Privacy Policy
Last updated: July 9, 2026
Responsible party: Bissekkou Karim-Julian & Weber Raphael GbR, trading as Cueing Ventures, Drachenseestr. 10, 81373 Munich, Germany.
1. Overview
We built Glassline to help photographers present, manage, and share galleries without giving up control of their work. This policy explains what personal data we process, why we process it, which providers help us operate the service, and how you can exercise your rights.
- We collect only what we need to provide and improve Glassline.
- Your photos and gallery content remain yours.
- We do not sell personal data.
- You can request access, correction, deletion, and export.
2. Who We Are
Bissekkou Karim-Julian & Weber Raphael GbR, trading as Cueing Ventures, Drachenseestr. 10, 81373 Munich, Germany.
Privacy contact: privacy@cueing.ventures. You can also use our contact form.
3. Legal Bases
We process personal data under the GDPR on these legal bases:
- Contract: to create accounts, host galleries, deliver images, process subscriptions, and provide support.
- Consent: for optional analytics, optional functional diagnostics, and other processing where we ask for consent.
- Legitimate interests: to secure the service, prevent abuse, fix errors, understand basic service performance, and improve Glassline where your rights do not override those interests.
- Legal obligations: for tax, accounting, statutory retention, and legally required disclosures.
4. What Data We Process
4.1 Account Data
We process your name, email address, login data, optional profile information, optional biography, and optional social links to create and manage your account. This data is stored with Supabase in an EU region and kept until you delete your account, unless statutory retention applies.
4.2 Photos, Galleries, and Metadata
We process uploaded photos, gallery structure, EXIF data, access settings, visitor access records, comments, favorites, download/order activity, and related metadata so you can organize, present, and share galleries. Photos are stored on Amazon Web Services in an EU region and encrypted at rest. Images may be delivered worldwide through Amazon CloudFront, whose edge locations may be outside the EEA.
Gallery content is kept until you delete it, delete your account, or the account is terminated, subject to backup deletion cycles and legal retention where applicable.
4.3 Payments and Invoicing
Polar.sh processes billing details, payment method information, invoice data, transactions, amounts, and dates for subscriptions and invoicing. We do not receive your complete payment card details. Payment and invoice records are generally retained for 10 years where required by law.
4.4 Technical Data and Cookies
Necessary cookies keep you logged in, remember gallery access, and store cookie-consent preferences so your choices persist across visits. Necessary cookies are required for the service.
CDN delivery and security logs may include IP address, user agent, timestamp, requested file path, and related request metadata. We use this data for security, abuse prevention, delivery, troubleshooting, and performance monitoring.
Analytics via PostHog only runs after analytics consent. It can include feature usage, device/browser information, approximate location, and, when you are logged in and have consented, account-linked usage events.
Error and performance diagnostics via PostHog may run without functional consent in a non-persistent mode without account identification. Functional consent enables additional diagnostic context, such as persistence, account linking, and session replay, to help us investigate errors and performance issues.
4.5 Feedback and Support
If you send feedback, support requests, or contact-form messages, we process the information you provide and related technical context so we can respond and improve Glassline. Feedback may be stored in PostHog; transactional and service emails are sent through Resend.
4.6 Cookies on Galleries and Custom Domains
Glassline operates every Glassline gallery, including galleries a photographer publishes on a custom domain. That means Glassline sets the cookies described above on those pages, and the Glassline cookie banner governs non-essential cookies there too. Non-essential cookies are set only after consent.
Photographers using a custom domain remain responsible for their own privacy notice and legal notice shown to their visitors.
5. Providers and Recipients
We use trusted providers to operate Glassline:
- Supabase: account data, authentication, and database services in an EU region.
- Amazon Web Services: photo and file storage in an EU region.
- Amazon CloudFront: global image delivery through CDN edge locations.
- Vercel: website and app hosting in the United States and globally.
- PostHog: analytics, feedback, error diagnostics, and performance monitoring using PostHog's EU infrastructure.
- Resend: transactional and service emails from the United States.
- Polar.sh: payments, billing, invoicing, and subscription administration.
Our current processor and subprocessor list is available at Subprocessors.
5a. Data Processing Agreement for Photographers
If you use Glassline to process personal data for your own clients or gallery visitors, such as client contact details, gallery activity, or photos of identifiable people, you are generally the controller and Glassline is your processor for that Customer Personal Data. Our Data Processing Agreement applies automatically to all accounts and all plans. Accepting the Terms of Service includes accepting the DPA.
6. Data Transfers Outside the EEA
Most processing is hosted in the EEA. Where personal data is processed outside the EEA, we use appropriate safeguards such as the EU Standard Contractual Clauses, the UK Addendum for UK data, Swiss amendments for Swiss data, and supplementary technical and organizational measures such as encryption and access controls.
- Supabase: database and authentication data are hosted in the selected EU project region; any non-EEA processing is covered by the signed Supabase DPA and SCCs.
- PostHog: analytics and feedback data are processed in PostHog Cloud EU; any non-EEA processing is covered by applicable transfer safeguards.
- Vercel: United States/global; covered by Vercel's DPA, SCCs where applicable, and supplementary measures.
- AWS and CloudFront: photos are stored in an EU region; CDN delivery may use global edge locations and is covered by the AWS DPA, SCCs, and supplementary measures.
- Resend: United States; covered by Resend's DPA, SCCs, and supplementary measures.
- Polar.sh: United States/global for payments and billing; covered by applicable adequacy decisions, SCCs, and supplementary safeguards where required.
7. Your Rights
You can request access, correction, deletion, restriction, objection, and data portability where available under applicable law. You can export your photos from Glassline and request further assistance at privacy@cueing.ventures.
Account deletion can be started in account settings. Active account and content data is deleted within 30 days unless longer retention is legally required. Backup copies are isolated from active processing and deleted on the routine backup cycle.
8. Security
We use TLS encryption in transit, encryption at rest for photos, access controls, least-privilege access, monitoring, backups, vendor security checks, and documented incident response. We review and adapt these measures as Glassline evolves.
9. Retention
- Account data: until account deletion, subject to legal retention.
- Photos and gallery data: until deletion or account termination.
- Payment and invoice data: generally 10 years where required.
- Technical logs and diagnostics: generally 30 days.
- Session cookies: usually until browser close; consent preferences are retained so choices persist across visits.
10. Minors
Glassline is intended for users aged 18 and older.
11. Changes
We may update this Privacy Policy when Glassline, our providers, or applicable law changes. We will inform users by email about important changes. If a change requires consent, we will ask for consent before the relevant processing begins.
12. Right to Complain
You may complain to a data protection authority. Our competent supervisory authority is the Bavarian State Office for Data Protection Supervision (BayLDA), P.O. Box 1349, 91504 Ansbach, Germany, poststelle@lda.bayern.de.
13. Contact
Privacy questions: privacy@cueing.ventures.
Mail: Bissekkou Karim-Julian & Weber Raphael GbR, Drachenseestr. 10, 81373 Munich, Germany.