Privacy Policy

Zestio ("we", "us", "our") operates the website zestio.de and the associated AI-powered real estate media platform. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service.

We are committed to protecting your privacy and comply with the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

Responsible party: Christian Karber, contactable at kontakt@zestio.de

Account data: When you register, we collect your email address, name, and authentication credentials (managed by Supabase Auth).

Content you upload: Images, listing data, and scripts you submit for processing. These are stored temporarily in Supabase Storage and on our processing infrastructure.

Usage data: Information about how you use the Service, including features used, credits consumed, and processing results. This is stored in our PostgreSQL database.

Payment data: Subscription and billing information processed by Paddle (our payment provider). We do not store credit card details — Paddle handles all payment data in compliance with PCI-DSS.

Technical data: Essential cookies for authentication (Supabase session tokens). With your consent, we may also use Google Analytics cookies for anonymized usage analytics. We do not use advertising cookies or third-party tracking pixels.

Scraping data: Apify is used for web scraping in the video pipeline to fetch property listing images from real estate listing portals for processing.

We process your data for the following purposes:

• Service delivery: To process your images, generate videos, create descriptions, and provide all features of the platform
• Account management: To authenticate you, manage your subscription, and track credits
• Communication: To send service-related notifications (billing, account updates)
• Security: To protect against fraud and unauthorized access
• Legal compliance: To meet our legal obligations under applicable law

We process your data based on the following legal grounds:

• Contract performance: Processing necessary to provide the Service you signed up for
• Legitimate interest: Security, fraud prevention, and service improvement
• Consent: Where you have given explicit consent for specific processing
• Legal obligation: Where processing is required by law

Your uploaded images and data are processed by the following AI service providers to generate results:

• Replicate Inc. (USA) — Primary AI infrastructure. All image enhancement (Flux Kontext Pro, Ideogram v2, SDXL), interior design virtual staging (adirik/interior-design, MIT license), depth estimation (Marigold, MIT license; Flux Depth Pro, staging), video generation (Kling v2.1), text-to-speech (MiniMax Speech 2.8 HD), and upscaling (Real-ESRGAN) run on Replicate's infrastructure. Replicate processes data solely on our instructions as a data processor. Data Processing Agreement (DPA): available on Enterprise plan. Training policy: Replicate does NOT train on customer data.
• Anthropic PBC (USA) — Claude Sonnet 4-6 for AI Chat and listing description generation. Data Processing Agreement (DPA) with Standard Contractual Clauses (SCCs) is automatically incorporated into Anthropic's Commercial Terms of Service. Training policy: Anthropic does NOT train on API customer data.
• KIRI Innovation (Hongkong) Ltd. (Hong Kong) — 3D Gaussian Splatting for virtual property tours (Tour Scans). Users upload 20–300 room photos; KIRI generates a photorealistic 3D walkthrough model. Data Processing Agreement (DPA): pending. Training policy: pending confirmation. Note: Hong Kong does not have an EU adequacy decision (GDPR Art. 45). Standard Contractual Clauses (SCCs) are required for data transfers.
• Apify (Czech Republic, EU-based) — Web scraping for the video pipeline to fetch property listing images from real estate portals. EU-based (GDPR Art. 45 compliant). Data Processing Agreement (DPA): pending. Training policy: N/A (scraping only, no ML training).

All images and data are transmitted securely via HTTPS/TLS encryption. AI providers process data solely on our instructions as data processors. For Replicate, KIRI, and Apify, we are actively pursuing formal Data Processing Agreements. Anthropic's DPA is automatically incorporated into their Commercial Terms of Service. A complete list of AI models and their providers is available in our AI processing documentation.

• Account data: Retained for the duration of your account plus 30 days after deletion
• Uploaded images: Stored in Supabase Storage until you delete them or close your account
• Generated content: Stored in your account until you delete it
• AI processing data: Not stored by AI providers after processing completes
• Payment records: Retained as required by tax and accounting regulations (typically 10 years)

All data is stored on Supabase Cloud infrastructure (hosted in the EU) and Vercel (which processes requests in the EU region by default).

Zestio uses the following cookies:

• Essential cookies: Supabase session tokens (HTTP-only, secure) — necessary to keep you logged in and secure your account. These do not require consent under §25 TTDSG.
• Analytics cookies (optional): Google Analytics — anonymized usage statistics to improve the Service. Only loaded with your explicit consent via the cookie banner.

We do not use:

• Advertising or third-party tracking cookies
• Social media tracking pixels

A cookie consent banner is shown on first visit. You can accept analytics cookies or choose only essential cookies. Your preference is stored for 12 months.

You can also block cookies at the browser level or delete them at any time.

We do not sell, rent, or share your personal data with third parties for marketing purposes. We share data only with:

• Service providers: Companies that help us operate the platform (Supabase, Vercel, Paddle, Apify, AI model providers) — bound by data processing agreements
• Legal requirements: When required by law, regulation, or legal process

Under the EU Artificial Intelligence Act (Regulation 2024/1689), Zestio's AI-powered image processing features are classified as minimal risk under Article 95a and Annex III. Our services do not fall into any high-risk category (biometric identification, critical infrastructure, law enforcement, employment, or essential services).

Transparency (Art. 50): All AI-generated or AI-modified images are clearly labeled with an "AI-generated" indicator. Users can always distinguish between original and AI-processed content.

Risk assessment: Image enhancement, virtual staging, and sky replacement are creative tools for real estate marketing. They do not make consequential decisions about individuals and require human review before publication. A documented risk assessment is available upon request.

Human oversight: Human oversight is preserved throughout — all AI outputs are reviewed by the user prior to publication or distribution.

In compliance with the transparency obligations under Article 50(2) of the EU AI Act, Zestio labels all AI-generated and AI-modified content with a visible "AI-generated" indicator. This applies to:

• AI-enhanced images (lighting, denoising, sky replacement)
• Virtually staged images
• AI-generated renovations and visualizations
• AI-generated listing descriptions and captions

Content that undergoes substantial human editing or serves only as input for further processing may be exempt from labeling requirements under Art. 50(2) sentence 3.

We implement appropriate technical and organizational measures to protect your data:

• All data transmitted via HTTPS/TLS encryption
• Database protected by Supabase Row Level Security (RLS)
• Authentication via Supabase Auth with secure session management
• Payment data processed by Paddle (PCI-DSS Level 1 certified)
• Regular security reviews and dependency updates

Under GDPR, you have the following rights:

• Access (Art. 15): Request a copy of your personal data
• Rectification (Art. 16): Correct inaccurate or incomplete data
• Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
• Restriction (Art. 18): Limit how we process your data
• Portability (Art. 20): Receive your data in a structured, machine-readable format
• Objection (Art. 21): Object to processing based on legitimate interest
• Withdraw consent (Art. 7): Withdraw consent at any time where processing is based on consent
• Complaint: Lodge a complaint with a supervisory authority (e.g., Bayerisches Landesamt für Datenschutzaufsicht)

To exercise any of these rights, contact us at kontakt@zestio.de. We will respond within 30 days.

To request deletion of your data including all AI-processed images stored with third-party providers, use the account deletion function in your dashboard settings or contact us at kontakt@zestio.de. We will confirm deletion within 30 days and provide confirmation from all sub-processors.

Some of our AI processing partners are located outside the EU/EEA (United States). Data transfers to these partners are covered by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable. We ensure that all transfers include adequate safeguards as required by GDPR Chapter V.

The Service is not intended for use by persons under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will take steps to delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on the Service. We encourage you to review this page periodically.

For privacy questions, data requests, or to exercise your rights, contact us at:

kontakt@zestio.de

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority in your EU member state.