Data Privacy Policy

Solutions

ImageTwin AI GmbH

Last updated: May 15, 2025

This Privacy Policy document contains types of information that is collected and recorded by ImageTwin and how we use it.

Data controller: ImageTwin AI GmbH, Taubstummengasse 11, 1040 Vienna, Austria, [email protected] (referred to as “ImageTwin” or “we”). 

If you have additional questions or require more information about our Privacy Policy, do not hesitate to contact us.

This Privacy Policy applies only to our online activities and is valid for visitors to our website with regards to the information that they shared and/or collect in ImageTwin. This policy is not applicable to any information collected offline or via channels other than this website.

Consent

By using our website, you (also referred to as “customer” or “user”) hereby consent to our Privacy Policy and agree to its terms.

Direct Contact

If you contact us directly, we may receive additional information about you such as your name, email address, phone number, the contents of the message and/or attachments you may send us, and any other information you may choose to provide.

Log Files

ImageTwin follows a standard procedure of using log files. These files log visitors when they visit websites. All hosting companies do this and are a part of hosting services’ analytics. The information collected by log files includes internet protocol (IP) addresses, browser type, internet service provider (ISP), date and time stamp, referring/exit pages, and possibly the number of clicks. These are not linked to any information that is personally identifiable. The purpose of the information is for analyzing trends, administering the site, tracking users’ movement on the website, and gathering demographic information.

Third Party Privacy Policies

ImageTwin’s Privacy Policy does not apply to other advertisers or websites. Thus, we are advising you to consult the respective Privacy Policies of these third-party ad servers for more detailed information. It may include their practices and instructions about how to opt-out of certain options.

You can choose to disable cookies through your individual browser options. To know more detailed information about cookie management with specific web browsers, it can be found at the browsers’ respective websites.

Processing of Images and PDFs

After submitting images or a PDF (referred to as the data) to our detection service, the data is treated as follows:

  • The data is transferred via TLS-encryption to the server.
  • The data is processed to identify image integrity issues. The results are returned to the User.
  • After submitting images, PDFs, or DOCX files (collectively referred to as “documents”) to our detection service, the data is transferred via TLS encryption to the server and processed to identify potential integrity issues. The results are then returned to the user.
    By default, these documents are deleted after the results are delivered. However, users may optionally choose to retain their documents for 30 days by selecting a checkbox during upload. These documents are stored securely and deleted automatically after the selected retention period.

Types of data processing

To use our services, you need to create a user account. The following data will be requested:

  • E-Mail-Address
  • Name
  • Address
  • Organization (optional)

How we use your information

We use the information we process in various ways, including to:

  • Provide our services and fulfill our contractual obligations
  • Provide, operate, and maintain our website
  • Improve, personalize, and expand our website
  • Promote our products, services, and other offerings
  • Understand and analyze how you use our website
  • Develop new features, and functionality

Consent for Marketing Communications

When you sign up for our services or interact with our platform, you will be asked to provide explicit consent to receive marketing communications from Imagetwin. This includes updates on new features, company news, and other promotional content.

You can opt in by selecting the appropriate checkbox when creating your account, using our newsletter or form submissions, or updating your preferences. If you choose not to opt in, we will not send you marketing emails.

You may withdraw your consent at any time by using the “unsubscribe” link in our emails or by contacting us directly at [email protected].

Record Keeping of Consent

In compliance with the GDPR, we will record and maintain a record of your consent to receive marketing communications electronically. This includes details of the time and date when consent was given, the method by which consent was obtained (such as a checkbox or email confirmation), and any preferences you may have set.

This record will be stored securely and can be accessed or updated by you at any time by contacting us directly at [email protected]. You may withdraw your consent at any time, and we will immediately update our records to reflect your updated preferences.

Legal bases of data processing & storage period

Below you will find an overview of the legal basis of the GDPR on which we base the processing of personal data. Please note that in addition to the provisions of the GDPR, national data protection provisions of your or our country of residence or domicile may apply. 

  • Consent (Art. 6 para. 1 p. 1 lit. a. GDPR) – You have given his/her consent to the processing of personal data relating to you for a specific purpose or purposes.
  • Consent for Marketing: We process personal data for marketing purposes based on your consent (Art. 6 para. 1 p. 1 lit. a. GDPR). You can withdraw this consent at any time.
  • Contract performance and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b. GDPR) – The processing is necessary for the performance of a contract to which you are a party, or for the performance of pre-contractual measures, which are carried out at your request.
  • Legal obligation (Art. 6 (1) p. 1 lit. c. GDPR) – Processing is necessary for compliance with a legal obligation to which we are subject.
  • Legitimate interests (Art. 6 (1) p. 1 lit. f. GDPR) – Processing is necessary to protect our legitimate interests or a third party’s legitimate interests, except where such interests are overridden by your interests or fundamental rights and freedoms which require the protection of personal data. 
  • Documents voluntarily saved by the user or stored in an organizational database will be retained for the duration of the active subscription, unless the user or organization requests earlier deletion.


The data stored by us will be deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any statutory retention obligations.

According to § 132 BAO, for example, we are legally obligated to store accounting documents (e.g. invoices, receipts) for a period of at least 7 years (longer in the case of legal disputes).

Uploaded documents (image, PDFs and DOCX files, etc.) are not saved by default. You may have the option to save documents with the associated found plagiarism/manipulations and load them again later within the web application. Whether a document should be saved is optionally selectable by you. The document will then be stored on our server for a maximum of one month and then deleted. Uploaded and saved documents are used by us exclusively for the fulfillment of our contractual obligations.

National data protection regulations in Austria: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Austria. These include the Federal Act on the Protection of Individuals regarding the Processing of Personal Data (Data Protection Act – DSG). In particular, the Data Protection Act contains special regulations on the right to information, the right to rectification or erasure, the processing of special categories of personal data, processing for other purposes and transmission, and automated decision-making in individual cases.

Web analysis, monitoring and optimization

Web analytics (also referred to as “reach measurement”) is used to evaluate the flow of visitors to our online offering and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can recognize, for example, at what time our online offer or its functions or content are most frequently used or invite re-use. Likewise, we can understand which areas need optimization.

In addition to web analytics, we may also use testing procedures, for example, to test and optimize different versions of our online offering or its components.

Unless otherwise stated below, profiles, e.g. data summarized for a usage process, may be created for these purposes and information may be stored in a browser, or in a terminal device, and read from it. The information collected includes, in particular, websites visited and elements used there, as well as technical information such as the browser used, the computer system used, and information on usage times. If you have agreed to the collection of their location data from us or from the providers of the services we use, location data may also be processed.

The IP address of you as the user is also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect you as the user. Generally, in the context of web analysis, A/B testing and optimization, no clear data of the users (such as e-mail addresses or names) are stored, but pseudonyms. That is, we as well as the providers of the software used do not know the actual identity of you as the user, but only the information stored in your profile for the purposes of the respective procedures.

Types of data processed: Usage data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status).

Data subjects: You as the user (e.g., website visitors, users of online services).

Purposes of processing: reach measurement (e.g. access statistics, recognition of returning visitors); tracking (e.g. interest/behavior-based profiling, use of cookies); provision of our online offer and user experience.

Security measures: IP masking (pseudonymization of the IP address).

Legal basis: consent (Art. 6 para. 1 p. 1 lit. a) GPDR.

Further notes on processing processes, procedures, and services:

Google Analytics: web analysis, reach measurement as well as measurement of user flows; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a) GDPR); 

Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy policy: https://policies.google.com/privacy; Order processing agreement: https://business.safety.google/adsprocessorterms; Standard contractual clauses (ensuring level of data protection for processing in third countries): https://business.safety.google/adsprocessorterms; Opt-out: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Ad Display Settings: https://adssettings.google.com/authenticated; Further Information: https://privacy.google.com/businesses/adsservices (types of processing as well as data processed). 

Firebase: Google Firebase is a platform for developers of applications for mobile devices and websites. Google Firebase offers a variety of functions for testing applications, monitoring their functionality and optimizing them (which are presented on the following overview page: https://firebase.google.com/products). The functions include, among other things, the storage of applications including personal data of the app users, such as content created by them or information regarding their interaction with the apps (so-called “cloud computing”). Google Firebase also provides interfaces that allow interaction between application users and other services, e.g. authentication using services such as Facebook, Twitter or using an email password combination; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://firebase.google.com; privacy policy: https://policies.google.com/privacy.

PostHog: We use PostHog to collect pseudonymized usage data to better understand how users interact with our platform and to improve performance, usability, and feature development. The data collected may include page visits, session duration, user interactions, and basic device information. No personally identifiable information is stored without user consent.
Service Provider: PostHog Inc., 965 Mission Street, San Francisco, CA 94103, USA
Website: https://posthog.com
Privacy Policy: https://posthog.com/privacy

Monitoring & Debugging Tools: 

Sentry: We use Sentry for real-time error tracking, logging, and monitoring of application performance. Sentry helps us identify technical issues, improve platform stability, and troubleshoot software bugs more efficiently. Diagnostic data collected may include device and browser type, timestamps, and technical error traces. This information is pseudonymized and not linked to personal identities.
Service Provider: Functional Software, Inc. (Sentry), 132 Hawthorne Street, San Francisco, CA 94107, USA
Website: https://sentry.io
Privacy Policy: https://sentry.io/privacy/

Payment Procedure

In the context of contractual and other legal relationships, due to legal obligations or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and use other service providers for this purpose in addition to banks and credit institutions (collectively, “payment service providers”).

The data processed by the payment service providers includes inventory data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as the contract, total and recipient-related information. The information is required to carry out the transactions. However, the data entered is only processed by the payment service providers and stored with them. I.e., we do not receive any account or credit card related information, but only information with confirmation or negative information of the payment. Under certain circumstances, the payment service providers transmit the data to credit agencies. The purpose of this transmission is to check identity and creditworthiness. In this regard, we refer to the terms and conditions and the privacy notices of the payment service providers (see below).

For payment transactions, the terms and conditions and data protection notices of the respective payment service providers apply, which can be accessed within the respective websites or transaction applications. We also refer to these for the purpose of further information and assertion of revocation, information, and other data subject rights.

Types of data processed: inventory data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contract data (e.g., subject matter of contract, term, customer category); usage data (e.g., websites visited, interest in content, access times); meta, communication and procedural data (e.g., IP addresses, time data, identification numbers, consent status).

Data subjects: you as a customer or prospective customer.

Purposes of processing: provision of contractual services and customer service.

Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) GDPR).

Further notes on processing processes, procedures, and services:

Stripe: Payment services (technical connection of online payment methods); Service provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Legal basis: Contract performance and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b) GDPR); Website: https://stripe.com; Privacy policy: https://stripe.com/de/privacy.

Microsoft Azure: We host our application and user data on Microsoft Azure, a secure cloud platform operated by Microsoft Corporation. Data is stored on Azure’s Western Europe servers located in the Netherlands, ensuring that user information remains within the EU. All data transfers and storage are encrypted in accordance with industry standards and GDPR requirements.
Service Provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA
Website: https://azure.microsoft.com
Privacy Policy: https://privacy.microsoft.com/en-us/privacystatement

Custom User Databases for Document Comparison

Custom Document Databases for Comparison
In addition to standard comparison checks against publicly available documents and external publications, ImageTwin allows users and organizations to create private, custom databases of previously uploaded content (such as images, PDFs, and DOCX files). New uploads may be automatically compared against these private repositories to detect similarities and duplications.

These custom databases may be accessible either individually (by the user who created them) or shared across authorized members of an organization. Documents stored within these custom databases are retained for the duration of the active subscription, unless explicitly deleted earlier by the user or administrator.

Users have full control over which documents are saved and whether organizational sharing is enabled. Data stored in these repositories is securely encrypted and never shared with third parties without consent.

Email Communications and Notifications

Postmark: We use Postmark to deliver transactional emails, including login notifications, password resets, and system alerts.
Service Provider: Wildbit LLC (now ActiveCampaign), 230 N. 2nd Street, Suite 300, Philadelphia, PA 19106, USA
Website: https://postmarkapp.com
Privacy Policy: https://postmarkapp.com/privacy-policy

To Unsubscribe From Our Communications

You may unsubscribe from our marketing communications by clicking on the “unsubscribe” link located at the bottom of our e-mails or by contacting us via email to [email protected] or postal mail to ImageTwin AI GmbH, Taubstummengasse 11, 1040 Vienna, Austria. Customers cannot opt-out of receiving transactional emails related to their account with us.

GDPR Data Protection Rights

We would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

The right to access – You have the right to request copies of your personal data. We may charge you a small fee for this service.

The right to rectification – You have the right to request that we correct any information you believe is inaccurate. You also have the right to request that we complete the information you believe is incomplete.

The right to erasure – You have the right to request that we erase your personal data, under certain conditions.

The right to restrict processing – You have the right to request that we restrict the processing of your personal data, under certain conditions.