Privacy Policy

Privacy Policy

How Good Fella Studio GmbH collects, uses, shares, and protects personal data when you use Annnimate. Last updated 2026-06-30.

1

Who we are

The controller of your personal data under Article 4(7) of the General Data Protection Regulation (GDPR) is Good Fella Studio GmbH, the company operating Annnimate. Our registered details are in the Legal Notice.

For all privacy matters, contact support@annnimate.com. We are not required to appoint a Data Protection Officer under Article 37 GDPR.

2

Personal data we collect

2.1

Data you give us

  • Account: email address (required for magic-link sign-in), name (optional), preferred motion framework (React/Vue/HTML/Webflow).
  • Billing: when you subscribe or buy a Landmark Kit, Stripe processes your payment data on our behalf. We receive a Stripe customer ID, the plan you bought, the last 4 digits of the card, the country, and the VAT identification if you provide one. We never see your full card number.
  • Support: when you email us, we keep the contents of your message and our reply.
  • Newsletter: if you subscribe to our newsletter, your email and the confirmation timestamp.
  • Showcase submission: if you submit a site to the Built-with showcase, the URL, screenshots, and your name or company you choose to display.
  • Roadmap participation: if you vote or suggest a component on our public roadmap without an account, a random identifier stored in a cookie on your device (see our Cookie Policy, anm_anon_id) so we can prevent duplicate votes. If you add the optional email to a suggestion, we use it solely to reply to you about that suggestion — it is not added to any mailing list.
  • How you heard about us (optional): if you answer the optional “how did you hear about us?” question after checkout, we store your answer on your user record to understand which channels bring us paying customers. We never pre-select an answer, and you can skip it.
2.2

Data we collect automatically

  • Server logs: IP address, user agent, requested URL, response code, timestamp — kept for 30 days for security and abuse prevention.
  • Product analytics (cookieless by default): page views, button clicks, copied components, framework choices, errors. When you are signed in, these events are linked to a pseudonymous account identifier (your user ID) and your subscription state so we can understand product usage per plan — your email and name are not stored in the analytics tool. See our Cookie Policy for the difference between cookieless and full-mode analytics.
  • First-touch attribution at checkout: which page you arrived from, the UTM parameters in the URL, and the referring domain — used to understand which marketing channels drive paid customers. Persisted on your user record.
2.3

Data we receive from third parties

  • Stripe sends us subscription state (active, canceled, past due), invoice amounts and dates, and refund records.
  • Kit sends us your subscription state for our newsletter and broadcasts (active, unsubscribed, bounced, complained).
  • Resend sends us delivery status for transactional emails we send to you (delivered, bounced, complained).
3

We process personal data on these legal bases under Article 6(1) GDPR:

  • Performance of a contract — Article 6(1)(b). To create your account, give you access to the Library and any Landmark Kit you bought, deliver receipts, process refunds, and provide support.
  • Compliance with a legal obligation — Article 6(1)(c). To retain billing records for 10 years per § 147 AO (German tax law) and to respond to lawful data-protection requests.
  • Legitimate interests — Article 6(1)(f). To run cookieless product analytics, debug errors, prevent fraud and abuse, recover and learn from abandoned checkouts (see 3.1), and improve the product. We balance our interest in running a sustainable product against your interests.
  • Consent — Article 6(1)(a). For full-mode analytics with cookies and session recordings, newsletter subscriptions, the optional reply email on roadmap suggestions, and any optional cookies. Consent is recorded with a timestamp and can be revoked any time.
3.1

Checkout abandonment recovery

If you start checkout on Annnimate and do not complete it, we may send you up to three emails — typically within 1–3 hours, around 24 hours, and around 72 hours — to (a) let you know your checkout session expired and offer a way back, (b) ask whether something blocked you so we can improve the product, and (c) follow up once with honest information about the offer. We process this on the basis of our legitimate interest in recovering and learning from abandoned checkouts (GDPR Article 6(1)(f); Recital 47). You can object at any time by clicking unsubscribe in any of these emails, replying with the word "stop", or writing to support@annnimate.com.

If you complete a checkout before a scheduled email fires, we cancel the remaining sends. If you abandon a second checkout within 30 days, we only send the first (resume-link) email and suppress the follow-ups.

4

Who we share your data with

We share your personal data only with processors that help us deliver the Service. Each has a data processing agreement (DPA) in place with us under Article 28 GDPR and processes data only on our instructions.

4.1

Current sub-processors

  • Stripe (US) — payments + invoicing. Certified under the EU-US Data Privacy Framework (DPF). DPA: stripe.com/legal/dpa.
  • Resend (US) — transactional email (sign-in links, receipts, support replies). Certified under the EU-US DPF. DPA: resend.com/legal/dpa.
  • Kit (US, formerly ConvertKit) — newsletter and broadcast email. DPA with Standard Contractual Clauses: kit.com/dpa.
  • Supabase (US-hosted database) — authentication and primary database. Standard Contractual Clauses in place. DPA: supabase.com/privacy.
  • PostHog (EU-hosted, eu.posthog.com) — product analytics. EU instance, no transfer outside the EEA. DPA: posthog.com/dpa.
  • Vercel (US) — hosting, serverless functions, edge network. Certified under the EU-US DPF. DPA: vercel.com.
  • IONOS (Germany) — inbound email infrastructure for the annnimate.com domain. Data stays in the EU.
  • GitHub (US, Microsoft) — source code, content, and configuration repository. Certified under the EU-US DPF.
4.2

Changes to the sub-processor list

We give you at least 30 days' notice (via the changelog and email to active subscribers) before adding a new sub-processor that processes your personal data, in line with Article 28(2) GDPR. You can object to the change by emailing support@annnimate.com.

5

International data transfers

Several of our sub-processors operate from the United States. When your data is transferred outside the European Economic Area, we rely on the EU-US Data Privacy Framework certification (Stripe, Resend, Vercel, GitHub) or the European Commission's Standard Contractual Clauses (Kit, Supabase). PostHog is hosted in the EU, so no transfer takes place for analytics data.

6

How long we keep your data

  • Account data: for the duration of your Subscription, plus 12 months after cancellation in case you reactivate.
  • Billing and invoice data: 10 years from the invoice date, as required by § 147 of the German Fiscal Code (Abgabenordnung / AO).
  • Newsletter subscribers: until you unsubscribe, plus 24 months thereafter as a record of consent.
  • Cookieless analytics events: 24 months from the event date.
  • Full-mode analytics (consent-based, including session recordings): 30 days for recordings, 24 months for events.
  • Server logs: 30 days.
  • Support email threads: 36 months after the last reply, then deleted.
  • Showcase submissions: until you withdraw them or the showcase is retired.
7

Your rights

Under the GDPR and the German Federal Data Protection Act (BDSG), you have the following rights regarding your personal data:

  • Right of access — to know what personal data we hold about you (Article 15 GDPR).
  • Right to rectification — to have inaccurate data corrected (Article 16).
  • Right to erasure — to have data deleted in certain circumstances (Article 17).
  • Right to restriction of processing — to limit how we use your data (Article 18).
  • Right to data portability — to receive your data in a portable format and have it transmitted to another controller (Article 20).
  • Right to object — to processing based on legitimate interests, and to direct marketing at any time (Article 21).
  • Right to withdraw consent — at any time, without affecting prior lawful processing (Article 7(3)).
  • Right to lodge a complaint — with the Bavarian Data Protection Authority (BayLDA) or your local supervisory authority (Article 77).
  • Right not to be subject to automated decision-making — including profiling that significantly affects you (Article 22). We do not make automated decisions about you.

To exercise any of these rights, email support@annnimate.com. We reply within one month per Article 12(3) GDPR. We may extend this by two months for complex requests and tell you within the first month. We may ask for proof of identity proportionate to the request.

8

Cookies and similar technologies

See our Cookie Policy for what we store on your device. Our analytics run in cookieless mode by default — no cookies, no localStorage. We only set cookies for sign-in, checkout, and any optional features you actively turn on.

9

Children

Annnimate is built for professional developers and is not directed at children. Under Germany's implementation of GDPR Article 8, the digital consent age in Germany is 16. We do not knowingly collect personal data from anyone under 16. If we learn that we have, we delete the data without delay.

10

Marketing emails

You only receive marketing emails from us if you subscribed deliberately. We use double opt-in via Kit: when you submit your email, Kit sends a confirmation link, and your subscription becomes active only after you click it.

Every marketing email has an unsubscribe link at the bottom. You can also email support@annnimate.com to be removed. Unsubscribes are processed within a few minutes and we keep a record of the unsubscribe for 24 months as evidence of compliance.

11

Data breaches

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we notify the Bavarian Data Protection Authority (BayLDA) within 72 hours of becoming aware of it (Article 33 GDPR). If the risk is high, we notify affected users without undue delay (Article 34). We maintain an internal record of all data breaches regardless of risk level.

12

Changes to this policy

We update this policy when the way we process data materially changes (new processors, new categories of data, new purposes). Material changes are announced in our changelog and via email to active subscribers at least 30 days before they take effect. The last-updated date at the top of the page is always current.

13

Region-specific rights

13.1

European Economic Area and the UK

If you are in the EEA or the UK, you have all the GDPR rights listed in Section 7. UK residents can lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

13.2

California (CCPA / CPRA)

California residents have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete, the right to correct, the right to opt out of sale or sharing, the right to limit the use of sensitive personal information, and the right to non-discrimination for exercising these rights.

We do not sell or share your personal information. To exercise your CCPA rights, email support@annnimate.com.

13.3

Other US states

We honor equivalent rights granted by state privacy laws including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and others as they come into force. Email support@annnimate.com to exercise any equivalent right.

13.4

Canada

Canadian users have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA). Email support@annnimate.com to exercise your rights, or contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.

14

Complaints

We hope to address any concern you have directly. If you remain unsatisfied, you have the right to lodge a complaint with a supervisory authority. The competent authority for our company is:

  • Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
  • Promenade 18
  • 91522 Ansbach, Germany
  • Email: poststelle@lda.bayern.de
  • Website: lda.bayern.de

Privacy contact

For any privacy-related request — access, deletion, portability, objection, or to ask a question — email support@annnimate.com. A real person from our team responds within one business day.