Privacy Policy

Disclaimer: This English translation is for informational purposes only. The German version is legally binding.

As of: February 2026 · Version 1.0

1. Controller

Controller within the meaning of the GDPR:

Cloudox

– Geschäftsbereich Pixalo –

Oststraße 181

47057 Duisburg

Deutschland

E-Mail: [email protected]

2. Scope of Application

This Privacy Notice applies to the use of the SaaS platform Pixalo and the associated website. Pixalo is directed exclusively at commercial users (B2B) and offers professional photographers a technical platform to operate digital shops.

Pixalo is neither a marketplace nor a mediator. There are no contractual relations between Pixalo and the end customers of the photographers.

3. Role Allocation under the GDPR

3.1 Pixalo as Controller

Pixalo is the Controller (Art. 4 No. 7 GDPR) for the following processing activities:

  • Registration and management of Tenant accounts (photographers)
  • Billing of the Pixalo subscription via Stripe
  • Operation and security of the platform
  • Communication with Tenants
  • Visitor statistics of the website (upon consent)

3.2 Pixalo as Processor

Insofar as photographers (Tenants) process personal data of their end customers via the platform, Pixalo acts exclusively as a Processor pursuant to Art. 28 GDPR.

In this case, the Tenant is the Controller for the data processing. A binding Data Processing Agreement (DPA) is concluded upon registration.

4. Processed Data and Legal Bases

4.1 Tenant Account Data

Data: Name, email address, company name, address, login credentials, billing details

Legal basis: Art. 6 Abs. 1 lit. b GDPR (performance of contract)

Storage period: Duration of the contractual relationship plus statutory retention periods

4.2 Subscription Payment (Stripe)

Payment of the Pixalo subscription is processed via Stripe. For this purpose, Pixalo transmits the necessary details to Stripe Payments Europe Ltd. (Ireland).

Legal basis: Art. 6 Abs. 1 lit. b GDPR (performance of contract)

Stripe processes payment details independently. Further details: stripe.com/de/privacy

4.3 Payment Processing by Tenants

Tenants can connect their own payment providers (e.g., Stripe, PayPal). Pixalo merely provides the technical interface.

4.4 Log and Security Data

Data: IP address, timestamp, access paths, user-agent, error logs

Purpose: Security, stability, error analysis, abuse prevention

Legal basis: Art. 6 Abs. 1 lit. f GDPR (legitimate interest)

Storage period: Maximum 90 days, unless longer retention is required for investigation

4.5 Legal Records (DPA, AGB)

Data: Time of consent, IP address, document version

Legal basis: Art. 6 Abs. 1 lit. c GDPR (legal obligation)

Storage period: Indefinite (legal burden of proof)

5. Photos, Downloads, and Data Minimization

Pixalo consistently pursues the principle of data minimization:

  • Preview Images: Low resolution, watermarked. No access to originals without purchase.
  • Download Links: Valid for a maximum of 7 days. After expiration, access is no longer possible.
  • End-customer Data: Processed exclusively upon instructions of the Tenant (order processing).

6. Retention Periods

| Data Category | Storage Duration |
| --- | --- |
| Tenant account data | Duration of contract + statutory periods |
| Invoices, order details | 10 years (§ 147 AO, § 257 HGB) |
| Download links | 7 days |
| Log and security data | Max. 90 days |
| Legal records (DPA, AGB) | Indefinite |

7. Hosting and Infrastructure

The platform is operated on servers within the European Union. Cloud infrastructure, object storage, and content delivery networks are utilized.

To ensure security, detailed information about the systems or providers used is not published.

Legal basis: Art. 6 Abs. 1 lit. b and f GDPR

8. Mobile App (Pixalo Photographer)

The Pixalo Mobile App is used by photographers to start shooting sessions and create student tags.

The app does not store or process photos directly on the mobile device. Photos are processed later via the Pixalo Dashboard.

The app may transfer the following data:

  • Session ID
  • Tagging information (association of students to photos)
  • Photographer's user account (authentication)

Legal basis: Art. 6 Abs. 1 lit. b GDPR (performance of contract)

9. Third Country Transfer

If personal data is transferred to countries outside the EU/EEA, this occurs exclusively on the basis of:

  • Adequacy decisions of the EU Commission (Art. 45 GDPR)
  • Standard contractual clauses (Art. 46 Abs. 2 lit. c GDPR)
  • Additional technical and organizational protection measures

10. Cookies and Tracking

Pixalo uses a cookie consent banner pursuant to § 25 TTDSG and Art. 6 Abs. 1 lit. a GDPR.

Technically Necessary Cookies

These cookies are required for the operation of the platform and are set without consent.

Legal basis: § 25 Abs. 2 No. 2 TTDSG, Art. 6 Abs. 1 lit. f GDPR

Analytics Cookies

Statistics and analysis tools are only activated after explicit consent.

Legal basis: Art. 6 Abs. 1 lit. a GDPR (consent)

Consent can be revoked at any time via the cookie banner.

11. Disclosure of Data

A transfer of personal data only occurs:

  • for the performance of the contract (e.g., payment processing via Stripe)
  • if there is a legal obligation
  • within the scope of order processing with appropriate contracts

A transfer for advertising purposes or a sale of data does not take place.

12. Automated Decision Making

There is no automated decision-making including profiling within the meaning of Art. 22 GDPR.

13. Rights of the Data Subjects

Data subjects have the following rights:

  • Access (Art. 15 GDPR) to the processed data
  • Rectification (Art. 16 GDPR) of incorrect data
  • Erasure (Art. 17 GDPR), provided that no retention obligations exist
  • Restriction (Art. 18 GDPR) of processing
  • Data portability (Art. 20 GDPR)
  • Objection (Art. 21 GDPR) to the processing
  • Withdrawal of granted consents with effect for the future
  • Complaint to a supervisory authority (Art. 77 GDPR)

Please address requests to: [email protected]

Insofar as Pixalo acts as a processor, requests must be addressed to the respective controller (tenant).

Competent supervisory authority: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen

13.1 Right to Data Erasure

Users have the right to request the erasure of their user account and all associated personal data (Art. 17 GDPR).

Please send your request to:

[email protected]

Please specify the registered email address and the associated Tenant.

Erasure usually occurs within 30 days, unless statutory retention obligations (e.g., tax or commercial retention duties pursuant to § 147 AO, § 257 HGB) prevent this.

14. Changes to this Privacy Policy

This Privacy Policy may be adjusted in the event of legal, technical, or organizational changes. The current version is available at any time on this page.
