irivisAI Iris Photography

Privacy Policy (Datenschutzerklärung)

Last updated: March 2026

1. Controller

Antonius Strachwitz
c/o Studopolis e.V.
Martin-Greif-Straße 1
84539 Ampfing, Germany
E-Mail: hello@irivis.app

2. What Data We Collect

2.1 Uploaded Images (Biometric Data)

When you upload a photo of your eye, we process it to generate an AI-enhanced iris image. Iris photographs may constitute biometric data under GDPR Art. 9. We process this data based on your explicit consent (Art. 9(2)(a) GDPR), which you give by checking the consent box before upload.

Important: We do not extract biometric templates or identifiers from your images. The photos are used solely to generate the artistic product. All uploaded and generated images are automatically and permanently deleted 14 days after creation.

2.2 Payment Information

When you purchase a download, your email address is collected by Stripe during checkout. We store your email address linked to your order for record-keeping. We never see or store your credit card details — these are handled entirely by Stripe.

2.3 Technical Data

Our hosting provider (Vercel) may automatically collect your IP address, browser type, and access timestamps for security and operational purposes. We do not use analytics or tracking cookies.

3. Purpose of Processing

  • Image processing: To generate your AI iris photograph (legal basis: consent, Art. 6(1)(a) and Art. 9(2)(a) GDPR)
  • Payment: To process your purchase (legal basis: contract performance, Art. 6(1)(b) GDPR)
  • Technical operation: To provide and secure the service (legal basis: legitimate interest, Art. 6(1)(f) GDPR)

4. Third-Party Processors

We use the following third-party services to operate irivis:

  • Supabase (Supabase Inc., USA) — Database and file storage. Your images are stored on Supabase servers.
  • Google Gemini(Google LLC, USA) — AI image generation. Your preprocessed eye image is sent to Google's API for processing.
  • Stripe (Stripe Inc., USA) — Payment processing. Your email and payment details are handled by Stripe.
  • Vercel (Vercel Inc., USA) — Web hosting and serverless infrastructure.

All US-based processors operate under appropriate safeguards (Standard Contractual Clauses / Data Privacy Framework).

5. Data Retention

Uploaded images and generated results: 14 days, then permanently deleted.
Payment records (email, transaction ID): Retained for tax and legal compliance (up to 10 years per German tax law).
Server logs: Automatically rotated by our hosting provider.

6. Cookies

irivis uses only essential cookies required for the service to function (e.g., Stripe checkout). We do not use analytics, advertising, or tracking cookies.

7. Your Rights (GDPR)

Under the GDPR, you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data (Art. 17) — note that images are auto-deleted after 14 days
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Withdraw consent at any time (Art. 7(3)) — withdrawal does not affect the lawfulness of processing before withdrawal
  • Lodge a complaint with a supervisory authority. The competent authority in Germany depends on your state (Landesdatenschutzbeauftragter).

To exercise your rights, contact us at hello@irivis.app.

8. Children

Our service is not directed at individuals under 16. We do not knowingly collect data from minors.

9. Changes to This Policy

We may update this policy from time to time. The current version is always available at irivis.app/privacy.