Data sent to OpenAI includes: brand name, brand voice, colour palette descriptors, product category, and product image content.

Provider: OpenAI Ireland Limited, 1st Floor, The Liffey Trust Centre, 117–126 Sheriff Street Upper, Dublin 1, Ireland. Processing may occur on subprocessors in the United States; the transfer basis is standard contractual clauses (SCCs). OpenAI does not use API inputs to train its models (OpenAI API data-usage policy).

Notice pursuant to Art. 52 EU AI Act: Content generated by AI may contain errors or incomplete information. All generated emails are drafts — please review them critically before syncing to Klaviyo.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance) and Art. 6 para. 1 lit. f GDPR (legitimate interest in providing a high-quality service).

8. Database & Job Queue

Session data, brand information, generated email versions, and workflow metadata are stored in a PostgreSQL database running on our self-hosted Contabo VPS. Background generation jobs are queued in Redis (also self-hosted on the same server). No data is shared with third parties from these systems beyond what is described above.

Legal basis: Art. 6 para. 1 lit. b GDPR — necessary to perform the contract.

9. No Analytics or Tracking

We do not use Google Analytics, Meta Pixel, PostHog, Sentry, Plausible, or any other analytics, advertising, or error-tracking services on this website.

10. Retention

Data associated with your session and generated emails is retained for as long as your account remains active. After account closure, data is deleted subject to statutory retention obligations under German commercial and tax law (§ 257 HGB, § 147 AO: up to 10 years for billing records).

Klaviyo OAuth tokens are deleted immediately upon your request.

11. Your Rights

Subject to the statutory requirements, you have the following rights under Arts. 15–21 GDPR:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)

To exercise these rights, contact system@uncreative.dev.

12. Right to Lodge a Complaint

You have the right under Art. 77 GDPR to lodge a complaint with a supervisory authority if you believe that the processing of your personal data is unlawful. The supervisory authority competent for us is:

Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Königstraße 10a
70173 Stuttgart
Germany
Tel.: +49 711 6155410
Email: poststelle@lfdi.bwl.de

13. Right to Object

Where personal data processing is based on Art. 6 para. 1 lit. f GDPR (legitimate interests), you have the right to object at any time on grounds relating to your particular situation. We will then stop processing your data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless the processing serves the establishment, exercise, or defence of legal claims.