Last updated: 16 October 2025

Privacy Policy

How we collect, use, and protect your data across beautyofbits.com and related services.

Status and honesty

We currently operate as a natural person under the name BeautyOfBits.com (Julius Kleinle). There is no company register (Firmenbuch) entry and no VAT ID yet. We have no ethics or IRB approval and no government or legal guidance in place at this time. This policy follows EU and Austrian law including the GDPR and Section 165 TKG 2021.

Controller

Controller: Julius Kleinle — beautyofbits.com

Address: Birkenleiten 28, 81543 München, Germany

Email: [email protected]

Phone: +49 160 93879410

Data Protection Officer: Julius Kleinle

EU or EEA representative: not applicable

Scope

This policy explains what personal data we process when you visit our website or use our Services, why we process it, on what legal bases, for how long, with whom we share it, whether we transfer it internationally, how we secure it, and what rights you have.

Categories of personal data

  • Account and contact data. Name, email address, password hash, support messages, and related metadata such as timestamps, IP at sign-up, and verification tokens.
  • Usage and device data. IP address, device, operating system and browser information, request headers, crash or error logs, performance and quality metrics.
  • Cookies and similar technologies. Strictly necessary cookies for security and session continuity. Non-essential cookies such as analytics or A/B testing only after your consent via our cookie banner. See Section 12.
  • Biomarker and audiovisual data — special categories. Collected only if you start a test that requires your camera or microphone and only with your explicit consent. Depending on the test we may process raw inputs (camera video stream of face and eyes, and for specific tasks, audio — not stored by default), derived features (e.g., face landmarks, gaze vectors, fixations, saccades, blink rate, pupil metrics, vergence, head pose, facial action units and micro-expressions, reaction time and accuracy, device quality metrics), and reports (computed scores and interpretations presented to you). Optionally remote PPG heart rate or HRV if a PPG task is offered.
  • Payments and billing (if applicable later). Billing contact data, invoice records, and payment tokens from our payment provider. We do not store full card numbers.

Purposes and legal bases

For each purpose we identify our Article 6 GDPR legal basis, and where special category data is involved we identify an Article 9 GDPR basis.

  • Provide the Services and tests. Account, authentication, session management, computation of biomarker metrics, and display of your report. Legal basis: Article 6(1)(b) GDPR (contract). For biomarker data we rely on Article 9(2)(a) GDPR (explicit consent) which you grant when starting the test and may withdraw at any time.
  • Security and reliability. Fraud and abuse prevention, incident detection, availability, and debugging. Legal basis: Article 6(1)(f) GDPR (legitimate interests).
  • Support and communications. Respond to your requests. Legal basis: Article 6(1)(b) and Article 6(1)(f) GDPR.
  • Analytics and product telemetry — non-essential. Legal basis: Article 6(1)(a) GDPR (consent) and Section 165 TKG 2021 for storing or reading non-essential cookies or identifiers.
  • Legal compliance. Tax, accounting, and responses to lawful requests. Legal basis: Article 6(1)(c) GDPR.
  • Research and statistics — optional and currently inactive. If we later run ethics-reviewed studies using pseudonymised datasets, participation will be voluntary and disclosed in a separate consent form. Legal basis: Article 9(2)(a) GDPR (explicit consent) or Article 9(2)(j) GDPR with Article 89 safeguards. We will update this policy before such studies begin.

Artificial intelligence and machine learning — transparency

  • On-device versus server-side processing. Where feasible, pre-processing such as face detection and landmarks runs on your device. Some tests require secure server-side processing to compute metrics or validate quality.
  • Inference. We run algorithms to extract features such as fixations and saccades and to compute scores. We do not perform automated decision-making that produces legal or similarly significant effects within the meaning of Article 22 GDPR.
  • Training and human annotation. Not required to use the Service. We use your biomarker or video data for model improvement only if you explicitly opt in. If you opt in, we may retain short video snippets for up to 72 hours and pseudonymised derived features for up to 12 months, or up to 24 months if we later set that policy, for quality assurance, human annotation, and training. You can withdraw consent at any time in Settings → Privacy.
  • Third-party AI. We do not send raw video, audio, or biomarker features to general purpose large language model providers. If we later use vetted AI processors, we will list them in this policy and obtain consent where required.

Recipients and processors

We use service providers that process data for us under Article 28 GDPR and are bound by data processing agreements and confidentiality. We will maintain a current list on our website with region and transfer safeguards. Typical categories include hosting and CDN, email or CRM, analytics that run only after consent, payments, and human annotation vendors who only see pseudonymised snippets. We do not sell personal data.

International transfers

If a provider processes data outside the EEA, for example in the United States, the United Kingdom, or Switzerland, we rely on appropriate safeguards such as EU adequacy decisions and Standard Contractual Clauses, and where needed add supplementary technical and organisational measures. Transfer impact assessments are documented. Summaries are available on request.

Storage periods

  • Server and security logs. 30 days, retained longer if investigating incidents.
  • Support tickets. 24 months after closure.
  • Accounts. For the life of the account, with basic audit entries for an additional 3 months.
  • Biomarker and audiovisual data.
    • Raw video or audio. Not stored by default. If you opt in to QA or annotation we keep short snippets for up to 72 hours, then delete or anonymise.
    • Derived features and metrics. 12 months by default, or up to 24 months if we later set that policy, or until account deletion, whichever occurs first.
    • Research datasets. Only if activated in the future and only as described in a separate consent form with safeguards.
  • Invoices and tax records. 7 years under Austrian law.

Your rights

You have the rights of access, rectification, erasure, restriction, objection, and data portability under Articles 15 to 21 GDPR. Where processing relies on consent you may withdraw that consent at any time. Withdrawal does not affect processing carried out before withdrawal.

How to exercise your rights. Email [email protected]. We will verify your identity and respond within 30 days. We may extend the deadline by up to two months if the request is complex, and we will inform you of the reasons.

Supervisory authority. You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement (Art. 77 GDPR). In Germany, this is in particular the competent data protection authority of your federal state or, where applicable, the Federal Commissioner for Data Protection and Freedom of Information (BfDI), Graurheindorfer Straße 153, 53117 Bonn, [email protected].

Children

Our Services are not directed to children. If minors use the Service we follow the applicable national rules for digital consent and may require parental consent. If we learn that child data was collected without proper consent we delete it.

Security of processing

We apply measures appropriate to risk. These include encryption in transit, encryption at rest using AES-256, network isolation, role-based access control, least privilege, multi-factor authentication, audit logging, secure software development lifecycle, dependency and vulnerability scanning, secrets in a managed key management service, monitoring and alerting, backups and disaster recovery, and incident response.

Cookies and consent

Non-essential cookies or identifiers — for example analytics, A/B testing, or marketing — are off by default and are activated only after your consent via our banner. You can change your choice at any time via Cookie settings. Strictly necessary cookies run on the basis of Article 6(1)(b) and Article 6(1)(f) GDPR.

Initial pageview for attribution. To understand where our visitors come from (traffic sources, referrers, UTM parameters), we capture a single initial pageview when you first visit our site. This happens before the cookie banner appears and is based on our legitimate interest in understanding our marketing effectiveness (Article 6(1)(f) GDPR). No subsequent tracking occurs until you explicitly consent. If you decline cookies, no further pageviews or events are tracked.

Consent choice tracking. We record your cookie consent choice (accept or decline) for compliance documentation and to measure our consent rates. This single event is captured regardless of your choice, as it is necessary to demonstrate GDPR compliance and improve our consent processes (Article 6(1)(f) GDPR - legitimate interest).

Current cookie status

Strictly Necessary Cookies

Required for the site to function properly

Status: None currently active

Details: We do not set first-party session cookies; authentication uses secure token storage in the browser

Legal basis: Article 6(1)(b) or (f) GDPR

Analytics Cookies

Consent Required

Help us understand how visitors interact with our site

Provider: PostHog (EU hosting in Frankfurt)

Cookie name: ph_<token>_posthog

Purpose: Anonymized pageview tracking, traffic source analysis, user behavior insights

Data stored: Anonymous user ID, session data, page paths, referrer information

Initial pageview: First pageview is captured for attribution purposes (Article 6(1)(f) - legitimate interest)

Duration: 365 days (localStorage + cookie)

Default state: Disabled after initial pageview until you accept via cookie banner

Legal basis: Article 6(1)(f) for initial attribution, Article 6(1)(a) GDPR (consent) + Section 165 TKG 2021 for ongoing tracking

Opt-out: Decline in banner prevents all tracking beyond initial pageview, or change in cookie settings anytime

Privacy policy: posthog.com/privacy

A/B Testing & Marketing

Status: Not currently active. Will be listed here once enabled.

Changes to this policy

We will update this policy as our Services evolve. The current version and a change log will be available on this page.

Annexes

Annex 1 — Biomarker catalogue (examples)

We compute only what is necessary and disclose per-test details on the consent screen.

  • Vision and oculomotor: fixations, saccades, scan path, smooth pursuit gain, blink metrics, pupil metrics including diameter and task-evoked pupillary response, vergence, head pose and stability indices.
  • Affect and facial dynamics: facial action units and micro-expressions, valence or arousal proxies that are non-diagnostic, expression variability measures.
  • Behavioural and task: reaction times, accuracy, omissions and commissions, sustained attention measures, timing intervals, quality control metrics such as frame rate, illumination, occlusion, calibration quality, face or eye visibility.
  • Physiological where present: remote PPG heart rate and HRV, respiratory proxies.

We do not use biometrics to uniquely identify you.

Annex 2 — Data flow and storage architecture

On-device processing where feasible. TLS transport with HSTS. Server-side feature extraction only where required, followed by metric computation and report generation. Raw media is not stored by default. If you opt in to QA or annotation, short clips are kept for no more than 72 hours in a segregated EU bucket.

We segregate storage for raw clips (if any), derived features, reports, and audit or consent logs. Encryption at rest using AES-256 with managed keys. Least-privilege IAM, multi-factor authentication, quarterly access reviews. EU primary region. Backups are encrypted with a typical retention of 30 days, including an immutable copy. Recovery point objective up to 24 hours and recovery time objective up to 72 hours.

Annex 3 — Legal basis and data mapping (text form)

Account data. Purpose: provide account and authentication. Article 6(1)(b). No Article 9 basis. Retention: life of account plus 3 months. Recipients: first-party database in the EU and email or CRM processor.

Server logs. Purpose: security and abuse prevention. Article 6(1)(f). Retention: 30 days. Recipients: hosting and CDN.

Non-essential cookies. Purpose: analytics and A/B testing. Article 6(1)(a) plus Section 165 TKG 2021. Retention: per tool. Recipients: analytics provider.

Raw video or audio. Purpose: optional QA, annotation, and training. Article 6(1)(a) and Article 9(2)(a). Consent required. Retention: up to 72 hours. Recipients: segregated storage in the EU and annotation vendor if used.

Derived features. Purpose: compute metrics and reports, optional training. Article 6(1)(b). For training, Article 6(1)(a) and Article 9(2)(a). Retention: 12 months or up to 24 months. Recipients: feature store in the EU.

Research datasets. Purpose: research and statistics. Article 6(1)(a) or 6(1)(f) and Article 9(2)(a) or 9(2)(j). Consent route if used. Retention: as consented. Recipients: research partners if any.

Billing. Purpose: invoicing and tax. Article 6(1)(b) and 6(1)(c). Retention: 7 years. Recipients: payment service provider and accounting.

Annex 4 — Consent user experience and records

Two toggles at test start. Toggle 1 is required to run the test and covers consent for special category processing. Toggle 2 is optional and covers QA, human annotation, and training, up to 72 hours for raw clips and up to 12 months for derived features. Provide just-in-time prompts for tasks that estimate HR or HRV using remote PPG. Withdrawal is available in Settings → Privacy.

We keep consent logs for 24 months after the last activity, including policy or screen version identifiers, timestamps, IP and country, device, locale, test identifiers, and the toggle states.

Annex 5 — Data subject rights procedure

Request by email from the account address. We verify identity and respond within 30 days. We may extend by up to two months if the request is complex. We provide exports in a portable format such as JSON, CSV, or PDF, explain any redactions, and execute deletion across profiles, features, and any QA bucket. Backups age out per schedule.

Annex 6 — Processor inventory template

Host or CDN, Email or CRM, Analytics, Payments, Annotation. For each we record role, region, transfer safeguard, and a link to the DPA terms. The current list will be published on our website.

Annex 7 — International transfers and TIAs

For each transfer to a third country we record the data types, purposes, recipient law, and the technical and organisational measures. We rely on EU adequacy decisions or Standard Contractual Clauses and apply additional measures such as encryption and access controls. Summaries are available on request.

Annex 8 — Security measures

Access control with role-based access and least privilege. Multi-factor authentication. Encryption in transit and at rest. Secure development and code review. Dependency and vulnerability scanning. Logging and monitoring. Endpoint protection. Backups and disaster recovery. Change management. Regular penetration testing. Staff training and NDAs. Vendor risk reviews.

Annex 9 — Incident and breach response

Detect, assess, contain, eradicate, recover, and notify. If a breach is likely to result in a risk to individuals we notify the Austrian Data Protection Authority within 72 hours and affected users without undue delay. Notifications include the scope, contact details, likely consequences, and measures taken.

Annex 10 — Research ethics and governance — current status

Current status as of 25 September 2025. We are not conducting formal human subjects research under an institutional ethics committee or IRB. We have no ethics approval and research mode is inactive. We do not share user data with external research partners. We do not publish raw datasets.

If we later run research, we will first seek competent ethics approval or a waiver where required, provide a study-specific consent form, pseudonymise data at ingestion, use data use or material transfer agreements with partners, and name the oversight body publicly.

Annex 11 — Model training governance and model cards — current status

Training uses only data from users who explicitly opt in. There is no external auditor or ethics board for model governance at this time. Model cards are in preparation.

Removal policy: on withdrawal we stop any further training with your data and delete remaining raw QA material. Model parameters already trained are generally not technically reversible, but we exclude your future data and any retraining sets. For each major model we plan to publish intended use and limits, high-level dataset composition, preprocessing and feature extraction summary, evaluation metrics, fairness checks where statistically sound, update cadence, and version history.

Annex 12 — Cookie and tracker inventory

Cookies are explained in Section 12. Current inventory:

PostHog Analytics

  • Cookie name: ph_<project_token>_posthog
  • Purpose: Store user ID and session data for analytics
  • Type: First-party, localStorage + cookie
  • Duration: 365 days
  • Provider: PostHog Inc., EU hosting (Frankfurt)
  • Legal basis: Consent (Article 6(1)(a) GDPR, Section 165 TKG 2021)
  • Opt-out: Via cookie banner or cookie settings

BITS keeps this list up to date as we update our tools and services.