CloneGen.app | Last updated: April 04, 2026
1. Introduction
This Privacy Policy explains how CloneGen.app ("CloneGen", "we", "us") collects, uses, stores, and protects your personal data when you use our Service. We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR) and applicable German data protection law.
Data Controller:
Andrew Mann, Geesthachter Straße 6, 23556 Lübeck, Germany
Email: info@clonegen.app
2. Data We Collect
We collect the following categories of personal data:
Account & Identity Data:
• Email address (required for registration)
• Password (hashed and securely managed by Supabase Auth — we never see your raw password)
• Full name (optional, user-provided)
• Profile photo/avatar (optional, user-uploaded)
• Google account email and profile info (only when using Sign in with Google)
User Content:
• Reference photos uploaded by you (used to create AI identity models)
• AI-generated images and videos produced by your account
Payment & Subscription Data:
• Stripe customer ID
• Subscription status, plan type, and credit balance
• Note: We do not store raw credit card numbers or payment card data — this is handled exclusively by Stripe
Technical & Usage Data:
• Error traces and session telemetry via Sentry (anonymized; includes user ID for error attribution only)
• IP addresses and HTTP request metadata processed by Vercel during service delivery
3. Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases:
• Contract performance (Art. 6(1)(b) GDPR): To provide the Service, manage your account, and process credit/subscription transactions
• Legitimate interests (Art. 6(1)(f) GDPR): For security monitoring, error tracking (Sentry), and fraud prevention
• Legal obligation (Art. 6(1)(c) GDPR): For compliance with applicable German and EU law
• Consent (Art. 6(1)(a) GDPR): Where you have provided explicit consent (e.g., upload of reference photos)
4. How We Use Your Data
We use your data to:
• Create and manage your account
• Process credit purchases and manage subscription billing
• Generate AI images and videos based on your prompts and uploaded content
• Monitor and improve the performance and security of the Service
• Communicate with you about your account, purchases, and Service updates
• Comply with legal obligations
5. Third-Party Service Providers
We share your data with the following trusted third-party processors. All processors are engaged under GDPR-compliant data processing agreements where required.
Supabase (Auth, Database, File Storage)
Stores user accounts, uploaded files, and generated outputs. Data is hosted in EU West (Ireland), a GDPR-compliant region. Privacy policy: https://supabase.com/privacy
Stripe (Payment Processing)
Handles all payment transactions and subscription management. Stripe is certified under the EU-US Data Privacy Framework. Privacy policy: https://stripe.com/privacy
Replicate (AI Image & Video Generation)
Processes text prompts and reference photos transiently during AI generation. Data is not permanently retained by Replicate. US-based. Standard Contractual Clauses (SCCs) apply. Privacy policy: https://replicate.com/privacy
fal.ai (AI Image Generation)
Processes text prompts and reference photos (as a ZIP file) transiently during generation. Data is not permanently retained by fal.ai. US-based. SCCs apply. Privacy policy: https://fal.ai/privacy
Sentry (Error Monitoring)
Receives anonymized error traces and user IDs for error attribution. US-based. SCCs apply. Privacy policy: https://sentry.io/privacy/
Vercel (Hosting & Serverless Functions)
All HTTP requests to the Service pass through Vercel infrastructure. US-based (AWS). SCCs apply. Privacy policy: https://vercel.com/legal/privacy-policy
Google (OAuth Login)
Used only for the "Sign in with Google" OAuth token exchange. No persistent storage of Google data by CloneGen beyond your email address. Privacy policy: https://policies.google.com/privacy
5a. Special Category Data — Biometric Data (Art. 9 GDPR)
When you upload reference photos of real persons to CloneGen, those photos may constitute biometric data under Article 9 GDPR, as they contain facial features that can be used to uniquely identify an individual. This is a special category of personal data subject to heightened protection.
Legal basis: We process uploaded reference photos exclusively on the basis of your explicit consent (Art. 9(2)(a) GDPR), provided when you upload images and agree to these terms. You may withdraw this consent at any time by deleting your model and associated photos from your account.
We do not use uploaded photos to train AI models, build facial recognition databases, or for any purpose beyond generating images and videos as requested by you.
A Data Protection Impact Assessment (DPIA) pursuant to Art. 35 GDPR has been conducted for the processing of reference photo uploads, given the biometric nature of this data.
Some of our third-party providers are based in the United States. Where your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
• Standard Contractual Clauses (SCCs) as approved by the European Commission
• EU-US Data Privacy Framework certification (where applicable, e.g. Stripe)
Primary user data (account data, uploads, generated content) is stored in Supabase EU West (Ireland) and does not leave the EEA by default.
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:
• Account data is retained for the lifetime of your account
• Uploaded reference photos and generated content are retained until you delete them or close your account
• Payment records are retained as required by German tax and commercial law (typically 10 years)
• Error traces in Sentry are retained according to Sentry's default retention policies
Upon account deletion, we will delete your personal data within 30 days, unless we are required by law to retain it longer.
8. Your Rights Under GDPR
As an EU/EEA resident, you have the following rights regarding your personal data:
• Right of access (Art. 15 GDPR): Request a copy of the data we hold about you
• Right to rectification (Art. 16 GDPR): Request correction of inaccurate data
• Right to erasure (Art. 17 GDPR): Request deletion of your data ("right to be forgotten")
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR): Receive your data in a structured, machine-readable format
• Right to object (Art. 21 GDPR): Object to processing based on legitimate interests
• Right to withdraw consent at any time (where processing is based on consent)
To exercise any of these rights, please contact us at: info@clonegen.app
You also have the right to lodge a complaint with your local data protection supervisory authority. The relevant authority for Germany is:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98, 24103 Kiel | https://www.datenschutzzentrum.de
9. Cookies and Tracking
CloneGen uses session cookies required for authentication (managed by Supabase Auth). We do not use third-party advertising cookies or tracking pixels. We do not use Google Analytics or similar analytics services.
You can control cookies through your browser settings. Disabling session cookies will prevent you from logging in to the Service.
10. Children's Privacy
CloneGen is not directed at or intended for use by persons under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us at info@clonegen.app and we will delete it promptly.
11. Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or destruction. These include:
• All passwords are hashed using Supabase Auth (bcrypt)
• All data in transit is encrypted using TLS/HTTPS
• Access to our database and storage is restricted to authorized systems
• Payment data is handled exclusively by PCI-DSS compliant Stripe infrastructure
Despite our efforts, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or via a notice on the website. The date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes take effect constitutes your acceptance of the updated policy.
13. Contact
For any privacy-related questions, requests, or complaints, please contact:
Andrew Mann
Geesthachter Straße 6, 23556 Lübeck, Germany
Email: info@clonegen.app