Privacy Policy
Last updated: 2026-04-28
1. Controller (Verantwortlicher)
The controller responsible for the processing of personal data under the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) is:
{{LEGAL_ENTITY_NAME}}
{{POSTAL_ADDRESS}}
Germany
Email: privacy@useora.co
Commercial register: {{COMMERCIAL_REGISTER}}
VAT ID: {{VAT_ID}}
Responsible person (§55 RStV / §18 MStV):
{{RESPONSIBLE_PERSON}}
We have not appointed a Data Protection Officer (DPO) because we are not legally required to do so under Art. 37 GDPR / §38 BDSG. You can reach our privacy contact via the email above.
2. Scope
This Privacy Policy applies to all personal data we process when you visit or use:
- logoo.useora.co — our public website
- api.logoo.useora.co — our brand logo API
- dashboard.logoo.useora.co — the customer dashboard
This policy does not cover third-party websites linked from our service.
3. Definitions
We use the terms defined in Art. 4 GDPR. In short: "personal data" is any information relating to an identified or identifiable natural person; "processing" is any operation performed on personal data (collection, storage, use, deletion, etc.); the "controller" is the entity that decides why and how personal data is processed.
4. What We Process and Why
We only collect personal data we actually need to provide and operate the service. For each purpose, we list the legal basis under Art. 6(1) GDPR.
Account data
Email address, name, hashed password, and (if you sign in via OAuth) your provider user ID.
Purpose: creating and managing your account. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Authentication & session data
Session identifiers stored in a strictly-necessary cookie set by Better Auth, plus session metadata (creation time, expiry, IP at login, user agent).
Purpose: keeping you signed in and protecting your account. Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR (legitimate interest in account security).
Billing & subscription
Customer ID, plan, subscription status, invoice metadata. We never see or store your full payment card details — those are handled directly by our billing processor (Polar).
Purpose: processing payments, issuing invoices, managing subscriptions. Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(c) GDPR (compliance with tax and accounting obligations).
Transactional email
Your email address and the content of messages we send (e.g. email verification, password reset, billing receipts).
Purpose: communicating about your account and the service. Legal basis: Art. 6(1)(b) GDPR.
Server logs & abuse prevention
Truncated IP address, user agent, request timestamp, requested URL, response status, and rate-limit counters.
Purpose: keeping the service available, preventing abuse, debugging incidents. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating a stable, secure service).
Public API requests
Our public logo API (api.logoo.useora.co/<domain>) does not require a sign-in for free tier usage. We log the requesting IP address (truncated) and the requested brand domain to apply rate limits and detect abuse. We do not combine these logs with account data unless you sign in.
Legal basis: Art. 6(1)(f) GDPR.
5. Cookies
We use only strictly necessary cookies. Specifically, when you sign in we set a session cookie issued by Better Auth. This cookie is required to keep you signed in and to protect your account from CSRF attacks.
Because no analytics, advertising, or other non-essential cookies are set, we do not display a cookie consent banner. This is permitted under Art. 5(3) of the ePrivacy Directive (and §25(2) TTDSG in Germany).
6. Third-Party Processors (Auftragsverarbeiter)
We use carefully selected third-party processors under written Data Processing Agreements (Art. 28 GDPR). Each one only processes the data needed to perform their service.
Cloudflare, Inc.
Hosting (Workers), object storage (R2 — brand logos), database (D1 — user accounts), DNS, edge caching, and transactional email via Email Sending. Cloudflare is our primary infrastructure provider; one DPA covers all of these uses.
Headquarters: San Francisco, CA, USA (with EU regional infrastructure). Transfer mechanism: EU Standard Contractual Clauses + EU–US Data Privacy Framework certification. Privacy policy: cloudflare.com/privacypolicy.
Polar Software Inc.
Billing, subscription management, and invoicing. Card data is tokenized by Polar (and their underlying payment processor) and never touches our systems.
Privacy policy: polar.sh/legal/privacy.
AI & web-data providers (server-side only)
We use OpenAI, Anthropic, Firecrawl, and Exa to discover and classify publicly available brand assets (e.g. fetching a company's homepage to identify its logo). These services are called only from our backend and only with public brand domains and public web content. No end-user account data, IPs, or PII are sent to these providers.
7. International Data Transfers
Some of our processors are based in the United States. When we transfer personal data outside the European Economic Area, we rely on one of the following safeguards under Chapter V GDPR:
- The EU–US Data Privacy Framework, where the recipient is certified;
- EU Standard Contractual Clauses (SCCs) (Commission Implementing Decision 2021/914), supplemented by additional technical and organisational measures where necessary.
8. How Long We Keep Your Data
We keep personal data only as long as necessary for the purposes above, or as required by law:
- Account data — for as long as your account is active. After you delete your account, we erase your account data within 30 days, except where statutory retention obligations apply.
- Server & API logs — 30 to 90 days for security and abuse prevention.
- Billing & tax records — 10 years as required by §147 of the German Tax Code (Abgabenordnung, AO).
- Commercial correspondence — 6 years as required by §257 of the German Commercial Code (HGB).
9. Your Rights Under the GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure / "right to be forgotten" (Art. 17 GDPR)
- Right to restriction (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR), in particular to processing based on legitimate interests
- Right to withdraw consent at any time (where processing is based on consent), without affecting the lawfulness of prior processing
To exercise any of these rights, email privacy@useora.co. We will respond within one month (Art. 12(3) GDPR).
You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). For controllers established in Germany, the competent authority is the data protection authority of the federal state in which we are established, or the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
10. Automated Decision-Making
We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you (Art. 22 GDPR).
11. Children
Our service is intended for businesses and developers and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
12. Security
We apply appropriate technical and organisational measures to protect your personal data (Art. 32 GDPR), including:
- TLS encryption for all traffic to and from our service
- Cloudflare network protections (DDoS, WAF, bot mitigation)
- Industry-standard password hashing for stored credentials
- Encryption at rest for our object storage and database
- Strict access controls and the principle of least privilege
13. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates the latest revision. Material changes will be communicated by email or in-product notice where required by law.
14. Contact
For privacy questions, data-subject requests, or any other concerns about this policy, contact: