Privacy Policy
CutCue – audio analysis platform
Patrick Stigler Tech, sole proprietorship | As of: April 2026 | Version 1.1
Legal notice: Only the German version is legally binding. Other language versions are for convenience only.
§ 1 Controller
- Company: Patrick Stigler Tech, sole proprietorship
- Trade name: CutCue
- Owner: Patrick Stigler
- Address: Goethestraße 38, 70736 Fellbach, Germany
- Phone: +49 151 61488842
- Email: contact@cutcue.io
- Website: https://cutcue.io
Privacy enquiries and exercising data subject rights: contact@cutcue.io. Further information may be required to verify your identity.
§ 2 Overview of processed data
| Data category | Purpose | Legal basis | Retention | Third country |
|---|---|---|---|---|
| Account data (email, password hash, language setting) | Account creation and management | Art. 6 (1) lit. b GDPR | Until account deletion | No |
| Contract data (plan, payment status) | Contract performance | Art. 6 (1) lit. b GDPR | 10 years (§ 147 German Fiscal Code) | No |
| Audio files (user uploads) | Core service: audio analysis | Art. 6 (1) lit. b GDPR | Max. 24 h on S3 (AES-256), then auto-deletion | Yes (AI) |
| Twitch VOD audio (imported via OAuth) | Core service: VOD analysis | Art. 6 (1) lit. b GDPR | RAM-only during processing; no persistent storage | Yes (AI) |
| Twitch chat data (emote patterns, username as RAM deduplication key) | Engagement graph | Art. 6 (1) lit. b GDPR | RAM-only; no persistent storage | No |
| Twitch event data (donations, subs, raids) | Engagement graph | Art. 6 (1) lit. b GDPR | RAM-only; no persistent storage | No |
| Analysis results / markers | Providing results | Art. 6 (1) lit. b GDPR | Until account deletion | No |
| IP addresses (server logs) | Security, error analysis, attack detection | Art. 6 (1) lit. f GDPR | 90 days | No |
| IP addresses (Cloudflare) | DDoS protection, WAF, CDN | Art. 6 (1) lit. f GDPR | Session / cache | Yes |
| Cloudflare cookies | Bot detection, security | Art. 6 (1) lit. f / § 25 (2) TTDSG | Up to 30 days | Yes |
| Plausible statistics (anon.) | Platform optimisation | Art. 6 (1) lit. f GDPR | Permanently anonymous | No |
| Newsletter (email address) | Launch notification, product updates | Art. 6 (1) lit. a GDPR | Until withdrawal | No |
| Support data (contact form) | Handling enquiries | Art. 6 (1) lit. b/f GDPR | After purpose fulfilled | Partly |
| Turnstile signal (browser) | Bot protection for forms | Art. 6 (1) lit. f / § 25 (2) TTDSG | Session duration | Yes |
§ 3 Legal bases
- Art. 6 (1) lit. a GDPR – consent (newsletter)
- Art. 6 (1) lit. b GDPR – contract performance (audio analysis, Twitch import, account, emails)
- Art. 6 (1) lit. c GDPR – legal obligation (retention duties)
- Art. 6 (1) lit. f GDPR – legitimate interests (security, logs, Plausible, Cloudflare)
- § 25 (2) No. 2 TTDSG – technically necessary cookies (Cloudflare security cookies)
The Federal Data Protection Act (BDSG) applies additionally.
§ 4 Your rights as a data subject
To exercise the following rights, an email to contact@cutcue.io is sufficient. We respond within 30 days (Art. 12 (3) GDPR).
- Right of access – Art. 15 GDPR: information on all processed data, purposes, categories, recipients, and retention.
- Right to rectification – Art. 16 GDPR: prompt correction of inaccurate data or completion of incomplete data.
- Right to erasure – Art. 17 GDPR: erasure of your data where no statutory retention obligation applies. Account deletion via the dashboard irreversibly deletes all personal data and credits.
- Right to restriction – Art. 18 GDPR: restriction of processing.
- Right to data portability – Art. 20 GDPR: data in a structured, machine-readable format.
- Right to object – Art. 21 GDPR: to processing based on legitimate interests (Art. 6 (1) lit. f).
- Withdrawal – Art. 7 (3) GDPR: withdraw consent at any time with effect for the future (unsubscribe link or contact@cutcue.io).
- Right to lodge a complaint – Art. 77 GDPR: LfDI Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart, www.baden-wuerttemberg.datenschutz.de
- No automated decision-making – Art. 22 GDPR: CutCue does not make solely automated decisions with legal effect.
§ 5 Hosting and infrastructure
5.1 IONOS SE – web hosting, API server, SMTP, S3 storage
Provider: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany
Privacy: https://www.ionos.de/terms-gtc/datenschutzerklaerung/
IONOS SE provides the following services on servers in Germany/the EU: web hosting, API server, SMTP (transactional emails), S3-compatible object storage (temporary storage of user audio uploads, max. 24 hours, AES-256 encrypted). Legal basis: Art. 6 (1) lit. b GDPR | lit. f (hosting). DPA concluded. No third-country transfer.
5.2 Netlify – frontend hosting
Provider: Netlify, Inc., 512 2nd Street, Suite 200, San Francisco, CA 94107, USA
Privacy: https://www.netlify.com/privacy/
Static frontend via Netlify. Requests are routed through Cloudflare; Netlify receives Cloudflare IPs. Legal basis: Art. 6 (1) lit. f GDPR. Third-country transfer: USA – DPF (Art. 45 GDPR) + SCC. DPF-certified.
5.3 Cloudflare – CDN, WAF, DDoS protection, DNS, Turnstile
Provider: Cloudflare, Inc., 101 Howard Street, San Francisco, CA 94105, USA | EU representative: Cloudflare Limited, Dublin
Privacy: https://www.cloudflare.com/privacypolicy/
CDN/reverse proxy, WAF, DDoS protection, Turnstile. Cloudflare cookies (§ 25 (2) No. 2 TTDSG): __cf_buid (30 days), cf_clearance (variable). No consent required. Legal basis: Art. 6 (1) lit. f GDPR. Third-country transfer: USA – DPF + SCC. DPF-certified.
§ 6 Trial / free tier
CutCue may offer new users a free trial period after registration. Processed data: account data, trial usage data, IP addresses. Trial data is carried over on upgrade; if there is no upgrade, it is deleted on account deletion or after 24 months of inactivity. Legal basis: Art. 6 (1) lit. b GDPR.
§ 7 Use of artificial intelligence
7.1 OpenAI – text processing and analysis
Contractual partner: OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, Dublin 1, Ireland
Privacy: https://openai.com/privacy/
CutCue uses the OpenAI API to process and analyse transcribed audio content (including Twitch VOD transcriptions and enriched analysis results). Contractual partner is OpenAI Ireland Ltd. (EU); processing may take place on US servers. Transfer secured by SCC (Art. 46 (2) lit. c GDPR) + DPA. CutCue has contractually disabled model training by OpenAI. Twitch chat and event raw data are not transmitted to OpenAI. Legal basis: Art. 6 (1) lit. b GDPR.
7.2 Deepgram – speech recognition (speech-to-text)
Provider: Deepgram, Inc., 1400 Fashion Island Blvd, Suite 302, San Mateo, CA 94404, USA
Privacy: https://deepgram.com/privacy
CutCue uses Deepgram's EU API endpoint to transcribe audio content (user uploads and Twitch VOD audio). Processing primarily on EU servers. SCC (Art. 46 (2) lit. c GDPR) + DPA pursuant to Art. 28 GDPR concluded.
Note on model improvement by Deepgram: Under the concluded data processing agreement (DPA), Deepgram is entitled to use transmitted audio data to improve its speech recognition models. Processing is secured by DPA pursuant to Art. 28 GDPR and SCC pursuant to Art. 46 GDPR and is GDPR-compliant. CutCue itself does not use user data for its own AI training. Users who have audio files processed that contain third-party content (e.g. employees, customers, viewers) must, as data protection controllers, inform the data subjects about this processing and ensure the necessary legal basis.
Legal basis: Art. 6 (1) lit. b GDPR. Third-country transfer: EU endpoint; SCC + DPA.
§ 8 Twitch integration (VOD import)
CutCue offers an optional feature to import Twitch VODs and related data. Use requires the user to connect their Twitch account to CutCue via OAuth 2.0 (via account settings in the dashboard).
8.1 Twitch, Inc. – data source
Provider: Twitch Interactive, Inc., 350 Bush Street, 2nd Floor, San Francisco, CA 94104, USA (subsidiary of Amazon.com, Inc.)
Privacy: https://www.twitch.tv/p/legal/privacy-notice/
Via the OAuth 2.0 connection, the user authorises CutCue to access the following data on their behalf:
- VOD audio: Downloaded directly from the Twitch server to the CutCue API server and processed exclusively in RAM. There is no persistent storage on disk or in object storage. Audio data is transmitted directly to Deepgram for transcription and then removed from RAM. Only analysis results (transcript, markers) are stored persistently.
- Chat replay data for the respective VOD: Emote patterns only for an engagement graph. Usernames are used solely as a volatile deduplication key in RAM — no persistent storage, no logging, no disclosure to sub-processors.
- Event data (donations, subs, raids): Timestamps and type for the engagement graph. Usernames solely as RAM deduplication keys, not stored persistently.
Legal basis: Art. 6 (1) lit. b GDPR (contract performance). Third-country transfer for OAuth communication: USA – Twitch Interactive, Inc. / Amazon; secured by SCC pursuant to Art. 46 (2) lit. c GDPR.
Notice pursuant to Art. 14 (5) lit. b GDPR: Chat and event data contain personal data of Twitch viewers who are not contractual partners of CutCue. Direct notification of these persons is practically impossible and disproportionately burdensome. Required transparency is ensured by this privacy policy. The CutCue user alone is responsible as data protection controller for the lawfulness of processing this third-party data.
Disconnect OAuth: at any time via CutCue account settings and at https://www.twitch.tv/settings/connections.
§ 9 Registration and user account
Use of CutCue requires a user account (email + password). By registering, the user confirms that they are acting as an entrepreneur within the meaning of § 14 BGB. Account deletion at any time via the dashboard; all data and credits are irreversibly deleted. Exception: statutory retention obligations (§ 147 German Fiscal Code / § 257 German Commercial Code, 10 years). Legal basis: Art. 6 (1) lit. b GDPR.
§ 10 Email communication
10.1 IONOS SMTP – transactional emails
System emails via IONOS SE (registration, password reset, credit warnings, rollover reminders). DPA concluded; processing in Germany. Legal basis: Art. 6 (1) lit. b GDPR.
10.2 Brevo – newsletter / launch notification
Provider: Brevo SAS, 7 rue de Madrid, 75008 Paris, France
Privacy: https://www.brevo.com/de/legal/privacypolicy/
Opt-in by actively ticking: "I agree to receive a notification email when CutCue registration opens. I can unsubscribe at any time." Consent is logged with timestamp and IP address (Art. 7 GDPR). Unsubscribe at any time via unsubscribe link or contact@cutcue.io. Legal basis: Art. 6 (1) lit. a GDPR. Retention: until withdrawal; thereafter up to 3 years (blocklist). No third-country transfer.
§ 11 Analytics services
11.1 Plausible Analytics
Provider: Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia
Privacy: https://plausible.io/privacy
Cookie-free reach measurement without personal data. IP addresses are used only for geographic resolution and immediately discarded. No cookie banner required. Legal basis: Art. 6 (1) lit. f GDPR.
§ 12 Payment processing
12.1 Lemon Squeezy – merchant of record
Provider: Lemon Squeezy, LLC, 222 S Main St, Suite 500, Salt Lake City, UT 84101, USA
Privacy: https://www.lemonsqueezy.com/privacy
Lemon Squeezy is an independent data protection controller as merchant of record. CutCue does not store payment data. Third-country transfer USA: own measures per Lemon Squeezy Privacy Policy.
§ 13 Support and community
Discord: Discord Inc., San Francisco, USA. Optional support server, voluntary use. DPF-certified. Art. 6 (1) lit. f GDPR. https://discord.com/privacy
§ 14 Social networks
LinkedIn: Joint responsibility with LinkedIn Ireland Unlimited Company for Page Insights data (Art. 26 GDPR). Legal basis: Art. 6 (1) lit. f GDPR.
§ 15 Server logs, data security and backups
15.1 Server logs
Server logs (IP address, timestamp, HTTP status code, resource, browser info) are stored for security reasons for 90 days, then automatically deleted. Legal basis: Art. 6 (1) lit. f GDPR.
15.2 Technical security measures
- TLS/SSL encryption of all data transfers (HTTPS)
- AES-256 encryption of user audio uploads at rest (IONOS S3)
- Twitch VOD audio: RAM processing only, no persistence on disk
- Access control on a least-privilege basis
- Cloudflare WAF and DDoS protection
- Automated deletion of S3 audio files (max. 24 hours after upload)
- Password hashing using established cryptographic methods
- Regular security updates
15.3 Backups
Regular encrypted backups. Database backups automatically deleted after max. 30 days.
§ 16 International data transfers
| Provider | Third country | Transfer basis | Note |
|---|---|---|---|
| OpenAI Ireland Ltd. | USA | SCC Art. 46 (2) lit. c + DPA | EU contractual partner; no training by CutCue |
| Deepgram, Inc. | USA / EU | SCC + DPA (Art. 28 GDPR); EU endpoint | Training on audio data under DPA (see § 7.2) |
| Twitch Interactive, Inc. | USA | SCC Art. 46 (2) lit. c | OAuth data source; independent controller |
| Cloudflare, Inc. | USA | DPF Art. 45 + SCC | DPF-certified |
| Lemon Squeezy, LLC | USA | Independent controller (MoR) | Own privacy measures |
| Discord Inc. | USA | DPF-certified | Voluntary use |
| Netlify, Inc. | USA | DPF Art. 45 + SCC | DPF-certified; frontend only |
§ 17 Changes to this privacy policy
This privacy policy is updated as needed. Material changes will be announced by email.