Legal · GDPR

Privacy Policy

This policy explains what data we collect, why we collect it, where it goes, and what rights you have. We keep it short and concrete — no dark patterns, no buried clauses.

Last updated: 16 May 2026

Data Controller

Foth Group GmbH
Seehofstraße 137, 14167 Berlin, Germany
HRB 163989 B (Amtsgericht Charlottenburg)
Email: kontakt@fothgroup.de
Phone: +49 30 89000652

Foth Group GmbH operates spicyemilia.com and is the controller of personal data processed through this service within the meaning of Art. 4(7) GDPR.

What We Collect

We deliberately collect only what we need to run the service:

Account data — email address (for magic-link sign-in), age confirmation, optional language preference, account creation timestamp
Chat content — messages you send and replies generated by our AI characters, including any images or voice notes attached or generated within a conversation. Because the service is explicitly adult in nature, chat content may include data about your sexual life or preferences (special category data under Art. 9 GDPR)
Persona / intensity state — the mood you selected at sign-up and how that adapts over time
Generated media — selfies and clips produced by our generative-AI tools at your request, associated with your account
Push notification subscriptions — if you opt in to web push notifications, your browser-issued push endpoint and VAPID public key
Technical logs — IP address, user agent, request timestamps, error traces. Retained 14 days for security and abuse-prevention only
Essential cookies — a single signed session cookie issued at sign-in (HttpOnly, Secure, SameSite=Lax) and a small language preference cookie. No marketing, advertising or analytics cookies are set

We do not use any third-party analytics, social-media trackers, advertising pixels, or fingerprinting. No data is shared with advertisers or data brokers. Ever.

Why We Process It (Legal Basis)

Purpose	Legal basis
Creating and securing your account, delivering chat replies, generating images you request, sending magic-link sign-in emails	Performance of contract — Art. 6(1)(b) GDPR
Processing intimate or sexual content within your chats (Art. 9 special category)	Your explicit consent given at sign-up — Art. 9(2)(a) GDPR. You can withdraw consent at any time by deleting your account
Security monitoring, rate-limiting, fraud and abuse prevention	Our legitimate interest — Art. 6(1)(f) GDPR
Complying with statutory obligations (tax, recordkeeping, lawful requests)	Legal obligation — Art. 6(1)(c) GDPR

Where Your Data Lives — Processors & Sub-Processors

We use a small number of carefully selected providers. All have signed data-processing agreements (Art. 28 GDPR) with us:

Provider	Role	Location
Hetzner Online GmbH	Hosting, database, file storage	Falkenstein, Germany (EU)
BytePlus Pte. Ltd.	AI inference for chat replies and image generation	Singapore (third country)
Resend, Inc.	Transactional email (magic links, account notifications)	United States (third country)

International Transfers

BytePlus (Singapore) and Resend (United States) process data outside the EU/EEA. Singapore has been recognised by the European Commission as offering an adequate level of protection for the categories of data we transmit (no special category data is transmitted to Resend; chat content sent to BytePlus is processed transiently for inference and not retained by BytePlus per their data-processing terms). For the US transfer to Resend we rely on the EU-US Data Privacy Framework and, as a fallback, the EU Standard Contractual Clauses (Module 2) plus supplementary technical and organisational measures.

Your chat messages are transmitted to BytePlus only as needed to generate a reply. We do not allow BytePlus to retain, train on, or otherwise reuse the content of your conversations.

How Long We Keep It

Account, chat history, generated media — until you delete your account, or until 24 months of complete inactivity, whichever comes first. After deletion, content is removed from production within 7 days and from rolling backups within 30 days
Technical logs — 14 days
Billing and accounting records — 10 years (German tax law, § 147 AO)
Backups — rolling 30-day window

Your Rights

Under the GDPR you have the following rights, exercisable free of charge:

Access (Art. 15) — request a copy of the data we hold about you
Rectification (Art. 16) — ask us to correct inaccurate data
Erasure (Art. 17) — ask us to delete your account and associated data
Restriction (Art. 18) — ask us to pause processing in defined circumstances
Portability (Art. 20) — receive a machine-readable export of your data
Objection (Art. 21) — object to processing based on legitimate interest
Withdraw consent (Art. 7(3)) — for processing based on consent, withdraw at any time without affecting prior lawfulness
Complain to a supervisory authority (Art. 77) — typically the data protection authority of your habitual residence; for us that is the Berliner Beauftragte für Datenschutz und Informationsfreiheit

To exercise any of these rights, email kontakt@fothgroup.de. We respond within one month as required by Art. 12(3) GDPR.

Account Deletion

You can delete your account at any time from within the app, which triggers irreversible deletion of your messages, generated media, persona state and account record. Backups containing prior states cycle out within 30 days.

Age

This service is strictly for adults. You must be at least 18 years old (or the higher age of majority in your jurisdiction) to sign up. We do not knowingly collect data from minors. If you believe a minor has accessed the service, please contact us immediately at kontakt@fothgroup.de.

Content Standards & Reporting

All content on spicyemilia is generated by AI. Our generation pipeline and policy explicitly exclude content depicting minors, non-consensual scenarios, real-person deepfakes, violence against persons, and any content prohibited under §§ 130, 184a–c German Criminal Code or § 4 of the German Interstate Treaty on the Protection of Minors (JMStV). User prompts targeting such content are filtered server-side and may result in immediate account termination.

If you encounter content on this site that you believe violates these standards or applicable law, please report it to kontakt@fothgroup.de. Include a URL or screenshot, the reason for your report, your contact details for follow-up, and whether you are reporting as a private individual, an EU trusted flagger within the meaning of Art. 22 DSA, or a public authority. We acknowledge receipt within 24 hours and issue a reasoned decision within 72 hours, together with information on remedies and internal complaint mechanisms pursuant to Art. 16, 17 and 20 of the EU Digital Services Act.

Automated Decision-Making & AI Disclosure (Art. 22 GDPR · Art. 50 EU AI Act)

Conversations on spicyemilia are conducted with an artificial-intelligence character. The persona's replies, generated images and adaptive intensity setting are produced by AI models, not by a human writing in real time. We do not use the data we hold about you to make decisions that produce legal effects or similarly significantly affect you within the meaning of Art. 22 GDPR.

Security

We use TLS for all connections, encrypted storage at rest, hashed and salted credentials, and strict access controls. No system is perfectly secure, but we apply industry-standard safeguards proportionate to the sensitivity of the data we hold.

Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by email to your registered address and announced in the app at least 14 days before they take effect. Continued use of the service after that period constitutes acceptance of the updated policy.

Contact

Privacy questions, rights requests, complaints:
kontakt@fothgroup.de
Foth Group GmbH, Seehofstraße 137, 14167 Berlin, Germany