Privacy Policy for Studio Pro

Effective Date: 27 May 2025
Last Updated: 20 May 2025

This Privacy Policy explains how Klein aber GmbH ("Klein aber", "we", "us" or "our") collects, uses and protects personal data when you install or use the Studio Pro browser extension, related software or services (collectively, the "Service"). It also describes the rights you have under the EU General Data Protection Regulation ("GDPR") and other applicable laws.

1. Data Controller

Klein aber GmbH
Glockengießerwall 26
20095 Hamburg, Germany
Email: [email protected]

VAT ID: DE 275 913 412

2. What Data We Collect

Category | Examples | Source
Account Data | Name, email address, Google Account ID | Google OAuth sign‑in
Payment Data | Billing address, last four digits, Stripe customer ID | Stripe
YouTube Data | Comment text, commenter channel name, video title, video transcript | YouTube API during usage
Usage Data | Counts of AI suggestions, sentiment scores, clicks, error logs, device type | Automatic via Firebase logs
Settings | Language preference, reply tone | Saved by you locally and in Firebase

3. Purposes & Legal Bases

We process personal data only where a legal basis under Art. 6 GDPR applies:

  • Contract performance (Art. 6 (1)(b)) – create/manage your account, generate AI suggestions, provide sentiment analysis.
  • Payment handling (Art. 6 (1)(b)) – subscription billing through Stripe.
  • Legitimate interests (Art. 6 (1)(f)) – improve security and quality, pseudonymised analytics, AI model training (see 3.1).
  • Legal obligations (Art. 6 (1)(c)) – tax, accounting and fraud prevention.
  • Consent (Art. 6 (1)(a)) – optional marketing emails; non‑essential cookies/analytics.

3.1 AI Model Training & Profiling Notice

We may use pseudonymised excerpts of comment text and your edits to train and evaluate current and future AI models. This constitutes profiling within the meaning of Art. 4 No. 4 GDPR but does not result in automated decisions producing legal or similarly significant effects (Art. 22 GDPR). You can object at any time (Art. 21 GDPR) via in‑app settings or email; new data will be excluded within 30 days.

4. Sharing Your Data

We share personal data only with:

  • Google Cloud / Gemini / Firebase – hosting, AI generation. We have GDPR‑compliant Data Processing Agreements incl. Standard Contractual Clauses (SCCs).
  • Stripe – payment processing, fraud prevention. Covered by SCCs and a data processing agreement (AVV).
  • Authorised service providers – IT maintenance, penetration testing, under strict confidentiality and a data processing agreement (AVV).
  • Public authorities or courts – where legally required.

We do not sell or rent personal data.

5. International Transfers

Where recipients are located outside the EU/EEA, we rely on:

  • European Commission adequacy decisions, or
  • Standard Contractual Clauses & supplementary safeguards.

If a new adequacy framework (e.g. EU‑US Data Privacy Framework) becomes applicable, we will switch to that mechanism.

6. Data Retention

  • Active account – data kept while account is active.
  • Inactive for 24 months – we delete or anonymise personal data.
  • Invoices & tax records – stored 10 years under German law.
  • AI opt‑out – your data stops feeding future models within 30 days; existing models cannot be un‑trained.

7. Security Measures

  • TLS 1.2+ encryption in transit
  • Server‑side encryption at rest
  • Role‑based access controls with logged admin actions
  • Regular penetration tests & dependency vulnerability scans

8. Your Rights

You can exercise the following rights:

  • Access, rectification, erasure, restriction, portability
  • Object to processing based on legitimate interest (incl. AI training)
  • Withdraw consent (marketing emails – every email includes a one‑click unsubscribe link)
  • Lodge a complaint with a supervisory authority – in Germany: Hamburg Commissioner for Data Protection (HmbBfDI) or your local EU authority under the one‑stop‑shop mechanism.

We respond within one month of receiving your request. This period may be extended by two further months where necessary, taking into account the complexity and number of requests (Art. 12 (3) GDPR).

9. Automated Decision‑Making

AI Reply Suggestions are generated automatically, but no legal or similarly significant decisions are taken solely by automated means.

10. Cookies & Similar Technologies

The extension stores essential local storage tokens. We do not set advertising cookies. If we enable Firebase Analytics in future, we will request your opt‑in consent via a banner.

11. Children

The Service is not directed to children under 16. We do not knowingly process data of children without verifiable parental consent.

12. Changes & Version History

Material changes will be announced by email and in‑app at least 30 days in advance. Archived versions of this Policy are available on request.

13. Contact & Data Protection Officer

If you have questions about this Policy or wish to exercise your rights, contact:

Email: [email protected]

Herting Oberbeck Datenschutz GmbH
Hallerstr. 76, 20146 Hamburg