Privacy Policy
Last updated: March 14, 2026
1. Controller
Sascha D. Kasper
Romania
Email: lp@sascha-kasper.com
If you have questions about how your data is processed, contact the address above.
2. Data We Collect
We collect only what is necessary to provide the service:
- Account data: Email address, optional first name, and a hashed password. Stored by Supabase Auth (EU, Frankfurt region).
- Usage logs: Which module you used (Bases, CSS, or Templates) and a timestamp for each AI generation. Used to enforce daily tier limits.
- Billing data: Managed entirely by Stripe. We store only a Stripe Customer ID in our database. We never see or store your payment method.
- Feedback submissions: If you submit feedback through the app, your category selection, title, and description are posted to a public GitHub issue tracker. Your email is partially masked (e.g. "sa***@example.com") before submission.
- AI prompts: The text you enter in the chat or wizard is sent to Anthropic's API for generation. Prompts are not stored on our servers. No personal identifiers are included in API requests.
- Server logs: Vercel (our hosting provider) automatically logs IP addresses, request paths, and user agents in standard web server access logs.
We do not collect geolocation, device identifiers, browsing history, or any data beyond what is listed above.
3. Legal Basis for Processing
- Art. 6(1)(b) GDPR - Contract performance: Account creation, authentication, AI generation, usage tracking, and billing are necessary to provide the service you signed up for.
- Art. 6(1)(a) GDPR - Consent: Pilot program enrollment (adding your email to our Brevo mailing list) is based on your explicit consent at signup.
- Art. 6(1)(f) GDPR - Legitimate interest: Server access logging for security and abuse prevention. Our interest in maintaining service security does not override your rights, as we do not use logs for tracking or profiling.
- Art. 6(1)(c) GDPR - Legal obligation: Retention of billing records as required by Romanian fiscal law (Law 207/2015, Art. 25 - 10-year retention).
4. Third-Party Processors
We share data with the following service providers, each under a Data Processing Agreement:
| Service | Purpose | Data shared | Location | Safeguard |
|---|---|---|---|---|
| Supabase | Authentication, database, usage logs | Email, hashed password, usage counts | EU (Frankfurt) | EU hosting |
| Stripe | Subscription billing | Email, Supabase user ID (as metadata) | US | EU-US DPF + SCCs |
| Brevo | Pilot enrollment emails | Email, first name | EU | EU hosting |
| Anthropic | AI generation (Claude) | Prompt text only (no user identifiers) | US | DPA with SCCs |
| Vercel | Hosting, serverless functions | IP address, request data (automatic server logs) | US | DPA with SCCs |
| GitHub | Feedback issue tracking | Masked email, feedback text | US | EU-US DPF + SCCs |
Transfers to US-based processors are protected by Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. No data is sold to third parties. Prompts sent to Anthropic are processed under their API terms and are not used for model training.
5. Data Retention
- Account and usage data: Retained until you delete your account. Deletion removes your profile and all usage logs from our database.
- Billing records: Stripe retains transaction records independently per their legal obligations and Romanian fiscal law (10-year retention per Law 207/2015, Art. 25). Deleting your LOS account removes the Stripe customer object, but Stripe may retain invoice records for compliance.
- Brevo contact: Your email remains on the Brevo pilot list until manually removed. Contact lp@sascha-kasper.com to request removal.
- Feedback issues: Feedback submitted to GitHub is public and remains in the repository. It cannot be automatically deleted when you delete your account.
- Server logs: Vercel retains access logs per their standard retention policy.
6. Your Rights
Under GDPR, you have the right to:
- Access your personal data (Art. 15) - use "Export My Data" in the app menu, or contact us
- Rectify inaccurate data (Art. 16) - contact us to correct your information
- Erase your data (Art. 17) - use "Delete Account" in the app menu
- Data portability (Art. 20) - "Export My Data" provides a machine-readable JSON file
- Restrict processing (Art. 18) - contact us to limit how your data is used
- Object to processing (Art. 21) - contact us if you believe our legitimate interest does not apply
- Withdraw consent at any time without affecting the lawfulness of prior processing
- Lodge a complaint with the supervisory authority: Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP), B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania - www.dataprotection.ro
To exercise any of these rights, email lp@sascha-kasper.com. We will respond within 30 days.
7. Mandatory vs. Optional Data
An email address and password are required to create an account and use the service. Your first name is optional. If you do not provide a first name, the service functions identically. Providing payment information (via Stripe) is required only for paid tiers.
8. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you. Daily generation limits are applied based on your subscription tier, not on profiling.
9. Technical Storage
This site does not use cookies for tracking or analytics. The only client-side storage used is:
- Supabase auth tokens in localStorage - strictly necessary for authentication. Exempt from consent under Article 5(3) of the ePrivacy Directive (2002/58/EC) as they are technically required to provide the service you requested.
- los-pilot-pending flag in localStorage - a transient signup state indicator, removed immediately after enrollment completes.
Since we use no tracking cookies, analytics, or marketing storage, no cookie consent banner is required.
10. Changes to This Policy
We will update this page when our data practices change. The "Last updated" date at the top reflects the most recent revision. If changes are material (e.g. new third-party processors or new data categories), we will notify registered users by email.