ReArt
← Back

Privacy Policy

Last updated: July 14, 2026

1. Controller

ByteLane UG (haftungsbeschränkt)
Kolonnenstraße 8, 10827 Berlin, Germany
Email: nik@bytelane.io

2. What We Collect & Legal Basis

When you use ReArt, we collect and process the following data depending on how you interact with the service. For each category, we state the legal basis under GDPR Art. 6(1):

  • Account data — Email address, name, and authentication data when you sign up (managed by Clerk). Legal basis: Art. 6(1)(b) — performance of contract.
  • Uploaded images — Photos you upload for artistic transformation, stored on Cloudflare R2. Legal basis: Art. 6(1)(b) — performance of contract.
  • Generated artwork — AI-generated images created from your uploads. Legal basis: Art. 6(1)(b) — performance of contract.
  • Payment data — Billing and shipping address when you order a print (processed by Stripe; we do not store full card details). Legal basis: Art. 6(1)(b) — performance of contract.
  • Contact form submissions — Name, email, and message content when you use our contact form. Legal basis: Art. 6(1)(b) — pre-contractual enquiry / Art. 6(1)(f) — legitimate interest in responding to enquiries.
  • Order feedback — After a print order is delivered, we send one email asking how it turned out. If you respond, we store your rating, your comments, and — only if you explicitly agree — permission to publish your comments as a customer review (first name only). You can object to feedback emails at checkout and in every such email, free of charge; we then keep only your email address on a suppression list so we never ask again. Legal basis: §7(3) UWG / Art. 6(1)(f) — legitimate interest in improving our product for existing customers; Art. 6(1)(a) — consent for publishing reviews.
  • Usage data — Pseudonymous product analytics via PostHog (EU servers) to understand how the service is used. When you sign in, we link your account ID to product events. In the EEA / UK / Switzerland, analytics cookies, session replay, and enrichment with email and name are enabled only after consent. Legal basis: Art. 6(1)(f) — legitimate interest in improving the service; Art. 6(1)(a) — consent for those additional analytics features in the EEA / UK / Switzerland.
  • Advertising measurement data — For visitors outside the EEA / UK / Switzerland, and for visitors inside those regions who have accepted cookies, we share hashed identifiers (e.g. hashed email, IP address, browser user-agent, click ID) with Meta Platforms to measure the effectiveness of our advertising. Legal basis (EEA/UK/CH): Art. 6(1)(a) — consent. Legal basis (other regions): legitimate interest, with notice and opt-out as required by applicable law (e.g. CCPA/CPRA).
  • Bot protection data — Cloudflare Turnstile collects device and interaction signals to distinguish humans from bots. No personal data is stored by us. Legal basis: Art. 6(1)(f) — legitimate interest in preventing abuse.

3. How We Use Your Data

  • To provide the photo-to-art transformation service.
  • To process and fulfill print orders.
  • To authenticate your account and secure access.
  • To improve the service through pseudonymous product analytics.
  • To communicate with you about your orders, account, and support enquiries.
  • To ask once, after delivery, how your print turned out (unless you have opted out).
  • To protect the service from abuse and automated attacks.

4. Third-Party Services

We use the following third-party services to operate ReArt:

  • Clerk (US) — Authentication and user management.
  • Cloudflare (Global/EU) — Hosting, CDN, image storage (R2), edge computing, and bot protection (Turnstile).
  • Stripe (US) — Payment processing. Subject to Stripe's Privacy Policy.
  • Print fulfillment partner (EU) — Receives your shipping address and artwork to produce and ship your print order.
  • Product analytics provider (EU) — Pseudonymous product analytics. Data hosted in the EU. For visitors in the EEA / UK / Switzerland, persistent analytics storage and session replay are used only after consent.
  • Email delivery provider (US) — Transactional email delivery (order confirmations, notifications).
  • AI image generation provider (US) — Your uploaded images are sent to a third-party AI service for artistic transformation. We select providers that commit to deleting input and output data after processing and that do not use your images for model training.
  • Address autocomplete provider (US) — Processes address input during checkout to suggest matching addresses. No personal data is stored by us from this service.
  • Server monitoring provider (US) — Server-side logging and error monitoring for service reliability. May process IP addresses and request metadata in server logs.
  • Meta Platforms, Inc. (US) — Conversion measurement and ad attribution via the Meta Pixel and Meta Conversions API. Receives hashed identifiers and event metadata, used to attribute ad campaigns and to build look-alike audiences. Only loads in the EEA / UK / Switzerland after you accept cookies. Subject to Meta's Privacy Policy.

5. Data Transfers

Some of our service providers are based in the United States. These transfers are protected by the EU-US Data Privacy Framework (DPF) or Standard Contractual Clauses (SCC). Analytics and print fulfillment are processed within the EU.

6. Data Retention

Uploaded images and generated artwork are retained while your account is active. You can delete your designs at any time. Payment records are retained as required by tax law (typically 10 years under German law). Account data is deleted upon account deletion.

Order feedback (rating and comments) is retained alongside the order and deleted on an erasure request — except where you have agreed to publication as a review, in which case we keep the consent record for as long as the review is published. Feedback-email suppression entries are kept even after an erasure request: they are the record of your objection and contain only your email address — deleting them would risk contacting you again (Art. 17(3)(b)/(e) GDPR).

7. Your Rights (GDPR)

Under the GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Request deletion of your data.
  • Restrict or object to processing.
  • Data portability.
  • Withdraw your consent at any time, where processing is based on consent. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Lodge a complaint with a supervisory authority (Berliner Beauftragte für Datenschutz und Informationsfreiheit).

To exercise these rights, contact us at nik@bytelane.io.

8. Automated Decision-Making

ReArt uses AI to generate artwork from your uploaded photos. This process is automated but does not produce legal or similarly significant effects — it is a creative tool used at your direction. You can regenerate artwork or choose different styles at any time.

9. Cookies & Tracking

ReArt uses the following cookies:

  • Clerk session cookies — Essential cookies required for authentication and keeping you signed in.
  • geo — A functional cookie that stores your approximate region to apply the correct privacy settings. No personal data is stored.
  • cookie_consent_v2 — Stores your cookie preference across the ReArt website and platform (essential).
  • PostHog analytics cookie — Stores a pseudonymous visitor and session identifier so one analytics session can continue across the ReArt website and platform. In the EEA / UK / Switzerland, it is set only after you choose “Accept all”.
  • _fbp / _fbc — First-party cookies used by the Meta Pixel for advertising measurement and audience building. Only set for visitors outside the EEA / UK / Switzerland, or for visitors inside those regions who have chosen “Accept all” in the consent banner.
  • reart_attr — First-party cookie (up to 90 days) that records the marketing source of your first visit (e.g. UTM campaign tags, ad click ids, referring site) so we can measure which campaigns work. It is not set at all for visitors in the EEA / UK / Switzerland. It stores only the campaign/source values contained in the link you arrived from — not your account or contact details — and any referring site is reduced to its domain.

For users in the European Economic Area, the United Kingdom, and Switzerland, basic analytics uses no persistent browser storage by default. Analytics cookies, session replay, and the Meta Pixel remain disabled unless you choose “Accept all”. We rely on Art. 6(1)(f) GDPR (legitimate interest) for basic analytics and Art. 6(1)(a) GDPR (consent) for analytics cookies, session replay, and advertising measurement. You can withdraw consent at any time via the “Cookie settings” link in the footer.

For California residents and other US visitors with a Global Privacy Control signal: if you wish to opt out of the sharing of your personal information for advertising purposes, please email us at nik@bytelane.iowith the subject line “Do Not Sell or Share My Personal Information”. We will honour the request and confirm processing within the time frames required by applicable law.

10. Changes

We may update this policy from time to time. Material changes will be communicated via email or a notice on the service.