Member of STM and COPE · Supporting research and publication integrity
ImageTwin AI GmbH
Last updated: June 8, 2026
This Privacy Policy document contains types of information that is collected and recorded by ImageTwin and how we use it.
Data controller: ImageTwin AI GmbH, Taubstummengasse 11, 1040 Vienna, Austria, [email protected] (referred to as “ImageTwin” or “we”).
If you have additional questions or require more information about our Privacy Policy, do not hesitate to contact us.
This Privacy Policy applies only to our online activities and is valid for visitors to our website with regards to the information that they shared and/or collect in ImageTwin. This policy is not applicable to any information collected offline or via channels other than this website.
By using our website, you (also referred to as “customer” or “user”) hereby consent to our Privacy Policy and agree to its terms.
If you contact us directly, we may receive additional information about you such as your name, email address, phone number, the contents of the message and/or attachments you may send us, and any other information you may choose to provide.
ImageTwin follows a standard procedure of using log files. These files log visitors when they visit websites. All hosting companies do this and are a part of hosting services’ analytics. The information collected by log files includes internet protocol (IP) addresses, browser type, internet service provider (ISP), date and time stamp, referring/exit pages, and possibly the number of clicks. These are not linked to any information that is personally identifiable. The purpose of the information is for analyzing trends, administering the site, tracking users’ movement on the website, and gathering demographic information.
ImageTwin’s Privacy Policy does not apply to other advertisers or websites. Thus, we are advising you to consult the respective Privacy Policies of these third-party ad servers for more detailed information. It may include their practices and instructions about how to opt-out of certain options.
You can choose to disable cookies through your individual browser options. To know more detailed information about cookie management with specific web browsers, it can be found at the browsers’ respective websites.
After submitting images or a PDF (referred to as the data) to our detection service, the data is treated as follows:
When you sign up for our services or interact with our platform, you will be asked to provide explicit consent to receive marketing communications from Imagetwin. This includes updates on new features, company news, and other promotional content.
You can opt in by selecting the appropriate checkbox when creating your account, using our newsletter or form submissions, or updating your preferences. If you choose not to opt in, we will not send you marketing emails.
Marketing emails are sent only to users who have explicitly opted in and confirmed their subscription. For this purpose, we use third-party service providers acting as processors on our behalf.
You may withdraw your consent at any time by using the “unsubscribe” link in our emails or by contacting us directly at [email protected].
In compliance with the GDPR, we will record and maintain a record of your consent to receive marketing communications electronically. This includes details of the time and date when consent was given, the method by which consent was obtained (such as a checkbox or email confirmation), and any preferences you may have set.
This record will be stored securely and can be accessed or updated by you at any time by contacting us directly at [email protected]. You may withdraw your consent at any time, and we will immediately update our records to reflect your updated preferences.
Below you will find an overview of the legal basis of the GDPR on which we base the processing of personal data. Please note that in addition to the provisions of the GDPR, national data protection provisions of your or our country of residence or domicile may apply.
The data stored by us will be deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any statutory retention obligations.
According to § 132 BAO, for example, we are legally obligated to store accounting documents (e.g. invoices, receipts) for a period of at least 7 years (longer in the case of legal disputes).
Uploaded documents (images, PDFs, DOCX files, etc.) are not saved by default. You may have the option to save documents with the associated found plagiarism/manipulations and load them again later within the web application. Whether a document should be saved is optionally selectable by you. If you choose this option, the uploaded document will be stored on our server for a maximum of 90 days and then deleted, while the associated PDF report of the results will be retained securely on our server for a period of 5 years. Uploaded and saved documents, as well as the retained PDF reports, are used by us exclusively for the fulfillment of our contractual obligations.
National data protection regulations in Austria: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Austria. These include the Federal Act on the Protection of Individuals regarding the Processing of Personal Data (Data Protection Act – DSG). In particular, the Data Protection Act contains special regulations on the right to information, the right to rectification or erasure, the processing of special categories of personal data, processing for other purposes and transmission, and automated decision-making in individual cases.
Web analytics (also referred to as “reach measurement”) is used to evaluate the flow of visitors to our online offering and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can recognize, for example, at what time our online offer or its functions or content are most frequently used or invite re-use. Likewise, we can understand which areas need optimization.
In addition to web analytics, we may also use testing procedures, for example, to test and optimize different versions of our online offering or its components.
Unless otherwise stated below, profiles, e.g. data summarized for a usage process, may be created for these purposes and information may be stored in a browser, or in a terminal device, and read from it. The information collected includes, in particular, websites visited and elements used there, as well as technical information such as the browser used, the computer system used, and information on usage times. If you have agreed to the collection of their location data from us or from the providers of the services we use, location data may also be processed.
The IP address of you as the user is also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect you as the user. Generally, in the context of web analysis, A/B testing and optimization, no clear data of the users (such as e-mail addresses or names) are stored, but pseudonyms. That is, we as well as the providers of the software used do not know the actual identity of you as the user, but only the information stored in your profile for the purposes of the respective procedures.
Types of data processed: Usage data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status).
Data subjects: You as the user (e.g., website visitors, users of online services).
Purposes of processing: reach measurement (e.g. access statistics, recognition of returning visitors); tracking (e.g. interest/behavior-based profiling, use of cookies); provision of our online offer and user experience.
Security measures: IP masking (pseudonymization of the IP address).
Legal basis: consent (Art. 6 para. 1 p. 1 lit. a) GPDR.
Further notes on processing processes, procedures, and services:
Google Analytics: web analysis, reach measurement as well as measurement of user flows; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a) GDPR);
Website: https://marketingplatform.google.com/intl/de/about/analytics/;
Privacy policy: https://policies.google.com/privacy;
Order processing agreement: https://business.safety.google/adsprocessorterms;
Standard contractual clauses (ensuring level of data protection for processing in third countries): https://business.safety.google/adsprocessorterms;
Opt-out: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=de,
Ad Display Settings: https://adssettings.google.com/authenticated;
Further Information: https://privacy.google.com/businesses/adsservices (types of processing as well as data processed).
Firebase: Google Firebase is used primarily for user authentication and secure account access, including email-password authentication and session management. Google Firebase offers a variety of functions for testing applications, monitoring their functionality and optimizing them (which are presented on the following overview page: https://firebase.google.com/products). The functions include, among other things, the storage of applications including personal data of the app users, such as content created by them or information regarding their interaction with the apps (so-called “cloud computing”). Google Firebase also provides interfaces that allow interaction between application users and other services, e.g. authentication using services such as Facebook, Twitter or using an email password combination; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://firebase.google.com; privacy policy: https://policies.google.com/privacy.
PostHog: We use PostHog to collect pseudonymized usage data to better understand how users interact with our platform and to improve performance, usability, and feature development. The data collected may include page visits, session duration, user interactions, and basic device information. No personally identifiable information is stored without user consent.
Service Provider: PostHog Inc., 965 Mission Street, San Francisco, CA 94103, USA
Website: https://posthog.com
Privacy Policy: https://posthog.com/privacy
Monitoring & Debugging Tools:
Sentry: We use Sentry for real-time error tracking, logging, and monitoring of application performance. Sentry helps us identify technical issues, improve platform stability, and troubleshoot software bugs more efficiently. Diagnostic data collected may include device and browser type, timestamps, and technical error traces. This information is pseudonymized and not linked to personal identities.
Service Provider: Functional Software, Inc. (Sentry), 132 Hawthorne Street, San Francisco, CA 94107, USA
Website: https://sentry.io
Privacy Policy: https://sentry.io/privacy/
Content Delivery & Security:
Cloudflare: We use Cloudflare, Inc. as a content delivery network (CDN) and security provider to protect our website and improve performance. Cloudflare may process technical connection data such as IP addresses, request metadata, and security logs for the purpose of threat detection, traffic optimization, and content delivery.
Service Provider: Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA
Legal basis: Legitimate interests (Art. 6 para. 1 lit. f GDPR) and consent where applicable.
In the context of contractual and other legal relationships, due to legal obligations or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and use other service providers for this purpose in addition to banks and credit institutions (collectively, “payment service providers”).
The data processed by the payment service providers includes inventory data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as the contract, total and recipient-related information. The information is required to carry out the transactions. However, the data entered is only processed by the payment service providers and stored with them. I.e., we do not receive any account or credit card related information, but only information with confirmation or negative information of the payment. Under certain circumstances, the payment service providers transmit the data to credit agencies. The purpose of this transmission is to check identity and creditworthiness. In this regard, we refer to the terms and conditions and the privacy notices of the payment service providers (see below).
For payment transactions, the terms and conditions and data protection notices of the respective payment service providers apply, which can be accessed within the respective websites or transaction applications. We also refer to these for the purpose of further information and assertion of revocation, information, and other data subject rights.
Types of data processed: inventory data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contract data (e.g., subject matter of contract, term, customer category); usage data (e.g., websites visited, interest in content, access times); meta, communication and procedural data (e.g., IP addresses, time data, identification numbers, consent status).
Data subjects: you as a customer or prospective customer.
Purposes of processing: provision of contractual services and customer service.
Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR).
Stripe: Payment services (technical connection of online payment methods); Service provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Legal basis: Contract performance and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b) GDPR); Website: https://stripe.com; Privacy policy: https://stripe.com/de/privacy.
OVHcloud: We host our application and user data on OVHcloud, a secure cloud platform operated by OVH Groupe SA. Data is stored on OVHcloud’s servers located in France, ensuring that user information remains strictly within the European Union. All data transfers and storage are encrypted in accordance with industry standards and GDPR requirements.
Service Provider: OVH Groupe SA, 2 rue Kellermann, 59100 Roubaix, France
Website: https://www.ovhcloud.com
Privacy Policy: https://www.ovhcloud.com/en/terms-and-conditions/privacy-policy/
Custom Document Databases for Comparison
In addition to standard comparison checks against publicly available documents and external publications, ImageTwin allows users and organizations to create private, custom databases of previously uploaded content (such as images, PDFs, and DOCX files). New uploads may be automatically compared against these private repositories to detect similarities and duplications.
These custom databases may be accessible either individually (by the user who created them) or shared across authorized members of an organization. Documents stored within these custom databases are retained for the duration of the active subscription, unless explicitly deleted earlier by the user or administrator.
Users have full control over which documents are saved and whether organizational sharing is enabled. Data stored in these repositories is securely encrypted and never shared with third parties without consent.
Postmark: We use Postmark to deliver transactional emails, including login notifications, password resets, and system alerts.
Service Provider: Wildbit LLC (now ActiveCampaign), 230 N. 2nd Street, Suite 300, Philadelphia, PA 19106, USA
Website: https://postmarkapp.com
Privacy Policy: https://postmarkapp.com/privacy-policy
We would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:
The right to access – You have the right to request copies of your personal data. We may charge you a small fee for this service.
The right to rectification – You have the right to request that we correct any information you believe is inaccurate. You also have the right to request that we complete the information you believe is incomplete.
The right to erasure – You have the right to request that we erase your personal data, under certain conditions.
The right to restrict processing – You have the right to request that we restrict the processing of your personal data, under certain conditions.
The right to object to processing – You have the right to object to our processing of your personal data, under certain conditions.
The right to data portability – You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
The right to a complaint to a data protection authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the requirements of the GDPR.
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please feel free to contact us.