Privacy Policy
Last updated: March 20, 2026
This policy explains how ClipSpark collects, uses, and protects your personal data in accordance with the EU General Data Protection Regulation (GDPR).
1. Data Controller
The data controller responsible for your personal data is:
Eduard Röhrig
Iris-Runge-Platz 11, 30539 Hannover, Germany
Email: privacy@clipspark.de
2. Data We Collect
2.1 Account Data
- Email address
- Password (hashed, never stored in plaintext)
- OAuth profile data (Google, Discord, or Twitch — name, avatar, ID)
- Referral code and referral relationships
2.2 Payment Data
- Stripe customer ID and subscription status
- Payment method details are stored exclusively by Stripe, Inc. — we never see or store your card number
2.3 Video Content
- Videos you upload for processing
- Processed output videos and thumbnails
- Overlay settings and configurations
2.4 Usage & Analytics Data
- IP address, browser type, operating system
- Pages visited, features used, processing requests
- UTM parameters and referrer (acquisition source tracking)
2.5 Analytics Tools (only with your consent)
- Google Analytics 4 (Google LLC, USA) — website usage analytics, anonymized IP
- Microsoft Clarity (Microsoft Corp., USA) — session recordings and heatmaps
These tools are only activated after you give explicit consent via the cookie banner. You can withdraw consent at any time by clearing your browser cookies.
3. Legal Basis for Processing (GDPR Art. 6)
| Processing Activity | Legal Basis |
|---|---|
| Account creation & management | Contract performance (Art. 6(1)(b)) |
| Video processing | Contract performance (Art. 6(1)(b)) |
| Payment processing via Stripe | Contract performance (Art. 6(1)(b)) |
| Email notifications (service-related) | Legitimate interest (Art. 6(1)(f)) |
| Email marketing (drip campaigns) | Consent (Art. 6(1)(a)) |
| Analytics (GA4, Clarity) | Consent (Art. 6(1)(a)) |
| Security & fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
4. Third-Party Data Recipients
| Service | Provider | Purpose | Location |
|---|---|---|---|
| Payment processing | Stripe, Inc. | Subscriptions & billing | USA (EU-US DPF) |
| AI transcription | OpenAI, Inc. | Caption generation | USA (EU-US DPF) |
| AI transcription | AssemblyAI, Inc. | Caption generation | USA |
| Website analytics | Google LLC | Google Analytics 4 | USA (consent-based) |
| Session analytics | Microsoft Corp. | Microsoft Clarity | USA (consent-based) |
| Social login | Google / Discord / Twitch | OAuth authentication | USA |
| Social upload | ByteDance (TikTok) | Video draft upload | Singapore/USA |
| Server hosting | Contabo GmbH | Infrastructure | Germany |
5. International Data Transfers
Some of our service providers are located in the United States. We ensure adequate protection through:
- EU-US Data Privacy Framework (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Consent-based processing for analytics tools
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Uploaded videos | 30 days after processing |
| Processed videos | 30 days after processing |
| Demo videos | 1 hour (auto-deleted) |
| Payment records | 10 years (German tax law, AO § 147) |
| Server logs | 90 days |
| Analytics data | 14 months (GA4 default) |
7. Cookies
7.1 Essential Cookies
Required for the website to function. Cannot be disabled.
| Cookie | Purpose | Duration |
|---|---|---|
| session | Login session | 7 days |
| csrf_token | Security (CSRF protection) | Session |
7.2 Analytics Cookies (consent required)
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| _ga, _ga_* | Google Analytics | Usage analytics | 2 years |
| _clck, _clsk | Microsoft Clarity | Session recording | 1 year |
Analytics cookies are only set after you click "Accept" on the cookie banner.
8. Your Rights (GDPR)
You have the following rights regarding your personal data:
- Access (Art. 15): Request a copy of your personal data
- Rectification (Art. 16): Correct inaccurate personal data
- Erasure (Art. 17): Request deletion of your data ("right to be forgotten") — available via Account Settings or by email
- Portability (Art. 20): Receive your data in a machine-readable format
- Objection (Art. 21): Object to processing based on legitimate interest
- Restriction (Art. 18): Restrict processing under certain circumstances
- Withdraw Consent (Art. 7): Withdraw consent at any time (e.g., for analytics or marketing emails)
Exercise Your Rights
Email us at privacy@clipspark.de. We will respond within 30 days. You can also delete your account directly from your Account Settings.
9. Children's Privacy
ClipSpark is not intended for persons under the age of 16. We do not knowingly collect data from children under 16. If we become aware of such collection, we will delete the data immediately.
10. Data Security
- TLS 1.3 encryption for all data in transit
- Passwords hashed with industry-standard algorithms (bcrypt-level)
- CSRF protection on all forms
- Rate limiting on sensitive endpoints
- Daily encrypted database backups
- Server access restricted to SSH key authentication only
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users. The "Last updated" date at the top reflects the most recent revision.
12. Supervisory Authority
If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the competent supervisory authority:
Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5, 30159 Hannover, Germany
www.lfd.niedersachsen.de
13. Contact
Privacy inquiries: privacy@clipspark.de
General contact: contact@clipspark.de