Privacy Policy

1. Data controller

The controller responsible for processing personal data under the GDPR is:

Muhamed Gaff
Aachenerstraße 1325
50859 Cologne
Germany

Email: support@mimeze.app

2. General principles

We process personal data only where necessary to operate the mimeze app and website, perform contracts (including shipping physical products), comply with legal obligations, or where you have given consent.

Our services are not directed at children. If you are under 16, please use mimeze only with permission from a parent or guardian. We do not knowingly collect data from children for marketing purposes.

3. Purposes and legal bases

Depending on the activity, we rely on the following legal bases under Article 6(1) GDPR:

• Contract and pre-contract (Art. 6(1)(b) GDPR): creating and managing your account, processing orders and payments as required, communicating about your purchases, delivering in-app features you request.
• Legitimate interests (Art. 6(1)(f) GDPR): IT security, fraud and abuse prevention, service stability, improving user experience (e.g. technical logs, aggregated or pseudonymised analytics where applicable), asserting or defending legal claims.
• Consent (Art. 6(1)(a) GDPR): where we ask for optional consent (e.g. non-essential cookies or marketing), which you may withdraw at any time with effect for the future.
• Legal obligation (Art. 6(1)(c) GDPR): retention for commercial or tax law, responses to lawful requests from authorities.

4. Categories of personal data

• Account data: name, email address, unique user identifiers.
• Content you provide: photos of rooms or other images you upload for AI-assisted suggestions.
• Order data: order history, shipping address, contact details for delivery, and if needed phone number for logistics.
• Payment data: processed by payment providers; we do not store full payment card numbers.
• Device and usage data: device type, OS version, timestamps, and technical or diagnostic logs where needed to run and secure the service.

5. Processors, recipients, and sharing

We use carefully selected processors who handle personal data only on our instructions and under appropriate contracts (including Article 28 GDPR data processing agreements where required), for example:

• Backend, database, authentication: Supabase. See supabase.com/privacy.
• Payments: Stripe; in-app purchases may also be processed by Apple (Apple Pay / App Store). Their privacy policies apply to payment data they process.
• Print and fulfilment: Gelato, Prodigi Group, and their production labs / logistics providers (possibly worldwide). The fulfilment partner used may depend on product type, delivery country, availability, and production requirements. Order data, shipping details, contact details required for delivery, and print files are shared only to fulfil your order. See gelato.com/legal/privacy and prodigi.com/privacy-and-cookie-policy.

We otherwise share personal data only if you consent, we are legally required to, or it is necessary to establish, exercise, or defend legal claims.

6. International transfers

Some providers may process data outside the European Economic Area (EEA). Where required, we implement appropriate safeguards, such as the EU Standard Contractual Clauses under Article 46 GDPR. You may request further information about such safeguards where we are permitted to share it.

7. AI processing

To generate design suggestions, your uploads may be transmitted to AI services or processed on our or our host's infrastructure. We limit processing to what is needed for the feature. The legal basis is typically performance of the contract (Art. 6(1)(b) GDPR) and, where applicable, your consent (Art. 6(1)(a) GDPR).

8. Retention

We delete or anonymise personal data when it is no longer needed for the purposes described, unless longer retention is required by law (e.g. commercial or tax records). Account data is generally kept until you request deletion and no legal retention obligation prevents it. Order records may be kept for up to ten years where commercial law requires.

9. Your rights

Where the GDPR applies, you have the following rights in relation to our processing (subject to conditions):

• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure ("right to be forgotten") (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Object to processing based on legitimate interests (Art. 21 GDPR)
• Withdraw consent at any time, where processing is based on consent (Art. 7(3) GDPR)

To exercise your rights, email support@mimeze.app from the address associated with your account, or include enough information for us to verify your identity.

10. Supervisory authority

You have the right to lodge a complaint with a data protection authority. Our establishment is in Germany; the authority for North Rhine-Westphalia is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW). A list of EU authorities is available via bfdi.bund.de.

11. Whether provision of data is mandatory

Some personal data is required to enter into or perform a contract (e.g. a shipping address for physical goods). If you do not provide it, we may be unable to fulfil your order.

12. Automated decision-making

We do not use solely automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR, unless we introduce a separate, clearly disclosed mechanism in the future.

13. Changes to this policy

We update this Privacy Policy when our practices or the law change. The version on the website with the "Last updated" date above is the current one.