Legal
Privacy Policy
This policy separates salon owner data from salon end-customer data. The final text should be legally reviewed before launch.
Controller
Nils Thomsen, Westerende 3, 25884 Norstedt, Email: hey@frizzai.com
Data protection contact
Data protection requests can be sent to the email address listed above. If a data protection officer is legally required, their contact will be added here.
Website and log files
When visiting the website, we process IP address, time, user agent, and referrer for technical delivery and security. The legal basis is Art. 6(1)(f) GDPR.
Storage on your device
For the technical operation of the website we use required storage mechanisms (e.g. session, language choice, cookie notice state). In addition, we use the Meta Pixel and Vercel Web Analytics for conversion and reach measurement. Section 25 TDDDG applies; non-essential storage access only happens on the basis of consent.
Meta Pixel and conversion tracking
We use the Meta Pixel by Meta Platforms Ireland Ltd. (4 Grand Canal Square, Dublin 2, Ireland) to measure reach and conversions for our ads on Facebook and Instagram. When you visit the website, the pixel transmits IP address, user agent, referrer, visited URL and click IDs (e.g. fbclid) to Meta. Meta may process these data in the United States and combine them with its own user profiles. The legal basis is your consent under Art. 6(1)(a) GDPR and Section 25(1) TDDDG. Consent can be withdrawn at any time with effect for the future, e.g. via browser settings, an installed add-on or this site's cookie notice. We have entered into a joint controllership arrangement with Meta under Art. 26 GDPR as well as Standard Contractual Clauses under Art. 46 GDPR for transfers to the United States.
Vercel Web Analytics
We use Vercel Web Analytics by Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA) for reach and performance measurement. Vercel works largely without cookies, using daily rotating, hashed visitor IDs without persistent recognition. Anonymized usage data such as page view, referrer, approximate region, device type and browser are processed. The legal basis is our legitimate interest in statistical analysis and stability of our service under Art. 6(1)(f) GDPR. Transfers to the United States are safeguarded by Standard Contractual Clauses under Art. 46 GDPR. You can object to the processing at any time using the data protection email address listed above.
Server log analytics and campaign tracking
We aggregate reach data from the technical server logs of our hoster Vercel (e.g. number of visits per path, top referrers, UTM parameters, click IDs). No additional personal profile is created; the analysis is used solely to evaluate the success of running ads. The legal basis is Art. 6(1)(f) GDPR.
Newsletter and launch discounts
If you sign up for the newsletter, we process your email address, language, domain, campaign parameters, and confirmation status to verify the signup through double opt-in, send the newsletter, and provide a launch discount. The legal basis is your consent under Art. 6(1)(a) GDPR. You can withdraw consent at any time through the unsubscribe link in the newsletter or by email.
Salon accounts
For salon owners, we process email address, salon name, Stripe customer ID, contract status, and technical usage data to fulfill the contract under Art. 6(1)(b) GDPR.
Payments via Stripe
Payments are processed through Stripe Payments Europe. Payment and contract data may be transferred to Stripe. Details are available in Stripe's privacy notices.
AI image processing
End-customer photos are processed only for the respective hairstyle consultation. Photos are not used by FRIZZAI! for public profiles, advertising, or training purposes. The goal is temporary processing without permanent photo storage; technical logs do not contain image files. The salon is the controller; FRIZZAI! acts as processor.
Notice on AI-generated content
Generated hairstyle previews are synthetic media produced by an AI model. They are visibly labelled as AI-generated within the image (Art. 50 EU AI Act). The preview is an approximation; the actual salon result may differ.
Salon notice
The salon must inform customers before taking a photo and ensure a suitable consent or other legal basis.
Data processing agreement
A data processing agreement under Art. 28 GDPR is concluded for salon end-customer data. The DPA is part of onboarding.
Subprocessors
- Vercel: hosting, serverless functions, website delivery, EU/US possible, DPA/SCC to be reviewed; EU function region to be configured
- Supabase: database, authentication, storage, EU/Frankfurt, DPA required
- Stripe Payments Europe: payment processing, Ireland/possible US transfer, DPA/SCC to be reviewed
- Google Gemini API: AI image processing, EU region targeted, DPA/subprocessor setup to be reviewed
- IONOS SMTP: transactional emails, Germany/EU, DPA required
International transfers
Some subprocessors (in particular Stripe and Google) may also process data in the United States. Such transfers are based on Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR with supplementary measures and, where certified, on the EU-US Data Privacy Framework. Current status per processor is listed above.
Retention
Account and contract data are stored for the contract term and then deleted or anonymized according to legal requirements. Photo and session data are processed only as long as technically required for the consultation; image files are not stored as a salon archive.
Data subject rights
Data subjects have rights to access, rectification, deletion, restriction, portability, objection, and complaint with a data protection supervisory authority.
Withdrawal of consent
Consents can be withdrawn at any time with effect for the future. Withdrawal does not affect processing that has already taken place.
Last updated
May 10, 2026