NDEY Enhance

Privacy Policy

Last Updated: November 21, 2025

This Privacy Policy explains how NDEY AI ("we," "us," or "our") collects, uses, processes, and protects your personal data when you use NDEY Enhance (ndey-enhance.com, the "Service"). This policy complies with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller

NDEY AI
Benderstraße 99
40625 Düsseldorf, Germany
Email: legal@ndey-enhance.com
Support: support@ndey-enhance.com

2. What Data We Collect

We collect and process the following categories of personal data:

2.1 Account Information

  • Email address (required for account creation)
  • Name (if provided)
  • Account creation date and last login timestamp
  • User ID and authentication tokens

2.2 Payment Information

  • Payment Data Processed by Stripe: When you make a purchase, your payment card details and billing information are collected and processed directly by Stripe, our payment processor. We do not store your full credit card numbers on our servers.
  • Payment Data We Store: We store your Stripe customer ID, payment transaction IDs, purchase amounts, dates, and payment status to maintain your account balance and transaction history.
  • Stripe Privacy: Stripe's use of your payment information is governed by their Privacy Policy.

2.3 Usage Data

  • Feature usage (which AI tools you use and when)
  • Token consumption and balance
  • IP addresses and device information
  • Browser type and version
  • Pages visited and time spent on the Service
  • Error logs and diagnostic information

2.4 Content Data

  • Images and media you upload to the Service
  • AI-generated outputs you create
  • File metadata (filename, size, type, upload timestamp)

2.5 Communications

  • Support requests and correspondence
  • Email communications (if you opt in to marketing)

3. How We Use Your Data

We process your personal data for the following purposes, based on the legal grounds specified:

3.1 Service Provision (Legal Basis: Contract Performance - Art. 6(1)(b) GDPR)

  • Creating and managing your account
  • Processing your purchases and managing token balances
  • Providing AI enhancement and generation features
  • Storing and delivering your generated content
  • Providing customer support

3.2 Payment Processing (Legal Basis: Contract Performance - Art. 6(1)(b) GDPR)

  • Processing payments through Stripe
  • Maintaining transaction records for accounting
  • Handling refunds and disputes
  • Preventing fraud and unauthorized transactions

3.3 Service Improvement and Security (Legal Basis: Legitimate Interests - Art. 6(1)(f) GDPR)

  • Analyzing usage patterns to improve features
  • Monitoring performance and fixing technical issues
  • Detecting and preventing abuse, fraud, and security threats
  • Enforcing our Terms of Service and Acceptable Use Policy

3.4 Marketing (Legal Basis: Consent - Art. 6(1)(a) GDPR)

  • Sending promotional emails about new features (only if you opt in)
  • You may withdraw consent at any time by unsubscribing or contacting us

3.5 Legal Compliance (Legal Basis: Legal Obligation - Art. 6(1)(c) GDPR)

  • Complying with tax and accounting requirements
  • Responding to lawful requests from authorities
  • Retaining records as required by law

4. Data Sharing and Recipients

We share your personal data only as necessary with the following categories of recipients:

4.1 Payment Processor

Stripe, Inc. - We use Stripe to process all payments. When you make a purchase, your payment information is transmitted directly to Stripe for processing. Stripe may use your data as described in their Privacy Policy. Stripe is located in the United States and complies with relevant data protection frameworks.

4.2 Infrastructure Providers

  • Hosting Services: We use cloud hosting providers to store and serve the Service
  • Database Services: For secure storage of your account and usage data
  • Content Delivery Networks (CDN): To deliver content efficiently

4.3 AI Service Providers

We use third-party AI model providers to process your images and generate enhancements. Your uploaded content may be sent to these providers for processing but is not used for training purposes.

4.4 Analytics and Monitoring (If Enabled)

  • Analytics services to understand usage patterns (with your consent)
  • Error monitoring tools to identify and fix technical issues

4.5 Legal Requirements

We may disclose your data if required by law, court order, or governmental authority, or to protect our rights, safety, or property.

5. International Data Transfers

Some of our service providers operate outside the European Economic Area (EEA), including in the United States. When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:

  • Stripe: Stripe complies with applicable data protection regulations and uses Standard Contractual Clauses (SCCs) where required
  • Other Providers: We rely on SCCs, adequacy decisions, or other approved transfer mechanisms as required by GDPR

6. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this policy:

  • Account Data: Retained while your account is active and for up to 90 days after account closure
  • Payment Records: Retained for 10 years to comply with tax and accounting regulations
  • Transaction Data: Stripe retains payment data according to their retention policies and legal requirements, including anti-money laundering regulations
  • Content Data: Uploaded images and generated outputs are retained as long as your account is active or as needed to provide the Service
  • Usage Logs: Retained for up to 12 months for security and troubleshooting purposes
  • Marketing Data: Retained until you withdraw consent or for up to 2 years of inactivity

After retention periods expire, we securely delete or anonymize your data.

7. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

7.1 Right of Access (Art. 15 GDPR)

You can request a copy of the personal data we hold about you.

7.2 Right to Rectification (Art. 16 GDPR)

You can request correction of inaccurate or incomplete data.

7.3 Right to Erasure (Art. 17 GDPR)

You can request deletion of your data, subject to legal retention requirements.

7.4 Right to Restriction (Art. 18 GDPR)

You can request limitation of processing under certain circumstances.

7.5 Right to Data Portability (Art. 20 GDPR)

You can receive your data in a structured, machine-readable format.

7.6 Right to Object (Art. 21 GDPR)

You can object to processing based on legitimate interests, including for marketing purposes.

7.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time without affecting prior processing.

7.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, particularly in your EU member state.

Exercising Your Rights: To exercise any of these rights, contact us at legal@ndey-enhance.com. We will respond within 30 days as required by GDPR.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Service:

8.1 Essential Cookies (No Consent Required)

  • Authentication and session management
  • Security and fraud prevention
  • Load balancing and service delivery

8.2 Optional Cookies (Require Consent)

  • Analytics Cookies: To understand how users interact with the Service
  • Preference Cookies: To remember your settings and preferences

You can manage cookie preferences through your browser settings or our cookie consent tool (if implemented).

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption in transit (TLS/SSL) and at rest
  • Access controls and authentication
  • Regular security assessments and updates
  • Secure payment processing through PCI-compliant Stripe
  • Employee training on data protection

However, no system is 100% secure. If you suspect unauthorized access to your account, contact us immediately at support@ndey-enhance.com.

10. Children's Privacy

The Service is not intended for children under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us immediately at legal@ndey-enhance.com.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

For questions about this Privacy Policy or to exercise your data protection rights, contact:

NDEY AI
Benderstraße 99, 40625 Düsseldorf, Germany
Email: legal@ndey-enhance.com
Support: support@ndey-enhance.com