Privacy Policy

Last updated: February 20, 2026

1. Data Controller

We are responsible for the processing of your personal data as described in this Privacy Policy.

  • Entity: GenBatch (Eenmanszaak)
  • KVK-nummer: 97878782
  • BTW-id: NL005293761B05
  • Contact: [email protected]

2. Data Collected

We collect and process the following categories of personal data:

  • Account Data: Email address and authentication provider details (e.g., Google OAuth ID).
  • Generation Data: Text prompts, reference image uploads, and the resulting generated video/image files.
  • Payment Data: Handled securely via Stripe. We only store transaction records; we do not store your raw credit card numbers.
  • Support/Communication Data: Content of your emails or support tickets.
  • Technical & Logging Data: IP addresses, user-agent strings, and diagnostic application logs.

3. Legal Basis for Processing

Under the GDPR/AVG, we rely on the following bases to process your data:

  • Contract Performance (Art. 6(1)(b)): Necessary to provide core services like account creation, billing, and rendering generations.
  • Legitimate Interest (Art. 6(1)(f)): Necessary for security monitoring, application logging, and abuse prevention.
  • Consent: Where applicable, for explicitly opted-in communications.

4. Third-Party Processors

To deliver GenBatch services efficiently, we utilize third-party sub-processors. All international data transfers are protected by Standard Contractual Clauses (SCCs) where applicable:

  • Stripe (US): Payment processing and subscription management.
  • Supabase (US): Core database and authentication provider.
  • Cloudflare R2 (Global): Object storage for user uploads and generated outputs.
  • AI Processing Provider: Third-party compute engine for completing AI generations based on your prompts.
  • Sentry (US): Application error monitoring (may process User ID and email to trace crashes).
  • Upstash Redis: Temporary caching for rate limiting and queue management.

5. Data Retention

We retain data only as long as necessary:

  • Account & Generation Data: Kept until you delete your account. You may also request deletion of specific generation history by contacting us.
  • Payment/Transaction Data: Retained for 7 years to comply with Dutch fiscal/tax laws.
  • Technical Logs: Kept for up to 90 days for security and debugging purposes before being purged or anonymized.

6. Your Rights (GDPR / AVG)

As an EU resident, you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure (Right to be Forgotten): Request deletion of your account and associated data.
  • Restriction & Objection: Limit or object to certain ways we process your data.
  • Data Portability: Receive a machine-readable export of your data.

To exercise any of these rights, please email us at [email protected]. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

7. Cookies & Tracking

GenBatch respects your privacy and avoids intrusive tracking:

  • Functional Cookies Only: We only use cookies that are strictly necessary to run the site (e.g., Supabase authentication session tokens). Consequently, we do not present a disruptive cookie consent banner.
  • No Analytics Cookies: We do not track your behavior using third-party marketing or analytics cookies.
  • External Embedded Assets: We may load external assets (like Google Fonts) which require an HTTP connection, and our payment provider Stripe uses its own fraud-prevention cookies during the checkout flow.

8. Security Measures

We implement robust security measures to protect your data, including enforcing HTTPS across all endpoints, utilizing Row Level Security (RLS) policies within our database to isolate user data, AES-256-CBC encryption for stored API keys, and encrypted browser sessions.

9. Children's Privacy

GenBatch is not intended for use by anyone under the age of 18. We do not knowingly process data from minors. If you believe a minor has provided us with personal data, please contact us immediately.

10. Changes to This Policy

We reserve the right to update this Privacy Policy. If we make material changes, we will notify you through the platform or via email prior to the changes taking effect.

11. Contact Information

If you have privacy concerns or wish to request data deletion, contact us at: [email protected]

Supervisory Authority:
Autoriteit Persoonsgegevens (Dutch DPA)