buust

Privacy Policy

This policy informs you about which personal data we process when you visit https://buust.de, create an account with Buust, or use our services. We process only what we need — and only for as long as we need it.

1. Controller

The controller within the meaning of Art. 4(7) GDPR is:
Buust, owner: Felix Dennis Wittmann
c/o STARTPLATZ, Im Mediapark 5
50670 Köln
Germany
Email: info@buust.de

Please direct data protection inquiries to info@buust.de. We are currently not subject to a legal obligation to appoint a data protection officer.

2. Definitions and Principles

"Personal data" means any information relating to an identified or identifiable person — e.g. your name, your email address, or your IP address. We process this data solely on the basis of the GDPR and the German Federal Data Protection Act (BDSG). We do not sell data, we do not trade data, and we do not use data for third-party advertising profiling.

3. Accessing the Website (Server Logs)

When you simply visit our website, data transmitted by your browser is automatically recorded: IP address, date and time of the request, the URL accessed, referrer, browser type, and language. The processing is carried out on the basis of Art. 6(1)(f) GDPR (legitimate interest) to ensure operation, stability, and security. IP addresses are truncated or deleted after a maximum of 30 days, unless a specific security incident requires longer retention.

4. Hosting and Technical Service Providers

We do not run Buust ourselves on our own server under the desk; instead, we rely on established European and transatlantic infrastructure. All processors are contractually bound in accordance with Art. 28 GDPR; for transfers to third countries, Standard Contractual Clauses (SCC) and supplementary safeguards apply.

5. Account, Registration, and Login

When you create an account, we process the data necessary for authentication: email address, optionally your name, and — with password login — a password value hashed using bcrypt/scrypt. We additionally offer magic-link login (sending a one-time link by email) and, where applicable, OAuth login via third-party providers (e.g. Google), provided this is enabled. Legal basis: Art. 6(1)(b) GDPR (initiation and performance of a contract).

When you change your password, old sessions are automatically invalidated. In the event of repeated failed login attempts, a rate limit applies (protection against brute force, Art. 6(1)(f) GDPR).

6. Marketplace Connections (eBay, Shopify, Amazon)

So that Buust can generate videos from your listings and, on request, play them back into the listings, you connect your marketplace account via OAuth. In doing so, we store:

We access only the scopes necessary for the respective function (read listings, upload videos, read orders — depending on the marketplace). You can disconnect a connection at any time in the dashboard; the associated tokens are then immediately invalidated and hard-deleted from our database after a maximum of 30 days. Legal basis: Art. 6(1)(b) GDPR.

7. Social Connections (YouTube, Instagram, TikTok, Facebook, Pinterest, LinkedIn, X, Threads)

As with marketplaces, for social connections we store only the OAuth tokens (encrypted) and platform IDs. Content that we publish comes exclusively from the render jobs you have created — we do not generate or post anything without your explicit instruction. Legal basis: Art. 6(1)(b) GDPR.

8. Rendering and Video Generation

When you start a render job, we transmit to our render worker an immutable JSON specification of the video (texts, image URLs, template, music selection) — but no login data and no tokens. The worker generates the MP4, uploads it to our storage, and reports completion back. The generated video is assigned to your account and remains available to you until the account is deleted.

9. Payments (Stripe and Shopify Billing)

Payments are handled by Stripe Payments Europe Ltd. (Ireland) or, when using the Shopify app channel, by Shopify International Ltd. (Ireland). From Stripe we receive only a customer ID, the payment status, and invoice data — no complete payment instrument data (card number or similar). Legal basis: Art. 6(1)(b) GDPR. Tax and commercial-law retention obligations (6/10 years, §§ 257 HGB, 147 AO, German Commercial Code / Fiscal Code) remain unaffected.

10. Email Delivery

We send transactional emails (login links, render confirmations, account notices, invoices) and product-related lifecycle emails (help emails when a feature is unused) as well as — on request — newsletters via Resend, Inc. (USA, with EU region). Transactional emails: Art. 6(1)(b) GDPR. Lifecycle/marketing to existing customers: Art. 6(1)(f) GDPR in conjunction with § 7(3) UWG (German Unfair Competition Act) (soft opt-in) or consent (Art. 6(1)(a) GDPR). You will find a one-click unsubscribe link in every marketing email.

11. Demo Feature on the Homepage

When you use the free demo feature on buust.de, we process the following data solely to provide your demo video:

This data is automatically deleted after 30 days; the rendered video is removed from our storage at the same time. If you create an account following the demo, your previous demo entry is assigned to your new account and is retained for as long as the account exists. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measure at your request) or Art. 6(1)(f) GDPR (legitimate interest in preventing abuse).

To protect against automated requests, we use Cloudflare Turnstile — a cookieless bot protection method that does not process any personal data for profiling.

12. Cookies, Local Storage, and Similar Technologies

We use only technically necessary cookies or local storage entries, in particular to maintain your session after login and for CSRF protection. We do not set any cookies for tracking, advertising, or reach-analysis purposes. Legal basis: § 25(2) no. 2 TDDDG (technically necessary storage) and Art. 6(1)(f) GDPR. A cookie banner is therefore not required.

13. Recipients of the Data

Recipients are the processors named in Sections 4, 9 and 10, as well as — at your initiative — the marketplace and social platforms you have connected. Disclosure to other third parties takes place only where required by law (e.g. providing information to law enforcement authorities) or where you have expressly consented.

14. Third-Country Transfers

Some of our processors are based in the USA. Insofar as personal data is thereby transferred to a third country, this takes place on the basis of the EU-US Data Privacy Framework (where the recipient is certified), supplementarily on the basis of the Standard Contractual Clauses (SCC, Implementing Decision (EU) 2021/914), and subject to additional technical protective measures (encryption in transit and at-rest, pseudonymized scope of processing).

15. Retention Period

16. Data Security

All transmissions are TLS-encrypted. Sensitive secrets (marketplace and social OAuth tokens) are encrypted in the database at-rest with a key derived per organization via HKDF; a single database leak therefore reveals no usable tokens. Worker calls between the web app and the render worker run via two independent secrets (bearer auth + HMAC-signed dispatch token), so that one component alone is not sufficient to forge jobs or callbacks.

17. Your Rights as a Data Subject

You have the following rights:

Simply write to us at info@buust.de to exercise these rights. For account deletion there is additionally a self-service option in the dashboard.

18. Right to Lodge a Complaint

You have the right at any time to lodge a complaint with a data protection supervisory authority about the processing of your data — in particular with the state data protection authority responsible for your place of residence or with the authority responsible for our registered office.

19. Automated Decisions, Profiling

Solely automated decision-making within the meaning of Art. 22 GDPR (in particular profiling) does not take place at Buust.

20. Changes to This Policy

We adapt this policy when we introduce new features or when legal requirements change. You can always find the current version here at buust.de/legal/privacy.

Last updated: July 2026

Privacy Policy — Buust · Buust