
Privacy Policy

Last updated: February 2026

1. Name and Contact Details of the Controller

The controller within the meaning of Art. 4(7) of the General Data Protection Regulation (GDPR) is:

Tran Consulting UG (haftungsbeschränkt)

Represented by: Vu Minh Tran, Managing Director

Ericusspitze 4

20457 Hamburg, Germany

Email: info[at]tranconsulting.de

If you have questions about the processing of your personal data, your rights as a data subject, or wish to revoke consent, please contact us using the details above.

2. Overview of Data Processing

This privacy policy explains the nature, scope, and purposes of the collection and processing of personal data on the KPOPPERS platform (hereinafter "Platform"). It applies to all services offered under the domain kpoppers.app and related subdomains.

Personal data within the meaning of Art. 4(1) GDPR means any information relating to an identified or identifiable natural person. This includes, for example, names, email addresses, IP addresses, and usage behavior.

We process personal data only in compliance with the applicable data protection regulations, in particular the GDPR, the German Federal Data Protection Act (BDSG), and the German Telecommunications-Telemedia Data Protection Act (TTDSG).

3. Legal Bases for Processing

We process personal data on the following legal bases, depending on the specific processing activity:

  • Art. 6(1)(a) GDPR — Consent: Where you have given express consent for a specific processing purpose (e.g., optional analytics cookies, marketing communications). You may withdraw consent at any time with effect for the future.
  • Art. 6(1)(b) GDPR — Performance of a contract: Where processing is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract. This applies in particular to account creation, subscription management, and the provision of the Platform's core features.
  • Art. 6(1)(c) GDPR — Legal obligation: Where processing is necessary for compliance with a legal obligation to which we are subject, in particular tax and commercial law retention obligations under German law (§ 147 AO, § 257 HGB).
  • Art. 6(1)(f) GDPR — Legitimate interests: Where processing is necessary for the purposes of a legitimate interest pursued by us or a third party, provided that your interests, fundamental rights, and freedoms do not override such interest. Our legitimate interests include platform security, fraud prevention, service optimization, and the assertion or defense of legal claims.

The specific legal basis for each processing activity is indicated in the relevant sections below.

4. Provision of the Website and Server Log Files

When you access the Platform, our hosting provider automatically collects and stores information in so-called server log files, which your browser transmits automatically. This includes:

  • IP address of the requesting device
  • Date and time of the request
  • URL and HTTP method of the request
  • HTTP status code returned by the server
  • Volume of data transferred
  • Referring URL (previously visited page)
  • Browser type and version, operating system

This data is processed for the purpose of ensuring the secure and stable operation of the Platform, for error analysis, and for the prevention and investigation of abuse. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the provision of a technically functioning and secure platform.

Server log data is not combined with other data sources. Log data is automatically deleted after 30 days unless a longer retention is required for a specific investigation of abuse or a security incident.

5. Account Registration and User Account

To use the Platform's features beyond browsing, you must create a user account. During registration, we collect the following data:

  • Email address
  • Username (chosen by you)
  • Encrypted password hash (if registering with email/password)
  • Date and time of registration

If you register using Google OAuth, Google transmits your name, email address, and profile picture URL to us. We do not receive your Google password. Google's privacy policy applies to data processed by Google in connection with the OAuth process.

Your account data is processed for the purpose of creating and managing your user account, authenticating your identity, and providing you with access to the Platform's features. The legal basis is Art. 6(1)(b) GDPR (performance of a contract).

Your account data is stored for the duration of your account. Upon account deletion, your data is removed in accordance with Section 12 of this policy.

6. Subscription and Payment Data

When you subscribe to an AI idol, payment processing is handled exclusively by Stripe, Inc. (hereinafter "Stripe"). We do not collect, store, or process your credit card number, bank account details, or other payment instrument data on our servers. This data is entered directly on Stripe's payment page or through Stripe's embedded payment elements and transmitted to Stripe in encrypted form.

We receive the following data from Stripe:

  • Stripe customer ID
  • Subscription ID, status, and billing period
  • Payment method type (e.g., "card") and last four digits of the card
  • Transaction amounts, currency, and timestamps
  • Invoice IDs and payment success/failure status

This data is processed for the purpose of managing your subscriptions, providing access to paid features, issuing invoices, and handling billing disputes. The legal basis is Art. 6(1)(b) GDPR (performance of a contract).

Stripe processes payment data as an independent controller for its own fraud prevention and compliance purposes. Stripe is certified under the PCI DSS (Payment Card Industry Data Security Standard). For details on Stripe's data processing, please refer to Stripe's privacy policy at stripe.com/privacy.

Invoice and transaction data is retained for the statutory retention period of 10 years under German tax law (§ 147 AO) and 6 years under German commercial law (§ 257 HGB), beginning at the end of the calendar year in which the transaction occurred.

7. Platform Usage and AI Interaction Data

When you use the Platform, we collect and process data about your interactions for the purpose of providing the service and improving the user experience. This includes:

7.1 General Usage Data

  • Pages and features accessed, with timestamps
  • Idol profiles viewed, subscriptions held
  • Interaction frequency and session duration
  • Device type, browser version, screen resolution
  • Language and region settings

The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest is the improvement and optimization of the Platform.

7.2 Messaging and Chat Data

Messages you send to AI idols are processed to generate personalized responses. Your message content and the generated responses are stored in your account for the purpose of maintaining conversation history and continuity. The legal basis is Art. 6(1)(b) GDPR (performance of a contract).

7.3 Voice Calls and ASMR Content

When you use voice call or ASMR features, your interaction preferences and session metadata (duration, timestamps) are stored. Audio generated for you by AI is processed on third-party infrastructure (see Section 9) and delivered to you through the Platform. The legal basis is Art. 6(1)(b) GDPR.

7.4 Music and Content Preferences

Data about the music you listen to, content you favorite, and features you use is processed to personalize your experience and provide recommendations. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in service personalization).

8. Cookies and Similar Technologies

The Platform uses cookies and similar technologies (e.g., local storage) to ensure its functionality, enhance usability, and analyze usage. Cookies are small text files stored on your device by your browser.

8.1 Strictly Necessary Cookies

These cookies are essential for the operation of the Platform. They enable core functionalities such as authentication, session management, and security features (e.g., CSRF protection). Without these cookies, the Platform cannot function properly. The legal basis is Art. 6(1)(b) GDPR and § 25(2) TTDSG (strictly necessary cookies).

  • Session cookie — Maintains your authenticated session. Expires when you close the browser or after 30 days of inactivity.
  • Theme preference — Stores your light/dark mode selection. Persistent.

8.2 Analytics Cookies

We use Vercel Analytics to collect anonymized usage data for the purpose of understanding how visitors interact with the Platform and improving the service. Vercel Analytics is designed to be privacy-friendly and does not use cookies for cross-site tracking. Data collected includes page views, referrers, and browser information. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in service optimization). You may object to this processing at any time (see Section 11).

You can configure your browser to reject all or certain cookies, or to notify you when cookies are set. Please note that disabling strictly necessary cookies may impair the functionality of the Platform.

9. Third-Party Service Providers (Data Processors)

We engage third-party service providers to operate the Platform. Where these providers process personal data on our behalf, data processing agreements pursuant to Art. 28 GDPR are in place. Where providers are located outside the EU/EEA, data transfers are safeguarded by EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) or an adequacy decision of the European Commission (Art. 45 GDPR).

9.1 Stripe, Inc. — Payment Processing

Provider: Stripe, Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA. Purpose: Processing subscription payments, managing billing, fraud prevention. Data processed: Payment method details, transaction data, IP address. Transfer basis: EU Standard Contractual Clauses; Stripe is PCI DSS Level 1 certified.

9.2 Google LLC — OAuth Authentication

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Purpose: Optional user authentication via Google sign-in. Data processed: Name, email address, profile picture URL transmitted during the OAuth flow. Transfer basis: EU Standard Contractual Clauses for processing by Google LLC (USA).

9.3 Vercel, Inc. — Hosting and Analytics

Provider: Vercel, Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. Purpose: Website hosting, content delivery, and anonymized analytics. Data processed: IP address (anonymized for analytics), HTTP request data, page views. Transfer basis: EU Standard Contractual Clauses.

9.4 Neon, Inc. — Database Hosting

Provider: Neon, Inc., San Francisco, CA, USA. Purpose: Hosting the Platform's PostgreSQL database containing user accounts, subscription data, and interaction data. Data processed: All user data stored in the database. Transfer basis: EU Standard Contractual Clauses. Data is encrypted at rest and in transit.

9.5 ElevenLabs, Inc. — Voice and ASMR Generation

Provider: ElevenLabs, Inc., New York, USA. Purpose: Generating AI voice messages and ASMR audio content for AI idol interactions. Data processed: Text prompts and interaction context used to generate audio; no direct user personal data is transmitted. Transfer basis: EU Standard Contractual Clauses.

9.6 OpenAI, Inc. — AI Content Generation

Provider: OpenAI, Inc., San Francisco, CA, USA. Purpose: Generating AI idol chat responses, fan fiction, and personalized content. Data processed: Conversation context and prompts (which may include user messages). Transfer basis: EU Standard Contractual Clauses. OpenAI does not use API inputs for model training.

9.7 Google LLC — Gemini AI Content Generation

Provider: Google Ireland Limited / Google LLC. Purpose: Alternative AI content generation for idol interactions and text-based content. Data processed: Conversation context and prompts. Transfer basis: EU Standard Contractual Clauses.

9.8 Upstash, Inc. — Rate Limiting and Caching

Provider: Upstash, Inc., San Francisco, CA, USA. Purpose: API rate limiting to prevent abuse and caching for performance optimization. Data processed: Hashed IP addresses and request metadata for rate limiting. Transfer basis: EU Standard Contractual Clauses. Data is automatically expired after short retention periods.

9.9 Resend, Inc. — Transactional Email

Provider: Resend, Inc., San Francisco, CA, USA. Purpose: Sending transactional emails (account verification, subscription confirmations, notifications). Data processed: Email address, email subject, and content. Transfer basis: EU Standard Contractual Clauses.

10. International Data Transfers

Several of our service providers are located in the United States of America or other countries outside the European Economic Area (EEA). Where personal data is transferred to such countries, we ensure that an adequate level of data protection is maintained through one or more of the following safeguards pursuant to Chapter V of the GDPR:

  • EU Standard Contractual Clauses (Art. 46(2)(c) GDPR): We have concluded Standard Contractual Clauses as adopted by the European Commission with each service provider located outside the EEA.
  • Adequacy decisions (Art. 45 GDPR): Where applicable, transfers are based on adequacy decisions by the European Commission confirming that the recipient country ensures an adequate level of data protection.
  • Supplementary measures: Where required by the circumstances, additional technical (e.g., encryption) and organizational measures are implemented to ensure the effectiveness of the transfer safeguards.

You may obtain a copy of the safeguards in place by contacting us using the details in Section 1.

11. Your Rights as a Data Subject

Under the GDPR, you have the following rights with respect to your personal data. To exercise any of these rights, please contact us using the details in Section 1. We will respond to your request within one month. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request.

11.1 Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether personal data concerning you is being processed and, where that is the case, access to the personal data and the following information: the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients, the envisaged retention period, the existence of your other rights, and information about the source of the data. You are entitled to receive a copy of the personal data undergoing processing free of charge.

11.2 Right to Rectification (Art. 16 GDPR)

You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

11.3 Right to Erasure (Art. 17 GDPR)

You have the right to obtain the erasure of personal data concerning you without undue delay where one of the following grounds applies: the personal data is no longer necessary for the purposes for which it was collected; you withdraw consent and there is no other legal ground for the processing; you object to the processing and there are no overriding legitimate grounds; the personal data has been unlawfully processed; or the personal data has to be erased for compliance with a legal obligation. This right does not apply to the extent that processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.

11.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to obtain restriction of processing where: you contest the accuracy of the personal data (for a period enabling us to verify the accuracy); the processing is unlawful and you oppose erasure and request restriction instead; we no longer need the personal data but you require it for the establishment, exercise, or defense of legal claims; or you have objected to processing pending the verification whether our legitimate grounds override yours.

11.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another controller without hindrance from us, where the processing is based on consent or on a contract and the processing is carried out by automated means. You may also request that we transmit the data directly to another controller, where technically feasible.

11.6 Right to Object (Art. 21 GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions. We shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. Where personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, and we will cease such processing without exception.

11.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on your consent, you have the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. You may withdraw consent by contacting us or by using the relevant functionality in the Platform (e.g., account settings).

11.8 Right to Lodge a Complaint (Art. 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR. The competent supervisory authority for Hamburg is:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit

Ludwig-Erhard-Str. 22, 7. OG

20459 Hamburg, Germany

12. Data Retention

We retain your personal data only for as long as is necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. The specific retention periods are as follows:

  • Account data: Stored for the duration of your account. Upon account deletion, personal data is anonymized or deleted within 30 days, except where statutory retention obligations apply.
  • Conversation and interaction data: Stored for the duration of your account. Deleted upon account deletion.
  • Payment and invoice data: Retained for 10 years from the end of the calendar year of the transaction pursuant to § 147 AO (Abgabenordnung) and § 257 HGB (Handelsgesetzbuch).
  • Server log files: Automatically deleted after 30 days.
  • Rate limiting data (Upstash): Automatically expired after minutes to hours, depending on the rate limit window.
  • Analytics data (Vercel): Aggregated and anonymized; individual data points are not retained beyond the analytics retention period.

After expiry of the applicable retention period, data is deleted or irreversibly anonymized, unless further retention is necessary for the establishment, exercise, or defense of legal claims.

13. Data Security

We implement appropriate technical and organizational measures pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk. These measures include, but are not limited to:

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Database data is encrypted at rest using AES-256 encryption.
  • Authentication security: Passwords are hashed using industry-standard algorithms (bcrypt). Sessions are managed with secure, HTTP-only cookies.
  • Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis.
  • Rate limiting: API endpoints are protected against abuse through rate limiting.
  • Regular updates: Software dependencies and infrastructure are kept up to date with security patches.

Despite these measures, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security of your data.

14. Automated Decision-Making and Profiling

The Platform uses AI systems to generate content (chat responses, voice messages, music, ASMR). These AI systems process your inputs to produce personalized responses, but they do not make decisions that produce legal effects concerning you or similarly significantly affect you within the meaning of Art. 22 GDPR.

We do not engage in automated decision-making based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. Content recommendations and personalization are based on your usage patterns but do not restrict your access to any features or content for which you hold a valid subscription.

15. Data Processing of Minors

The Platform is intended for users aged 16 and older. We do not knowingly collect personal data from children under the age of 16. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to delete that data as soon as possible.

If you are a parent or guardian and believe that your child under 16 has provided us with personal data, please contact us using the details in Section 1.

16. Changes to This Privacy Policy

We reserve the right to update this privacy policy from time to time to reflect changes in our data processing practices, legal requirements, or technical developments. The current version is always available on the Platform.

Material changes that affect the nature, scope, or purposes of data processing will be communicated to you via email or through a prominent notice on the Platform before they take effect. Where changes require your consent, we will obtain such consent before applying the changes.

The "Last updated" date at the top of this policy indicates when it was last revised.

17. Contact

For any questions regarding this privacy policy, to exercise your rights as a data subject, or to report a data protection concern, please contact:

Tran Consulting UG (haftungsbeschränkt)

Ericusspitze 4

20457 Hamburg, Germany

Email: info[at]tranconsulting.de

We will endeavor to respond to all legitimate requests within one month. Occasionally it may take longer if your request is particularly complex or you have made a number of requests.
