Privacy Policy
Version: December 2025
Privacy Policy
Important Notice on Translations
This English version is provided for informational purposes only. The German version of these legal documents is the sole legally binding version. In the event of any discrepancy, ambiguity, or conflict between this English translation and the German original, the German version shall prevail.
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Roman Moor Game-Design (Sole Proprietorship) Owner: Roman Moor Milbertshofener Straße 54 80807 Munich Germany Email: contact@framo.app
2. Purposes of Data Processing
We process personal data for the provision and further development of Framo, in particular for:
- Operation and provision of the Framo platform
- Creation, editing, and generation of AI-powered content
- Storage and management of projects and content
- Registration of user accounts and login (authentication)
- Billing for subscriptions and credits
- Communication with users (e.g., support)
- Detection and prevention of abuse and fraud
- Ensuring IT security (logs, monitoring)
- Improvement and further development of our services
- Optional sending of information and updates (newsletter), where consent has been given
3. Categories of Personal Data
3.1 User Data
- Email address
- Password (encrypted)
- Name or other voluntary profile data, where applicable
3.2 Subscription and Billing Data
We collect and process subscription-related data through our payment provider Polar:
- Current subscription plan and tier (Free, Pro, Max, Enterprise)
- Subscription status (active, canceled, past due, revoked)
- Billing interval (monthly or annual)
- Subscription start date, renewal dates, and expiration dates
- Payment method type (not full card details, which are stored by Polar)
- Billing history and invoice records
- Plan change history (upgrades, downgrades, cancellations)
- Grace period status and pending plan changes
3.3 Credit and Transaction Data
We maintain detailed records of credit transactions for account management and audit purposes:
- Current credit balance
- Credit allocation history (monthly allocations, top-up purchases)
- Credit consumption records (operation type, credits used, timestamp)
- Credit adjustments (rollovers, cap applications, forfeitures)
- Credit reservation records for in-progress operations
This transaction logging is necessary for:
- Accurate credit balance tracking
- Dispute resolution and customer support
- Fraud detection and prevention
- Compliance with financial record-keeping requirements
3.4 Content and Project Data
- Content uploaded by the User (e.g., texts, prompts, files)
- AI-generated content
- Project-specific settings and metadata
3.5 Log and System Data
- IP address (truncated where technically possible)
- Date and time of access
- Device and browser information
- Technical usage logs (e.g., error messages, performance data)
- Logs of AI generations (e.g., timestamp, model used, resource consumption)
3.6 Communication Data
- Content of support requests
- Email communication with us
- Newsletter information (registration data, receipt), where applicable
4. Legal Bases for Processing
Processing is carried out on the following legal bases, depending on the purpose:
| Legal Basis | Application |
|---|---|
| Art. 6(1)(b) GDPR (Contract performance) | Provision of the platform, user registration, billing, and use of features |
| Art. 6(1)(c) GDPR (Legal obligation) | Tax and commercial law retention obligations |
| Art. 6(1)(f) GDPR (Legitimate interest) | IT security (logs, abuse detection), improvement of our services, internal administration |
| Art. 6(1)(a) GDPR (Consent) | Sending of newsletters or optional marketing communications, and optional analysis or convenience features where applicable |
5. Storage and Deletion
5.1
Personal data is only stored for as long as necessary for the respective purposes or as we are legally obligated to do so.
5.2
Account and profile data is generally stored for as long as a user account exists. After deletion of the account, the personal data of the account will be deleted or anonymized, unless statutory retention obligations prevent this.
5.3
Content and project data is stored as long as the User maintains it in their account. The User can independently delete their own content and projects. After account deletion, content will – subject to statutory obligations – be deleted or anonymized.
5.4
Billing and booking data (e.g., invoices) is retained in accordance with statutory retention periods, generally up to 10 years.
5.5
Log and system data is stored for a technically necessary and security-relevant period (typically 30–90 days) and then deleted or anonymized, unless longer retention is required in individual cases to investigate security incidents or to assert legal claims.
5.6
Backups: Our infrastructure providers (particularly Convex) maintain automated backups for up to 30 days. Deleted data may persist in these backups until they are automatically overwritten but is not actively used or accessed.
6. Recipients and Categories of Recipients
In the course of operating Framo, we use service providers that process personal data on our behalf (processors):
| Category | Service Provider |
|---|---|
| Hosting and Infrastructure | Vercel (cloud hosting, provision of web application), Convex (database and session handling) |
| Payment Processing | Polar (payment service provider / Merchant of Record, Stripe-based) |
| Email Delivery | Resend (transactional and, where applicable, informational emails) |
| AI Features | fal.ai and, where applicable, other model providers for executing AI features |
These service providers process personal data only according to our instructions and on the basis of corresponding contracts pursuant to Art. 28 GDPR.
Note on Polar: As Merchant of Record, Polar acts as an independent controller for payment-related data. For details on how Polar processes your payment information, please refer to Polar's Privacy Policy.
Beyond this, we only transfer data where there is a legal obligation to do so (e.g., to authorities) or where the User has expressly consented.
7. Data Transfer to Third Countries
Some of our service providers are located outside the European Union (EU) or the European Economic Area (EEA). Data transfers are based on the following legal mechanisms:
| Service Provider | Location | Transfer Mechanism |
|---|---|---|
| Vercel | USA | EU-US Data Privacy Framework (DPF) – certified |
| Convex | USA | Standard Contractual Clauses (SCC) + technical measures |
| Resend | USA | EU-US Data Privacy Framework (DPF) – certified |
| fal.ai | USA | Standard Contractual Clauses (SCC) + technical measures |
| Polar | Sweden (EU) | No third-country transfer required; individual sub-processors may use SCC |
7.1 EU-US Data Privacy Framework (DPF)
The European Commission adopted an adequacy decision for the EU-US Data Privacy Framework on July 10, 2023. Transfers to DPF-certified US companies are therefore permitted without additional safeguards. The certification status of our service providers can be verified at dataprivacyframework.gov/list.
7.2 Standard Contractual Clauses (SCC)
For service providers not covered by the DPF, we use the Standard Contractual Clauses (SCC) provided by the EU Commission pursuant to Art. 46(2)(c) GDPR, supplemented by technical and organizational measures (particularly encryption in transit and at rest, data minimization).
Note: Despite these measures, the level of data protection in third countries may in individual cases be lower than that in the EU (e.g., government access without adequate legal remedies).
8. Newsletter and Communication
8.1
We may send newsletters or product information to users who have expressly consented. The legal basis is Art. 6(1)(a) GDPR.
8.2
The User may revoke their consent to receive newsletters at any time with effect for the future, e.g., via an unsubscribe link in the email or by notification to contact@framo.app.
8.3
Contract-related communications (e.g., security-relevant information, changes to GTC or technical features) may be sent independently of the newsletter and are based on Art. 6(1)(b) and (f) GDPR.
9. Cookies and Tracking
We currently do not use optional analytics or marketing cookies. Where technically necessary cookies or comparable technologies (e.g., session cookies for login and security) are used, these serve exclusively for the functioning of the platform and are based on Art. 6(1)(f) GDPR (legitimate interest in secure and functional operation).
Detailed information on any cookies is available in our Cookie Policy. As soon as optional cookies or analytics tools are used, we will – where legally required – obtain your consent before their use.
10. AI Processing and Profiling
10.1
Within Framo, content is processed using various AI models provided by third-party providers (e.g., fal.ai). Processing is carried out for the performance of the contract (Art. 6(1)(b) GDPR).
10.2
AI-generated content may be erroneous, incomplete, or biased. Users must independently review all results before further use.
10.3
No automated profiling within the meaning of Art. 22 GDPR takes place that produces legal effects concerning the User or similarly significantly affects them.
11. Rights of Data Subjects
Data subjects have, within the scope of the statutory requirements, the following rights in particular:
| Right | Legal Basis |
|---|---|
| Access | Art. 15 GDPR |
| Rectification | Art. 16 GDPR |
| Erasure | Art. 17 GDPR |
| Restriction of processing | Art. 18 GDPR |
| Data portability | Art. 20 GDPR |
| Objection to certain processing | Art. 21 GDPR |
| Withdrawal of consent (with effect for the future) | Art. 7(3) GDPR |
To exercise these rights, a notification to contact@framo.app is sufficient.
12. Right to Lodge a Complaint with Supervisory Authorities
Data subjects have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement.
The competent supervisory authority for us is in particular:
Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht – BayLDA)
13. Amendments to this Privacy Policy
We may adapt this Privacy Policy to accommodate changes in the legal situation, technical developments, or new services. The currently valid version is available on our website.
Version: December 2025