SYNTHGUARD

    Privacy Policy

    Last updated: April 2026

    1. The short version

    SynthGuard processes images, videos and text entirely in your browser. Your media never leaves your device, never reaches our servers, and we have no technical means to see, copy, or store it. We do collect a small amount of account and usage data so we can run authentication, weekly credits, billing, and basic analytics. Everything below explains exactly what, why, on which legal basis, and for how long.

    2. Controller

    The controller within the meaning of the EU General Data Protection Regulation (GDPR) is:
    Tim Geithner — Sole proprietorship "SynthGuard"
    c/o IP-Management #9778, Ludwig-Erhard-Str. 18, 20459 Hamburg, Germany
    Email: info@synthguard.net
    Phone: +49 151 58120466

    Full provider details are available in our Legal Notice.

    3. Data Protection Officer

    We are not legally required to appoint a Data Protection Officer under Art. 37 GDPR / § 38 BDSG. For any privacy enquiry, please contact us at info@synthguard.net.

    4. Architectural privacy guarantee

    The Photo Humanizer, Video Humanizer, Text Humanizer and AI Image Detector run as WebAssembly / Web Worker code in your browser. The processed file is read into memory via the browser File API, transformed locally, and offered back to you as a download. No image bytes, video frames, or text inputs are transmitted to any server we operate or to any sub-processor. We record only metadata about each run (see § 6).

    5. Hosting & infrastructure

    The website and the application are hosted by Lovable AB (Sveavägen 159, 113 46 Stockholm, Sweden), which provides static hosting and edge delivery. The backend (database, authentication, edge functions) is operated through Lovable Cloud, which uses Supabase infrastructure (Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992) on EU regions (Frankfurt, Germany — AWS eu-central-1). Server-access logs (IP address, user-agent, timestamp, requested URL, response code) are processed for technical operation and security and are typically retained for up to 30 days.

    • Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in operating a secure service.
    • Sub-processor agreements (DPAs) are in place with Lovable AB and Supabase Inc.

    6. Personal data we process

    The following categories of personal data are stored in our backend:

    • Account data: email address, optional display name, hashed password (bcrypt) or the OAuth identifier of the chosen provider (Google / Apple).
    • Plan & usage: current plan tier (free / pro / studio), weekly credits used, ISO-week reset timestamp, plan source, payment status.
    • Run logs: a metadata-only record per processing run — tool name, status (success / error / blocked), duration in milliseconds, file size in bytes, and the original file name. The file content itself is never recorded. Stored for up to 90 days, then aggregated.
    • Sessions: IP address, approximate country/city derived from IP, and user-agent for the last sign-ins. Used for fraud detection and account security. Retained for up to 90 days.
    • Billing: Stripe customer ID, Stripe subscription ID, current subscription status, current period start/end. Card data is never seen or stored by us.
    • Support correspondence: if you email us, we keep the conversation for as long as necessary to handle the request and for up to 3 years thereafter for statutory retention.

    7. Authentication

    Sign-up and sign-in are handled by Lovable Cloud (Supabase Auth). Available methods are email/password, Google, and Apple. When you choose Google or Apple, you are redirected to the respective provider, which returns a verified email address and OAuth identifier to us. We do not receive your password or contact list. A first-party session cookie (HttpOnly, Secure, SameSite=Lax) keeps you signed in.

    • Legal basis: Art. 6 (1) (b) GDPR — performance of the user contract.
    • Provider privacy policies: Google, Apple, Supabase.

    8. Payments — Stripe

    Subscriptions and one-off payments are processed by Stripe Payments Europe, Limited (1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland). When you start a checkout, Stripe collects your payment method (card number, expiry, CVC, billing address) directly via its hosted checkout — this data does not pass through our servers. Stripe shares with us only the customer ID, subscription ID, current status, masked card brand/last4, and country.

    • Legal basis: Art. 6 (1) (b) GDPR — performance of the subscription contract.
    • Stripe is certified under the EU-U.S. Data Privacy Framework. Data transfers to non-EU countries are covered by Standard Contractual Clauses.
    • Stripe's privacy policy: https://stripe.com/privacy.

    9. Cookies & local storage

    We use the smallest possible set of cookies / browser storage:

    • Strictly necessary — Supabase auth session token, CSRF token, consent decision (synthguard.consent.v1). No consent required (Art. 6 (1) (f) GDPR / § 25 (2) TTDSG).
    • Analytics (optional) — see § 10. Loaded only after you click "Accept all" or enable Analytics in Cookie settings.

    You can change or revoke your choice at any time via .

    10. Web analytics — Google Analytics 4

    With your consent we use Google Analytics 4, a service of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Google Analytics uses cookies and similar identifiers to measure aggregated, pseudonymised usage statistics (page views, sessions, conversions, approximate region). IP anonymisation is enabled by default in GA4. We do not use Google Signals, ad personalisation, or cross-device remarketing.

    • Legal basis: Art. 6 (1) (a) GDPR — your explicit consent. You may withdraw it at any time with effect for the future.
    • Retention: GA4 user/event data is retained for 2 months by default.
    • International transfer: Google may transfer data to the United States. Google LLC is certified under the EU-U.S. Data Privacy Framework; additional Standard Contractual Clauses are in place.
    • Google's privacy policy: https://policies.google.com/privacy. You can opt out at any time via .

    11. Transactional emails

    We send service-related emails (sign-up confirmation, password reset, billing receipts, critical service announcements) via the email infrastructure of Lovable Cloud. These emails are required to operate your account.

    • Legal basis: Art. 6 (1) (b) GDPR.

    12. Blog & marketing pages

    The blog and marketing pages do not embed third-party comment, social, or video widgets by default. External links open in a new tab and are subject to the linked site's privacy policy.

    13. International data transfers

    We try to keep processing inside the EU. Where transfers to third countries occur (e.g. Stripe, Google Analytics, Apple Sign-In), they are based on (i) an adequacy decision (EU-U.S. Data Privacy Framework where applicable) and/or (ii) Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR, complemented by additional technical and organisational measures (TLS encryption, pseudonymisation).

    14. Recipients & sub-processors

    • Lovable AB (Sweden) — hosting, edge delivery.
    • Supabase Inc. (Singapore, EU data residency) — database, auth, edge functions, transactional email.
    • Stripe Payments Europe Ltd. (Ireland) — payment processing.
    • Google Ireland Ltd. — Google Analytics, Google Sign-In (when used).
    • Apple Distribution International Ltd. — Apple Sign-In (when used).

    15. Retention periods

    We keep personal data only as long as necessary for the purpose stated above. After account deletion, profile, role, run logs and authentication record are removed without undue delay (typically within 30 days). Statutory retention (e.g. invoices: 10 years under § 147 AO, German Fiscal Code) overrides shorter periods where applicable.

    16. Your rights under the GDPR

    You have the following rights with regard to your personal data:

    • Right of access (Art. 15 GDPR)
    • Right to rectification (Art. 16 GDPR)
    • Right to erasure / "right to be forgotten" (Art. 17 GDPR)
    • Right to restriction of processing (Art. 18 GDPR)
    • Right to data portability (Art. 20 GDPR)
    • Right to object (Art. 21 GDPR)
    • Right to withdraw consent (Art. 7 (3) GDPR) — without affecting the lawfulness of processing carried out before withdrawal

    You can exercise most of these rights directly from your account hub (export, correction, deletion). For anything else, email info@synthguard.net.

    17. Right to lodge a complaint

    You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR). Our lead authority is:
    Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
    Ludwig-Erhard-Str. 22, 7. OG, 20459 Hamburg, Germany
    https://datenschutz-hamburg.de

    18. Automated decision-making

    We do not use your personal data for automated decision-making with legal effects (Art. 22 GDPR). Quota enforcement (weekly credits) is a contractual rule, not a profiling decision.

    19. Children

    The service is not directed at children under 16. If you believe a child has created an account, contact us and we will delete the account.

    20. Changes to this policy

    We may update this policy to reflect changes in the service, the law, or our sub-processors. The current version is always available at /privacy with the "Last updated" date at the top. Material changes will be announced in-app or by email.
