Privacy Policy
This policy informs you about which personal data we process when you visit https://buust.de, create an account with Buust, or use our services. We process only what we need — and only for as long as we need it.
1. Controller
The controller within the meaning of Art. 4(7) GDPR is:
Buust, owner: Felix Dennis Wittmann
c/o STARTPLATZ, Im Mediapark 5
50670 Köln
Germany
Email: info@buust.de
Please direct data protection inquiries to info@buust.de. We are currently not subject to a legal obligation to appoint a data protection officer.
2. Definitions and Principles
"Personal data" means any information relating to an identified or identifiable person — e.g. your name, your email address, or your IP address. We process this data solely on the basis of the GDPR and the German Federal Data Protection Act (BDSG). We do not sell data, we do not trade data, and we do not use data for third-party advertising profiling.
3. Accessing the Website (Server Logs)
When you simply visit our website, data transmitted by your browser is automatically recorded: IP address, date and time of the request, the URL accessed, referrer, browser type, and language. The processing is carried out on the basis of Art. 6(1)(f) GDPR (legitimate interest) to ensure operation, stability, and security. IP addresses are truncated or deleted after a maximum of 30 days, unless a specific security incident requires longer retention.
4. Hosting and Technical Service Providers
We do not run Buust ourselves on our own server under the desk; instead, we rely on established European and transatlantic infrastructure. All processors are contractually bound in accordance with Art. 28 GDPR; for transfers to third countries, Standard Contractual Clauses (SCC) and supplementary safeguards apply.
- Vercel Inc. (USA) — hosting of the web application. Data processing in the Frankfurt region. Legal basis: Art. 6(1)(b) and (f) GDPR.
- Neon Inc. (USA) — managed PostgreSQL database, EU region.
- Upstash Inc. (USA) — Redis cache, workflow engine, and QStash scheduler, each with endpoints in the EU.
- Cloudflare, Inc. (USA) — CDN, DDoS protection, and bot protection via Turnstile. Turnstile works cookielessly and does not create any profiling; see Section 11 for details.
- Our own render workers on Hetzner servers in Germany — they receive only anonymized render specifications, no credentials.
5. Account, Registration, and Login
When you create an account, we process the data necessary for authentication: email address, optionally your name, and — with password login — a password value hashed using bcrypt/scrypt. We additionally offer magic-link login (sending a one-time link by email) and, where applicable, OAuth login via third-party providers (e.g. Google), provided this is enabled. Legal basis: Art. 6(1)(b) GDPR (initiation and performance of a contract).
When you change your password, old sessions are automatically invalidated. In the event of repeated failed login attempts, a rate limit applies (protection against brute force, Art. 6(1)(f) GDPR).
6. Marketplace Connections (eBay, Shopify, Amazon)
So that Buust can generate videos from your listings and, on request, play them back into the listings, you connect your marketplace account via OAuth. In doing so, we store:
- OAuth access and refresh tokens — encrypted with a key derived per organization via HKDF,
- your merchant ID or shop domain,
- listing data imported by you (title, description, images, aspects).
We access only the scopes necessary for the respective function (read listings, upload videos, read orders — depending on the marketplace). You can disconnect a connection at any time in the dashboard; the associated tokens are then immediately invalidated and hard-deleted from our database after a maximum of 30 days. Legal basis: Art. 6(1)(b) GDPR.
7. Social Connections (YouTube, Instagram, TikTok, Facebook, Pinterest, LinkedIn, X, Threads)
As with marketplaces, for social connections we store only the OAuth tokens (encrypted) and platform IDs. Content that we publish comes exclusively from the render jobs you have created — we do not generate or post anything without your explicit instruction. Legal basis: Art. 6(1)(b) GDPR.
8. Rendering and Video Generation
When you start a render job, we transmit to our render worker an immutable JSON specification of the video (texts, image URLs, template, music selection) — but no login data and no tokens. The worker generates the MP4, uploads it to our storage, and reports completion back. The generated video is assigned to your account and remains available to you until the account is deleted.
9. Payments (Stripe and Shopify Billing)
Payments are handled by Stripe Payments Europe Ltd. (Ireland) or, when using the Shopify app channel, by Shopify International Ltd. (Ireland). From Stripe we receive only a customer ID, the payment status, and invoice data — no complete payment instrument data (card number or similar). Legal basis: Art. 6(1)(b) GDPR. Tax and commercial-law retention obligations (6/10 years, §§ 257 HGB, 147 AO, German Commercial Code / Fiscal Code) remain unaffected.
10. Email Delivery
We send transactional emails (login links, render confirmations, account notices, invoices) and product-related lifecycle emails (help emails when a feature is unused) as well as — on request — newsletters via Resend, Inc. (USA, with EU region). Transactional emails: Art. 6(1)(b) GDPR. Lifecycle/marketing to existing customers: Art. 6(1)(f) GDPR in conjunction with § 7(3) UWG (German Unfair Competition Act) (soft opt-in) or consent (Art. 6(1)(a) GDPR). You will find a one-click unsubscribe link in every marketing email.
11. Demo Feature on the Homepage
When you use the free demo feature on buust.de, we process the following data solely to provide your demo video:
- Your email address — so that we can deliver the video link to you.
- The listing URL you entered (eBay or Shopify).
- A one-way hashed value of your IP address (no plaintext logging) to protect against abuse.
- Browser identifier (user agent) and referrer — for spam forensics.
This data is automatically deleted after 30 days; the rendered video is removed from our storage at the same time. If you create an account following the demo, your previous demo entry is assigned to your new account and is retained for as long as the account exists. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measure at your request) or Art. 6(1)(f) GDPR (legitimate interest in preventing abuse).
To protect against automated requests, we use Cloudflare Turnstile — a cookieless bot protection method that does not process any personal data for profiling.
12. Cookies, Local Storage, and Similar Technologies
We use only technically necessary cookies or local storage entries, in particular to maintain your session after login and for CSRF protection. We do not set any cookies for tracking, advertising, or reach-analysis purposes. Legal basis: § 25(2) no. 2 TDDDG (technically necessary storage) and Art. 6(1)(f) GDPR. A cookie banner is therefore not required.
13. Recipients of the Data
Recipients are the processors named in Sections 4, 9 and 10, as well as — at your initiative — the marketplace and social platforms you have connected. Disclosure to other third parties takes place only where required by law (e.g. providing information to law enforcement authorities) or where you have expressly consented.
14. Third-Country Transfers
Some of our processors are based in the USA. Insofar as personal data is thereby transferred to a third country, this takes place on the basis of the EU-US Data Privacy Framework (where the recipient is certified), supplementarily on the basis of the Standard Contractual Clauses (SCC, Implementing Decision (EU) 2021/914), and subject to additional technical protective measures (encryption in transit and at-rest, pseudonymized scope of processing).
15. Retention Period
- Account master data: until the account is deleted.
- OAuth tokens after disconnection: a maximum of 30 days (soft delete + purge).
- Video jobs and generated videos: until the account is deleted or until you delete them.
- Demo entries without a subsequent account: 30 days.
- Server logs: up to 30 days.
- Invoice and accounting data: 6 or 10 years (legal obligation).
- Webhook/audit logs: up to 12 months (forensics, fraud prevention).
16. Data Security
All transmissions are TLS-encrypted. Sensitive secrets (marketplace and social OAuth tokens) are encrypted in the database at-rest with a key derived per organization via HKDF; a single database leak therefore reveals no usable tokens. Worker calls between the web app and the render worker run via two independent secrets (bearer auth + HMAC-signed dispatch token), so that one component alone is not sufficient to forge jobs or callbacks.
17. Your Rights as a Data Subject
You have the following rights:
- access to the data we have stored about you (Art. 15 GDPR),
- rectification of inaccurate data (Art. 16 GDPR),
- erasure ("right to be forgotten", Art. 17 GDPR),
- restriction of processing (Art. 18 GDPR),
- data portability in a structured, commonly used format (Art. 20 GDPR),
- objection to processing based on legitimate interest (Art. 21 GDPR),
- withdrawal of consent given, with effect for the future (Art. 7(3) GDPR).
Simply write to us at info@buust.de to exercise these rights. For account deletion there is additionally a self-service option in the dashboard.
18. Right to Lodge a Complaint
You have the right at any time to lodge a complaint with a data protection supervisory authority about the processing of your data — in particular with the state data protection authority responsible for your place of residence or with the authority responsible for our registered office.
19. Automated Decisions, Profiling
Solely automated decision-making within the meaning of Art. 22 GDPR (in particular profiling) does not take place at Buust.
20. Changes to This Policy
We adapt this policy when we introduce new features or when legal requirements change. You can always find the current version here at buust.de/legal/privacy.
Last updated: July 2026