TL;DR
- EU residents have full GDPR rights at Molixa: access, rectification, erasure, portability, objection, restriction.
- We hold the minimum data needed (account email, hashed password, brand voice profile if saved). We do not log prompts or files.
- We sign a Data Processing Agreement (DPA) for any business or organization that asks. Free.
- Servers are in Germany (Hetzner, EU jurisdiction). AI inference sub-processors are in the US under SCCs.
- 72-hour breach notification policy. We will tell you and the supervisory authority within the legal window if anything goes wrong.
Data controller
For the purposes of GDPR, the data controller is:
WeboTech Studio
Riyadh, Saudi Arabia
Email: [email protected]
Our EU representative under Article 27 GDPR is appointed and contactable through the same email. We will provide their name and address on request.
What data we hold
The personal data we process falls into three buckets:
For all visitors (anonymous)
- IP address (kept 7 days in server logs, then rotated)
- User-agent string (same retention)
- Anonymous tool usage counts (24-hour rolling, used to enforce free-tier caps)
For account holders
- Email address
- Bcrypt-hashed password (we cannot recover or read your password)
- Display name and avatar (if signed up via Google OAuth)
- Brand voice profile if you saved one
- Favorited tools and tool usage timestamps (your dashboard, not our analytics)
For Premium subscribers
- Stripe customer ID (no card data; that lives with Stripe)
- Subscription status and billing email
What we never hold
- The content of your prompts to AI tools
- The files you uploaded
- The QR codes you generated or scanned
- The output our tools produced for you
Lawful basis for each activity
| Activity | Lawful basis |
|---|---|
| Running the tools you request | Performance of contract (Art. 6(1)(b)) |
| Storing your account + brand voice | Performance of contract (Art. 6(1)(b)) |
| Processing payments | Performance of contract (Art. 6(1)(b)) |
| Server logs for security | Legitimate interest (Art. 6(1)(f)): operating a secure platform |
| Anonymous aggregate analytics | Legitimate interest (Art. 6(1)(f)): improving the product, no individual profiling |
| Marketing email (if you opt in to newsletter) | Consent (Art. 6(1)(a)): withdraw anytime |
| Responding to legal requests | Legal obligation (Art. 6(1)(c)) |
Your rights under GDPR
You have the right to:
- Access (Art. 15): get a copy of all personal data we hold on you. Self-serve from your dashboard or email [email protected].
- Rectification (Art. 16): correct inaccurate data. Edit from your dashboard.
- Erasure / right to be forgotten (Art. 17): delete your data. Self-serve, instant.
- Restriction (Art. 18): pause our processing of your data while a dispute is being resolved.
- Portability (Art. 20): export your data in a machine-readable format (JSON).
- Object (Art. 21): object to processing based on legitimate interest (server logs, analytics). We will stop unless we can show overriding legitimate grounds.
- Withdraw consent: for anything you opted into (newsletter), unsubscribe anytime. We forget your email immediately.
- Lodge a complaint: with your national supervisory authority. See the “Filing a complaint” section.
We respond to all rights requests within 30 days. If we need more time (rare), we will tell you and explain why.
Data Processing Agreement (DPA) for businesses
If you are a business customer who needs Molixa to act as a data processor for personal data you submit (for example, generating cold emails for your customers), we sign a GDPR-compliant DPA at no cost.
Our standard DPA is based on the EU Commission’s Standard Contractual Clauses (June 2021) plus the IAPP’s recommended Article 28 schedule. Email [email protected] with your company name and the data categories you will process. We countersign within 5 business days.
International data transfers
Our servers are at Hetzner Online GmbH in Germany, fully within EU jurisdiction. Account data, server logs, and rate-limit counters never leave the EU.
AI inference (the actual model calls) happens at:
- Primary AI inference sub-processor, United States. Transfer governed by the EU Standard Contractual Clauses (Module 2: Controller to Processor). Provider name disclosed on request to [email protected].
- Writing AI inference sub-processor, United States. Same SCCs. Available on request.
- Failover AI inference sub-processor, United States. Same SCCs. Available on request.
Each AI provider receives only the prompt for the duration of the request, performs inference, returns the output, and drops the prompt. None retain copies (verified in our DPAs with each).
Stripe handles payment data in the United States with EU-US Data Privacy Framework certification.
Data breach response
If we discover a personal data breach, we will:
- Contain it (revoke compromised credentials, rotate keys, etc.) within hours.
- Notify the affected supervisory authority within 72 hours per Art. 33 GDPR if the breach is likely to result in a risk to your rights and freedoms.
- Notify affected users without undue delay per Art. 34 GDPR if the risk is high.
- Publish a public post-mortem on the blog within 14 days (anonymized to protect ongoing investigation if needed).
Filing a complaint
Contact us first: [email protected]. We respond to GDPR concerns within 5 business days and aim to resolve within 30.
If we cannot resolve it, you have the right to lodge a complaint with your national supervisory authority. A list of EU supervisory authorities is at edpb.europa.eu.