Grape Butler
Sign inGet started
This is a courtesy translation. The German version is legally binding.

Privacy Policy

Last updated: March 2026

1. Data Controller

Nikolaus Kemetner
Obere Marktstraße 2
3492 Etsdorf am Kamp
Austria

Phone: +43 676 9038254
Email: office@grapebutler.com

2. Overview of Processing Activities

The following overview summarises the types of data processed, the purposes of processing, and the data subjects concerned.

Types of data processed

  • Master data (e.g. name, address)
  • Contact data (e.g. email, phone number)
  • Content data (e.g. uploaded photos, text input)
  • Usage data (e.g. pages visited, access times)
  • Meta/communication data (e.g. IP addresses, device information)
  • Payment data (e.g. bank details for invoicing)

3. Legal Basis

The processing of personal data is carried out on the basis of the following legal grounds under the GDPR:

  • Consent (Art. 6(1)(a) GDPR): The data subject has given consent to the processing.
  • Performance of a contract (Art. 6(1)(b) GDPR): Processing is necessary for the performance of a contract or for pre-contractual measures.
  • Legal obligation (Art. 6(1)(c) GDPR): Processing is necessary for compliance with a legal obligation (e.g. tax retention requirements).
  • Legitimate interests (Art. 6(1)(f) GDPR): Processing is necessary for the purposes of legitimate interests, provided that the interests of the data subject do not override.

4. Provision of the Online Service and Web Hosting

We process user data in order to provide our online services. For this purpose, we process the user's IP address, which is necessary to deliver the content and functions of our online services to the user's browser or device.

  • Data types processed: Usage data, meta/communication data
  • Data subjects: Users of our website
  • Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)

Hosting

Our website is hosted by Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, USA). Vercel processes the above-mentioned data on our behalf. Data transfers to the USA are based on the EU-US Data Privacy Framework. Further information can be found in the Vercel Privacy Policy.

5. Registration and User Account

Users can create a user account. During registration, users are informed of the required mandatory information, which is processed for the purpose of providing the user account on the basis of contractual obligation.

Authentication is handled by WorkOS Inc. (San Francisco, CA, USA). WorkOS processes email address and name. Data transfers to the USA are based on the EU-US Data Privacy Framework. Further information: WorkOS Privacy Policy.

  • Data types processed: Master data, contact data
  • Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)

6. Order Processing and Photo Processing

When you place an order for photo editing, we process the images you upload as well as your contact and order data to fulfil the order.

The uploaded image files are stored at Cloudflare R2 (Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA). Data transfers to the USA are based on the EU-US Data Privacy Framework.

Order data is stored in the Convex database (Convex Inc., San Francisco, CA, USA).

  • Data types processed: Master data, contact data, content data, payment data
  • Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)
  • Retention period: Uploaded images and finished results remain permanently available in your user account as long as your account exists. Invoice data is retained in accordance with statutory retention periods (7 years pursuant to BAO).

7. Email Communication

For sending order confirmations and status notifications, we use the service Resend (Resend Inc., San Francisco, CA, USA). Resend processes your email address and message content on our behalf. Further information: Resend Privacy Policy.

  • Data types processed: Contact data
  • Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)

8. Cookies and Storage Technologies

We use technically necessary cookies and — with your consent — cookies for analytics and advertising purposes. Technically necessary cookies are set without your consent as they are essential for providing the service (Section 165(3) TKG 2021). For all other cookies, we obtain your explicit consent via our cookie banner.

Technically necessary cookies

  • Session cookies: To maintain your session after login
  • Authentication cookies: To identify logged-in users

Analytics cookies (with consent only)

  • Google Analytics: Cookies from Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) to analyse website usage. The data collected (e.g. page views, time on site, device type) is anonymised and used to improve our services. IP anonymisation is enabled. Retention period: up to 14 months. Further information: Google Privacy Policy.

Marketing cookies (with consent only)

  • Google Ads (Conversion-Tracking): Cookies from Google Ireland Limited to measure the effectiveness of our advertisements. When you reach our website via a Google ad, a cookie is set to track the conversion. This data is not used for personal identification. Further information: Google Privacy Policy.
  • Meta Pixel (Facebook/Instagram): Cookies from Meta Platforms Ireland Limited (Merrion Road, Dublin 4, Ireland) to measure the effectiveness of our advertisements on Facebook and Instagram and to create audiences. Further information: Meta Privacy Policy.

You can adjust your cookie settings at any time via our cookie banner or withdraw your consent.

9. Web Analytics and Advertising

Google Analytics

We use Google Analytics, a web analytics service provided by Google Ireland Limited. Google Analytics uses cookies that enable analysis of your use of the website. The information generated by the cookie is usually transferred to a Google server in the USA and stored there. The transfer is based on the EU-US Data Privacy Framework.

  • Legal basis: Consent (Art. 6(1)(a) GDPR)
  • Opt-out: You can prevent data collection by Google Analytics by adjusting your cookie settings or installing the Google browser add-on: Google Analytics Opt-out

Google Ads

We use Google Ads Conversion Tracking by Google Ireland Limited to measure the effectiveness of our advertising campaigns. When you reach our website via a Google ad, a conversion cookie is set. These cookies expire after 30 days and are not used for personal identification.

  • Legal basis: Consent (Art. 6(1)(a) GDPR)

Meta Pixel (Facebook/Instagram)

We use the Meta Pixel by Meta Platforms Ireland Limited to measure the effectiveness of our advertisements on Facebook and Instagram and to create audiences for ads. When visiting our website, the Meta Pixel establishes a direct connection to Meta's servers. The transfer to the USA is based on the EU-US Data Privacy Framework.

  • Legal basis: Consent (Art. 6(1)(a) GDPR)
  • Opt-out: You can prevent data collection via your cookie settings or via the Facebook ad settings disable.

10. Data Transfer to Third Countries

In the course of our data processing, data is transferred to service providers in the USA. The transfer is based on the EU-US Data Privacy Framework (adequacy decision of the European Commission pursuant to Art. 45 GDPR). All US service providers used are certified under the EU-US Data Privacy Framework.

11. Retention Period

Personal data is only stored for as long as necessary for the respective processing purposes or as required by statutory retention obligations:

  • Contract data: For the duration of the contractual relationship and beyond in accordance with statutory retention periods (7 years pursuant to Section 132 BAO)
  • Uploaded images: Permanently available in your user account as long as your account exists; deleted after account deletion
  • Server-Logfiles: Maximum 30 days
  • User account data: Until the account is deleted by the user

12. Your Rights

As a data subject, you have the following rights under the GDPR:

  • Right of access (Art. 15 GDPR): You have the right to obtain information about the personal data we process.
  • Right to rectification (Art. 16 GDPR): You can request the rectification of inaccurate data.
  • Right to erasure (Art. 17 GDPR): You can request the deletion of your data, provided no statutory retention obligations apply.
  • Right to restriction (Art. 18 GDPR): You can request the restriction of processing of your data.
  • Right to data portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used, and machine-readable format.
  • Right to object (Art. 21 GDPR): You can object to the processing of your data at any time.
  • Withdrawal of consent (Art. 7(3) GDPR): You can withdraw consent given at any time with effect for the future.

13. Right to Lodge a Complaint with a Supervisory Authority

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the competent supervisory authority:

Austrian Data Protection Authority
Barichgasse 40–42
1030 Vienna
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at

14. Automated Decision-Making

No automated decision-making including profiling within the meaning of Art. 22 GDPR takes place. The AI-assisted image editing is used exclusively for optimising your product photos and does not lead to any legal or similarly significant decisions.

15. Changes to This Privacy Policy

We reserve the right to amend this privacy policy to ensure it always complies with current legal requirements or to implement changes to our services. The new privacy policy will apply to your next visit.