Privacy Policy
Last updated: January 29, 2026
This Privacy Policy informs you about the nature, scope, and purpose of the processing of personal data when using the Heritex platform (the “Service”).
1. Controller
Controller under the GDPR:
Stefan Wattolik
Jägerstraße 5
82024 Taufkirchen
Germany
Email: datenschutz@heritexapp.com
Economic Identification Number pursuant to § 139c AO: DE218198882
2. Scope of the Service
Heritex is a web‑based application for AI‑assisted analysis of art, antiques, and collectibles. Users can upload images, request analyses, and access reports and exports (PDF/XLSX).
3. Categories of data processed
3.1 Account data
- Email address
- Profile data (e.g., name, language, country, time zone – if provided)
- Internal user and authentication identifiers
3.2 Content and analysis data
- Uploaded image files
- User‑provided optional metadata
- Analysis results (e.g., classification, valuation ranges, reports, presentation texts)
3.3 Billing data
- Stripe customer ID
- Payment and subscription references
- Note: Payment data (e.g., card or bank details) is processed exclusively by the payment provider and is not stored on Heritex systems.
3.4 Technical log and usage data
- Analysis status and progress information
- Audit and system events (e.g., analysis started, completed, export triggered)
- Timestamps and technical metadata
4. Purposes of processing
Personal data is processed for the following purposes:
- Providing and managing user accounts
- Authentication and access control
- Performing object analyses
- Displaying, storing, and exporting analysis results
- Managing credits, plans, and subscriptions
- Payment processing and billing
- Ensuring technical operation, troubleshooting, and abuse prevention
5. Legal bases for processing
Processing is based on Art. 6 GDPR:
- Art. 6(1)(b) GDPR – performance of a contract
- Art. 6(1)(f) GDPR – legitimate interest (operational security, stability, traceability of system processes)
- Art. 6(1)(c) GDPR – legal obligations (e.g., tax and commercial retention)
6. Storage, deletion, and retention
6.1 General principle
Personal data is stored only as long as necessary to provide the service, fulfill contracts, or comply with legal retention obligations.
6.2 Account data
Account data is stored for the duration of the user account. After user‑initiated deletion, data is deleted or anonymized within 30 days, unless legal retention obligations apply. The transition period allows recovery in case of mistakes or technical issues.
6.3 Uploaded images and analysis results
Uploaded images and derived analysis results are stored solely for performing, displaying, and documenting the analysis. If a user deletes an analysis, the related images and results are removed. All related content is deleted at the latest when the user account is deleted. Derived files (e.g., thumbnails, web renditions, exports) are not stored longer than necessary.
6.4 Technical logs and audit data
Technical logs and audit data are processed for system security, error analysis, and traceability. These data are stored for a limited period of up to 24 months and then deleted or anonymized so that no personal reference remains.
6.5 Billing and payment data
Billing‑relevant data is subject to statutory commercial and tax retention. Data is retained for the legally prescribed periods (currently up to 10 years). Early deletion is excluded to that extent.
7. Recipients and processors
The following processors are used to provide the service:
- Supabase – database, file storage, authentication
- Stripe – payment processing and subscription management
- OpenAI / Perplexity – AI‑assisted analysis and text generation
- Inngest – orchestration of background and analysis processes
- Vercel – application hosting
- Hostinger – domain and DNS management
Data processing agreements pursuant to Art. 28 GDPR are in place or will be concluded.
8. International transfers
When using AI services, data may be processed in countries outside the EU. Such transfers are based on appropriate safeguards under Art. 44 et seq. GDPR, in particular Standard Contractual Clauses.
9. Cookies and local storage
The service uses only technically necessary storage mechanisms:
- Cookie to store language preference
- Local storage of UI language
- Authentication cookies for session operation (httpOnly)
No tracking, marketing, or analytics cookies are used.
10. Security of processing
Appropriate technical and organizational measures are used to protect personal data, including:
- Encrypted data transmission (TLS)
- Role‑based access control
- Strict separation of user, pipeline, and admin access
- Logging of administrative actions in audit logs
11. Rights of data subjects
Data subjects have the right to:
- Access pursuant to Art. 15 GDPR
- Rectification pursuant to Art. 16 GDPR
- Erasure pursuant to Art. 17 GDPR
- Restriction of processing pursuant to Art. 18 GDPR
- Data portability pursuant to Art. 20 GDPR
- Objection pursuant to Art. 21 GDPR
Requests can be sent at any time to the contact address in section 1. Requests will be processed within the statutory time limits.
12. Changes to this Privacy Policy
This Privacy Policy may be updated when legal, technical, or organizational changes make this necessary. The version published at the time of your visit applies.