Privacy Policy (English Translation)
LEGAL DISCLAIMER: This English translation is provided solely for informational purposes and ease of understanding. It has no legal validity or binding effect. Only the German version of this Privacy Policy (“Datenschutzerklärung”) constitutes the legally binding agreement between the parties. In case of any discrepancies, contradictions, or ambiguities between this English translation and the German original, the German version shall prevail exclusively.
Cumin & Potato GmbH - Privacy Policy for the PXL Clock System
Notice regarding relationship to Terms and Conditions: This Privacy Policy supplements our General Terms and Conditions (https://pxlclock.com/de/agb) in the same version. It does not regulate additional contractual obligations but informs about the processing of personal data when using the PXL Clock system. To the extent this declaration and the Terms and Conditions contain different statements, mandatory data protection provisions take precedence. Contractual rights and obligations arise from the Terms and Conditions.
Language version: Only the German version is binding; translations serve orientation purposes only.
Data Controller:
Cumin & Potato GmbH
Holzhofallee 21
64295 Darmstadt
Commercial Register: HRB 107113, Local Court of Darmstadt
Phone: +49 6151 7866583
Email: info@cuminandpotato.com
VAT ID: DE449775915
WEEE Reg. No.: DE 41629348
Lucid Registration: DE4940239725994 (Dual System Zentek)
Supervisory Authority:
Hessian Commissioner for Data Protection and Freedom of Information
Gustav-Stresemann-Ring 1
65189 Wiesbaden
Phone: +49 611 1408-0
Email: poststelle@datenschutz.hessen.de
§ 1 General Information
This Privacy Policy supplements the General Terms and Conditions (Terms and Conditions) of Cumin & Potato GmbH. It informs about the processing of personal data in connection with the PXL Clock product as well as our website, our online shop, and our AI tool PXL Studio in accordance with the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).
This document is written in German. Any translations into other languages serve solely for better understanding. In case of deviations or contradictions, only the German version shall be authoritative.
§ 2 Data Processing for Product Purchase
Purpose: Contract processing, customer service, provision of website and online shop Legal Basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment), Art. 6 para. 1 lit. f GDPR (legitimate interest in secure and efficient website provision) Data: Name, address, email address, telephone number, payment data, IP address, browser and device information Storage Duration: 10 years after contract termination (commercial and tax law retention obligations according to § 147 AO, § 257 HGB) Recipients:
(a) Hosting providers Our website and online shop are operated on servers of the following providers:
- Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Further information: https://www.hetzner.com/legal/privacy-policy
- Fly.io, Inc., 2261 Market Street #4990, San Francisco, CA 94114, USA. Servers in the EU (Amsterdam/Frankfurt). Data transfer to the USA based on EU Standard Contractual Clauses (SCCs). Further information: https://fly.io/legal/privacy-policy/
- Salesforce, Inc. / Heroku, 415 Mission Street, San Francisco, CA 94105, USA. Servers in the EU (Dublin/Frankfurt). Data transfer to the USA based on the EU-US Data Privacy Framework. Further information: https://www.salesforce.com/company/privacy/
Each page visit automatically processes IP address, user agent, requested URL and timestamp in server log files. Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in secure provision).
(b) Stripe Payments Europe, Limited (payment processing) 1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2, Ireland. When clicking the order button, you are redirected to Stripe, where payment processing takes place. Only from this point does Stripe process personal data (name, payment data, IP address) for payment processing. Legal basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment). Stripe Payments Europe, Limited acts as a data processor; data processing is governed by the Stripe Privacy Policy and Stripe Data Processing Agreement. Data transfer to the USA is based on the EU-US Data Privacy Framework. Further information: https://stripe.com/en-de/privacy
Cookies: Cookies and similar technologies may be used when visiting our websites. Details see § 3a of this Privacy Policy.
§ 3 Cookies and Similar Technologies
Legal Basis: § 25 TTDSG (Telecommunications-Telemedia Data Protection Act)
The PXL Clock device itself does not use cookies. The optional mobile app and cloud services only use technically necessary session cookies that do not require consent (§ 25 para. 2 no. 2 TTDSG).
Should non-necessary cookies or tracking technologies be used in the future, this will only occur after your explicit consent via a cookie banner (§ 25 para. 1 TTDSG).
§ 3a Website Cookies and Tracking
(1) Cookie Overview
Our website uses localStorage (client-side storage) for various purposes: Necessary Storage (no consent required)
Purpose: Storage of cookie consent
Provider: Cumin & Potato GmbH
Storage Duration: Consent decision (pxl-consent-v1 in localStorage) remains stored until actively revoked via the cookie settings in the footer
Legal Basis: § 25 para. 2 no. 2 TTDSG
Analytics Cookies (only with your consent)
Purpose: Visitor statistics, website performance improvement Provider: Google Analytics 4 (with IP anonymization) Storage Duration: 12 months Legal Basis: Art. 6 para. 1 lit. a GDPR Note: Google Analytics is only loaded after explicit consent via the cookie banner. Without consent, no Google script is executed and no contact with Google servers takes place.
Marketing Cookies (only with your consent)
Purpose: Measuring success of advertising campaigns, personalized advertising Provider: Google Ads, Facebook (if activated) Storage Duration: 90 days Legal Basis: Art. 6 para. 1 lit. a GDPR
(2) Storage Used in Detail
Our website does not use server-side cookies. Only localStorage (client-side storage in the browser) is used:
pxl-consent-v1: Stores the cookie consent (technically necessary, § 25 para. 2 no. 2 TTDSG)_ga,_ga_*: Google Analytics identifiers (only after explicit consent, § 25 para. 1 TTDSG)
(3) Your Cookie Settings
First visit: A cookie banner appears on first website visit for selecting your preferences Subsequent changes: Adjustable at any time via the “Cookie Settings” link in the footer Browser settings: You can also manage or delete cookies directly in your browser Objection: By email to datenschutz@cuminandpotato.com
(4) Third-Party Services
Depending on your consent and our configuration, the following services may be active:
Google Analytics (if activated)
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Web analysis, user behavior, reach measurement
IP Anonymization: Activated
Opt-out option: https://tools.google.com/dlpage/gaoptout
Google Ads Conversion Tracking (if activated)
Purpose: Measuring effectiveness of Google advertising campaigns
Storage Duration: 90 days
Facebook Pixel (if activated)
Provider: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland
Purpose: Measuring advertising success, remarketing
Data transfers to the USA are based on the EU-US Data Privacy Framework.
(5) Functional Limitations Without Cookies/localStorage
Without localStorage: No restrictions on shop functions. The order is processed via Stripe redirect and requires no local data storage. The cookie banner will appear again on each visit.
Without analytics cookies: No restrictions on shop functions
Without marketing cookies: You see general instead of personalized advertising
(6) Do-Not-Track
We respect Do-Not-Track signals from your browser. When DNT is activated, only necessary cookies are automatically set.
(7) Further Information
General information on cookies: https://www.verbraucherzentrale.de/wissen/digitale-welt/datenschutz/cookies-kontrollieren-und-verwalten-11996
§ 4 Device Data and Telemetry
Purpose: Device functionality, security
Legal Basis: Art. 6 para. 1 lit. f GDPR (legitimate interest)
Data:
- Device information (serial number, firmware version)
- IP address (for device identification and security)
- Usage statistics (non-personal)
- Error reports and performance data
- Network connection data Balancing of Interests: Our legitimate interest lies in ensuring device security, error analysis and product improvement. Processing is data-minimized and can be deactivated at any time. Storage Duration: 24 months from collection or until withdrawal of consent
§ 5 Cloud Backend (optional)
Purpose: Synchronization of settings and content
Legal Basis: Art. 6 para. 1 lit. a GDPR (consent)
Data: User settings, self-created animations, device configuration
Storage Duration: Until deletion by user or withdrawal of consent
Location: Germany (EU servers at AWS Frankfurt)
§ 5a PXL Studio - AI Chat Feature
Purpose: Providing the AI-assisted chat feature in PXL Studio for creating and editing pixograms Legal Basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment) - transmission to the providers named below is a technically necessary part of this core feature; PXL Studio cannot be used without this processing Data: Your chat messages, the code currently being edited, your login identifier Storage Duration: Your chat history remains stored until you delete it yourself or have your account deleted (see § 9 on your rights)
(a) Access and storage of your chat history PXL Studio requires a login. Your chats, messages, and saved drafts are stored on our own servers, tied exclusively to your user account (same hosting providers as in § 2, Recipients (a), in particular Fly.io).
(b) Forwarding to OpenRouter and AI model providers To generate AI responses, we transmit your chat messages as well as the code currently being edited to OpenRouter, Inc., 169 Madison Avenue, New York, NY 10016, USA (https://openrouter.ai/privacy). OpenRouter technically forwards the request to the AI model provider you selected. According to OpenRouter’s own statements, OpenRouter itself does not use your inputs/outputs to train its own models; however, the respective model provider may act under its own terms, independent of OpenRouter, including possible storage or use for training purposes.
Which model providers are currently available can be seen directly in the model picker within PXL Studio; this selection may change. It currently also includes providers based outside the EU and USA, including in China. Alternatively, a server we operate ourselves (Germany) is available, where no data is transmitted to OpenRouter or third parties.
(c) International data transfer - legal review still pending [Note for internal review prior to publication, not legally binding text: according to its own privacy policy, OpenRouter processes data partly as a controller, not as a processor within the meaning of Art. 28 GDPR, and by its own account only provides a signed Data Processing Agreement to enterprise customers. For forwarding to model providers based in countries without an adequacy decision by the European Commission (e.g. China), there is currently no confirmed safeguard in place. To be clarified before publication: (1) whether and how a Data Processing Agreement with OpenRouter can be obtained, (2) whether separate consent under Art. 49 para. 1 lit. a GDPR is required for models based in third countries without an adequacy decision, or (3) whether access to such models should be restricted for EU users - e.g. by using OpenRouter’s EU routing (eu.openrouter.ai) or by restricting to providers that, according to OpenRouter, do not train on user inputs.]
(d) Necessary login cookie The login area of PXL Studio sets a technically necessary cookie to maintain your login session (provider: Auth0, LLC / Okta, Inc., 100 First Street, Floor 6, San Francisco, CA 94105, USA). Legal basis: § 25 para. 2 no. 2 TTDSG (technically necessary). Further information: https://www.okta.com/legal/privacy-policy/
(e) Usage restriction The AI chat feature is intended solely for creating and editing pixograms. You are contractually obligated not to enter personal data of third parties, special categories of personal data, or other confidential or sensitive content (details: EULA § 4 para. 3). This restriction reduces, but does not replace, the transmission of your actual inputs described under (b) and (c).
§ 6 Mobile App (optional)
Purpose: Remote control and configuration of PXL Clock
Legal Basis: Art. 6 para. 1 lit. a GDPR (consent)
Data: App usage data, device communication
Storage Duration: Until app uninstallation
Permissions: Network access (for device communication)
§ 7 Software Updates
Purpose: Maintaining functionality and security
Legal Basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment)
Data: Firmware version, installation status
Storage Duration: For the duration of update provision obligation (according to § 327f BGB)
Automatic Updates: Require separate consent
§ 8 Newsletter and Advertising (optional)
If you subscribe to our newsletter, we process:
Purpose: Sending product information and updates
Legal Basis: Art. 6 para. 1 lit. a GDPR (consent)
Data: Email address, registration time, IP address at registration
Double Opt-In: We use the double opt-in procedure
Withdrawal: You can withdraw your consent at any time via the unsubscribe link in each newsletter or by email to info@cuminandpotato.com
§ 9 Data Subject Rights
You have the following rights:
- Access to processed data (Art. 15 GDPR)
- Rectification of incorrect data (Art. 16 GDPR)
- Erasure of data (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing (Art. 21 GDPR)
- Withdrawal of consent (Art. 7 GDPR)
Exercise of Rights: Email to datenschutz@cuminandpotato.com
§ 10 Data Security
We implement technical and organizational measures:
- Encryption of data transmission (TLS 1.2+)
- Encryption of data storage (AES-256)
- Access control and authentication
- Regular security updates
- Privacy by design
§ 11 International Data Transfers
Data transfers outside the EU only occur:
- On the basis of the EU-US Data Privacy Framework (e.g. Stripe, Google)
- With EU Standard Contractual Clauses according to Art. 46 para. 2 lit. c GDPR (e.g. GitHub/Microsoft)
- With your explicit consent
§ 12 Deletion and Storage Duration
- Contract data: 10 years after contract termination (legal retention obligations)
- Telemetry data: 24 months from collection
- Cloud data: Until active deletion by user
- App data: Until uninstallation
- Newsletter data: Until withdrawal of consent
§ 13 Changes to this Privacy Policy
This Privacy Policy may be adapted in case of changes to data processing or legal requirements. Material changes will be communicated by email.
§ 14 Contact
For questions regarding data protection, contact:
- Email: datenschutz@cuminandpotato.com
- Phone: +49 6151 7866583
- Mail: Cumin & Potato GmbH, Holzhofallee 21, 64295 Darmstadt
§ 15 Right to Complain
You have the right to file a complaint with the competent supervisory authority:
Hessian Commissioner for Data Protection and Freedom of Information
Gustav-Stresemann-Ring 1
65189 Wiesbaden
Phone: +49 611 1408-0
Email: poststelle@datenschutz.hessen.de
Status: July 2026, Version 3
Change History:
- Version 3 (July 2026): New § 5a on the AI chat feature in PXL Studio (chat history storage, forwarding to OpenRouter and AI model providers, necessary login cookie, usage restriction); scope in § 1 extended to cover PXL Studio.
- Version 2 (May 2026): Migration to self-hosted infrastructure (Hetzner / Fly.io / Heroku) and Stripe; removal of Wix platform references; description of consent mechanism; update of cookie/localStorage documentation and international data transfers.
- Version 1 (July 2025): Initial version.
© 2026 Cumin & Potato GmbH. All rights reserved.