We have prepared this Privacy Policy (version 01.04.2026) in order to explain to you, in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 (GDPR), what information we collect, how we use data, and what choices you have as a user of this platform.
When you visit our platform, our web server (the computer on which this platform is stored) automatically saves data such as
in files (web server log files).
Web server log files are generally stored for two weeks and then automatically deleted. We do not share this data, but cannot exclude that it may be viewed in the event of unlawful conduct.
The legal basis is Article 6(1)(f) GDPR (lawfulness of processing), as there is a legitimate interest in ensuring the error-free operation of this platform by recording web server log files.
We use Amazon Web Services (AWS) of Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg, and/or Amazon.com, Inc., 410 Terry Avenue North, Seattle, WA 98109, USA, to provide QI Studio in a performant and secure manner. AWS acts as a sub-processor pursuant to Art. 28(2) GDPR. Data is therefore transferred to Amazon. The transfer of data to the USA is carried out on the basis of Standard Contractual Clauses (SCC) approved by the EU Commission pursuant to Art. 46(2)(c) GDPR and on the basis of the EU-U.S. Data Privacy Framework, under which AWS is certified. Note: The former EU-US Privacy Shield was declared invalid by the ECJ by judgment of 16 July 2020 (Schrems II) and is no longer applicable.
AWS holds a number of internationally recognised certifications, including ISO 27001, ISO 27017 for cloud security, ISO 27018 for cloud privacy, PCI DSS Level 1, and SOC 1, SOC 2 and SOC 3. Further information on data protection at AWS is available at: https://aws.amazon.com/compliance/eu-data-protection/
QI Studio is a cloud-based service that enables you to generate images and graphic content using artificial intelligence. The service is provided using AI image generation models via the Google Gemini API of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The models used may change within the Google Gemini API product family; we reserve the right to use the most suitable model within this offering at any given time.
The following data is processed in connection with the use of QI Studio:
The processing of prompt data, reference images and generated images is carried out on the basis of Art. 6(1)(b) GDPR (performance of a contract) for the purpose of providing the QI Studio service. The processing of technical usage data for the improvement and security of the service is carried out on the basis of Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in ensuring the stable and secure operation of the platform. You have the right to object to this processing at any time pursuant to Art. 21 GDPR. In the event of a justified objection, we will cease the processing unless compelling legitimate grounds on our part override your interests.
The Customer is responsible for ensuring that no personal data within the meaning of Art. 4(1) GDPR is transmitted in prompts or reference images, unless a legal basis exists for such transmission. To the extent that prompts contain personal data in individual cases, their processing shall take place within the framework of data processing on behalf of the controller pursuant to Art. 28 GDPR on the basis of Art. 6(1)(b) GDPR (performance of a contract). The Customer may object to processing based on legitimate interest pursuant to Art. 21 GDPR.
To the extent that we process personal data of the Customer or its users in the course of providing the AI service, the parties shall conclude a data processing agreement pursuant to Art. 28 GDPR prior to commencement of use. Until such agreement is concluded, no personal data may be processed via the AI service.
For image generation, we transmit technical input data (prompts and reference images) to the Google Gemini API of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. You are obligated to ensure that your prompts and reference images do not contain any personal data within the meaning of Art. 4(1) GDPR. To the extent that prompts contain personal data in individual cases, their processing shall take place on the basis of a data processing agreement concluded with us pursuant to Art. 28 GDPR. We have concluded a data processing agreement with Google pursuant to Art. 28 GDPR, which ensures that the transmitted data is processed exclusively in accordance with our instructions. The engagement of Google as a sub-processor pursuant to Art. 28(2) GDPR is carried out with the Customer's authorisation, which the Customer grants by concluding the contract.
Google LLC is headquartered in the USA. The transfer of input data to the USA is carried out on the basis of Standard Contractual Clauses (SCC) approved by the EU Commission pursuant to Art. 46(2)(c) GDPR and on the basis of the EU-U.S. Data Privacy Framework, under which Google is certified. Should the terms of the third-party provider change, we will notify you without undue delay and take the necessary data protection measures.
To the best of our knowledge, Google does not use the transmitted input data within the scope of the Gemini API to train its own AI models. We have contractually secured this commitment. With respect to training by other third-party providers, we refer to their respective privacy policies; the Customer will be informed accordingly.
We do not use your prompts, reference images or generated images to train our own AI models without your express written consent.
Generated images and prompt data are stored on our servers for an indefinite period, but for a minimum of 30 days after generation. Early deletion can be requested at any time by an informal written request to our Data Protection Officer (zimmermann@mobimedia.de) or via the deletion function in the customer portal. Deletion will be confirmed within five working days of receipt of the request. Clause 46.4 of the GTC shall otherwise apply.
All images generated by QI Studio are AI-generated content. Pursuant to Art. 50 of the EU AI Act, you as the user are obligated to label these images as AI-generated when passing them on to third parties or publishing them, where required by applicable law. We endeavour to provide generated images with technical labels (e.g. metadata in accordance with the C2PA standard or EXIF data) that make their AI origin recognisable. There is no entitlement to a specific technical labelling method.
The use of QI Studio for unlawful purposes is prohibited. In particular, it is prohibited to:
For further details, please refer to our General Terms and Conditions, Part 7, Clause 55.
You have the right at any time to obtain information about the prompt data and generated images stored about you (Art. 15 GDPR), to request their rectification (Art. 16 GDPR), to request their erasure (Art. 17 GDPR), to request restriction of processing (Art. 18 GDPR), to receive your data in a portable format (Art. 20 GDPR), and to object to processing on the basis of legitimate interest (Art. 21 GDPR). Please contact our Data Protection Officer for this purpose (contact details see below).
For the processing of payments in connection with the AI service, we use the payment service provider Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (hereinafter "Stripe").
During the payment process, the data required for payment processing is transmitted directly to Stripe and processed there. This includes in particular:
Stripe acts as an independent controller within the meaning of the GDPR for the processing of payment data. The legal basis for the processing is Art. 6(1)(b) GDPR (performance of a contract).
To the extent that data is transferred to the USA, this is carried out on the basis of Standard Contractual Clauses (SCC) approved by the EU Commission pursuant to Art. 46(2)(c) GDPR and on the basis of the EU-U.S. Data Privacy Framework, under which Stripe is certified.
Further information on data protection at Stripe is available at: https://stripe.com/privacy
To protect our login process against automated access, bots and abusive login attempts, we use the verification service Cloudflare Turnstile provided by Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA (hereinafter "Cloudflare"). Cloudflare Turnstile is a privacy-friendly alternative to classic CAPTCHA systems and enables the verification of human users without visual puzzle tasks.
The following data is processed in connection with the use of Cloudflare Turnstile:
The processing of the aforementioned data is carried out on the basis of Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in protecting our platform against automated login attempts, credential stuffing attacks and other bot activities, as well as in ensuring system integrity for the protection of all registered users. You have the right to object to this processing pursuant to Art. 21 GDPR. In the event of a justified objection, we will cease the processing unless compelling legitimate grounds on our part override your interests. Please note that refusing the verification may restrict access to the platform.
For the purpose of carrying out the verification, we transmit technical device data to Cloudflare, Inc. Cloudflare processes this data exclusively for the purpose of verifying the authenticity of the site visitor. According to Cloudflare's privacy policy, the transmitted data is not used for advertising purposes and is not sold to third parties. The integration of Cloudflare is carried out on the basis of a data processing agreement pursuant to Art. 28 GDPR.
Cloudflare, Inc. is headquartered in the USA. The transfer of data to the USA is carried out on the basis of Standard Contractual Clauses (SCC) approved by the EU Commission pursuant to Art. 46(2)(c) GDPR and on the basis of the EU-U.S. Data Privacy Framework, under which Cloudflare is certified (available at: www.dataprivacyframework.gov). As Cloudflare operates a global network, data may be processed on servers within or outside the EU depending on the user's location.
The technical verification data generated in the course of the Turnstile verification process is not stored permanently on our systems after completion of the verification process. Data stored by Cloudflare is subject to the retention periods set out in Cloudflare's privacy policy.
Verification via Cloudflare Turnstile is a necessary prerequisite for accessing the platform. Refusal of the verification process may result in the login process not being completed. The verification is designed to be as unobtrusive as possible for the user and generally does not require any active interaction.
For further information on data processing by Cloudflare, please refer to Cloudflare's privacy policy: https://www.cloudflare.com/privacypolicy/
You have the right at any time to obtain information about the data processed about you in the course of the verification and to request its erasure (Art. 15, 17 GDPR). You also have the right to object pursuant to Art. 21 GDPR. Please contact our Data Protection Officer for this purpose (contact details see below).
Personal data that you transmit to us electronically on this platform, such as name, e-mail address, postal address or other personal details submitted via a form, is used by us together with the time of submission and the IP address solely for the stated purpose, stored securely and not passed on to third parties.
We use your personal data solely for communication with users who expressly wish to be contacted and for the processing of the services and products offered on this platform. We do not share your personal data without your consent, but cannot exclude that this data may be viewed in the event of unlawful conduct.
If you send us personal data by e-mail — i.e. outside of this platform — we cannot guarantee secure transmission and the protection of your data. We recommend that you never transmit confidential data in unencrypted form by e-mail.
The legal basis is Article 6(1)(a) GDPR (lawfulness of processing), as you give us your consent to process the data you have entered. You may withdraw this consent at any time — an informal e-mail is sufficient; you will find our contact details in the legal notice.
We use HTTPS to transmit data securely over the internet (privacy by design pursuant to Article 25(1) GDPR). By using TLS (Transport Layer Security), an encryption protocol for secure data transmission over the internet, we ensure the protection of confidential data. You can recognise the use of this data transmission security by the small padlock symbol in the top left of your browser and by the use of the HTTPS scheme (instead of HTTP) as part of our web address.
You are generally entitled to the following rights under the GDPR:
If you believe that the processing of your data violates data protection law or that your data protection rights have otherwise been infringed, you may contact the competent data protection supervisory authority. For MobiMedia AG, this is the Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht – BayLDA), Promenade 18, 91522 Ansbach, Germany, Tel.: +49 (0) 981 180093-0, E-mail: poststelle@lda.bayern.de, Website: www.lda.bayern.de.
The controller within the meaning of the General Data Protection Regulation is:
MobiMedia Aktiengesellschaft
Dr.-Bachl-Str. 2
84347 Pfarrkirchen
Germany
Phone: +49 8561 96 16 0
Fax: +49 8561 96 16 96
E-mail: info@mobimedia.de
Website: https://portal.quintet24.com/
The Data Protection Officer of the controller is:
Alexander Zimmermann
MobiMedia AG
Dr.-Bachl-Str. 2
84347 Pfarrkirchen
Germany
zimmermann@mobimedia.de
+49 8561 96 16 – 25
Any data subject may contact our Data Protection Officer directly at any time with questions or suggestions regarding data protection.