Privacy Policy
Last updated: April 2026
1. Controller
The controller responsible for the processing of personal data as defined by the General Data Protection Regulation (GDPR) is:
Avanity GmbH
Großer Biergrund 3, 63065 Offenbach am Main, Germany
Managing Director: Torben Gehr
Email: contact@avanity.de
2. What data we process
When you use Loopy, we process the following categories of personal data:
2.1 Account data
On signup: email address, password (hashed), display name (optional), language preference, timestamp of registration. This data is processed by our authentication provider Supabase.
2.2 Usage data
When you visit our pages: IP address, browser used, operating system, time of visit. This data is unavoidably collected while serving the website and is stored in server logs at our hosting provider Vercel.
2.3 Content data (uploaded covers)
Album covers you upload for animation are stored in our Supabase Storage bucket (EU region). Metadata such as EXIF information (including GPS coordinates, if present) is automatically removed on upload. The original cover is automatically deleted 30 days after generation.
2.4 Generation data
For each animation we store: the project name you set, the optional animation direction, the internal video prompt generated by the AI, the finished video, and metadata such as timestamps and generation duration.
2.5 Payment data
On purchase or subscription: billing address, Stripe customer ID and transaction IDs. We do not process credit card data ourselves — this is handled exclusively by Stripe and stored on their PCI-DSS certified servers.
3. Purposes and legal bases
We process your data exclusively for the following purposes:
- Performance of contract (Art. 6 para. 1 lit. b GDPR): providing the account, generating your animations, storing your projects, processing payments.
- Legal obligation (Art. 6 para. 1 lit. c GDPR): retention of invoicing data under German Commercial Code §257 and Tax Code §147 for 10 years.
- Legitimate interest (Art. 6 para. 1 lit. f GDPR): error correction, abuse detection, platform security, fraud prevention.
- Consent (Art. 6 para. 1 lit. a GDPR): non-essential cookies, if explicitly granted.
4. Recipients / Third-party providers
We work with the following data processors to provide Loopy. We have data processing agreements (DPAs) in place with all of them:
| Provider | Location | Purpose |
|---|---|---|
| Supabase Inc. | USA (EU region for data) | Database, authentication, storage |
| Vercel Inc. | USA | Hosting, CDN, edge functions |
| Stripe Payments Europe Ltd. | Ireland | Payment processing, invoicing |
| fal.ai (Features & Labels Inc.) | USA | AI inference (Gemini + Seedance) |
| n8n GmbH | Germany | Workflow orchestration |
4.1 AI processing of your covers
When you upload a cover and start generation, the image is sent to fal.ai, who act as an intermediary for the AI models. fal.ai forwards your cover to the following models:
- Google Gemini 2.5 Pro: analyzes the cover and generates a motion prompt. Google processes the image exclusively for inference and does not retain training data when the call goes through fal.ai.
- ByteDance Seedance 1.5 Pro: produces the animated video from the cover and the prompt. Important notice: ByteDance is headquartered in China (a third country outside the EU). The transfer of your cover to Seedance occurs as part of providing the Loopy service (contract performance). The transfer to a third country takes place on the basis of Standard Contractual Clauses of the EU Commission and our contract with fal.ai as data processor. Please consider this risk before uploading covers.
4.2 Transfer to the USA
Some of our service providers (Supabase, Vercel, fal.ai) are located in the USA. The transfer of personal data to the USA takes place on the basis of the EU-US Data Privacy Framework (DPF) or Standard Contractual Clauses (SCC) of the EU Commission.
5. Retention periods
- Account data (profiles, credits, subscriptions): until you delete your account.
- Uploaded covers (uploads/): 30 days after generation, then automatic deletion.
- Finished animations (results/): until you delete them or close your account.
- Invoicing data (transactions): 10 years per German Commercial Code §257 and Tax Code §147. On account deletion this data is anonymized (user_id is removed) but the transaction record itself is retained for tax purposes.
- Server logs: typically 14 days.
6. Your rights
You have the following rights under the GDPR:
- Access to the data we store about you (Art. 15 GDPR)
- Rectification of inaccurate or incomplete data (Art. 16 GDPR)
- Erasure of your data, subject to retention obligations (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability — release of your data in a structured, machine-readable format (Art. 20 GDPR)
- Objection to processing based on legitimate interests (Art. 21 GDPR)
- Withdrawal of given consent with effect for the future (Art. 7 para. 3 GDPR)
- Complaint to a data protection supervisory authority (Art. 77 GDPR). The authority responsible for us is the Hessen Data Protection Commissioner.
To exercise your rights, a simple email to contact@avanity.de is enough.
7. Account deletion
You can delete your account at any time via the settings in the app. All your projects, uploaded covers, credits and profile data will be irrevocably deleted. Invoicing data will be retained in anonymized form for 10 years due to statutory retention obligations. An active Stripe subscription will be canceled along with the account deletion.
8. Cookies
Loopy only uses the strictly necessary cookies to maintain your login session. These so-called essential cookies do not require consent, as they are indispensable for the operation of the platform. We currently do not use any analytics or tracking cookies.
9. EXIF data and image metadata
When you upload a cover, we automatically remove all embedded metadata (EXIF), including any GPS coordinates. This happens server-side before the file lands in our storage. We do not store location data.
10. Data security
We protect your data with technical and organizational measures: HTTPS transport encryption on all connections, encrypted storage in our databases, strict access controls (Row Level Security), regular backups, separated production and development environments.
11. Changes to this privacy policy
We update this privacy policy when our processing activities change or new legal requirements arise. The current version is always available at /en/privacy. For material changes we will notify you by email.