May 12, 2026
1. Controller
The controller responsible for the processing of personal data within the meaning of Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is:
MyTrendView GmbH
Musterstraße 1
10115 Berlin, Germany
Email: privacy@mytrendview.com
You can reach our data protection contact at dpo@mytrendview.com.
2. Scope and applicable law
This Privacy Policy applies to processing carried out by MyTrendView GmbH when you use mytrendview.com or any of our subdomains, our web application and connected APIs (the "Service"). Processing is governed by the EU GDPR, the German Federal Data Protection Act (BDSG) and the German Telecommunications-Telemedia Data Protection Act (TDDDG / former TTDSG).
3. Categories of personal data we process
Account data: name, email address, hashed password (bcrypt), profile picture (only if you sign in with Google), language preference, time zone.
Brand & business data: the website URL you connect, brand description, industry, target audience and any text you enter into the product.
Social account data: if you connect YouTube (or other platforms in the future), we store the OAuth access token, refresh token, expiry, the channel ID, channel name, handle and avatar URL. We do not read private messages, comment inboxes or non-public videos.
Content data: trend lists, competitor and creator lists, video plans, frames, generated images, captions and hooks generated through our AI features and stored under your account.
Usage and log data: IP address (truncated where possible), user-agent, requested URL, timestamp, HTTP status, referrer, error logs.
Billing data (once paid plans are launched): name, billing address, VAT-ID, payment method tokens. Card numbers are processed solely by our payment provider; we never see or store full PANs.
4. Purposes & legal bases (Art. 6 GDPR)
Providing the Service — account creation, authentication, running scrapes, generating AI plans and images, publishing to social accounts you have connected: Art. 6 (1) (b) GDPR (performance of a contract).
Security, fraud prevention, abuse detection, server logs: Art. 6 (1) (f) GDPR (legitimate interest in operating a secure service). Server logs are deleted or anonymised after 14 days.
Optional analytics & product improvement: Art. 6 (1) (a) GDPR (your consent given via the cookie banner, withdrawable at any time).
Marketing emails: Art. 6 (1) (a) GDPR (consent) or § 7 (3) UWG for existing-customer recommendations of similar services.
Compliance with legal obligations (tax-, commercial-law-, GoBD-required retention of invoices for up to 10 years): Art. 6 (1) (c) GDPR.
5. Cookies and similar technologies (§ 25 TDDDG)
By default, we set only strictly necessary cookies: a NextAuth session cookie (httpOnly, secure, SameSite=Lax) and a CSRF token. These are required to keep you signed in and to protect form submissions. No consent is required for these under § 25 (2) Nr. 2 TDDDG.
We do not currently use third-party analytics, advertising trackers, fingerprinting, Google Analytics, Meta Pixel, Hotjar or similar tools. If we introduce such tools in the future, they will only be loaded after you give explicit, separate, granular consent through a Consent-Management-Platform compliant with § 25 TDDDG and EDPB Guideline 03/2022.
6. Recipients and processors (Art. 28 GDPR)
We use the following processors under a Data Processing Agreement. The list is updated when we add or remove vendors:
- Vercel Inc. (USA) — hosting of the web application. EU data centers used where possible. Transfer based on EU Standard Contractual Clauses (SCCs) and Data Privacy Framework certification.
- MongoDB, Inc. (USA, Atlas cluster located in Frankfurt, eu-central-1) — primary database.
- Cloudinary Ltd. (Israel / EU) — storage and delivery of generated images. Israel is recognised as adequate under the Commission Decision of 31.01.2011.
- Anthropic PBC (USA) — Claude AI models for trend scoring, hook generation and video planning. Anthropic does not train its production models on API inputs. Transfer based on SCCs.
- Google LLC / Google Ireland Ltd. — (a) Google OAuth for "Sign in with Google", (b) Gemini API ("Nano Banana Pro") for image generation, (c) YouTube Data API v3 for publishing if you connect a YouTube account. Transfer based on SCCs and the EU-US Data Privacy Framework.
- Apify Technologies s.r.o. (Prague, Czech Republic, EU) — running scrapers against public web data.
- Email provider (transactional email; SES / Postmark or equivalent) — sending login, password-reset and notification emails.
Where data is transferred to countries outside the EU/EEA without an adequacy decision, we rely on the EU Standard Contractual Clauses (Art. 46 (2) (c) GDPR) and additional technical measures (encryption in transit and at rest).
7. YouTube Data API — limited use disclosure
If you connect your YouTube channel, MyTrendView's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, we:
- use Google data only to provide the user-facing publishing feature you requested,
- never transfer Google data to third parties except as needed to provide that feature, comply with applicable law or as part of a merger,
- never use Google data for advertising or to train generalised AI/ML models,
- never allow humans to read Google data unless we have your affirmative consent, it is necessary for security/abuse/legal reasons or the data has been aggregated and anonymised.
You can revoke MyTrendView's access to your Google account at any time at myaccount.google.com/permissions or via the Disconnect button in our Calendar page.
8. AI processing and automated decisions (Art. 22 GDPR)
MyTrendView uses third-party AI models (Anthropic Claude, Google Gemini) to score trends, generate text and generate images on your behalf. These processors act under our instructions and contractually undertake not to train their public models on our API inputs.
No decision producing legal effects on you or similarly significantly affecting you is made solely by automated means within the meaning of Art. 22 GDPR. All AI outputs are suggestions you can edit or discard.
9. Source of scraped data (Art. 14 GDPR)
For competitor and creator discovery we collect publicly available metadata from social platforms (e.g. handle, follower count, engagement metrics) through Apify-hosted scrapers and official APIs. We restrict ourselves to data that has been manifestly made public by the data subject (Art. 9 (2) (e) GDPR where applicable). If you are a creator listed in our database and want your data removed, contact privacy@mytrendview.com and we will erase it within 30 days.
10. Retention periods
- Account data: kept for the duration of your account, deleted within 30 days of account closure.
- Connected social tokens: kept until you disconnect or your account is closed.
- Generated content (plans, images, captions): kept until you delete the item or close the account; Cloudinary images are deleted in cascade.
- Server / access logs: 14 days, then deleted or anonymised.
- Invoices and tax-relevant documents: 10 years (§ 147 AO, § 257 HGB).
- Backups: rolling 30-day window.
11. Your rights (Arts. 15–22, 77 GDPR)
You have the following rights with regard to your personal data:
- Right of access (Art. 15) — to a copy of the data we hold about you.
- Right to rectification (Art. 16).
- Right to erasure / "to be forgotten" (Art. 17).
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) — in particular against processing based on legitimate interests.
- Right to withdraw consent (Art. 7 (3)) at any time, without affecting prior lawful processing.
- Right to lodge a complaint with a supervisory authority (Art. 77). For us, the competent authority is the Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin, Germany.
To exercise any of these rights, email privacy@mytrendview.com. We respond within one month (Art. 12 (3) GDPR).
12. Data security
Personal data is encrypted in transit (TLS 1.2+) and at rest (AES-256 on MongoDB Atlas and Cloudinary). Passwords are hashed with bcrypt. Access to production systems is restricted, logged and requires multi-factor authentication. We follow the state of the art within the meaning of Art. 32 GDPR.
13. Minors
MyTrendView is not intended for users under 16. We do not knowingly collect data from children. If we learn that we have inadvertently collected data from a child, we delete it without delay.
14. Changes to this Privacy Policy
We may update this Policy to reflect changes in our service or in the law. Material changes will be communicated by email and announced in-app at least 30 days in advance. The current version is always available at /privacy.