Privacy Policy
Last Updated: December 7, 2025
1. Introduction
FollowerX GmbH ("we", "us", "our", or "Company") operates the Twentyfirst AI platform ("Service", "Platform", or "Website"). We take the protection of your personal data very seriously and treat your personal information confidentially and in accordance with statutory data protection regulations, including the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
This Privacy Policy explains how we collect, use, process, store, and protect your personal data when you use our Service. By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy.
2. Data Controller
The data controller responsible for the processing of your personal data is:
FollowerX GmbH
Bei St. Annen 2
20457 Hamburg, Germany
Email: business(at)twentyfirst.ai
Phone: +49 160 4522230
VAT ID: DE343792884
Note: For customer support inquiries, please use our support page at /support, not the email address above.
3. Types of Data We Collect
3.1 Account and Registration Data
When you register for an account with our Service, we collect certain information that is necessary to create and manage your account. The primary piece of information we collect is your email address, which serves as your unique account identifier and is required for account creation. Your email address is used not only for account identification but also for important communications such as account verification, password resets, subscription confirmations, and service-related notifications.
During registration, you will be asked to create a password to secure your account. It is important to understand that we never store your password in plain text. Instead, we use industry-standard cryptographic hashing algorithms (specifically bcrypt) to securely hash your password before storing it in our database. This means that even if our database were compromised, your actual password would remain protected and could not be recovered from the stored hash. You are responsible for maintaining the confidentiality of your password and should never share it with anyone.
We may also collect your full name, though this is optional and not required for account creation. If you choose to provide your full name, it may be used to personalize your experience, for billing purposes, and for customer support interactions. If you authenticate using OAuth providers such as Google, we may collect your profile image from that provider to enhance your account profile.
We automatically collect and store your language preference, which allows us to customize your experience by displaying the Service in your preferred language. We also record metadata about your account, including the date and time of account creation and the timestamp of your last login. This information helps us provide account security, detect suspicious activity, and improve our Service.
3.2 Authentication Data
If you choose to authenticate using OAuth providers such as Google, we collect and store certain authentication-related data to enable seamless login and account management. This includes identifying which OAuth provider you used (e.g., Google), as well as your unique account identifier from that provider, which allows us to associate your OAuth account with your Service account.
To maintain your authenticated session and enable automatic re-authentication, we store access tokens and refresh tokens provided by the OAuth provider. These tokens are encrypted before storage to ensure their security. Access tokens allow us to verify your identity with the OAuth provider, while refresh tokens enable us to obtain new access tokens when your current ones expire, ensuring uninterrupted access to the Service without requiring you to repeatedly log in.
We also collect profile information that the OAuth provider makes available to us, which typically includes your name, email address, and profile picture. This information is used to populate your account profile and personalize your experience. The specific information we receive depends on what the OAuth provider makes available and what permissions you grant during the OAuth authentication process.
3.3 Subscription and Payment Data
To manage your subscription and process payments, we collect and maintain certain subscription and payment-related information. This includes details about your subscription plan and tier, which determine the features and credit allocations available to you. We also track your subscription status, including whether your subscription is active, canceled, past due, or in a trial period, as well as important dates such as your subscription start date, renewal dates, and expiration dates.
When you subscribe, we create a customer record with Stripe, our payment processor, and we store the Stripe customer ID that links your Service account to your Stripe customer record. This allows us to manage your subscription, process payments, and handle billing-related issues. We may also store your billing address if you provide it, which is used for billing purposes and tax compliance.
We track your credit balance and usage to manage your subscription and provide you with information about your account status. This includes monitoring how many credits you have available, how many credits you have consumed, and when credits are allocated or expire. We also maintain information about your billing cycle, including whether you are on a monthly or yearly billing cycle and when your next billing date occurs.
Important Security Information: We do not store credit card numbers, bank account information, or any other sensitive payment information. All payment method information, including credit card numbers, is processed and stored exclusively by Stripe, our payment processor, which is certified as a PCI DSS Level 1 Service Provider, the highest level of certification available. This means that Stripe maintains the strictest security standards for handling payment information, and we never have access to your full credit card number or other sensitive payment details. This separation of payment data provides an additional layer of security and ensures that your payment information is handled by a specialized, secure payment processor.
3.4 Company Information (Business Accounts)
For business accounts, we collect additional information necessary to provide business-specific features and ensure compliance with tax and regulatory requirements. This includes your company's legal name, which is used for billing, invoicing, and account identification purposes. We may also collect your company's website address, which helps us understand your business and may be used for verification purposes.
We collect your company description, which provides context about your business and helps us tailor our services to your needs. Your company's official address is collected for billing purposes, tax compliance, and to ensure we can provide proper invoicing documentation. We may also collect your company's phone number for business communications and account verification.
For businesses operating in jurisdictions that require VAT registration, we collect your VAT number (Value Added Tax identification number). This is essential for proper tax handling, invoicing, and compliance with tax regulations in various jurisdictions, particularly within the European Union. The VAT number allows us to issue proper tax-compliant invoices and handle tax obligations correctly.
3.5 Usage Data
When you use our Service, we automatically collect comprehensive usage data that helps us understand how you interact with the platform and enables us to provide, improve, and optimize our services. This usage data includes detailed information about which AI models you use, when you use them, and how frequently you access different models. This information helps us understand user preferences, optimize our model catalog, and improve the user experience.
We collect prediction data, which includes both the inputs you provide to AI models (such as prompts, images, or other data you submit) and the outputs generated by the models. This data is stored to enable you to access your prediction history, review past generations, and manage your content. The storage of prediction data is essential for providing core functionality of the Service, as it allows you to view, download, and manage the content you have created using our platform.
We track which models you have marked as favorites or saved for quick access, which helps us personalize your experience and provide recommendations. We monitor your credit consumption in real time, tracking how many credits you use for each request and maintaining a running balance. This enables accurate billing, prevents overconsumption, and helps you manage your subscription effectively.
Session information is collected to maintain your authenticated session, ensure security, and provide a seamless user experience. This includes information about when you log in, how long your sessions last, and when you log out. We also collect feature usage statistics, which help us understand which features are most valuable to users, identify areas for improvement, and guide our product development decisions.
3.6 Technical Data
We automatically collect technical information about your device and how you access our Service. This technical data is essential for providing, securing, and improving our Service. Your IP address is collected to enable communication between your device and our servers, to detect and prevent fraud and abuse, and to comply with legal obligations. We anonymize IP addresses where possible, particularly for analytics purposes, to protect your privacy while still enabling us to analyze usage patterns and improve our Service.
We collect information about your browser type and version, which helps us ensure compatibility, optimize performance, and troubleshoot technical issues. Device information, including device type (mobile, tablet, desktop), screen resolution, and device capabilities, is collected to optimize the user experience for your specific device and to ensure our Service functions correctly across different platforms.
Your operating system information is collected for similar compatibility and optimization purposes. We may collect the referrer URL, which indicates the website or page you visited before accessing our Service. This information helps us understand how users discover our Service and enables us to improve our marketing and user acquisition efforts.
We track which pages you visit and how much time you spend on different pages. These usage analytics help us understand user behavior, identify popular features, and optimize the user experience. We also record the date and time of access for security purposes, to detect suspicious activity, and to comply with legal and regulatory requirements.
3.7 Communication Data
If you contact us through our support page or other communication channels, we collect:
- Your name and email address
- Message content
- Communication history
- Any attachments you send
3.8 Newsletter and Marketing Data
If you subscribe to our newsletter or marketing communications, we collect:
- Email address
- Subscription preferences
- Open and click rates (if you consent to tracking)
4. How We Use Your Data
We use your personal data for the following purposes:
4.1 Service Provision
The primary purpose for which we process your personal data is to provide you with access to our Service and to fulfill our contractual obligations to you. This includes creating and managing your account, which requires processing your registration information, authentication credentials, and account preferences. Without processing this data, we would be unable to create your account, verify your identity, or provide you with access to the Service.
We process your data to provide you with access to AI models and features. This includes processing your usage data to execute AI model requests, storing your prediction history so you can access your generated content, and managing your favorites and saved models. We also process your subscription and payment data to manage your subscription, process payments, allocate credits, and track credit usage to ensure accurate billing and prevent overconsumption.
Customer support is an essential part of our Service, and we process your communication data, account information, and usage history to provide you with effective support. This enables us to understand your issue, access relevant account information, and provide appropriate assistance. We also process your data to send you service-related communications, such as account verification emails, password reset instructions, subscription confirmations, billing notifications, and important service updates. These communications are essential for account security and service delivery.
4.2 Legal Basis: Contract Performance (Art. 6(1)(b) GDPR)
We process your data to fulfill our contractual obligations to you, including providing the Service, processing payments, and managing your subscription.
4.3 Service Improvement
We process your usage data and technical data to analyze usage patterns and improve our Service. By understanding how users interact with our platform, which features are most popular, and where users encounter difficulties, we can make informed decisions about product development, feature prioritization, and user experience improvements. This analysis helps us identify trends, optimize performance, and ensure our Service continues to meet user needs.
The insights gained from analyzing usage data guide our development of new features and functionality. By understanding user behavior and preferences, we can develop features that provide genuine value and enhance the user experience. This data-driven approach to product development ensures that we invest our development resources in features that will be most beneficial to our users.
We use technical data and usage analytics to optimize the user experience across different devices, browsers, and platforms. This includes optimizing page load times, improving interface responsiveness, ensuring compatibility across different technical environments, and personalizing the experience based on user preferences and behavior patterns.
Technical data is also essential for identifying and fixing technical issues. When problems occur, technical information such as browser type, device information, error logs, and usage patterns help us diagnose issues, understand their scope and impact, and develop fixes. This proactive approach to technical maintenance ensures that our Service remains reliable and performs well for all users.
4.4 Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR)
We process data based on our legitimate interests in improving our Service, ensuring security, and preventing fraud, provided your interests and fundamental rights do not override these interests.
4.5 Marketing and Communications
- To send marketing communications (only with your consent)
- To send newsletters (only with your consent)
- To provide information about new features and updates
4.6 Legal Basis: Consent (Art. 6(1)(a) GDPR)
We process marketing and analytics data based on your consent, which you can withdraw at any time.
4.7 Legal Compliance
- To comply with legal obligations (e.g., tax law, data retention requirements)
- To respond to legal requests and court orders
- To protect our rights and prevent fraud
4.8 Legal Basis: Legal Obligation (Art. 6(1)(c) GDPR)
We process data to comply with legal obligations, such as tax and accounting requirements.
5. Third-Party Services and Data Sharing
We use third-party services to provide and improve our Service. We share data with these providers only as necessary:
5.1 Payment Processing - Stripe
Service: Payment processing and subscription management
Data Shared: Customer ID, subscription details, billing information
Purpose: Processing payments and managing subscriptions
Privacy Policy: https://stripe.com/privacy
Location: United States (with appropriate safeguards)
5.2 AI Model Provider - Replicate
Service: AI model execution and processing
Data Shared: Model inputs and outputs, user requests
Purpose: Executing AI model predictions
Privacy Policy: https://replicate.com/privacy
Location: United States (with appropriate safeguards)
5.3 Analytics - Google Analytics
Service: Website analytics and usage statistics
Data Shared: Anonymized usage data, page views, user interactions (only with consent)
Purpose: Understanding how users interact with our Service
Privacy Policy: https://policies.google.com/privacy
Location: United States (with appropriate safeguards)
Note: IP addresses are anonymized. You can opt out via cookie preferences.
5.4 Advertising - Google Ads
Service: Online advertising and conversion tracking
Data Shared: Conversion events, anonymized user data (only with consent)
Purpose: Measuring advertising effectiveness and conversion tracking
Privacy Policy: https://policies.google.com/privacy
Location: United States (with appropriate safeguards)
Note: You can opt out via cookie preferences.
5.5 Translation Services - OpenAI and DeepL
Service: Content translation and generation
Data Shared: Content to be translated, model documentation
Purpose: Translating content and generating descriptions
Privacy Policies: OpenAI, DeepL
Location: United States / European Union
5.6 Authentication - NextAuth
Service: User authentication and session management
Data Shared: Authentication tokens, session data
Purpose: Managing user authentication and sessions
Privacy Policy: https://next-auth.js.org
Location: Data stored on our servers
5.7 OAuth Providers (Google)
Service: Social authentication
Data Shared: Profile information (name, email, profile picture) - only what you authorize
Purpose: User authentication
Privacy Policy: https://policies.google.com/privacy
5.8 Data Processing Agreements
We have Data Processing Agreements (DPAs) in place with all third-party service providers that process personal data on our behalf, ensuring they comply with GDPR requirements.
6. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to track activity on our Service and store certain information.
6.1 Types of Cookies
Necessary Cookies: Required for the Service to function (e.g., authentication, language preferences). These cannot be disabled.
Analytics Cookies: Help us understand how visitors use our Service (e.g., Google Analytics). These require your consent.
Marketing Cookies: Used for advertising and conversion tracking (e.g., Google Ads). These require your consent.
6.2 Cookie Management
You can manage your cookie preferences at any time through our cookie banner or your browser settings. However, disabling necessary cookies may affect Service functionality.
7. Data Storage and Retention
7.1 Data Storage Location
Your personal data is primarily stored on servers located in the European Union. Some third-party services may process data in the United States or other countries, but we ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses).
7.2 Data Retention Periods
We retain your personal data only for as long as necessary:
- Account Data: Retained while your account is active and for 3 years after account deletion (for legal compliance)
- Payment Data: Retained for 10 years (tax and accounting requirements)
- Usage Data: Retained for 2 years for analytics purposes
- Communication Data: Retained for 3 years after last contact
- Marketing Data: Retained until you withdraw consent or unsubscribe
7.3 Data Deletion
You can request deletion of your account and associated data at any time. We will delete your data within 30 days, except where we are required to retain it for legal compliance.
8. Your Rights Under GDPR
As a data subject, you have the following rights:
8.1 Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether personal data concerning you is being processed and to access that data, including copies of the data.
8.2 Right to Rectification (Art. 16 GDPR)
You have the right to have inaccurate personal data corrected and incomplete data completed.
8.3 Right to Erasure (Art. 17 GDPR)
You have the right to request deletion of your personal data ("right to be forgotten"), subject to certain exceptions (e.g., legal retention requirements).
8.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request restriction of processing of your personal data in certain circumstances.
8.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
8.6 Right to Object (Art. 21 GDPR)
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
8.7 Right to Withdraw Consent (Art. 7 GDPR)
If processing is based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
8.8 Right to Object to Automated Decision-Making (Art. 22 GDPR)
We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you. If this changes in the future, we will inform you and provide you with the right to object to such processing.
8.9 Right to Lodge a Complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement.
The responsible supervisory authority for us is:
Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Straße 22, 7th Floor
20459 Hamburg, Germany
Phone: +49 40 428 54-4040
Email: mailbox@datenschutz.hamburg.de
Website: https://datenschutz-hamburg.de
8.10 Exercising Your Rights
To exercise any of these rights, please contact us at business(at)twentyfirst.ai (replace "(at)" with "@") or through our support page. We will respond to your request within one month.
9. Data Security and Breach Notification
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- Encryption of data in transit (TLS/SSL)
- Encryption of sensitive data at rest
- Secure password storage (bcrypt hashing)
- Regular security audits and updates
- Access controls and authentication
- Secure database management
- Regular backups
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
9.1 Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay, and in any event, no later than 72 hours after becoming aware of the breach, in accordance with Art. 33 and 34 GDPR. We will provide clear information about the nature of the breach, the likely consequences, and the measures we are taking to address it.
10. Children's Privacy
Our Service is not intended for children under 18 years of age. We do not knowingly collect personal data from children under 18. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such information.
11. International Data Transfers
Some of our third-party service providers are located outside the European Economic Area (EEA). When we transfer personal data to these providers, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions by the European Commission
- Other appropriate safeguards as required by GDPR
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the updated Privacy Policy on this page
- Updating the "Last Updated" date
- Sending an email notification to your registered email address (for material changes)
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
FollowerX GmbH
Bei St. Annen 2
20457 Hamburg, Germany
Email: business(at)twentyfirst.ai
Phone: +49 160 4522230
For customer support inquiries, please use our support page at /support.