
    Privacy Policy

    Last updated: April 2026

    1. Privacy at a glance

    This privacy policy explains how we process your personal data when you visit symban.de or use our service. Personal data is any information that can be used to identify you (e.g. name, email address, IP address).

    We process your data exclusively on the basis of statutory provisions (GDPR, German TDDDG). In this policy we inform you about the most important aspects of data processing on our website and within our service.

    2. Data controller

    The data controller for this website is:

    Michailidou Digital Services I.E.
    Alexia Michailidou
    Zakaria Paliashvili Street 41
    0179 Tbilisi, Georgia
    Email: contact@symban.de

    3. EU representative (Art. 27 GDPR)

    Because the controller is established outside the European Union but processes personal data of individuals in the EU, we have designated an EU representative in writing pursuant to Art. 27 GDPR:

    Admir Xhoxha
    Psaron 17
    12132 Peristeri
    Greece
    Email: contact@symban.de

    For all data protection enquiries and to exercise your rights, you may contact our EU representative directly.

    4. General principles of processing

    4.1 Legal bases

    We process your personal data on the following legal bases:

    • Art. 6(1)(a) GDPR – consent (e.g. cookies, analytics tools)
    • Art. 6(1)(b) GDPR – performance of a contract (e.g. user account, payments)
    • Art. 6(1)(c) GDPR – legal obligation (e.g. retention duties)
    • Art. 6(1)(f) GDPR – legitimate interest (e.g. IT security, server logs)

    4.2 Storage period

    Personal data is stored for as long as necessary for the respective purpose or as required by statutory retention obligations. Specific storage periods are listed in the sections below.

    4.3 Transfer to third countries

    Some of the providers we use are located in the United States or process data in third countries outside the EU/EEA (see Section 11). We make sure that such transfers are based either on the EU-US Data Privacy Framework (DPF), on Standard Contractual Clauses (SCCs) or on your explicit consent. Please be aware that, according to the European Court of Justice (Schrems II, ruling of 16 July 2020), the level of data protection in the United States does not match the European level, and access by US authorities cannot be ruled out.

    5. Data collected when visiting the website

    5.1 Server log files

    When you access our website, technical data is automatically captured in so-called server log files:

    • Browser type and version
    • Operating system
    • Referrer URL
    • Hostname of the requesting computer
    • Time of the server request
    • Anonymised or shortened IP address

    This processing serves the technical provision of the website, IT security and error analysis. The legal basis is Art. 6(1)(f) GDPR (legitimate interest). This data is deleted or anonymised after a maximum of 14 days.

    5.2 Website hosting

    The symban.de website is hosted via GitHub Pages provided by GitHub, Inc. (88 Colin P. Kelly Jr. Street, San Francisco, CA 94107, USA). GitHub automatically processes connection data (in particular the IP address). GitHub is certified under the EU-US Data Privacy Framework. For more information see docs.github.com/site-policy/privacy-policies.

    6. Registration and user account

    To use our service you have to create a user account. We process the following data:

    • Email address
    • Encrypted password (for email registration)
    • For OAuth login: profile information transmitted by the provider (e.g. Google account: email, name)
    • Language preference
    • Time of registration and last logins

    The legal basis is Art. 6(1)(b) GDPR (performance of a contract). Data is stored as long as your account exists. You can have your account deleted at any time via contact@symban.de or your account settings; afterwards your personal data will be deleted, unless statutory retention obligations require otherwise (e.g. accounting and tax obligations to retain invoice data for 10 years).

    OAuth login (Google): If you log in via Google, Google transmits your email address and possibly your name to us. Google’s privacy notice: policies.google.com/privacy.

    7. Processing of your content by the AI pipeline

    At the heart of our service is a multi-stage AI pipeline that allows you to generate, review and revise book manuscripts. We process the following content that you provide:

    • Concepts, character descriptions, plot lines, style bibles, blueprints
    • Generated and manually edited scenes, chapters, books
    • Comments and ratings on generated content
    • Optionally: your own API keys (BYOK – Bring Your Own Key), stored in encrypted form

    For the performance of the contract, this content is forwarded to OpenAI’s AI model (OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA). OpenAI processes this content as a processor within the meaning of Art. 28 GDPR. We have a Data Processing Addendum in place with OpenAI, and OpenAI is certified under the EU-US Data Privacy Framework.

    No model training on user content: Neither we nor OpenAI use the inputs you submit via the API or the generated content to train AI models. This follows from OpenAI’s standard API terms (which differ from the consumer ChatGPT product) and our Terms (§ 4.4).

    The legal basis is Art. 6(1)(b) GDPR (performance of a contract). Content is stored for as long as your project exists; on deletion of the project or the account it is removed from our database. According to OpenAI, API requests are stored for a maximum of 30 days for abuse and security purposes.

    8. Payment processing

    Payments are processed via Stripe Payments Europe, Limited (1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland) and Stripe, Inc. (354 Oyster Point Blvd, South San Francisco, CA 94080, USA). When you take out a paid subscription or purchase additional chapters, you are redirected to a checkout page hosted by Stripe. We do not process payment or credit card data ourselves.

    From Stripe we only receive information about the successful payment and a Stripe customer ID, in order to assign the booked service to your account. The legal basis is Art. 6(1)(b) GDPR. Stripe is certified under the EU-US Data Privacy Framework. Stripe’s privacy notice: stripe.com/privacy.

    9. Email communication

    For sending transactional emails (e.g. confirmations, password resets, invitations) we use Resend (Resend Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA). Resend processes your email address and the content of the email. The legal basis is Art. 6(1)(b) GDPR. We have a Data Processing Addendum with Resend including Standard Contractual Clauses. Privacy notice: resend.com/legal/privacy-policy.

    10. Cookies, local storage and tracking

    We use cookies and comparable technologies (local storage) on our website. Where consent is required we obtain it via our consent banner; technically necessary storage is based on Art. 6(1)(f) GDPR and § 25(2) of the German TDDDG.

    10.1 Technically necessary storage

    • symban_cookie_consent – stores your cookie settings (local storage, until revoked)
    • symban_signup_lang – stores the language chosen during sign-up (local storage, short-term)
    • Supabase auth token – session token for logged-in users (local storage, until logout)

    10.2 Analytics: Google Tag Manager and Google Analytics 4

    We use Google Tag Manager and Google Analytics 4 provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) to statistically evaluate the use of our website. Data may be transferred to Google LLC in the USA. Google is certified under the EU-US Data Privacy Framework.

    This analysis only takes place if you have given your consent. Before you consent, Google Consent Mode v2 is set to “denied”, so no analytics cookies are set and no personal analytics data is transferred to Google. If you consent, the following data is processed: pages visited, time spent, referrer, browser and device information, shortened IP address, pseudonymous user ID. Storage period: max. 14 months.

    Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG. You can withdraw your consent at any time with effect for the future.

    10.3 Change cookie settings

    11. Recipients and processors

    We use the following processors and service providers. Where required, a Data Processing Agreement under Art. 28 GDPR is in place:

    • Supabase Inc. (970 Toa Payoh North #07-04, Singapore 318992) – database, authentication, file storage, edge functions; hosted in Ireland (eu-west-1)
    • OpenAI, L.L.C. (USA) – AI model for text generation; DPF certified; no model training on API data
    • Stripe Payments Europe, Limited (Ireland) and Stripe, Inc. (USA) – payment processing; DPF certified
    • Resend Inc. (USA) – sending of transactional emails; SCCs in place
    • Google Ireland Limited (Ireland) and Google LLC (USA) – Tag Manager, Analytics, OAuth login; DPF certified; only with consent
    • GitHub, Inc. (USA) – hosting of the static website (GitHub Pages); DPF certified
    • Notion Labs, Inc. (USA) – support ticket management (see Section 12); DPF certified

    12. Support chat & contact form

    When you use our support chat or write to us via the contact form at /en/contact, we process the following data:

    • Support chat (agent): your messages, pseudonymised user ID, and – if signed in – your current project context (title, pipeline status, credits balance). Content is transmitted to OpenAI (USA, Responses API with store: false – zero retention) and is NOT used by OpenAI for training.
    • Escalation: If the agent forwards your request to Alexia or you use the contact form, the data (name, email, message, chat history + project context if available) is transferred to our support inbox at Notion (USA, DPF certified) and sent to us by email (via Resend).
    • Legal basis: primarily Art. 6(1)(b) GDPR (performance of contract – support is part of our service), secondarily Art. 6(1)(f) GDPR (legitimate interest in efficient handling).
    • Retention: support conversations are linked to your account and are deleted automatically on account deletion (CASCADE). Notion tickets may be retained for documentation purposes for up to 3 years.
    • Your rights to access, rectification and deletion also apply to support data (see Section 13). For deletion requests, email contact@symban.de.

    13. Your rights as a data subject

    With respect to the personal data concerning you, you have the following rights against us at any time:

    • Right of access (Art. 15 GDPR) – whether and what data we process about you
    • Rectification (Art. 16 GDPR) – of inaccurate data
    • Erasure (Art. 17 GDPR) – “right to be forgotten”
    • Restriction (Art. 18 GDPR) – of processing
    • Data portability (Art. 20 GDPR) – machine-readable export of your data
    • Objection (Art. 21 GDPR) – to processing based on legitimate interests
    • Withdrawal of consent (Art. 7(3) GDPR) – with effect for the future

    To exercise these rights, please contact contact@symban.de or our EU representative (see Section 3). We will process your request without undue delay, at the latest within one month.

    13. Right to lodge a complaint

    Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR), in particular in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.

    14. Data security

    We use SSL/TLS encryption to transmit your data. BYOK API keys are encrypted symmetrically with AES-256 in our database. We take technical and organisational measures to protect your data against accidental or deliberate manipulation, loss, destruction or unauthorised access.

    15. Updates and changes to this policy

    This privacy policy is dated April 2026. Due to the further development of our website and service, or due to changes in legal or regulatory requirements, it may be necessary to update this policy. The current privacy policy can be retrieved at any time at symban.de/en/legal/privacy.