Privacy Policy — Innoverse Platform

Responsible for data processing under the General Data Protection Regulation (GDPR):

Innoverse
Lindenthalgürtel 101, 50935 Cologne, Germany
Email: info@innoverse.art

We have not appointed an external data protection officer because we are not legally required to do so. For all data protection matters please contact us at the email above.

We only collect personal data necessary to use our platform:

A) Creators

• Name / first name
• Email address
• Social media profiles (e.g. Instagram, portfolio)
• Website / portfolio link
• Profile pictures and uploaded content (photos, videos)
• Matching information (e.g. interests, categories, skills, occasions)
• Address, tax and bank/payout details (collected by Stripe directly during Stripe Connect onboarding when a creator licenses content for payment)
• Invoice and transaction data (license fees, deposits, payouts)

B) Brands

• Name / company name
• Email address
• Social media profiles
• Website
• Profile pictures and logos
• Information for evaluating creators
• Billing address, VAT ID and bank/payout details (collected via Stripe and Stripe Connect for rental payouts)
• Invoice and transaction data

C) Technical data

• Server logs of our hosting provider (IP address, user agent, timestamp, requested URL) — created automatically when you use the platform.
• Authentication token stored in your browser's local storage so you stay signed in.

• Platform access and authentication: Enabling login and use of Innoverse.
• Communication: Sending messages, notifications or information relevant to platform use (transactional emails).
• Matching & selection: Assessing whether a creator or brand fits our platform and potential projects (see also Section 9 on automated processing).
• Platform features: Managing your profile, displaying content, processing rentals and licenses, internal analyses to improve the platform.
• Payments & payouts: Processing license fees, rental fees, deposits and payouts via Stripe / Stripe Connect.
• Legal purposes: Fulfilling legal obligations, in particular tax and commercial law retention obligations (§ 147 AO, § 257 HGB) and legal evidence.

• Art. 6 (1)(b) GDPR — performance of the contractual relationship between you and Innoverse.
• Art. 6 (1)(c) GDPR — compliance with legal obligations (tax, accounting, anti-money-laundering).
• Art. 6 (1)(f) GDPR — legitimate interest in matching creators and brands, operating the platform securely, preventing abuse.
• Art. 6 (1)(a) GDPR — consent, where applicable (e.g. optional marketing emails, future optional cookies).

We only store personal data for as long as necessary for the purposes described above or as required by law:

• Account data & profile: for the duration of your account. After deletion of your account, residual data is removed from our active systems within 30 days, unless retention obligations apply.
• Uploaded content (photos, videos): for the duration of your account or until you delete the item, whichever is earlier.
• Invoices, contracts, payment and tax-relevant data: 10 years from the end of the calendar year in which the document was issued (§ 147 AO, § 257 HGB).
• Communication / support emails: generally up to 3 years after the last contact, to handle warranty and legal claims.
• Server / access logs of our hosting provider: up to 30 days, for IT security and abuse prevention; longer only in case of a documented incident.
• Consent records (where consent was the legal basis): for the duration of the consent and 3 years after its withdrawal as evidence.

The Innoverse platform (frontend, backend, database, authentication, file storage, transactional email, AI features) is operated end-to-end through Lovable (Lovable AB, Sveavägen 24-26, 111 57 Stockholm, Sweden). Lovable bundles the underlying application runtime (Cloudflare Workers), database, authentication and file storage (Supabase) and an AI gateway into a single managed product ("Lovable Cloud" / "Lovable AI").

Account, profile, content, message and invoice data is stored in EU data centers. The application code itself runs on Cloudflare's global edge network; for European visitors requests are normally served from EU edge locations.

The use of Lovable is based on Art. 6 (1)(f) GDPR (legitimate interest in operating a secure, scalable platform) and Art. 6 (1)(b) GDPR (performance of the contract). A data processing agreement (DPA) with Lovable is in place. You can request deletion of your account and data at any time.

We work with the following processors who handle personal data on our behalf under data processing agreements (DPAs) in accordance with Art. 28 GDPR:

• Lovable (Lovable AB, Sweden) — application hosting, database, authentication, file storage, transactional email and AI gateway. Data is hosted in the EU; the edge runtime (Cloudflare Workers) is global, see Section 8.
• Stripe (Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland) — payment processing, invoicing, tax compliance, and Stripe Connect onboarding and payouts for both brands and creators. When you onboard to Stripe Connect, Stripe collects identification, tax and bank account information directly and acts as a separate controller for that data under its own privacy policy (https://stripe.com/privacy).

Beyond these processors we do not share your data with third parties except where we are legally required to do so or where you have given us your explicit consent.

DPA with brands: Where a brand processes creator personal data through the platform (e.g. to evaluate applications, license content or manage rentals), Innoverse and the brand conclude a data processing agreement under Art. 28 GDPR. The DPA is part of the cooperation agreement (§ 11) and is available on request at info@innoverse.art.

Personal data is primarily processed within the EU. Limited transfers to third countries can occur in the following cases:

• Cloudflare Workers (edge runtime, used by Lovable): our application code runs on a global edge network. While EU visitors are normally served from EU edge locations, technical metadata (IP address, request headers) can be processed in other regions. Cloudflare is certified under the EU-U.S. Data Privacy Framework and provides EU Standard Contractual Clauses (SCC).
• Stripe: Stripe may transfer payment data to the United States and other countries. Stripe is certified under the EU-U.S. Data Privacy Framework and uses SCCs as additional safeguards.
• AI processing (Lovable AI gateway): If we use AI features (e.g. content moderation, suggestions), prompts may be processed by AI model providers that can operate outside the EU. Transfers are based on SCCs and DPAs; we minimize the personal data included in prompts.

For these transfers we rely on adequacy decisions (where available), on EU Standard Contractual Clauses (Art. 46 (2)(c) GDPR) and on supplementary technical and organizational measures. We have performed a transfer impact assessment (TIA) in line with the Schrems II ruling. You are aware that, despite these safeguards, U.S. authorities may in principle access data transferred to U.S. providers.

Innoverse uses simple automated filters to match creators and brands (e.g. by category, occasion, availability). These filters only pre-sort and pre-rank content; they do not on their own produce legal effects or similarly significant effects on you within the meaning of Art. 22 GDPR.

Decisions that affect you significantly — in particular the approval or rejection of creator applications, the approval of access to a brand piece, and decisions about deposit retention — are always reviewed and made by a human at Innoverse or at the relevant brand. You always have the right to obtain human intervention, to express your point of view and to contest the decision by contacting info@innoverse.art.

Innoverse currently does not use any cookies or similar technologies for tracking, analytics, advertising or profiling. We do not embed third-party analytics, advertising or social media tracking services.

We use the following strictly necessary browser storage, which does not require consent under § 25 (2) No. 2 TDDDG because it is technically required to provide a service explicitly requested by you:

• Authentication token in local storage — keeps you signed in.
• Cookie/notice banner flag in local storage — remembers that you have dismissed the informational cookie notice so we do not show it again.

Should we introduce optional cookies, analytics or marketing tools in the future, we will ask for your explicit consent beforehand via a consent banner (TDDDG / GDPR compliant) and update this policy accordingly. You will then be able to withdraw your consent at any time with effect for the future.

• Right of access to data stored about you (Art. 15 GDPR).
• Right to rectification (Art. 16 GDPR).
• Right to erasure / "right to be forgotten" (Art. 17 GDPR).
• Right to restrict processing (Art. 18 GDPR).
• Right to data portability (Art. 20 GDPR).
• Right to object to processing based on legitimate interest (Art. 21 GDPR).
• Right to withdraw consent at any time, where processing is based on consent (Art. 7 (3) GDPR).

To exercise your rights, please contact us at info@innoverse.art.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.

The supervisory authority competent for Innoverse is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2-4, 40213 Düsseldorf, Germany
https://www.ldi.nrw.de

All personal data is protected by technical and organizational measures (encryption in transit via TLS, access controls, role-based authorization in the database, logging) to prevent unauthorized access, loss or misuse. In case of data breaches, we promptly notify the competent data protection authority and, where applicable, affected users.

We reserve the right to adjust this privacy policy, e.g. due to changes in legal requirements or platform features. Changes will be published on the platform.

For privacy questions, contact us at: info@innoverse.art