Privacy Policy

1. Controller

The controller responsible for data processing is:

SourceArt Ltd
HE456555
Evagora Pallikaridi 38
8010 Pafos, Cyprus
E-mail: legal@animstream.com
Phone: +49 178 5495650

We have not appointed a Data Protection Officer, as one is not required under Art. 37 GDPR at our current scale. As we are established in the EU (Cyprus), no EU representative under Art. 27 GDPR is required.

2. Data We Collect

2.1 Account data

When you register we collect your name, e-mail address and password (stored as a cryptographic hash). If you register through a social login (see §4.5) we receive your name, e-mail and avatar from that provider. If you register as a Vendor we additionally collect your store name, an optional legal-notice (Impressum) URL and payout information via Stripe.

2.2 Transaction data

When you make a purchase, Stripe processes your payment information. We store transaction records (purchased item, price, date, your user ID, Stripe payment/session IDs). We do not store card numbers or full payment details on our servers.

2.3 Usage data & embed analytics

We automatically collect technical data when you visit AnimStream, including IP address, browser type, operating system, referring URL, pages viewed and timestamps, via short-lived server access logs used for operating and securing the service.

Separately, when a purchased Item is displayed through an AnimStream embed link, we log a pseudonymous embed impression so Vendors can see how often their work is shown. This record contains the referring website host, an approximate country (from the CDN header), a coarse device type, the user-agent, and a salted, one-way (SHA-256) hash of the IP address. We do not store the raw IP for this purpose and the hash is not, on its own, used to identify you. This is pseudonymous, not anonymous, data.

2.4 Uploaded content

Vendors upload animations, audio, preview images and profile images. These files are stored on our object storage and delivered to Buyers and visitors via our CDN.

2.5 Push notifications

If you enable browser push notifications, we store your push subscription (endpoint and the encryption keys p256dh and auth) and your user-agent in order to deliver notifications (e.g. new comments, follows). You can revoke this at any time in your browser settings; invalid subscriptions are pruned automatically.

2.6 AI Studio inputs

If you (as a Vendor) use the AI Studio, the prompts, parameters and any reference material you submit are processed to generate content and are transmitted to the AI providers in §4.4. Do not enter personal or confidential information into AI prompts.

3. Purpose & Legal Basis

Our legitimate interest in embed-impression analytics is to provide Vendors with reliable view statistics and to detect abuse; we keep this intrusion low by hashing IPs and not building user profiles. You may object under Art. 21 GDPR (see §7).

Automated decision-making. We do not make decisions that produce legal or similarly significant effects concerning you based solely on automated processing (Art. 22 GDPR). Features such as the Vendor price recommendation are advisory only — you always set your own prices.

4. Third-Party Services (Processors & Recipients)

4.1 Stripe (payments)

Payments are processed by Stripe, Inc. (USA) and its EU entities. Your payment data is transmitted directly to Stripe, which acts as an independent controller for payment data. Transfers to the USA rely on the EU-U.S. Data Privacy Framework and/or EU Standard Contractual Clauses. See Stripe's Privacy Policy.

4.2 Hosting, storage & CDN

Our application and object storage are hosted within the European Union with Hetzner (Hetzner Online GmbH, Germany). Uploaded files and images are delivered globally through the Bunny.net CDN (BunnyWay d.o.o., Slovenia/Luxembourg, EU); the CDN processes visitors' IP addresses in its access logs to deliver content. Both act as processors under data-processing agreements.

4.3 E-mail (Brevo)

We use Brevo (Sendinblue SAS, Paris, France) to send transactional e-mails (verification, password reset, purchase confirmations, notifications) and, where you have opted in, marketing/recommendation e-mails, and to process inbound replies to our support address. Brevo processes your e-mail address, name, language and account role as a processor within the EU.

4.4 AI Studio providers

When a Vendor uses the AI Studio, the submitted prompts/parameters (and, for some features, generated or reference media) are processed by the following providers, located in the United States:

• OpenAI, L.L.C. (USA) — prompt assistance (text/prompt processing).
• Google LLC (USA) — Gemini image generation (e.g. cover images).
• fal.ai / Features and Labels, Inc. (USA) — video and audio generation (text-to-video, text-to-speech, music/SFX).

These are transfers to the USA; they rely on the EU-U.S. Data Privacy Framework (where the provider is certified) and/or the EU Standard Contractual Clauses, as set out in each provider's data-processing terms. Please do not submit personal or confidential information in AI prompts.

4.5 Social login

You may sign in via Google, Discord, Twitch, TikTok or Kick. If you do, that provider transmits basic profile data (name, e-mail, avatar) to us and processes your data as an independent controller under its own privacy policy. Using social login is optional.

5. Cookies & Similar Technologies

Storing or reading information on your device requires your consent under Art. 5(3) ePrivacy Directive (§ 25 TDDDG) — except where strictly necessary to deliver the service you requested. We split cookies into two categories; you can change your choice any time via the “Cookie settings” link in the footer.

5.1 Essential cookies (no consent required)

5.2 Analytics (consent required, default off)

With your consent we use Google Analytics 4 (Google Ireland Ltd., Dublin, Ireland) to measure which pages are used and improve the platform. The Google Analytics scripts and cookies are only loaded after you opt in; with consent declined, no Google Analytics cookies are set and no analytics events are sent. Google Analytics 4 does not log or store IP addresses; the IP is used only transiently for coarse geolocation and then discarded. Legal basis: Art. 6(1)(a) GDPR (consent).

Data may be transferred to Google LLC in the USA under the EU-U.S. Data Privacy Framework (Google LLC is certified) plus EU Standard Contractual Clauses as a fallback. You can withdraw your consent at any time via the “Cookie settings” link in the footer; withdrawal does not affect the lawfulness of processing performed before withdrawal. More info: Google's Privacy Policy.

6. Data Retention

• Account data: retained while your account is active; removed within 30 days of account deletion, except where law requires retention.
• Transaction records: retained for 10 years under tax and commercial-law obligations.
• Server access logs: deleted after 90 days.
• Embed-impression analytics: pseudonymous records are retained for up to 14 months, after which the raw per-impression rows are automatically deleted; cumulative view counts and aggregate daily statistics are preserved.
• AI Studio job records (prompts/parameters): retained while your account is active so you can review your history; deleted on account deletion.
• Marketing contacts (Brevo): removed on unsubscribe or account deletion.
• Push subscriptions: kept until you revoke them or they become invalid.
• Uploaded content: removed upon Vendor request or account deletion.

7. Your Rights

Under the GDPR you have the following rights:

• Access – a copy of the data we hold about you.
• Rectification – correction of inaccurate data.
• Erasure – deletion of your data.
• Restriction – limitation of processing.
• Portability – your data in a structured, machine-readable format.
• Objection – object to processing based on legitimate interests.
• Withdraw consent– for any processing based on consent (analytics, marketing e-mails), withdraw at any time without affecting prior lawful processing — via the “Cookie settings” link or the unsubscribe link in our e-mails.

To exercise these rights, contact legal@animstream.com. We respond within 30 days.

8. International Data Transfers

Your data is primarily processed within the EU/EEA. Some processors are located in the United States — namely Stripe (payments), Google LLC (Google Analytics, Gemini), OpenAI (prompt assistance) and fal.ai (video/audio generation). These transfers rely on the EU-U.S. Data Privacy Framework (where the recipient is certified) and/or the European Commission's Standard Contractual Clauses, together with additional safeguards where appropriate.

9. Security & Breach Notification

We implement technical and organisational measures to protect your data, including encrypted connections (TLS), hashed passwords and access controls. No method of transmission over the internet is 100% secure.

In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where required, within 72 hours, and will inform affected users where the breach is likely to result in a high risk (Art. 33–34 GDPR).

10. Minors

AnimStream is intended for users aged 18 and over (see our Terms) and is not directed at children. We do not knowingly collect personal data from minors. If we learn that a minor has provided personal data, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy. Material changes will be communicated by e-mail or a notice on the Platform. The "last updated" date above reflects the most recent revision.

12. Supervisory Authority

You have the right to lodge a complaint with a data-protection supervisory authority. The competent authority for SourceArt Ltd is the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus (dataprotection.gov.cy). You may also contact the authority in your EU country of residence.

13. Contact

SourceArt Ltd
Evagora Pallikaridi 38
8010 Pafos, Cyprus
E-mail: legal@animstream.com
Phone: +49 178 5495650