Privacy Policy
Datenschutzerklärung · Last updated: 18 May 2026
This Privacy Policy explains how Before&After.Studio ("we", "us") processes personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR" / "DSGVO"), the German Federal Data Protection Act (BDSG) and the Telecommunications Digital Services Data Protection Act (TDDDG / former TTDSG). This policy applies to two groups of users:
- Studios (Clients): beauty and wellness professionals who hold a Pro Studio account.
- End customers: visitors of a Studio who upload before/after photos via a QR code or link without creating an account.
1. Controller
The controller within the meaning of Art. 4 (7) GDPR is the operator listed in our Imprint. You can reach us at soodtushar15@gmail.com.
2. Categories of data we process
2.1 Studios (Clients)
- Account data: name, email, password hash, phone, postal address.
- Business data: business name, business type, logo, accent colour, links (website, Google review URL, Instagram, TikTok, booking URL).
- Billing data: subscription status, plan, renewal date. Card data is processed by our payment provider; we do not store full card numbers.
- Content: before/after images you upload, generated layouts, QR scan counts, download counts.
- Technical data: IP address, browser, device, log timestamps.
2.2 End customers (no account)
- The before and after photographs you upload through a Studio's QR link.
- Technical data necessary to deliver the page (IP address, browser, timestamp).
- No account, no name, no email is requested from end customers.
3. Purposes & legal bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing the Studio account and dashboard | Art. 6 (1) (b) — contract performance |
| Processing payments and renewals | Art. 6 (1) (b), (c) — contract & legal obligation |
| Generating branded layouts from uploaded photos | Art. 6 (1) (b) — performance of the service requested by the Studio / the end customer using the Studio's QR link |
| Issuing a private share link (reveal page) | Art. 6 (1) (b) — service delivery |
| Security, fraud prevention, log files | Art. 6 (1) (f) — legitimate interest |
| Statutory retention (invoices, tax) | Art. 6 (1) (c) — legal obligation |
| Service emails (account, billing, security) | Art. 6 (1) (b) |
4. End-customer uploads: special note
When an end customer uploads photos via a Studio's QR code, they act on behalf of, and at the invitation of, that Studio. The Studio is jointly responsible for ensuring it has the lawful basis (e.g. the customer's consent under Art. 6 (1) (a) and, where applicable, Art. 9 (2) (a) GDPR for any data revealing health, ethnic origin or other special categories) before requesting an upload.
Before&After.Studio acts as a processor on behalf of the Studio for these uploads (Art. 28 GDPR). A Data Processing Agreement (DPA / AVV) is concluded with every Pro Studio account and forms part of our Terms.
5. Retention
- Studio account data: until the account is deleted, plus statutory retention (up to 10 years for invoices under § 147 AO).
- End-customer uploads and generated layouts: stored until the share link expires (default 30 days), or until the Studio or end customer terminates the link, whichever is sooner.
- Server logs: 14 days.
6. Recipients & processors
We use the following categories of processors, all bound by Art. 28 GDPR agreements:
- Cloud hosting and database (EU region).
- Payment provider (for subscription billing).
- Transactional email provider.
- Error monitoring and analytics (privacy-preserving, no cross-site tracking).
7. International transfers
Personal data is hosted in the European Union. Where a processor is established outside the EEA, the transfer is safeguarded by the EU Standard Contractual Clauses (Art. 46 (2) (c) GDPR) and supplementary measures.
8. Your rights (Art. 15–22 GDPR)
You have the right to:
- Access — confirm whether we process your data and obtain a copy.
- Rectification — correct inaccurate data.
- Erasure ("right to be forgotten") — delete your data.
- Restriction — limit processing.
- Data portability — receive your data in a structured format.
- Objection — including against processing based on legitimate interest.
- Withdraw consent at any time, without affecting prior processing.
Studios can delete their account at any time from the dashboard (Account → Manage account → Delete). End customers can terminate a share link from the reveal page itself, which permanently removes the uploaded images.
You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). In Germany, this is the data protection authority of the federal state in which you reside.
9. Cookies & local storage (TDDDG)
We only set strictly necessary cookies and local-storage entries required to keep you signed in and to deliver the service. No tracking, no advertising cookies — therefore no consent banner under § 25 (2) TDDDG.
10. Automated decision-making
No automated decision-making within the meaning of Art. 22 GDPR takes place.
11. Changes
We may update this policy from time to time. The current version is always available at this URL with the date of the last update.