Privacy Policy
Version: December 2025
Important Notice on Translations
This English version is provided for informational purposes only. The German version of these legal documents is the sole legally binding version. In the event of any discrepancy, ambiguity, or conflict between this English translation and the German original, the German version shall prevail.
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Roman Moor Game-Design (Sole Proprietorship)
Owner: Roman Moor
Milbertshofener Straße 54
80807 Munich
Germany
Email: contact@framo.app
2. Purposes of Data Processing
We process personal data for the provision and further development of Framo, in particular for:
- Operation and provision of the Framo platform
- Creation, editing, and generation of AI-powered content
- Storage and management of projects and content
- Registration of user accounts and login (authentication)
- Billing for subscriptions and credits
- Communication with users (e.g., support)
- Detection and prevention of abuse and fraud
- Ensuring IT security (logs, monitoring)
- Improvement and further development of our services
- Optional sending of information and updates (newsletter), where consent has been given
3. Categories of Personal Data
3.1 User Data
- Email address
- Password (encrypted)
- Name or other voluntary profile data, where applicable
3.2 Subscription and Billing Data
We collect and process subscription-related data through our payment provider Polar:
- Current subscription plan and tier (Free, Pro, Max, Enterprise)
- Subscription status (active, canceled, past due, revoked)
- Billing interval (monthly or annual)
- Subscription start date, renewal dates, and expiration dates
- Payment method type (not full card details, which are stored by Polar)
- Billing history and invoice records
- Plan change history (upgrades, downgrades, cancellations)
- Grace period status and pending plan changes
3.3 Credit and Transaction Data
We maintain detailed records of credit transactions for account management and audit purposes:
- Current credit balance
- Credit allocation history (monthly allocations, top-up purchases)
- Credit consumption records (operation type, credits used, timestamp)
- Credit adjustments (rollovers, cap applications, forfeitures)
- Credit reservation records for in-progress operations
This transaction logging is necessary for:
- Accurate credit balance tracking
- Dispute resolution and customer support
- Fraud detection and prevention
- Compliance with financial record-keeping requirements
3.4 Content and Project Data
- Content uploaded by the User (e.g., texts, prompts, files)
- AI-generated content
- Project-specific settings and metadata
3.5 Log and System Data
- IP address (truncated where technically possible)
- Date and time of access
- Device and browser information
- Technical usage logs (e.g., error messages, performance data)
- Logs of AI generations (e.g., timestamp, model used, resource consumption)
3.6 Communication Data
- Content of support requests
- Email communication with us
- Newsletter information (registration data, receipt), where applicable
4. Legal Bases for Processing
Processing is carried out on the following legal bases, depending on the purpose:
| Legal Basis | Application |
|---|---|
| Art. 6(1)(b) GDPR (Contract performance) | Provision of the platform, user registration, billing, and use of features |
| Art. 6(1)(c) GDPR (Legal obligation) | Tax and commercial law retention obligations |
| Art. 6(1)(f) GDPR (Legitimate interest) | IT security (logs, abuse detection), improvement of our services, internal administration |
| Art. 6(1)(a) GDPR (Consent) | Sending of newsletters or optional marketing communications, and optional analysis or convenience features where applicable |
5. Storage and Deletion
5.1
Personal data is stored only for as long as necessary for the respective purposes or for as long as we are legally obligated to retain it.
5.2
Account and profile data is generally stored for as long as a user account exists. After deletion of the account, the personal data of the account will be deleted or anonymized, unless statutory retention obligations prevent this.
5.3
Content and project data is stored as long as the User maintains it in their account. The User can independently delete their own content and projects. After account deletion, content will – subject to statutory obligations – be deleted or anonymized.
5.4
Billing and booking data (e.g., invoices) is retained in accordance with statutory retention periods, generally up to 10 years.
5.5
Log and system data is stored for a technically necessary and security-relevant period (typically 30–90 days) and then deleted or anonymized, unless longer retention is required in individual cases to investigate security incidents or to assert legal claims.
5.6
Backups: Our infrastructure providers (particularly Convex) maintain automated backups for up to 30 days. Deleted data may persist in these backups until they are automatically overwritten but is not actively used or accessed.
5.7 Data Retention After Account Deletion
When a User deletes their account, we distinguish between data that is deleted immediately and data that is retained for specific purposes:
(a) Data Deleted Immediately:
- All projects, scenes, and creative content
- Uploaded files (models, images, videos, textures, HDRIs, gobos)
- Custom materials and configurations
- Profile information and preferences
- Active session data
(b) Data Retained for Account Reactivation (30 days):
- Your account may be reactivated within 30 days by signing in again
- During this period, minimal account identifiers are retained to enable reactivation
- After 30 days without reactivation, the account becomes permanently inactive
(c) Data Retained for Fraud Prevention (Indefinitely):
To protect our platform and legitimate users from abuse, we retain certain identifiers in hashed or pseudonymized form after account deletion:
- Email address hash: A one-way cryptographic hash of your email address
- OAuth provider identifiers: Hashed identifiers from authentication providers (e.g., Google account ID)
- Welcome credit claim record: A record that welcome credits were claimed, to prevent repeated claims
Purpose and Legal Basis: This retention is necessary for our legitimate interest in fraud prevention and abuse detection (Art. 6(1)(f) GDPR). Specifically, it prevents users from repeatedly deleting and recreating accounts to claim free welcome credits multiple times, which constitutes abuse of our service.
Technical Measures: These identifiers are stored in hashed form, making it computationally infeasible to derive the original data. They are used solely for fraud detection during new account registration.
(d) Your Rights Regarding Retained Data:
You may request complete erasure of all fraud prevention identifiers by contacting us at contact@framo.app. Such requests will be processed in accordance with Art. 17 GDPR, taking into account any overriding legitimate interests. Please note that if complete erasure is granted and you create a new account in the future, you will still not receive additional welcome credits, as the credit system is designed to provide one-time welcome credits per person.
6. Recipients and Categories of Recipients
In the course of operating Framo, we use service providers that process personal data on our behalf (processors):
| Category | Service Provider |
|---|---|
| Hosting and Infrastructure | Vercel (cloud hosting, provision of web application), Convex (database and session handling) |
| Payment Processing | Polar (payment service provider / Merchant of Record, Stripe-based) |
| Email Delivery | Resend (transactional and, where applicable, informational emails) |
| AI Features | fal.ai and, where applicable, other model providers for executing AI features |
These service providers process personal data only according to our instructions and on the basis of corresponding contracts pursuant to Art. 28 GDPR.
Note on Polar: As Merchant of Record, Polar acts as an independent controller for payment-related data. For details on how Polar processes your payment information, please refer to Polar's Privacy Policy.
Beyond this, we only transfer data where there is a legal obligation to do so (e.g., to authorities) or where the User has expressly consented.
7. Data Transfer to Third Countries
Some of our service providers are located outside the European Union (EU) or the European Economic Area (EEA). Data transfers are based on the following legal mechanisms:
| Service Provider | Location | Transfer Mechanism |
|---|---|---|
| Vercel | USA | EU-US Data Privacy Framework (DPF) – certified |
| Convex | USA | Standard Contractual Clauses (SCC) + technical measures |
| Resend | USA | EU-US Data Privacy Framework (DPF) – certified |
| fal.ai | USA | Standard Contractual Clauses (SCC) + technical measures |
| Polar | Sweden (EU) | No third-country transfer required; individual sub-processors may use SCC |
7.1 EU-US Data Privacy Framework (DPF)
The European Commission adopted an adequacy decision for the EU-US Data Privacy Framework on July 10, 2023. Transfers to DPF-certified US companies are therefore permitted without additional safeguards. The certification status of our service providers can be verified at dataprivacyframework.gov/list.
7.2 Standard Contractual Clauses (SCC)
For service providers not covered by the DPF, we use the Standard Contractual Clauses (SCC) provided by the EU Commission pursuant to Art. 46(2)(c) GDPR, supplemented by technical and organizational measures (particularly encryption in transit and at rest, data minimization).
Note: Despite these measures, the level of data protection in third countries may in individual cases be lower than that in the EU (e.g., government access without adequate legal remedies).
8. Newsletter and Communication
8.1
We may send newsletters or product information to users who have expressly consented. The legal basis is Art. 6(1)(a) GDPR.
8.2
The User may revoke their consent to receive newsletters at any time with effect for the future, e.g., via an unsubscribe link in the email or by notification to contact@framo.app.
8.3
Contract-related communications (e.g., security-relevant information, changes to GTC or technical features) may be sent independently of the newsletter and are based on Art. 6(1)(b) and (f) GDPR.
9. Cookies and Tracking
9.1 Technically Necessary Cookies
Technically necessary cookies (e.g., session cookies for login and security) serve exclusively for the functioning of the platform and are based on Art. 6(1)(f) GDPR (legitimate interest in secure and functional operation).
9.2 Analytics
With your consent (Art. 6(1)(a) GDPR), we use the following analytics services:
- PostHog (PostHog Inc., EU data processing) — product analytics and usage tracking
- Vercel Analytics / Speed Insights (Vercel Inc.) — page performance and web vitals
9.3 Advertising
With your consent (Art. 6(1)(a) GDPR), we use the following advertising technologies:
- Google Ads (Google Ireland Ltd.) — conversion tracking and remarketing. Google processes data in accordance with Google Consent Mode v2.
- Meta Pixel (Meta Platforms Ireland Ltd.) — conversion tracking and advertising measurement.
Data may be transferred to the USA; legal basis for transfer: EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCC).
9.4 Consent Management
On your first visit, you will be shown a cookie consent banner where you can accept or reject optional cookies by category (Analytics, Marketing). You can change your preferences at any time via the "Cookies" link in the website footer.
Detailed information on all cookies is available in our Cookie Policy.
10. AI Processing and Profiling
10.1
Within Framo, content is processed using various AI models provided by third-party providers (e.g., fal.ai). Processing is carried out for the performance of the contract (Art. 6(1)(b) GDPR).
10.2
AI-generated content may be erroneous, incomplete, or biased. Users must independently review all results before further use.
10.3
No automated profiling within the meaning of Art. 22 GDPR takes place that produces legal effects concerning the User or similarly significantly affects them.
11. Rights of Data Subjects
Data subjects have, within the scope of the statutory requirements, the following rights in particular:
| Right | Legal Basis |
|---|---|
| Access | Art. 15 GDPR |
| Rectification | Art. 16 GDPR |
| Erasure | Art. 17 GDPR |
| Restriction of processing | Art. 18 GDPR |
| Data portability | Art. 20 GDPR |
| Objection to certain processing | Art. 21 GDPR |
| Withdrawal of consent (with effect for the future) | Art. 7(3) GDPR |
To exercise these rights, a notification to contact@framo.app is sufficient.
12. Right to Lodge a Complaint with Supervisory Authorities
Data subjects have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement.
The competent supervisory authority for us is in particular:
Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht – BayLDA)
13. Amendments to this Privacy Policy
We may adapt this Privacy Policy to accommodate changes in the legal situation, technical developments, or new services. The currently valid version is available on our website.