Last updated: March 2026
Document maintained pursuant to Article 30 of the General Data Protection Regulation (EU) 2016/679. Published for transparency.
Organization: Katoads SAS
Address: [Registered office address to be completed]
Contact: contact@katoads.com
Data Protection Officer: [DPO name and contact to be completed]
| Purpose of Processing | Creation and management of user accounts, authentication, and access control to the Katoads platform. |
| Legal Basis | Performance of a contract (Article 6(1)(b) GDPR) |
| Data Subjects | Registered users of the platform (individuals, agency employees, B2B client staff) |
| Categories of Data | Name, email address, avatar URL, language preference, phone (optional), authentication identifiers (Clerk ID) |
| Recipients / Transfers | Clerk (authentication), Supabase (database storage) |
| Retention Period | Duration of the account + 3 years after last activity |
| International Transfers | USA (Clerk — EU DPF certified), EU (Supabase Frankfurt) |
| Purpose of Processing | Processing of product data through AI models to generate advertising creatives (images, videos, marketing copy). |
| Legal Basis | Performance of a contract (Article 6(1)(b) GDPR) |
| Data Subjects | Users who submit product data for generation |
| Categories of Data | Product images, product descriptions, product URLs, brand information (logos, colors, fonts), generation preferences, generated outputs (image/video URLs) |
| Recipients / Transfers | Google Gemini (product analysis, image generation), fal.ai (video generation), Vercel Blob (output storage) |
| Retention Period | Generated content retained for the duration of the account. Deleted within 60 days of account closure. |
| International Transfers | USA/Global (Google Gemini — SCCs + DPF), USA/EU (fal.ai), USA/EU (Vercel Blob) |
| Purpose of Processing | Processing of subscription payments, credit pack purchases, and invoicing. |
| Legal Basis | Performance of a contract (Article 6(1)(b) GDPR) and legal obligation for tax records (Article 6(1)(c) GDPR) |
| Data Subjects | Paying users (subscribers and credit pack purchasers) |
| Categories of Data | Stripe customer ID, subscription ID, payment status, subscription tier, credit balance. Card details are processed exclusively by Stripe and never stored by Katoads. |
| Recipients / Transfers | Stripe (payment processing) |
| Retention Period | Payment records retained for 10 years as required by French tax law (Code général des impôts). |
| International Transfers | USA / Ireland (Stripe — EU DPF certified, EU entity in Ireland) |
| Purpose of Processing | Collection of usage analytics for platform improvement and error monitoring for service reliability. |
| Legal Basis | Legitimate interest (Article 6(1)(f) GDPR) — improving platform performance and reliability |
| Data Subjects | All platform users |
| Categories of Data | Event logs (anonymized user ID, event type, timestamp, page views), error traces (stack traces, request metadata), IP address (hashed), user agent |
| Recipients / Transfers | Sentry (error monitoring), internal analytics (Supabase) |
| Retention Period | Analytics data: 24 months. Error logs: 90 days. |
| International Transfers | USA (Sentry — EU DPF certified, EU data residency option), EU (Supabase) |
| Purpose of Processing | Sending in-app notifications, web push notifications, and service-related communications to users. |
| Legal Basis | Performance of a contract (Article 6(1)(b) GDPR) for service notifications; consent (Article 6(1)(a) GDPR) for push notifications |
| Data Subjects | Users who have enabled notifications |
| Categories of Data | User ID, notification preferences, push subscription endpoint and keys, notification history (type, title, read status) |
| Recipients / Transfers | Web Push API (browser vendor), Supabase (real-time delivery) |
| Retention Period | Notification history: 12 months. Push subscriptions: until revoked by user. |
| International Transfers | EU (Supabase), browser vendor infrastructure (push delivery) |
© 2026 Katoads. All rights reserved.