Privacy Policy
This policy explains how we collect, use, and protect your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable German data protection law.
1. Data Controller
The controller responsible for the processing of personal data on this website within the meaning of Art. 4(7) GDPR is:
70191 Stuttgart
Germany
2. Categories of Personal Data Processed
We process only the personal data that is strictly necessary to provide the Service. The following categories may be processed depending on how you use the Service.
- Photograph / biometric image data (when you upload or capture an image).
- Technical usage data (IP address, browser type, pages visited, error events).
- Payment confirmation data (handled exclusively by PayPal – see Section 6).
- Email address with message content (only when you contact us directly).
3. Image Processing & Storage
When you upload or capture an image, it is transmitted to our servers and processed by our AI-powered passport photo tool. For the free tier, the processed result is returned to you immediately and is not persistently stored on our servers.
When you purchase the paid tier, the generated image is stored in encrypted form in Microsoft Azure Blob Storage (West Europe region) for up to 30 days so that you can re-download it after purchase. After 30 days, the image is deleted automatically and permanently with no manual intervention. The legal basis for this processing is the performance of a contract with you (Art. 6(1)(b) GDPR).
Your uploaded source image is deleted from our servers as soon as processing is complete. We do not use your photographs to train AI models, for profiling, or for any purpose other than generating the requested passport photo.
4. Server Logs & Application Telemetry
Our web server automatically collects standard log data, including IP addresses, HTTP request details, browser and operating system information, referrer URLs, and timestamps. We additionally use Microsoft Azure Application Insights to monitor application health, detect errors, and measure performance. Data processed by Application Insights includes anonymised usage events, exception traces, and request metadata.
All telemetry data is hosted within the European Economic Area (Microsoft Azure West Europe). The legal basis is our legitimate interest in maintaining the security, stability, and performance of the Service (Art. 6(1)(f) GDPR). Server log and telemetry data is retained for a maximum of 90 days, after which it is deleted automatically.
5. Analytics (Google Analytics)
We use Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies and similar technologies to collect anonymised statistics about how visitors use the Service, such as pages visited, session duration, and geographic region. IP addresses are anonymised prior to any processing by Google.
Google may transfer analytics data to Google LLC servers in the United States under Standard Contractual Clauses approved by the European Commission. The legal basis for this processing is your consent (Art. 6(1)(a) GDPR). You may opt out at any time by installing the Google Analytics Opt-out Browser Add-on available at https://tools.google.com/dlpage/gaoptout, or by adjusting your browser's cookie settings.
6. Payment Processing (PayPal)
Payments for the paid tier are processed by PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. When you choose to pay via PayPal, you are redirected to PayPal's platform, where your payment details are collected and processed under PayPal's own privacy policy. We receive only a payment confirmation and do not store any credit card or bank account information on our servers.
The legal basis for the transfer of data to PayPal is the performance of a contract (Art. 6(1)(b) GDPR). For full details of how PayPal processes your data, please refer to PayPal's Privacy Policy at https://www.paypal.com/en/webapps/mpp/ua/privacy-full.
7. Email & Contact
When you contact us by email, the personal data you provide (such as your name and email address and the content of your message) is processed solely in order to handle your enquiry. We use Microsoft Azure Communication Services to send and receive emails; this service processes data within Microsoft's infrastructure in the European Union.
Your contact data is not shared with third parties and is retained only for as long as necessary to handle your enquiry and any follow-up correspondence, typically no longer than two years. The legal basis is our legitimate interest in communicating with you (Art. 6(1)(f) GDPR).
8. Cookies & Local Storage
We use a small number of cookies and browser local storage entries that are strictly necessary for the Service to function correctly. These include a language/culture preference entry and a session token. No personal data beyond session state is stored in these entries, and they expire when you close your browser or within 24 hours.
Google Analytics sets additional cookies for analytics purposes (see Section 5). You can manage or delete cookies at any time through your browser settings. Disabling strictly necessary cookies may impair the functionality of the Service.
9. International Data Transfers
Some of our service providers may process personal data outside the European Economic Area. In all such cases, we ensure an adequate level of protection through one of the following mechanisms: an adequacy decision by the European Commission, Standard Contractual Clauses (SCCs) pursuant to Art. 46(2) GDPR, or another appropriate safeguard under Chapter V of the GDPR.
The relevant third-party providers and their applicable transfer safeguards are:
- Microsoft Corporation (Azure Blob Storage, Application Insights, Communication Services) – SCCs with EU supplementary measures, primary data residency in West Europe.
- Google LLC (Google Analytics) – SCCs.
- PayPal, Inc. – SCCs via PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg).
10. Your Rights under the GDPR
As a data subject within the European Economic Area, you have the following rights in relation to your personal data:
- Right of access (Art. 15) – obtain confirmation of whether and what personal data we hold about you.
- Right to rectification (Art. 16) – request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17) – request deletion of your personal data ("right to be forgotten").
- Right to restriction of processing (Art. 18) – request that we limit how we process your data.
- Right to data portability (Art. 20) – receive your personal data in a structured, machine-readable format.
- Right to object (Art. 21) – object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent (Art. 7(3)) – withdraw any consent you have given at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
To exercise any of these rights, please contact us at contact@formkraft-digital.de. We will respond within one month as required by Art. 12 GDPR. Requests are free of charge; in the case of manifestly unfounded or excessive requests, we reserve the right to charge a reasonable fee.
11. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority at any time (Art. 77 GDPR). The authority competent for our registered address in Stuttgart, Germany is:
70173 Stuttgart
You may also lodge a complaint with the supervisory authority of your country of residence or habitual place of work within the EU.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. If we make material changes, we will post a prominent notice on the Service before the changes take effect. The "Last updated" date at the bottom of this page indicates when this policy was last revised. We encourage you to review this policy periodically.
13. Contact
For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact us:
70191 Stuttgart
Germany
Last updated: January 2026
