Skip to content
PxlTshirt

Privacy Policy

Your privacy lies close to our hearts. We only use the data that is truly necessary to transform your photo into art.

Last updated: 2026-03-30

Controller

The controller responsible for data processing on this website is ROST Services GmbH.

ROST Services GmbH
Dorfstraße 36
23843 Rümpel
hello@pxltshirt.com

Data we collect

Image data

  • Uploaded images are processed to generate pixel art.
  • Images are stored temporarily for processing.
  • Generated pixel art is stored for your order.

Order data

  • Name, address, and email for shipping.
  • Payment information is processed by our payment provider.

Technical data

  • Pseudonymized IP address (one-way HMAC hash, not reversible) for rate limiting, fraud prevention, and security audits.
  • Browser and device information for session management.
  • Cookies (essential only) for user sessions (no tracking cookies).

Email verification

  • When placing a pre-order without being logged in, we send a verification email (Double-Opt-In).
  • Verification tokens are stored for up to 30 minutes until confirmed.
  • Pseudonymized IP address (one-way HMAC hash) and browser info are logged with verification requests for security.

Legal basis

  • Art. 6(1)(b) GDPR: Performance of a contract (processing your orders and providing the service).
  • Art. 6(1)(f) GDPR: Legitimate interest (security measures, fraud prevention, service improvement).
  • Art. 6(1)(a) GDPR: Consent (optional cookies and marketing communications).
  • Art. 6(1)(c) GDPR: Legal obligation (tax record retention for orders).

Your rights

  • Right of access to your personal data (Art. 15 GDPR).
  • Right to rectification of inaccurate data (Art. 16 GDPR).
  • Right to erasure / right to be forgotten (Art. 17 GDPR).
  • Right to restrict processing (Art. 18 GDPR).
  • Right to data portability (Art. 20 GDPR).
  • Right to object to processing (Art. 21 GDPR).
  • Right to withdraw consent at any time (Art. 7(3) GDPR).

Contact us at hello@pxltshirt.com to exercise your rights.

Data sharing

  • **Hetzner Cloud** (Germany): Hosting and infrastructure for website and databases
  • **Google Cloud** (USA/SCC): Gemini 2.0 Flash (image analysis) and Imagen 4.0 (pixel art generation)
  • **BEN2 (Server-Side)** (Germany): AI-powered background removal processed locally on our Hetzner server (no external data transfer)
  • **Local Server Storage** (Germany): All images stored on our Hetzner server
  • **Stripe** (USA/EU): Payment processing and secure card data handling
  • **United Domains** (Germany): Email delivery via SMTP
  • **Cloudflare Turnstile** (USA/EU): CAPTCHA verification for spam and bot protection (no tracking cookies)
  • **Print-on-Demand Provider**: Shipping provider for physical products

We do not sell your personal data. All data transfers to the USA are protected by EU Commission Standard Contractual Clauses (SCCs).

AI processing

  • We use AI to generate pixel art from your images.
  • Images are processed by Google Cloud (generation). Background removal runs locally on our server using BEN2 (no external transfer).
  • Data sent to AI providers is used only for processing and is not stored permanently.
  • Background removal can alternatively be performed locally in your browser without sending data to external servers.

privacy.ai.guestModeNotice

privacy.ai.providerControlsNotice

Security

  • We use SSL encryption.
  • Access controls are in place.
  • Regular security audits.

Cookies

We use cookies to ensure the website functions properly and to analyze traffic.

Web Analytics

We use Umami, a self-hosted, cookie-free analytics tool, to understand how our website is used. This tool collects no personal data, sets no cookies, and stores no IP addresses. All data is processed on our own servers in Germany (Hetzner, Nuremberg). No data is shared with third parties.

  • No cookies or local storage used for analytics
  • IP addresses are hashed with a daily rotating salt and never stored in plain text
  • No cross-site tracking or fingerprinting
  • Self-hosted on our own infrastructure in Germany
  • You can opt out via our cookie consent banner (this also disables analytics)
  • Additionally, we analyze server access logs (GoAccess) for bot detection and security monitoring — this involves no client-side tracking

Newsletter

If you subscribe to our newsletter, we process the following data:

  • Email address (required to send newsletters).
  • Date and time of subscription and confirmation.
  • Pseudonymized IP address at time of subscription (one-way HMAC hash, stored for legal verification purposes).

Processing is based on your consent (Art. 6(1)(a) GDPR) given via the Double-Opt-In confirmation email.

We use a Double-Opt-In procedure: after entering your email, you receive a confirmation link. Your email is only added to the newsletter list after you click that link.

We store your email address for newsletter purposes until you unsubscribe or request deletion of your account.

You can withdraw your consent and unsubscribe at any time — either via the unsubscribe link in every newsletter email or via your account settings. Withdrawal does not affect the lawfulness of processing carried out before withdrawal (Art. 7(3) GDPR).

Data retention

  • Order data: 10 years (German tax law requirement).
  • User profiles and pixel art: 90 days of inactivity, then deleted with 7 days warning email.
  • Guest/unselected images: 3 days, then automatically deleted.
  • Session data: 24 hours (no account) / 30 days (logged in with 'Remember Me').
  • Email verification tokens: 30 minutes.
  • Account restoration: You can restore your account within 30 days after deletion using your restore token.
  • Data export: Before deletion, you receive an export package with all your data (pixel arts, orders, profile).

International data transfers

  • Data may be processed outside the EU/EEA (Google Cloud, Stripe).
  • We use EU-approved Standard Contractual Clauses (SCCs) to protect your data.
  • Technical measures: TLS encryption during transmission and storage.
  • Google Cloud and Stripe comply with EU-U.S. Data Privacy Framework where applicable.
  • Your data is used only to fulfill the service (image generation, storage, shipping).

Children

Our service is not directed to children under 16.

Changes to policy

We may update this policy from time to time.

Contact

ROST Services GmbH
Dorfstraße 36
23843 Rümpel, Germany
Email: hello@pxltshirt.com

Complaints

  • You have the right to lodge a complaint with a supervisory authority.

Creator rewards

If you participate in our creator reward program:

  • We track sales of your designs.
  • We issue vouchers based on sales.

Data processed

  • Sales data linked to your account.
  • Voucher codes issued.

Processing is based on the performance of the reward program contract.