Skip to content
Spreadfilms.AI
Legal

Privacy Policy

Last updated: 2026-05-27

This Privacy Policy explains how we process personal data when you visit spreadfilms.ai, submit our contact form, or use the Spreadfilms.AI platform. It is written in accordance with the EU General Data Protection Regulation (GDPR), the German Bundesdatenschutzgesetz (BDSG) and the Telekommunikation-Digitale- Dienste-Datenschutz-Gesetz (TDDDG / TTDSG).

1. Data controller

Controller in the sense of Art. 4 (7) GDPR is:
Spreadfilms GmbH
Ludwigstraße 27
83278 Traunstein, Germany
Email: info@spreadfilms.ai
Phone: +49 (0) 861 90119000

Privacy enquiries reach the same address — please mark them “Datenschutz” in the subject line.

2. Data we process

  • Contact-form data— intent, work email, name, company, phone (optional), markets (optional), free-text message (optional). Provided by you when you submit the demo / sales form.
  • Account & platform content— once you sign up for the Spreadfilms.AI product at app.spreadfilms.ai: account credentials, organization data, and any master films, brand assets, translations or voiceover scripts you upload. Processed solely on your instruction under a separate Data Processing Agreement.
  • Server logs— IP address, timestamp, requested URL, HTTP status, referrer, user-agent string. Generated by our hoster for security and abuse prevention.
  • Analytics events— when you grant consent via our cookie banner: pageviews, referrers, device category, country-level location, plus “generate_lead” events for contact-form submissions. Collected via Plausible Analytics and Google Analytics 4 (see §5).

3. Legal basis

  • Contact form & pre-contract communication: Art. 6 (1) (b) GDPR (steps prior to entering into a contract) and Art. 6 (1) (f) GDPR (our legitimate interest in replying to your enquiry).
  • Server logs: Art. 6 (1) (f) GDPR — legitimate interest in operating and securing the service.
  • Analytics, marketing cookies, embedded video previews: Art. 6 (1) (a) GDPR + § 25 (1) TDDDG — your prior opt-in via the cookie banner. You can withdraw consent any time without affecting past processing.

4. Hosting & infrastructure

This website is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA, on edge nodes in the European Union (primarily Frankfurt am Main, Germany). Vercel acts as a processor under Art. 28 GDPR; we have a current Data Processing Agreement and EU Standard Contractual Clauses (SCCs, EU Commission decision 2021/914) in place for any transfers to the United States, plus a transfer impact assessment per Schrems II. Vercel’s privacy information: vercel.com/legal/privacy-policy.

The Spreadfilms.AI platform (app.spreadfilms.ai) runs on infrastructure operated by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany, in data centers located in Nuremberg and Falkenstein, Germany. No personal customer data is transferred outside the EU/EEA unless you explicitly configure a non-EU region in your account settings.

5. Sub-processors and third-party services

We engage the following sub-processors. With each we have a written Data Processing Agreement under Art. 28 GDPR.

  • Vercel Inc.(USA / EU edge) — website hosting, edge functions, image optimization. Legal basis: Art. 6 (1) (f) GDPR. Transfer safeguard: SCCs + TIA.
  • Sendinblue SAS, trading as Brevo, 106 Boulevard Haussmann, 75008 Paris, France — transactional email used to deliver the demo / sales-form submission to our team. Legal basis: Art. 6 (1) (b) and (f) GDPR. Hosted in the EU. brevo.com/legal/privacypolicy.
  • Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia — cookieless web analytics, EU-hosted, no cross-site tracking, no personal identifiers. Loaded only after analytics consent. Legal basis: Art. 6 (1) (a) GDPR. plausible.io/privacy.
  • Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland — Google Analytics 4 (measurement ID G-14W9Q7TNBF) for aggregated site analytics and the “generate_lead” conversion event. Configured with IP anonymization, advertising features off, and no Google Signals. Loaded only after analytics consent. Legal basis: Art. 6 (1) (a) GDPR. Transfers to the United States are covered by Google’s EU-U.S. Data Privacy Framework certification and SCCs. policies.google.com/privacy.
  • Hetzner Online GmbH(Germany) — product platform hosting (app.spreadfilms.ai only, see §4).

Beyond these we use no third-party advertising networks, no social- media tracking pixels and no cross-site tracking technologies. Web fonts are bundled at build time (next/font) and served from our own domain — no runtime call to Google Fonts.

6. Retention periods

  • Contact-form submissions: kept for up to 24 months after last contact for sales follow-up, then deleted — unless a customer relationship is established, in which case statutory retention under §147 AO / §257 HGB applies (6 / 10 years for accounting documents).
  • Server logs: 14 days, then automatic rotation.
  • Plausible analytics: stored for 24 months, aggregated, no individual user profiles.
  • Google Analytics 4: standard retention set to 14 months, then automatic deletion.
  • Consent record (sf-consent-v2 in localStorage): kept on your device until you clear it or 12 months have passed.

7. Your rights

Under the GDPR you have the right to:

  • access your personal data (Art. 15);
  • rectify inaccurate data (Art. 16);
  • have your data erased (Art. 17, “right to be forgotten”);
  • restrict processing (Art. 18);
  • data portability (Art. 20);
  • object to processing based on legitimate interest (Art. 21);
  • withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal (Art. 7 (3)).

To exercise any of these rights, contact info@spreadfilms.ai. We will respond within one month (Art. 12 (3)).

You also have the right to lodge a complaint with a supervisory authority. The competent authority for Spreadfilms GmbH is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany — lda.bayern.de.

8. Automated decision-making

We do not use your personal data for automated decision-making in the sense of Art. 22 GDPR. AI-generated content on the platform is produced on your instruction from inputs you provide.

9. Cookies and device storage

See our dedicated Cookie Policy for the complete list of cookies and localStorage entries used on this website, their purpose, and how to manage your consent.

10. Changes to this policy

We may update this policy as the service evolves or as legal requirements change. The current version is always available at this URL with a “last updated” date at the top. Material changes will be highlighted on this page for at least 30 days.