Privacy Policy

Last updated: November 30, 2025

This Privacy Policy explains how Kasayo e.K. ("Pixel Harbor", "we", "us", or "our") collects, uses, and protects your personal data when you use our image optimization service at pixelharbor.io.

Data Controller
Data We Collect
Legal Basis for Processing
How We Use Your Data
Cookies
Data Sharing & Subprocessors
International Data Transfers
Data Retention
Your Rights
Security
Children's Privacy
Changes to This Policy
Contact Us

1. Data Controller

The data controller responsible for your personal data is:

Kasayo e.K.
Nymphenburger Strasse 96
80636 Munich, Germany

Email: hello@kasayo.com
Phone: +49 176 41728509

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

Email address
Name (if provided)
Password (stored as a secure hash)

2.2 Payment Data

Payments are processed by Stripe. We do not store your credit card number. Stripe provides us with:

Last four digits of your card
Card brand and expiration date
Billing address (if provided)
Transaction history

2.3 Usage Data

We automatically collect:

IP address
Browser type and version
Pages visited and features used
Time and date of access
Referring website

2.4 Content You Provide

When you use our service, we process:

URLs of websites you request us to crawl
Images discovered on those websites
Metadata about images (dimensions, format, file size)
Optimized versions of images

3. Legal Basis for Processing

Under GDPR, we process your data based on:

Contract Performance (Art. 6(1)(b)): Processing necessary to provide our service, including account management, image optimization, and billing.
Legitimate Interests (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement, and analytics.
Legal Obligation (Art. 6(1)(c)): Compliance with tax, accounting, and other legal requirements.
Consent (Art. 6(1)(a)): For optional marketing communications (you can withdraw consent at any time).

4. How We Use Your Data

We use your personal data to:

Provide and operate the image optimization service
Process payments and manage your subscription
Send service-related communications (e.g., account alerts, updates)
Respond to your support requests
Improve and develop new features
Detect and prevent fraud and abuse
Comply with legal obligations

5. Cookies

Cookies are small text files stored on your device. We use the following types:

Essential Cookies

Required for the service to function. Cannot be disabled.

Cookie	Purpose	Duration
`sb-*`	Authentication session	7 days
`theme`	Theme preference	1 year

Payment Cookies

Set by Stripe for secure payment processing and fraud prevention.

Cookie	Purpose	Provider
`__stripe_*`	Payment and fraud detection	Stripe

Managing Cookies

You can control cookies through your browser settings:

Note: Disabling essential cookies may prevent you from using some features.

6. Data Sharing & Subprocessors

We share your data with the following service providers who process data on our behalf:

Provider	Purpose	Location
Supabase Inc.	Database, authentication	EU (Frankfurt)
Amazon Web Services	Cloud infrastructure, storage	EU (Frankfurt)
Stripe Inc.	Payment processing	US (with SCCs)
Vercel Inc.	Web hosting, CDN	Global (EU primary)

All subprocessors are contractually bound to protect your data and only process it as instructed by us.

7. International Data Transfers

We primarily store and process your data within the European Union. When we transfer data outside the EU (e.g., to US-based service providers), we ensure adequate protection through:

Standard Contractual Clauses (SCCs) approved by the European Commission
Data Processing Agreements with our service providers
Additional technical and organizational safeguards

8. Data Retention

We retain your data for as long as necessary to provide our services:

Account data: Until you delete your account, plus 30 days for backup purposes.
Processed images: According to your plan's retention period (2-90 days), then automatically deleted.
Payment records: 7 years (legal requirement for tax purposes).
Server logs: 90 days, then anonymized or deleted.

9. Your Rights

Under GDPR, you have the following rights regarding your personal data:

Access: Request a copy of your personal data.
Rectification: Request correction of inaccurate data.
Erasure: Request deletion of your data ("right to be forgotten").
Restriction: Request we limit how we process your data.
Portability: Receive your data in a machine-readable format.
Object: Object to processing based on legitimate interests.
Withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise these rights, contact us at hello@kasayo.com. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority. In Germany, this is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).

10. Security

We implement appropriate technical and organizational measures to protect your data:

Encryption of data in transit (TLS/HTTPS)
Encryption of data at rest
Regular security updates and monitoring
Access controls and authentication
Regular backups with secure storage

While we strive to protect your data, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to hello@kasayo.com.

11. Children's Privacy

Our service is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately so we can delete it.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes by email or by posting a notice on our website. The "Last updated" date at the top indicates when the policy was last revised. Continued use of the service after changes constitutes acceptance of the updated policy.

13. Contact Us

For questions about this Privacy Policy or to exercise your data rights, contact us: