Privacy Policy

Last updated: November 30, 2025

This Privacy Policy explains how Kasayo e.K. ("Pixel Harbor", "we", "us", or "our") collects, uses, and protects your personal data when you use our image optimization service at pixelharbor.io.

Data Controller
Data We Collect
Legal Basis for Processing
How We Use Your Data
Cookies
Data Sharing & Subprocessors
International Data Transfers
Data Retention
Your Rights (GDPR)
California Privacy Rights (CCPA)
Security
Children's Privacy
Changes to This Policy
Contact Us

1. Data Controller

The data controller responsible for your personal data is:

Kasayo e.K.
Nymphenburger Strasse 96
80636 Munich, Germany

Email: hello@kasayo.com
Phone: +49 176 41728509

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

Email address
Name (if provided)
Password (stored as a secure hash)

2.2 Payment Data

Payments are processed by Stripe. We do not store your credit card number. Stripe provides us with:

Last four digits of your card
Card brand and expiration date
Billing address (if provided)
Transaction history

2.3 Usage Data

We automatically collect:

IP address
Browser type and version
Pages visited and features used
Time and date of access
Referring website

2.4 Content You Provide

When you use our service, we process:

URLs of websites you request us to crawl
Images discovered on those websites
Metadata about images (dimensions, format, file size)
Optimized versions of images

3. Legal Basis for Processing

Under GDPR, we process your data based on:

Contract Performance (Art. 6(1)(b)): Processing necessary to provide our service, including account management, image optimization, and billing.
Legitimate Interests (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement, and analytics.
Legal Obligation (Art. 6(1)(c)): Compliance with tax, accounting, and other legal requirements.
Consent (Art. 6(1)(a)): For optional marketing communications (you can withdraw consent at any time).

4. How We Use Your Data

We use your personal data to:

Provide and operate the image optimization service
Process payments and manage your subscription
Send service-related communications (e.g., account alerts, updates)
Respond to your support requests
Improve and develop new features
Detect and prevent fraud and abuse
Comply with legal obligations

5. Cookies

Cookies are small text files stored on your device. We use the following types:

Essential Cookies

Required for the service to function. Cannot be disabled.

Cookie	Purpose	Duration
`sb-*`	Authentication session	7 days
`theme`	Theme preference	1 year

Payment Cookies

Set by Stripe for secure payment processing and fraud prevention.

Cookie	Purpose	Provider
`__stripe_*`	Payment and fraud detection	Stripe

Managing Cookies

You can control cookies through your browser settings:

Note: Disabling essential cookies may prevent you from using some features.

6. Data Sharing & Subprocessors

We share your data with the following service providers who process data on our behalf:

Provider	Purpose	Location
Supabase Inc.	Database, authentication	EU (Frankfurt)
Amazon Web Services	Cloud infrastructure, storage	EU (Frankfurt)
Stripe Inc.	Payment processing	US (with SCCs)
Vercel Inc.	Web hosting, CDN	Global (EU primary)
AI service providers	AI image processing (when using AI features)	US/EU (with SCCs)

All subprocessors are contractually bound to protect your data and only process it as instructed by us.

AI Feature Data Handling

When you use AI-powered features (such as background removal, upscaling, or image editing), your images are temporarily processed by third-party AI service providers. These providers:

Do not store your images beyond the processing duration
Do not use your images for AI training
Delete your images immediately after processing completes
Process images solely to deliver the requested service

You can request details about specific AI subprocessors by contacting us at hello@kasayo.com.

7. International Data Transfers

We primarily store and process your data within the European Union. When we transfer data outside the EU (e.g., to US-based service providers), we ensure adequate protection through:

Standard Contractual Clauses (SCCs) approved by the European Commission
Data Processing Agreements with our service providers
Additional technical and organizational safeguards

8. Data Retention

We retain your data for as long as necessary to provide our services:

Account data: Until you delete your account, plus 30 days for backup purposes.
Processed images: According to your plan's retention period (2-90 days), then automatically deleted.
Payment records: 7 years (legal requirement for tax purposes).
Server logs: 90 days, then anonymized or deleted.

9. Your Rights (GDPR)

Under GDPR, you have the following rights regarding your personal data:

Access: Request a copy of your personal data.
Rectification: Request correction of inaccurate data.
Erasure: Request deletion of your data ("right to be forgotten").
Restriction: Request we limit how we process your data.
Portability: Receive your data in a machine-readable format.
Object: Object to processing based on legitimate interests.
Withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise these rights, contact us at hello@kasayo.com. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority. In Germany, this is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.

Your California Privacy Rights

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
Right to Delete: Request deletion of your personal information, subject to certain exceptions.
Right to Correct: Request correction of inaccurate personal information we maintain about you.
Right to Opt-Out of Sale/Sharing: We do NOT sell or share your personal information for cross-context behavioral advertising.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Categories of Information We Collect

Identifiers (email address, name, account ID)
Commercial information (subscription history, transaction records)
Internet activity (pages visited, features used, images processed)
Geolocation data (approximate location from IP address)

How to Exercise Your Rights

To submit a request, email us at hello@kasayo.com with "California Privacy Request" in the subject line. We will verify your identity and respond within 45 days.

You may also designate an authorized agent to make requests on your behalf. We may require verification that you authorized the agent to act for you.

11. Security

We implement appropriate technical and organizational measures to protect your data:

Encryption of data in transit (TLS/HTTPS)
Encryption of data at rest
Regular security updates and monitoring
Access controls and authentication
Regular backups with secure storage

While we strive to protect your data, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to hello@kasayo.com.

12. Children's Privacy

Our service is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately so we can delete it.

13. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes by email or by posting a notice on our website. The "Last updated" date at the top indicates when the policy was last revised. Continued use of the service after changes constitutes acceptance of the updated policy.

14. Contact Us

For questions about this Privacy Policy or to exercise your data rights, contact us: