CoupleLock

Privacy Policy

Last updated: 20 April 2026

This privacy policy explains how CoupleLock ("we", "us") collects, uses and protects your personal data when you use our website at couplelock.com (the "Service"). We comply with the EU General Data Protection Regulation (GDPR) and Dutch privacy law.

1. Who we are

The controller of your personal data is Studio Mate (trading as CoupleLock), based in the Netherlands. You can reach us at support@couplelock.com.

Company details: Studio Mate, KvK: 97439479. Postal address available on request via email.

2. What data we collect

  • Photos you upload: facial images you provide to generate a wallpaper. Because these contain biometric characteristics, they qualify as a special category of personal data under GDPR Article 9.
  • Email address: used to deliver your order, send transactional emails and (if you opt in) refund claim communication.
  • Order details: team/club, jersey numbers, scene choice, names shown on the wallpaper.
  • Payment data: processed directly by Stripe. We receive only the last four digits, card brand, amount, currency and payment status. We do not store full card numbers.
  • Usage data: pages visited, buttons clicked, device, browser, IP address. Used to analyse and improve the Service.
  • Cookies: technical cookies for session management and rate limiting, and analytics cookies (see section 8).

3. Why we process your data

  • Service delivery (legal basis: performance of a contract, GDPR Art 6(1)(b)) — generating your wallpaper, processing payment, sending the download link.
  • Photo processing by AI (legal basis: your explicit consent, GDPR Art 9(2)(a)) — you give this consent by uploading a photo to the Service.
  • Legal obligations (Art 6(1)(c)) — retaining invoices and tax records for 7 years.
  • Fraud prevention & abuse (Art 6(1)(f), legitimate interest) — rate limiting by IP/email, detecting duplicate accounts.
  • Product improvement & analytics (Art 6(1)(a), consent via cookie banner) — aggregate usage statistics.

4. How long we keep your data

  • Uploaded photos: processed in memory to generate the wallpaper and then discarded. We do not store raw uploaded photos on our servers after generation.
  • Generated wallpapers: kept in Vercel Blob Storage for up to 30 days so you can re-download them, then deleted.
  • Order & invoice data: 7 years (Dutch tax law).
  • Email list: until you unsubscribe, and no longer than 3 years after your last interaction.
  • Usage analytics: aggregated data retained for up to 12 months in PostHog.

5. Who we share data with

We use the following processors, each bound by a Data Processing Agreement:

  • Vercel Inc. (USA) — hosting, edge network, storage. Transfers covered by EU Standard Contractual Clauses.
  • Google LLC / Gemini API (USA) — AI image generation. Photos are sent once to the model and not retained by Google for training per their API terms. SCCs apply.
  • Stripe Payments Europe, Ltd. (Ireland) — payment processing.
  • PostHog, Inc. (EU region) — product analytics.
  • Loops & Google Sheets — email list management and order log.
  • Resend — transactional email delivery.

We do not sell your personal data to third parties.

6. International transfers

Some processors are located outside the European Economic Area (primarily the United States). Transfers are safeguarded by EU Standard Contractual Clauses and, where available, additional measures such as encryption in transit and at rest.

7. Your rights

Under GDPR you have the right to:

  • access the personal data we hold about you;
  • request correction of inaccurate data;
  • request deletion of your data ("right to be forgotten");
  • restrict or object to processing;
  • receive your data in a portable format;
  • withdraw consent at any time;
  • lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

To exercise any of these rights, email support@couplelock.com. We respond within 30 days.

8. Cookies

We use the following cookies:

  • Essential — session management, rate limiting, CSRF protection. No consent required.
  • Analytics (PostHog) — only set after you accept the cookie banner. Used to understand how people use the Service.
  • Payment (Stripe)— set by Stripe's embedded checkout for fraud prevention.

9. Security

Data is transmitted over HTTPS, stored encrypted at rest where supported by the processor, and access is limited to authorised personnel. Despite reasonable measures no internet transmission is 100% secure; by using the Service you acknowledge this residual risk.

10. Children

The Service is not intended for anyone under 16. If you believe a child has used the Service and given us personal data, contact us and we will delete it.

11. AI-generated content

Wallpapers are generated by an AI model (Google Gemini). The resulting image is a synthetic interpretation of your photo and may not be an accurate representation. Generated images are watermarked until payment is completed and are not used to train AI models.

12. Changes

We may update this policy. Material changes will be announced on this page with a new "last updated" date. Continued use of the Service after changes constitutes acceptance.