Privacy Policy

1. Controller

The controller responsible for the processing of personal data described in this policy is:

Timothée Kammies (sole proprietor / Einzelunternehmen)
Ochsenstr. 83
76327 Pfinztal
Germany
E-mail: info@tkammies.com
Phone: +49 1604195415

2. Data Protection Officer

We are not statutorily required to appoint a Data Protection Officer under Art. 37 GDPR / § 38 BDSG (we have fewer than 20 persons regularly engaged in automated processing, no large-scale processing of special categories, and no systematic monitoring as a core activity). For all data-protection enquiries, please contact us at info@tkammies.com.

3. Categories of personal data we process

The following categories may be processed, depending on how you use our services:

• Waitlist data: first name, e-mail address, role (e.g. freelance DP, production company), language, source / UTM parameters, timestamp.
• Account data: e-mail, password (hashed and salted, never stored in plaintext), display name, profile photo (optional), language preference, time zone, account creation and last-login timestamps.
• Workspace and project data: workspace name, project titles, descriptions, schedules, call sheets, shot lists, packing lists, budgets, crew assignments, invitations to collaborators and clients.
• Postal addresses of third parties: physical addresses you enter as part of production logistics — shoot locations and unit-base addresses on call sheets, crew member home or pickup addresses, client and agency office addresses, vendor / rental-house / studio addresses. Where these addresses identify or relate to a natural person, you are responsible as Controller for ensuring you have a lawful basis (typically Art. 6(1)(b) or (f) GDPR) and have informed the affected persons in line with Art. 13–14 GDPR.
• Contact data of third parties: names, phone numbers, e-mail addresses, roles, agency / company affiliations and similar contact details that you enter into call sheets, crew sheets, contact lists or invite flows for the persons involved in your productions.
• User-generated content: notes, interview transcripts, field notes, comments, review feedback you and your collaborators / clients enter into the app.
• Files: images, documents, audio and video files you upload to a project, including their metadata (file name, size, type, timestamp, optional thumbnail, video duration / resolution).
• Documentary mode data (optional): audio you submit for transcription via OpenAI Whisper and resulting transcript text, optional theme / topic analysis prompts and outputs from Anthropic Claude.
• Client review data: name, e-mail (optional), comments and approval / change-request actions left by clients on review links.
• Payment data (Studio app, future): billing name, billing address, VAT number, country, plan, subscription status, invoice metadata. Card numbers are processed exclusively by our payment processor; we do not store full PAN, CVV, or expiry.
• Support and communication data: the content of e-mails or in-app messages you send us, including any attachments.
• Server logs: IP address, user-agent string, requested URL, HTTP method, response code, referrer, timestamp.
• Cookies and similar technologies: see section 11.
• Mobile / device data (iOS app): device identifier (IDFV), operating system version, app version, push-notification token (only if you opt in), crash diagnostics (only if you opt in via iOS Settings).

4. Purposes and legal bases

We process personal data only on the following legal bases (Art. 6(1) GDPR):

5. Recipients and processors (subprocessors)

We engage the following processors under written data-processing agreements (Art. 28 GDPR). The list reflects all subprocessors that may be used in the marketing site and the Studio app at launch; some may not yet be active.

We do not sell, rent, or trade personal data. Beyond the processors above we only disclose data when (i) you direct us to share it, (ii) we are legally required (e.g. court order, tax authority request), or (iii) it is necessary to investigate or stop misuse of the service.

6. International data transfers

Some processors are headquartered in the United States. Where data is transferred outside the European Economic Area, the transfer is safeguarded by one or more of the following: (a) the EU-US Data Privacy Framework adequacy decision (Commission Implementing Decision (EU) 2023/1795), where the recipient is certified; (b) the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) where DPF does not apply; and (c) supplementary technical and organisational measures (encryption-in-transit, encryption-at-rest, access controls). A copy of the relevant transfer safeguards is available on request.

7. Retention

We retain personal data only as long as necessary for the purpose for which it was collected:

• Waitlist: until you unsubscribe or, at the latest, 12 months after the public launch of the Studio app.
• Account and workspace data: for the lifetime of your account. After deletion of the account: a soft-delete window of 30 days for restore, then permanent deletion within a further 60 days from operational backups.
• Files (R2 / Stream): for the lifetime of the project; deleted immediately when you delete the file or the project, and within 60 days from backups.
• AI submissions: the source audio / text is stored under your account only if you choose to keep it. We do not retain copies at the AI provider beyond the request lifecycle (zero-retention configuration).
• Billing / invoicing data: 10 years from the end of the calendar year (§ 147 AO, § 257 HGB).
• Server logs: 30 days, then deleted.
• Support correspondence: 3 years after closure of the request, in line with statutory limitation periods.
• Cookie consent record: 12 months from your last decision.

8. Your rights

Subject to the conditions in the GDPR, you have the right to:

• Access — request confirmation of whether we process data about you and a copy of that data (Art. 15 GDPR).
• Rectification — have inaccurate or incomplete data corrected (Art. 16 GDPR).
• Erasure / “right to be forgotten” — have data deleted where the legal grounds in Art. 17 GDPR apply.
• Restriction — limit our processing of your data in the cases listed in Art. 18 GDPR.
• Data portability — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller (Art. 20 GDPR).
• Object — object at any time to processing based on legitimate interests (Art. 21 GDPR), including direct marketing.
• Withdraw consent — withdraw any consent at any time, without affecting the lawfulness of processing before withdrawal (Art. 7(3) GDPR).
• Not be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you (Art. 22 GDPR). We do not currently carry out such processing.

To exercise any of these rights, contact info@tkammies.com. We respond within 30 days (extendable by a further 60 days for complex requests, with notice).

9. Right to lodge a complaint

You have the right to lodge a complaint with a data-protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR).

The competent authority for the controller is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart, Germany
www.baden-wuerttemberg.datenschutz.de

10. Hosting and access logs

The marketing website tkammies.studio and the Studio web application at app.tkammies.studio are hosted on infrastructure operated by Vercel Inc. and Cloudflare, Inc., with EU points of presence used where available. On every request, the following access logs are processed for the technical delivery of the page and for security:

• IP address (anonymised after delivery where technically possible)
• Date and time of the request
• Requested URL and HTTP method
• Response status code and transferred byte size
• Referrer URL (if any)
• Browser type, version, and user-agent string
• Operating system

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in technical operation and security). Logs are retained for a maximum of 30 days and then deleted, unless an incident requires longer retention to investigate.

11. Cookies and similar technologies

When you first visit the site, a consent banner asks you to choose which categories of cookies you accept. You can change your decision at any time via the “Cookie Settings” link in the footer.

• Strictly necessary — set to remember your language, your consent decision, and (where applicable) your preview-access cookie. These cannot be disabled. Legal basis: § 25(2) TTDSG / § 25 DDG.
• Anonymous usage analytics — only set if you accept. We use a privacy-respecting, IP-anonymising analytics tool to count page views, demo opens, and feature clicks. No cross-site tracking, no advertising IDs, no transmission of names or e-mails. Legal basis: § 25(1) TTDSG / § 25 DDG and Art. 6(1)(a) GDPR.

Within the Studio app (app.tkammies.studio), additional cookies are used to maintain your authenticated session and your in-app preferences. These are strictly necessary to provide the service.

12. E-mail marketing

If you join the waitlist or opt in to product-update e-mails, we send you updates about tkammies Studio via Brevo. You can unsubscribe at any time using the link at the bottom of every e-mail or by writing to info@tkammies.com. Brevo records open and click events for the purpose of measuring delivery and engagement; this is based on Art. 6(1)(a) GDPR (your consent).

13. Account registration and login

To use the Studio app, you create an account via Supabase Auth. We process your e-mail address and a hashed password, and we may send you transactional e-mails (e.g. e-mail verification, password reset, security alerts). Legal basis: Art. 6(1)(b) GDPR (performance of contract). You may delete your account at any time from in-app settings.

14. Workspaces, projects, and collaborators

The Studio app is collaborative by design. When you invite a collaborator or client to a project, they receive an e-mail with an invitation link, and, when they accept, they gain access to the data scope you grant. The workspace owner is the controller for the project data they upload; we act as processor for that data on the owner's behalf and offer a Data Processing Agreement on request. Files you upload are stored on Cloudflare R2; large videos may additionally be transcoded by Cloudflare Stream for adaptive-bitrate playback.

15. Client review links

You can share a project or asset with a client via a review link. The link can optionally be protected by a passcode. We process the comments and approval / change-request actions left by the client, plus any name and e-mail they choose to provide, for the purpose of operating the review feature. Legal basis: Art. 6(1)(b) GDPR (performance of contract with you); the client is informed of the processing on the review page.

16. Optional AI features (Documentary Mode)

If you enable Documentary Mode, audio you choose to transcribe is sent to OpenAI for processing by the Whisper API; the resulting transcript and any theme / topic analysis you request is processed by Anthropic's Claude API. Both providers are configured under their zero-retention API terms: no training on your data and no retention beyond the request. We display an explicit opt-in confirmation each time before submission. Legal basis: Art. 6(1)(b) GDPR (contract on opt-in feature) and Art. 6(1)(a) GDPR (your explicit consent).

17. Payments and billing

From the public launch of paid plans, payment processing is handled by Stripe Payments Europe, Ltd. We receive billing metadata (name, country, VAT number, plan) and never see your full card number, CVV, or expiry. Stripe acts as an independent controller for fraud-prevention purposes; we act as controller for invoicing and bookkeeping. We retain invoices for 10 years as required by §§ 147 AO, 257 HGB.

18. iOS / iPadOS app

The Studio iOS app is distributed via the Apple App Store and built with Capacitor. In addition to the categories above, the following may apply:

• Identifier for Vendor (IDFV) — used for crash-grouping; not used for advertising.
• Push-notification token (APNs) — only collected if you accept the prompt.
• Crash and performance diagnostics — only collected if you opt in via iOS Settings → Privacy → Analytics & Improvements; received via Apple's analytics pipeline.

The data categories and purposes declared on the App Store privacy nutrition label correspond to this section.

19. Children

The Studio app and this website are not directed to children. In line with Art. 8 GDPR and § 25 BDSG, we do not knowingly collect data from children under 16 without verifiable parental consent. If you believe a child has provided us with personal data, please contact info@tkammies.com and we will delete it.

20. Automated decision-making and profiling

We do not use personal data for automated decision-making, including profiling, that produces legal effects or similarly significant effects concerning you (Art. 22 GDPR).

21. Security

We take reasonable technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access (Art. 32 GDPR). These include: encryption in transit (TLS 1.2+), encryption at rest for stored files and database content, access controls and least-privilege access for personnel, principle-of-least-privilege for service-to-service communication, signed and time-limited URLs for file downloads, regular dependency updates, and monitoring for security incidents.

22. Source of data and obligation to provide

Most personal data is provided directly by you (waitlist sign-up, account creation, files you upload). Some data is generated by your device or our systems (server logs, account timestamps, analytics counts where you consented). Providing personal data is generally voluntary, but is a contractual prerequisite for using the corresponding feature: e.g., we cannot create an account without an e-mail address.

23. Data Processing Agreement (B2B)

If you use the Studio app to process personal data of others (e.g. crew, interviewees, clients) in the course of your professional activity, you act as the controller for that data and we act as your processor under Art. 28 GDPR. A Data Processing Agreement (Auftragsverarbeitungsvertrag) is available on request and will be made available for download in-app.

24. Changes to this policy

We may update this policy to reflect changes to the service, our processors, or the law. Material changes will be communicated to active users by e-mail and via an in-app notice at least 30 days in advance. The latest version is always available at this URL.

25. Contact

For any privacy enquiry, please write to info@tkammies.com.