KI-Cutter — Privacy Policy

1. Data Controller

The party responsible for data processing on this website is:

KI-Cutter
Birger Weiß
Zur alten Ziegelei 10a
48607 Ochtrup
Germany

Email: info@ki-cutter.de
Phone: +49 151 28865865

2. Access Data / Server Log Files

Based on our legitimate interest (Art. 6 para. 1 lit. f GDPR), we collect data about visits to the website and store it as "server log files" on the website's server. The following data is recorded:

• Pages visited
• Time of access
• Amount of data transferred in bytes
• Source / referrer from which you came to the page
• Browser used
• Operating system used
• IP address used (in anonymized form)

Server log files are stored for a maximum of 7 days and then deleted. Data is stored for security purposes, e.g. to investigate misuse. If data must be retained for evidentiary purposes, it is exempt from deletion until the matter has been fully resolved.

3. Hosting

The contents of our website are hosted on servers operated by Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany). Hetzner is a German provider and processes data within the EU. Use is based on our legitimate interests in a reliable presentation of our website (Art. 6 para. 1 lit. f GDPR).

4. Contact via Email

If you contact us by email, your information will be stored for the purpose of processing the request and in case of follow-up questions. We will not pass this data on without your consent. The legal basis is Art. 6 para. 1 lit. b GDPR (pre-contractual measures / performance of a contract) or Art. 6 para. 1 lit. f GDPR (legitimate interest in answering inquiries).

5. Cookies & Analytics

Strictly necessary cookies: For login and session management we set Firebase session cookies on the .ki-cutter.de domain (lifetime: 7 days). These are required to keep you signed in and are set without consent (Art. 6 (1)(f) GDPR, legitimate interest in operating the service).

Analytics cookies (consent only): On your first visit we ask for your consent via a cookie banner. If you accept, we set the following cookies / load the following services:

• PostHog (PostHog Inc., EU hosting via eu.i.posthog.com): product analytics and anonymous usage tracking across both subdomains (ki-cutter.de and app.ki-cutter.de). Cookie name: ph_*_posthog. Lifetime: up to 12 months.
• Google Analytics 4 (Google Ireland Ltd.): audience measurement. Cookies: _ga, _ga_*. Lifetime: up to 24 months. Data transfer to the US is possible (Standard Contractual Clauses, EU-US Data Privacy Framework).

Legal basis: Art. 6 (1)(a) GDPR (consent). You can withdraw your consent at any time by clearing the cookies in your browser — the cookie banner will appear again on your next visit.

6. Your Rights

You have the right, at any time, to:

• Access information about your stored data (Art. 15 GDPR)
• Correct inaccurate data (Art. 16 GDPR)
• Erase your data (Art. 17 GDPR)
• Restrict processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Object to processing (Art. 21 GDPR)

To exercise your rights, you can contact us at any time at info@ki-cutter.de.

7. Right to Lodge a Complaint with the Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR. The competent supervisory authority for us is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia, Germany.

8. SSL Encryption

This site uses SSL encryption for security reasons. You can recognize an encrypted connection by the string "https://" and the lock symbol in your browser bar.

9. Transfer to Third Parties When Posting to Social Media

KI-Cutter allows you to publish finished reels directly from your account to Instagram or TikTok — either immediately via the respective "Post" button or scheduled via the built-in content calendar. Once you connect one of these accounts and trigger a post, we transmit the data listed below to the respective platform operators on your behalf and in the name of your platform account.

TikTok (TikTok Content Posting API)

Data transmitted:

• The fully rendered video (MP4), provided as a publicly accessible URL which TikTok retrieves via "Pull-from-URL"
• The caption you confirmed, including hashtags
• Your TikTok user ID (Open-ID), transmitted to us during the OAuth connection

Requested OAuth scopes: video.publish, user.info.basic.

Controller: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin 2, D02 T380, Ireland. After transfer, TikTok is an independent controller within the meaning of the GDPR. TikTok privacy policy: tiktok.com/legal/page/eea/privacy-policy/en. Terms of service: tiktok.com/legal/page/eea/terms-of-service/en.

Instagram (Meta Graph API — Reels Container)

Data transmitted:

• The fully rendered video (MP4), provided as a publicly accessible URL (Bunny CDN), which Meta retrieves via "Pull-from-URL"
• The caption you confirmed, including hashtags
• Optional: the thumbnail generated in KI-Cutter as a cover image (publicly accessible URL)
• Your Instagram Business Account ID, transmitted to us during the OAuth connection

Requested OAuth scopes: instagram_basic, instagram_content_publish, pages_show_list, business_management.

Controller: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland. After transfer, Meta is an independent controller within the meaning of the GDPR. Meta privacy policy: facebook.com/privacy/policy. Terms of service: help.instagram.com/581066165581870.

Storage of Your Access Tokens

The OAuth access tokens issued to us by Instagram or TikTok after your authorization are stored encrypted at rest in our PostgreSQL database (AES-256). Tokens only leave our systems when you trigger a post — either directly by clicking the "Post" button or at the time of a post you scheduled (content calendar). No other processing of tokens takes place; in particular, they are not used for advertising audience building or profile analysis.

Scheduled Posts (Content Calendar)

If you schedule a post for a later time, we store in our database only the scheduled time, the target account (Instagram or TikTok), a reference to the reel to be delivered, and the status (e.g. "scheduled", "published"). No token data is stored in this table; transmission to the platform happens on-the-fly at the scheduled time. You can view, edit, or cancel scheduled posts at any time at app.ki-cutter.de/calendar.

Legal Basis

Processing takes place on the basis of your explicit consent in accordance with Art. 6 para. 1 lit. a GDPR, which you provide by connecting the respective account via the OAuth flow, as well as for the performance of the contract concluded with you in accordance with Art. 6 para. 1 lit. b GDPR.

Disconnecting & Withdrawing Consent

You can disconnect Instagram or TikTok at any time at app.ki-cutter.de/settings under "Connected Accounts". When disconnecting, the stored token is immediately and completely removed from our systems — posting again is not possible without re-authorization. You can also revoke the app permission directly on the respective platform (Instagram: Settings → Apps and Websites; TikTok: Settings → Privacy → Connected Apps).

Retention Period

Tokens are stored until you explicitly disconnect or until they expire (TikTok: 24h access token + 365d refresh token; Instagram: 60 days, auto-renewable). Upon deletion of your KI-Cutter account, all stored tokens are deleted without delay (see Section 10).

10. How to Delete Your Data

You can delete your account and all associated personal data at any time. To do so:

1. Log in at app.ki-cutter.de/settings.
2. Scroll to the "Account" section and click "Delete account".
3. Confirm the deletion — we will irrevocably remove your account, your brand settings, all uploaded videos, all rendered reels, your caption texts, and all linked social media tokens (Instagram, TikTok) from our systems.

Alternatively, you can send an informal deletion request to info@ki-cutter.de — we will confirm the deletion within 7 days.

Note: Data in our backups expires automatically after a maximum of 30 days. Mandatory invoice retention data (e.g. Stripe invoices) is kept for 10 years in accordance with § 147 of the German Fiscal Code (AO).