Privacy Policy

Effective date: 21 November 2025

This Privacy Policy explains how Parklolo UG (haftungsbeschränkt) ("we", "us", "our") processes personal data when you visit our websites, create a developer account, and use the FaceHub API or related services (collectively, the "Service").

We are committed to protecting the privacy and security of personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable data protection laws.

This Privacy Policy is particularly relevant for developers and business customers who integrate the FaceHub API into their own applications and services.

1. Controller and Contact Details

The data controller for processing activities described in this Privacy Policy (in particular website, account, billing and communication data) is:

Parklolo UG (haftungsbeschränkt)
Jan-Külper-Weg 1 a
22547 Hamburg
Germany

Registered with the commercial register of the local court (Amtsgericht) Hamburg under HRB 175340
EUID: DEK1101R.HRB175340
Email: support@parklolo.com

For certain processing operations where we act as a processor on behalf of our business customers (e.g. processing face images via the FaceHub API), the respective business customer is the controller within the meaning of the GDPR.

2. Scope of this Privacy Policy

This Privacy Policy covers:

1. Visitors to our websites (e.g. marketing pages, documentation).
2. Developers and business contacts who register an account, obtain API keys and use the Service.
3. Individuals whose data is processed via the FaceHub API, for example in the form of images containing faces, metadata and embeddings – in these cases we usually act as processor for our customer.

If you are an end user of one of our customers (for example, a user of an app that uses the FaceHub API), please refer primarily to the privacy policy of that app or service, as they are the controller for your data.

3. Categories of Personal Data We Process

3.1 Website Visitors

When you visit our websites, we may process:

• Technical and usage data:
  • IP address
  • date and time of request
  • URL and HTTP status code
  • browser type & version, operating system
  • referrer URL
• Cookie and similar technology data (where used):
  • session identifiers
  • preferences (e.g. language)
  • [analytics / performance cookies – if used]

3.2 Developer Accounts and Business Contacts

When you create an account or contact us as a business customer, we may process:

• Account data
  • name
  • company name and role / title
  • business email address
  • password hash
  • API keys and related configuration
• Billing and contract data
  • company address
  • VAT ID / tax information
  • billing contact details
  • plan information (Free Tier / Pay-as-you-go Plan / custom plan)
  • invoicing and payment details (limited data, as payment details may be handled by our payment provider)
• Communication data
  • contents of support requests / emails
  • feedback and feature requests
  • correspondence history

3.3 API Usage Data (Developers / Customers)

When you use the FaceHub API, we process metadata about your API usage, for example:

• API key and project identifier
• endpoint called (e.g. /api/face/queue, /api/face/selfie, /api/face/count, etc.)
• timestamps and duration of requests
• request size and number of images processed
• success / error codes and logs
• usage statistics (e.g. number of images per period, queue status)

We generally try to avoid processing directly identifiable personal data in API logs where not necessary.

3.4 Images and Biometric Data Processed via the API

Customers can submit images to the FaceHub API for face recognition and related operations. These images may contain personal data, including biometric data. We process the images to extract face embeddings but do not store the raw images.

Typical categories of biometric data we process and retain include:

• 512-dimensional face embeddings or other numeric representations (extracted from submitted images)
• face coordinates (bounding boxes, key points)
• associated metadata such as EXIF / IPTC fields (e.g. timestamp, camera model, photographer, textual descriptions)
• internal identifiers and search indices generated from embeddings and metadata

In these cases we usually act as processor for our customer. Our customer decides which images to upload, for what purposes face recognition is used, how long embeddings and metadata are retained, and on which legal basis.

4. Purposes and Legal Bases of Processing

4.1 Website Operation and Security

Purpose: To display the website, ensure its stability and security, and prevent misuse (e.g. DDoS, abuse of demo endpoints).

Data: Technical logs, IP address, timestamps, requested URLs, error logs, security events.

Legal basis: Art. 6(1)(f) GDPR – legitimate interests (operation, security and optimisation of our website and services).

4.2 Account Registration, Authentication and API Access

Purpose: To create and manage developer accounts, provide API keys, enable access to the FaceHub API and related services, and fulfill our contractual obligations.

Data: Account data (name, business contact details, login data), API keys, access logs.

Legal basis: Art. 6(1)(b) GDPR – performance of a contract or steps prior to entering into a contract.

4.3 Billing, Payments and Compliance

Purpose: To manage subscriptions (e.g. Free Tier, Pay-as-you-go Plans), process payments, issue invoices, and comply with legal retention obligations (e.g. tax law).

Data: Billing data, contact details, payment references, plan information.

Legal bases:

• Art. 6(1)(b) GDPR – performance of a contract
• Art. 6(1)(c) GDPR – compliance with legal obligations (e.g. tax and commercial law retention duties)

4.4 Support, Communication and Feedback

Purpose: To handle support requests, respond to inquiries, and improve our Service based on feedback.

Data: Contact details, contents of communication, logs and screenshots you provide.

Legal bases:

• Art. 6(1)(b) GDPR – where communication relates to an existing contract or account
• Art. 6(1)(f) GDPR – legitimate interest in providing customer support and improving our Service

4.5 Marketing to Business Customers

Purpose: To inform existing or potential business customers about updates, new features and offers related to the Service.

Data: Business contact details (e.g. email, name, company), interaction with emails (open / click rates where supported).

Legal bases:

• Art. 6(1)(f) GDPR – legitimate interest in B2B direct marketing, or
• Art. 6(1)(a) GDPR – consent, where required under applicable law.

You can object to direct marketing or withdraw consent at any time (see section 8).

4.6 Processing of Images and Biometric Data via the FaceHub API

Purpose: To provide face recognition functionalities such as:

• face detection and counting
• selfie matching
• calculation of face embeddings
• image queue processing
• metadata search (EXIF / IPTC)
• drawing bounding boxes and similar outputs

Roles and legal bases:

• For these processing operations, our customer (the developer or company integrating the API) is typically the controller under GDPR.
• We act as their processor, processing images and associated data strictly in accordance with their instructions and our Data Processing Agreement (DPA).
• The legal basis (e.g. consent, legitimate interests, contract) is determined by our customer as controller.

Unless explicitly agreed otherwise:

• We process images and face data only for the purpose of providing the Service,
• We do not use Customer Data (including face images and embeddings) for our own marketing purposes, and
• We do not share Customer Data with third parties except as necessary to provide the Service (e.g. secure hosting providers, sub-processors listed in our DPA).

If you are the controller, you are responsible for ensuring that there is a valid legal basis for processing biometric data (e.g. explicit consent under Art. 9(2)(a) GDPR, or another applicable exemption).

5. Data Retention

We store personal data only for as long as necessary for the purposes described in this Privacy Policy or as required by law.

In particular:

• Website logs: stored for up to 30 days for security and troubleshooting, then deleted or anonymised.
• Account and billing data: stored for the duration of the contractual relationship and then for the statutory retention periods (typically up to 10 years under German commercial and tax law).
• Support communications: stored for as long as necessary to handle the request and maintain a record of support history, and in any case no longer than 3 years after the end of the business relationship, unless legal retention obligations apply.
• Images and biometric data via API:
  • Raw images submitted via the API are processed immediately and are not stored. We extract face embeddings (numeric representations) from the images and then discard the raw image data.
  • Face embeddings, search indices and metadata are retained as necessary to provide the Service functionalities you have enabled (e.g. search, matching, or re-identification).
  • You can configure retention settings or request deletion of embeddings and associated data via the API or by contacting us.

6. Recipients and Processors

We may share personal data with the following categories of recipients:

• Hosting providers and infrastructure partners (e.g. data centres, cloud platforms where our servers and databases are hosted)
• Email and communication service providers (for sending transactional emails, support correspondence, etc.)
• Payment service providers (for processing subscription and usage-based payments; we do not store full payment details if this is handled by a payment provider)
• Analytics and monitoring providers (if used, to understand performance and usage of our website and Service)
• Professional advisers (e.g. lawyers, tax consultants, auditors) where necessary.

All processors are carefully selected, are bound by contracts in accordance with Art. 28 GDPR and are only allowed to process personal data as instructed by us.

Where we act as a processor for our customers, we engage sub-processors in accordance with the DPA concluded with our customer and provide appropriate information about sub-processors.

7. International Data Transfers

Our primary infrastructure is located in the European Union (EU).

If and to the extent that personal data is transferred to recipients in countries outside the European Economic Area (EEA) that do not provide an adequate level of data protection, we ensure appropriate safeguards, such as:

• the conclusion of EU Standard Contractual Clauses (SCCs) with the recipient, and/or
• other safeguards recognised by the GDPR.

Information on the applicable safeguards can be provided upon request.

8. Your Rights Under the GDPR

Subject to the conditions and limitations set out in the GDPR, you have the following rights regarding personal data relating to you:

• Right of access (Art. 15 GDPR) – to obtain information about whether we process your personal data and, if so, details about the processing.
• Right to rectification (Art. 16 GDPR) – to request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17 GDPR) – to request deletion of personal data, for example if it is no longer needed or was processed unlawfully.
• Right to restriction of processing (Art. 18 GDPR).
• Right to data portability (Art. 20 GDPR) – to receive personal data you provided to us in a structured, commonly used and machine-readable format, and to transmit it to another controller where technically feasible.
• Right to object (Art. 21 GDPR) –
  • You can object at any time to processing based on our legitimate interests, on grounds relating to your particular situation.
  • You can object at any time to the processing of your data for direct marketing.
• Right to withdraw consent (Art. 7(3) GDPR) – where processing is based on consent, you may withdraw your consent at any time with effect for the future.

To exercise your rights, please contact us at support@parklolo.com.

If you believe that the processing of your personal data violates data protection law, you also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.

9. Obligation to Provide Data

Some personal data is necessary for entering into and performing a contract with us (e.g. account data, billing data). Without this data, we may not be able to provide you with access to the Service or specific functionalities.

Providing images via the API is, of course, optional – but certain functionalities (like face recognition) require the submission of such data by the controller (our customer).

10. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse or destruction. These measures include, for example:

• restricting access to systems and data on a need-to-know basis,
• encryption in transit (TLS) and, where appropriate, at rest,
• monitoring, logging and regular backups,
• contractual and confidentiality obligations for staff and processors.

However, no system or transmission over the Internet is completely secure. We cannot guarantee absolute security.

11. No Automated Decision-Making in the Legal Sense

We do not use personal data for automated decision-making (including profiling) that produces legal effects concerning you or similarly significantly affects you in the sense of Art. 22 GDPR.

The face recognition functionalities of the API provide scores, matches and technical outputs. Our business customers decide how they use these outputs in their own applications and are responsible for any automated decision-making they carry out.

12. Role of Our Customers (Developers / Companies)

For most use cases involving face recognition, our customers act as controllers and we act as processors. This means:

• Our customers are responsible for providing appropriate privacy notices to their end users, obtaining any necessary consents, and ensuring that they have a valid legal basis for the processing of face and biometric data.
• We process such data only on their instructions and as specified in our Data Processing Agreement (DPA).
• If you contact us regarding data processed on behalf of one of our customers, we may need to forward your request to the relevant customer or ask you to contact them directly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect changes in our Service or in applicable law.

We will indicate the date of the last update at the top of this Privacy Policy. For material changes, we may provide additional notice (for example via email or within the Service).

Your continued use of the Service after the effective date of the updated Privacy Policy will be considered acceptance of the changes.

14. How to Contact Us

If you have any questions about this Privacy Policy, about our processing of personal data, or if you wish to exercise your data protection rights, you can contact us at:

Parklolo UG (haftungsbeschränkt)
Jan-Külper-Weg 1 a
22547 Hamburg
Germany
Email: support@parklolo.com

← Back to FaceHub API