Last updated: 9 December 2025
The controller responsible for data processing on this website within the meaning of the GDPR is:
Tim Geithner
Sole proprietorship
Scheuerfelder Straße 33
96450 Coburg
Germany
E-mail: photoradar@email.de
Phone: +49 179 / 1044546
No data protection officer has been appointed, as the legal requirements for mandatory appointment are not met.
We process personal data in order to provide and improve our service "Photoradar – Location Finder" (photoradar.io). Depending on how you use the service, the following processing activities may occur:
a) Provision of the Website and Security
Data:
IP address, date/time of access, requested resources (URLs), HTTP status codes, volume of data transferred, referrer URL, user agent (browser, device), error and security logs.
Purpose:
Provision of the website, ensuring stability and security (e.g. rate limiting, abuse prevention, technical monitoring).
Legal basis:
Art. 6(1)(f) GDPR (legitimate interests – operation of a secure and stable online service).
b) User Accounts and Authentication (Supabase)
Data:
E-mail address, login data, hashed passwords, session tokens, basic profile information (if provided), session metadata.
Purpose:
Registration, login, session management, administration of user access and usage.
Legal basis:
Art. 6(1)(b) GDPR (performance of a contract or steps prior to entering into a contract).
c) Image Upload, Cropping and Analysis
Data:
Uploaded images, cropped image sections, image metadata (e.g. EXIF/GPS data where present), temporary analysis results and related technical information.
Purpose:
Provision of the core service (image-based location estimation), display of results and, where applicable, storage of a history of your analyses.
Legal basis:
Art. 6(1)(b) GDPR (performance of a contract – providing the requested analysis).
Please note: Uploaded images may contain personal data (e.g. faces, number plates, buildings, locations). You should only upload images that you are allowed to use and that do not unlawfully infringe the rights of others.
d) AI-based Analyses and Geocoding
Data:
Image content, extracted features (e.g. text recognition, labels, landmarks), intermediate AI outputs, geocoding data (coordinates, place candidates, scores).
Purpose:
Estimation of likely locations, scoring, conversion into coordinates, quality improvement of the service (e.g. better ranking of candidate locations).
Legal basis:
Art. 6(1)(b) GDPR (performance of a contract),
Art. 6(1)(f) GDPR (legitimate interests – optimisation and quality assurance of the service).
We do not use your images as training data for our own or third-party AI models unless this is clearly indicated and you have expressly consented.
e) Map Display (Mapbox)
Data:
IP address, browser/device data, technical usage data when requesting map tiles, styles and related resources from Mapbox.
Purpose:
Interactive map display of analysis results and locations.
Legal basis:
Art. 6(1)(b) GDPR (performance of a contract – core functionality of the service) and/or Art. 6(1)(f) GDPR (legitimate interests – attractive and usable visualisation).
f) Web Analytics (Google Analytics, Consent Mode v2)
Data:
Pseudonymised usage data, device information, events (e.g. page views, clicks), truncated/anonymised IP address, consent signals (Consent Mode v2).
Purpose:
Measurement of reach and usage patterns, product improvement, troubleshooting, aggregated statistics.
Legal basis:
Art. 6(1)(a) GDPR (consent).
Google Analytics is only activated if you have given your consent via the cookie banner. IP anonymisation is enabled and no personalised advertising features are used.
g) Contact / Support (optional Screenshot Upload)
Data:
Name (if provided), e-mail address, message content, category/severity, optional screenshots or attachments, technical context (e.g. browser, URL, timestamp).
Purpose:
Handling of support enquiries, answering questions, error analysis, customer communication.
Legal bases:
Art. 6(1)(b) GDPR (performance of a contract or pre-contractual queries),
Art. 6(1)(f) GDPR (legitimate interests – effective customer support).
h) Audit and Event Logs (Edge Functions)
Data:
IP address, user agent, user ID or session ID, event type (e.g. analysis started, analysis completed, errors), timestamps.
Purpose:
Traceability of actions, security, abuse detection, technical debugging.
Legal basis:
Art. 6(1)(f) GDPR (legitimate interests – security, monitoring and improvement of the service).
i) Payments and Subscriptions (Stripe)
Data:
Billing and payment data processed via Stripe, such as: name, billing address, e-mail address, selected plan, transaction IDs, last digits and type of payment method, payment status, subscription ID, partial card data (e.g. last 4 digits), timestamps.
Purpose:
Processing of payments for paid plans, subscription management (recurring billing, upgrades/downgrades), prevention of fraud and misuse, fulfilment of accounting and tax obligations.
Legal bases:
Art. 6(1)(b) GDPR (performance of a contract – paid accounts and subscriptions),
Art. 6(1)(c) GDPR (compliance with legal obligations, e.g. bookkeeping, tax retention),
Art. 6(1)(f) GDPR (legitimate interests – fraud prevention, securing payment processes).
Stripe acts as a payment service provider and may act as an independent controller for certain processing activities (e.g. fraud prevention, compliance obligations). Please also refer to Stripe's own privacy documentation.
There is no automated decision-making, including profiling, which produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR. All analysis results are probabilistic and intended solely as decision support.
We use cookies, local storage and similar technologies. Some of these are technically necessary, others are used only with your consent (e.g. analytics).
Legal bases:
Device access and storage: applicable telecommunications/data protection laws (e.g. German TTDSG or equivalent),
Art. 6(1)(b) and (f) GDPR – for essential cookies necessary to provide the service,
Art. 6(1)(a) GDPR – for non-essential/analytics cookies based on your consent.
Categories and Examples
Essential (no consent required):
– Session/authentication cookies and tokens (e.g. supabase-auth-token) – required for login and sessions (provider: Lovable Cloud / Supabase).
– UI preferences (e.g. sidebar state, language settings) – to remember basic interface settings.
– Technical caching and load distribution, including map tile caching (e.g. Mapbox resources).
Functional (with consent, where applicable):
– Service-worker cache entries or local storage entries to enable offline or PWA-like behaviour beyond what is strictly necessary.
Analytics (with consent):
– Google Analytics cookies (e.g. _ga, _ga*, _gid) – used to measure traffic and usage, with IP anonymisation and Consent Mode v2.
Payment and Security (Stripe):
– Stripe may set its own cookies and similar technologies on checkout pages or in embedded elements to enable secure payment processing and fraud prevention.
Consent Management
On your first visit, a cookie banner is shown with options to accept or reject non-essential cookies. You can change or withdraw your consent at any time via the cookie settings linked in the footer (or comparable area) of the website.
Google Analytics and other non-essential tools are disabled by default until you give your consent.
Depending on your use of the service, personal data may be transmitted to the following categories of recipients:
– Supabase / Lovable Cloud – hosting, database, authentication, storage (processor).
– Google Cloud Vision API / Geocoding API – image analysis and location recognition (partly processor, partly own responsibility).
– Lovable AI Gateway, OpenAI, Google Gemini – AI-based processing of analysis data (partly independent controllers).
– Mapbox – map and tile services for displaying geographic information (independent controller for tile/style requests).
– Google Analytics – web analytics provider (controller, only if you consent).
– Stripe – payment service provider for processing payments and subscriptions (controller and/or processor, depending on context).
– Technical service providers (e.g. e-mail sending, logging/monitoring tools), where used.
Where processors are used within the meaning of Art. 28 GDPR, appropriate data processing agreements (DPAs) have been concluded.
Some of the above providers are located in, or process data in, countries outside the EU/EEA, in particular the United States (e.g. Google, Stripe, OpenAI, Mapbox).
Where such transfers occur, they are based on:
– An adequacy decision of the European Commission (e.g. EU–US Data Privacy Framework, where the provider is certified), and/or
– Standard Contractual Clauses (SCCs) issued by the European Commission, supplemented by additional safeguards where necessary.
More detailed information on the specific safeguards can be provided upon request.
We store personal data only for as long as necessary for the respective purpose or as long as we are legally obliged to do so.
In particular:
– Account data: Stored for the duration of the contractual relationship. After termination, data may be retained for the period required by commercial and tax law (typically up to 6 or 10 years for accounting-related records).
– Uploaded images and analysis history: Stored as long as necessary to provide the service and the analysis history. You can delete individual images or history entries yourself where functionality is provided. We may also implement automatic deletion after defined retention periods.
– Contact/support requests: Stored until your request has been fully processed. If legal retention obligations apply (e.g. commercial or tax law), data may be stored longer.
– Audit and security logs: Typically stored for up to 90 days, unless longer storage is required for security or legal reasons.
– Analytics data: Stored according to the retention settings configured in Google Analytics, only if you have given your consent.
– Payment and billing data (Stripe, invoices): Stored for the duration of the contractual relationship and for the statutory retention periods applicable under commercial and tax law.
Specific retention periods may vary depending on the purpose and applicable legal obligations.
The provision of certain data is necessary for the use of the Service:
– Without IP address and basic technical data, the website cannot be delivered.
– Without login data, access to account-based features is not possible.
– Without image uploads, no image analysis can be performed.
– Without payment data, paid plans and subscriptions cannot be set up.
You are not obliged to provide data that is not necessary for the respective purpose (e.g. optional profile details or screenshots for support). However, some functions may not be available without certain data.
Under the GDPR, you have the following rights in relation to your personal data, subject to the relevant legal requirements:
– Right of access (Art. 15 GDPR) – to obtain information on what data we process about you.
– Right to rectification (Art. 16 GDPR) – to request correction of inaccurate or incomplete data.
– Right to erasure (Art. 17 GDPR) – to request deletion of your data, where legally permissible.
– Right to restriction of processing (Art. 18 GDPR).
– Right to data portability (Art. 20 GDPR) – to receive the data you have provided in a structured, commonly used and machine-readable format, or to have it transmitted to another controller where technically feasible.
– Right to object (Art. 21 GDPR) – to object to processing based on Art. 6(1)(f) GDPR (legitimate interests), on grounds relating to your particular situation.
– Right to withdraw consent (Art. 7(3) GDPR) – where processing is based on your consent, you may withdraw it at any time with effect for the future. This does not affect the lawfulness of processing prior to withdrawal.
– Right to lodge a complaint (Art. 77 GDPR) – with a supervisory authority, in particular in the Member State of your habitual residence, workplace or the place of the alleged infringement. For us, the competent authority is, for example, the Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht).
To exercise your rights, please contact us using the contact details provided under section 1.
We take appropriate technical and organisational measures (TOMs) to protect personal data against loss, misuse and unauthorised access, disclosure, alteration or destruction. These measures include, in particular:
– TLS encryption for data transmission,
– Access controls and role concepts,
– Logging and monitoring of relevant events,
– Rate limiting and other protective mechanisms against abuse,
– Regular security checks and updates.
No security measure can guarantee absolute protection, but we continuously work to maintain a high level of security.
Below is a brief overview of key third-party services involved in our processing:
– Google Cloud Vision / Geocoding: Processing of image, text and location data to support analysis and location estimation.
– Lovable AI Gateway / OpenAI / Google Gemini: AI-based evaluation of extracted information, without using your content as training data unless this is explicitly stated and you have consented.
– Mapbox: Display of interactive maps; IP address and technical usage data are transmitted to Mapbox when map tiles and styles are loaded.
– Google Analytics: Web analytics for reach measurement, only with your consent; Consent Mode v2 is used, IP anonymisation is enabled, no ad personalisation.
– Stripe: Processing of payments for paid plans and subscriptions, including fraud prevention and compliance with financial regulations. Stripe receives payment-related data when you enter your payment details and complete purchases.
For details on how these providers process data, please refer to their respective privacy policies.
We may update this Privacy Policy from time to time, for example if legal requirements change or if our services are further developed.
The current version of the Privacy Policy is always available on our website. If we make material changes, we will inform you in an appropriate manner (e.g. via a notice on the website or, where appropriate, by e-mail).