Privacy Policy - Klaide

    Version 1.2 — Last updated: October 24, 2025

    1. Controller

    The controller within the meaning of the General Data Protection Regulation (GDPR) is:

    Thetaspace GmbH
    Schorner Str. 1a
    82065 Baierbrunn
    Germany

    2. Scope of This Privacy Policy

    This Privacy Policy applies to the use of the Klaide software-as-a-service platform, including:

    • website and landing pages
    • customer dashboard
    • authentication and account management
    • subscription and billing
    • uploaded business content
    • API usage

    This Privacy Policy applies only to Klaide customers (business users).

    For shoppers using a merchant’s virtual try-on page or embed link, a separate end-user privacy notice applies and is displayed directly on the try-on interface.

    3. Categories of Personal Data

    3.1 Account Data

    • user identifier
    • email address
    • authentication metadata

    3.2 Subscription and Billing Data

    • subscription status
    • invoice information
    • billing metadata

    Payment card data is processed exclusively by external payment service providers and is not stored by us.

    3.3 Uploaded Content

    • product images
    • logos or watermarks
    • technical metadata linked to the account

    4. Purposes and Legal Bases

    PurposeLegal Basis
    Account creation and loginArt. 6(1)(b) GDPR
    Provision of the SaaS serviceArt. 6(1)(b) GDPR
    Subscription and billingArt. 6(1)(b) GDPR
    Compliance with legal obligationsArt. 6(1)(c) GDPR
    Security and abuse preventionArt. 6(1)(f) GDPR

    5. Recipients and Categories of Recipients

    We disclose personal data only to the following categories of recipients:

    • authentication service providers
    • payment service providers
    • hosting and infrastructure providers
    • email and communication service providers

    All service providers act on our behalf and are contractually bound in accordance with Art. 28 GDPR.

    A current list of subprocessors is available here: Subprocessor List.

    6. Data Processing Location

    All data is processed exclusively on servers located in Germany.

    No personal data is transferred to third countries outside the European Union.

    7. Data Retention

    Trial accounts

    If no subscription is purchased:

    • all uploaded data is permanently deleted 30 days after trial expiration
    • deletion may be requested earlier at any time

    Active subscriptions

    Customers may delete their uploaded data at any time via the dashboard.

    Expired subscriptions

    If a subscription ends:

    • customers are notified
    • uploaded data is permanently deleted 90 days after subscription end, unless renewed

    Statutory retention obligations (e.g. accounting records) remain unaffected.

    8. Data Security

    We apply appropriate technical and organizational measures, including:

    • encrypted data transmission
    • access restrictions
    • separation of environments

    9. Data Subject Rights

    You have the right to:

    • access (Art. 15 GDPR)
    • rectification (Art. 16 GDPR)
    • erasure (Art. 17 GDPR)
    • restriction (Art. 18 GDPR)
    • data portability (Art. 20 GDPR)
    • objection (Art. 21 GDPR)

    Requests can be sent using the contact details.

    10. Supervisory Authority

    You have the right to lodge a complaint with a data protection supervisory authority.