This English version of the Privacy Policy is provided for reading and comprehension purposes only. The legally binding version is the German version, which can be found here: www.chamelaion.com/de/privacy-policy.
Version: 03 March 2026
Introduction
Protecting your privacy and your personal data is very important to CHAMELAION.
CHAMELAION therefore collects and uses your personal data exclusively within the scope of the applicable legal provisions, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”), as well as the German Federal Data Protection Act of 30 June 2017 (Bundesdatenschutzgesetz, “BDSG”) and the German Telecommunications and Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, “TDDDG”).
For more detailed information about how our services work and their functional scope, please refer to our product pages at https://www.chamelaion.com/plans and to the Terms and Conditions linked to our services at https://www.chamelaion.com/terms (in particular the current service description available there).
With this Privacy Policy, we would like to inform you - regardless of whether you create a user account with us, take out a subscription, or simply visit our website - about the nature, scope and purposes of the collection, use and processing of your personal data by us.
If you have any questions, you can reach us at any time using the contact details below (see Section 1).
Data Protection Officer
We have appointed an external Data Protection Officer (DPO). You can reach them at:
Martin Bastius
Schützenstraße 5
10117 Berlin
Germany
Phone: +49 8941 325320
E-mail: datenschutz@heydata.eu
The DPO has been appointed since 01 December 2025 and performs their duties on the basis of a service agreement pursuant to Art. 37 et seq. GDPR.
CONTENT
1 Controller and Contact
2 Definitions
3 Scope of Data Protection; Own Authorization
4 Automatic Data Collection When Accessing the Website
5 Contacting CHAMELAION
6 CHAMELAION’s Social Media Presence
7 Creating an Account and Taking Out a Subscription
8 Processing of Submitted Data; Metadata
9 Use of Services by Google, ElevenLabs, DeepL and OpenAI
10 Use of Cookies and Other Technologies
11 Further Purposes of Processing
12 Other Recipients of Data
13 Data Security
14 General Information on Data Deletion and Retention Periods
15 Your Rights
16 No Obligation to Provide Data
17 No Automated Decision-Making / Profiling
18 Changes to This Privacy Policy
1 Controller and Contact
The controller responsible for data processing within the meaning of the GDPR, the BDSG, the TDDDG, other data protection laws applicable in the Member States of the European Union and other provisions of a data protection nature is:
CHAMELAION GmbH
Berger Straße 342
D-60385 Frankfurt am Main
Federal Republic of Germany
A limitedliability company (GmbH) under German law, registered with the Commercial Register at the Local Court (Amtsgericht) Frankfurt am Main under registration number HRB 136581, VAT ID DE450519324
(hereinafter "CHAMELAION").
CHAMELAION is represented by:
Management: Pascal Fischer (Managing Director, CEO)
Yannik Rover (Authorized Signatory (Prokurist), COO)
Tel. (mainoffice) +49 162 4536164
E-mail: privacy@chamelaion.com
If you have questions or concerns about data protection, please contact us using the above contact details, preferably via the e-mail address specifically set up for data protection requests: privacy@chamelaion.com.
For general questions about our products, please contact sales@chamelaion.com.
Further information on data processing in connection with contacting CHAMELAION can be found in Section 5.
2 Definitions
In this Privacy Policy, we use the following defined terms:
2.1 “Account” means an individual user account accessible via the internet on the CIT systems, which enables the customer to book a subscription and provides personalised access to our services;
2.2 “Terms and Conditions” (“T&Cs”) means CHAMELAION’s General Terms and Conditions, available on our website at https://www.chamelaion.com/terms;
2.3 “BDSG” has the meaning assigned in the Introduction;
2.4 “CHAMELAION” has the meaning assigned in Section 1;
2.5 “CIT systems” means the entirety of the IT system infrastructure operated by CHAMELAION for providing the services, including all hardware and software components;
2.6 “DeepL” means DeepL SE, Maarweg 165, 50825 Cologne, Federal Republic of Germany, website: https://www.deepl.com, including its affiliated companies;
2.7 “Service” means any service provided to customers via our CIT systems, in particular the automated processing of Submitted Data by means of audio and moving-image recognition, transcription and translation of content including audio and video generation based on Submitted Data, including the optional lip synchronisation (“LipSync”) as part of the synchronisation of image and sound, as well as the software tools required for manual post-editing by the customer;
2.8 “DPA” means a data processing agreement with a subcontractor (Data Processing Addendum);
2.9 “GDPR” has the meaning assigned in the Introduction;
2.10 “Submitted Data” means all data and files that are sent, uploaded or otherwise entered by the customer into our CIT systems to be processed by our CIT systems in accordance with the service description;
2.11 “ElevenLabs” means Eleven Labs Inc., 169 Madison Ave 2484, New York, NY 10016, United States of America, website: https://elevenlabs.io, including its affiliated companies;
2.12 “Google” means Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, website: https://www.google.com, including its affiliated companies such as Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
2.13 “Service Description” means the list of functionalities and specifications of the services, as agreed with the customer upon contract conclusion in accordance with the T&Cs;
2.14 “LipSync” means a feature of the services in which video content is automatically processed so that the visible mouth/lip movements in the video better match the generated audio track; for this purpose, in particular image sequences (frames) and timing information from audio/video may be processed;
2.15 “OpenAI” means OpenAI, LP, 3180 18th Street, San Francisco, CA 94110, USA, website: https://www.openai.com, including its affiliated companies;
2.16 “Project” means a project created by the customer on the CIT systems during use of the services, within which Processed Content is generated as part of our services on the basis of Submitted Data;
2.17 “USA” means the United States of America;
2.18 “TDDDG” has the meaning assigned in the Introduction;
2.19 “Processed Content” means all content resulting from the processing of Submitted Data on the CIT systems (in particular video files generated on the CIT systems);
2.20 “Website” means the website accessible under the domain https://www.chamelaion.com, unless otherwise indicated by the context;
2.21 “Payment service provider” is Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA.
3 Scope of Data Protection; Own Authorization
3.1 Data protection relates to personal data as defined by the GDPR, i.e., any information relating to an identified or identifiable natural person. A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more specific characteristics.
3.2 The website or the CIT systems allow you, in some places, to enter personal data into input fields (e.g., during an ordering process or in our editor / dubbing studio). CHAMELAION’s services also allow you (after creating an account) to upload video files - especially in the formats MP4, MOV, MP3, WAV - to our CIT systems; such files may also contain your personal data as a customer as well as personal data of third parties.
3.3 If you use the LipSync function, the video files you upload may also contain images of persons (e.g., face/mouth area). Processing is carried out exclusively for generating or improving lip synchronisation and not for the purpose of identifying persons. Please note: If your uploads contain personal data of third parties (e.g., persons depicted or audible), you may have them processed only if you have a valid data protection legal basis for this, as described above.
3.4 If files that you intend to upload to our CIT systems contain personal data of third parties, you may upload them to our CIT systems (i.e., use them as Submitted Data) only if you have a valid data protection legal basis vis-à-vis the third party concerned (e.g., their consent within the meaning of Art. 6(1) sentence 1 lit. a GDPR). For this reason, our T&Cs also provide for the obligation to conclude a data processing agreement (see Section 10.3 of the T&Cs).
4 Automatic Data Collection When Accessing the Website
4.1 Regardless of whether you have already created an account on our CIT systems or not, whether you are logged into an account or not, and whether you use our CIT systems for a fee or free of charge, your device automatically transmits certain data for technical reasons when you access our website https://www.chamelaion.com.
The following data that you may transmit to us is stored when you access the website:
(i) Date and time of your access;
(ii) Browser type (manufacturer) and browser version used by you;
(iii) Operating system used by you;
(iv) URL of the previously visited website;
(v) Amount of data transmitted;
(vi) Accessed domain;
(vii) Notification of successful data retrieval;
(viii) Search term when using a web browser;
(ix) Shortened/anonymised IP address;
(x) Full IP address;
(xi) Diagnostic information in the event of errors.
If you visit our website to obtain information about our products and services or to use them, the legal basis for the temporary storage and processing of access data is Art. 6(1) sentence 1 lit. b GDPR (processing for the performance of a contract or to take steps prior to entering into a contract). In all other cases, processing is carried out under Art. 6(1) sentence 1 lit. f GDPR based on our legitimate interest in improving the stability and functionality of our website. The data is stored for purely technical reasons. We use website access data for error analysis, ensuring the security of our systems, logging access within subscriptions, and improving our services. Using geolocation based on your IP address, we also determine which region you are visiting our website from. We use this information to check whether we can offer our services in your region; this corresponds to our legitimate interests under Art. 6(1) sentence 1 lit. f GDPR. The full IP address is stored for users of our free services for a maximum period of fourteen (14) days, which is also justified by our legitimate interest in achieving the purposes listed above (Art. 6(1) sentence 1 lit. f GDPR). The storage of IP addresses of users of paid services for the duration of the contract is justified under Art. 6(1) sentence 1 lit. b GDPR. This data is not merged with other data sources, and it is not evaluated for marketing purposes.
5 Contacting CHAMELAION
We offer you the option to contact us by e-mail via our website. Please note that if messages and attachments are sent unencrypted by e-mail, confidentiality cannot be guaranteed by us for technology-related reasons - even though we use state-of-the-art technologies.
5.1 Sales and support requests
If you send us a sales or support request to obtain further information about our services and subscription plans or to initiate contract negotiations, you may use the contact details (e-mail, telephone) provided on our website. For both support and sales requests, Art. 6(1) sentence 1 lit. b GDPR serves as the legal basis for processing the personal data you provide to us, including any subsequent correspondence, because the processing is necessary for initiating and concluding a contract and for performing our (future) contract. Art. 6(1)sentence 1 lit. b GDPR also justifies processing of personal data that may be included in documents sent to our support team. We store your data for the duration of our business relationship and there after for the duration of statutory retention periods, if required. Processing of your personal data within our customer database and analyses of our customer-related processes is based on Art. 6(1) sentence 1 lit. f GDPR, as this is in our legitimate interest in efficient customer management and communication. The above also applies accordingly to deletion.
5.2 Data protection requests
If you have questions or concerns about data protection, you may contact CHAMELAION at privacy@chamelaion.com. We process the data we receive from you in this context under Art. 6(1) sentence 1 lit. a GDPR on the basis of your voluntary consent implicitly granted by sending the message. We store your data for the duration of our business relationship and thereafter for the duration of statutory retention periods, if required.
5.3 Applications
You may apply to us via career@chamelaion.com. The purpose of data collection in this case is applicant selection for the possible establishment of an employment relationship. For processing your application, we collect the data you provide (usually first and last name, e-mail address, application documents such as certificates and CV, earliest possible job start date, and salary expectations). Please note that confidentiality cannot be guaranteed if applications are sent unencrypted by e-mail. In general, you may also apply for open positions by post or in person. The legal basis for processing your application documents is Art. 6(1) sentence 1 lit. b and Art. 88(1) GDPR in conjunction with Section 26(1) sentence 1 BDSG. We store your personal data upon receipt of your application. If we accept your application and an employment relationship is established, we store your applicant data for aslong as it is required for the employment relationship and to the extent that statutory provisions require retention. If we reject your application, we store your applicant data for no longer than four (4) months after rejecting your application, unless you consent to longer storage. If you have separately consented, we will store the data submitted as part of your application for a further twelve (12) months after completion of the application process in order to identify and, if appropriate, contact you about other potentially suitable positions. After expiry of this period, the data will be deleted. You can revoke this consent at any time by e-mail to privacy@chamelaion.com.
6 CHAMELAION’s Social Media Presence
6.1 We operate several social media profile pages on various social networks, namely YouTube, Facebook, Instagram, Twitter/X and LinkedIn. On these profile pages, we regularly publish posts about our services, new features, and new job offers. If you interact with these pages or contact us via them and area member of the respective social network, we may receive and process data that can identify you or your social media presence. As the operator of these social media profile pages, we can also view anonymised statistics about visitor interactions with our profile pages (analytics functions of the platform operators). For this purpose, social network operators collect your interactions with our profile pages using cookies and similar technologies. Further information on data processing can be found in the respective platform operator’s privacy policies.
The legal basis for using our profile pages and the analysis functions of the social media providers is our legitimate interest under Art. 6(1) sentence 1 lit. f GDPR in using the respective page as an information channel about CHAMELAION and our services. With regard to the social media providers’ analysis functions, we have a legitimate interest in understanding visits, usage and interactions with our own profile pages in order to respond to them more specifically and further improve our public presence. Where users have given consent to data processing within the respective social platform, processing is based on that consent. Data deletion is carried out in accordance with the social network’s data protection rules.
6.2 Please note that we and the operator of the respective social network are jointly responsible for the processing operations triggered when you visit our profile pages. However, the social network operators may also process the data collected in this context for their own purposes, which are not covered by this privacy policy. It is also possible that data collected about you will be transferred to third countries, in particular the USA. We have no influence on these processing operations and therefore refer you to the privacy information of the respective social networks. In principle, you can assert your rights both against us and against the operator of the respective social platform. We would like to point out that, despite joint responsibility, these rights can be asserted most effectively with the social network operators. If you need helpin this regard, please feel free to contact us.
7 Creating an Account and Taking Out a Subscription
7.1 Creating an account on our CIT systems
(a) You can create an account via our website. An account - along with taking out a (paid or free) subscription under the T&Cs - is a prerequisite for using our services. To create your account, the following personal data is stored:
(i) E-mail address;
(ii) chosen password;
(iii) IP address;
(iv) Username;
We process your e-mail address and chosen password on the basis of Art. 6(1) sentence 1 lit. b GDPR in connection with the user agreement concluded. We process your IP address on the basis of Art. 6(1) sentence 1 lit. f GDPR, as it corresponds to our legitimate interests to compare your IP address for fraud prevention purposes with IP addresses that have previously misused our service.
(b) Please note that creating an account is a prerequisite for using our services; however, creating an account does not oblige you to purchase a paid subscription. If you do not take out a paid subscription after creating an account, the account will remain in place and - e.g., under a free subscription - generally remains usable. You can delete your account at any time by sending an e-mail with your request to support@chamelaion.com.
(c) We may introduce a single sign-on (SSO) solution so that separate registration on our CIT systems is not required; for example, your company or organisation could transmit your e-mail address as well as your first and last name directly to us, and we would then enable your access without registration. We would process this data on the basis of Art. 6(1) sentence 1 lit. b GDPR. In any case, we would oblige your company or organisation beforehand to comply with its data protection obligations toward you.
7.2 Contract conclusion and performance for paid subscriptions
(a) If you take out a paid subscription after creating an account, the following personal data is additionally collected and processed for the purpose of concluding and performing the contract (Art. 6(1) sentence 1 lit. b GDPR):
(i) First name, last name, where applicable company name;
(ii) address;
(iii) payment data;
(iv) where applicable tax number(s);
(v) selected subscription option;
(vi) any other additional data you provide during registration to process the booking and payment transaction.
(b) We also collect your payment data if you start a (paid) subscription within a free trial period (if offered). Despite such a free trial period, processing of your payment data is required at the time of contract conclusion within the meaningof Art. 6(1) sentence 1 lit. b GDPR because you are concluding a paid subscription that is only free of charge during the trial period to allow you to test the paid subscription without costs initially. If you do not cancel within the trial period, the subscription will continue automatically as a paid subscription - exactly as agreed at the time of contract conclusion - and the payment method you provided will be charged at the time stated during the booking process.
(c) To process payments, we pass the required payment data on to our payment service provider Stripe. If you make a payment via our subscription system, the payment data you enter is transmitted directly to Stripe and processed there. As part of payment processing, Stripe collects and processes personal data such as payment information (credit card details, bank account data), name, address, and other information required for payment. Processing is based on performance of our contract under Art. 6(1) lit. b GDPR, as payment is required to book a subscription and Stripe is a proven provider for online payment processing. Stripe also processes personal data on the basis of its own privacy policy and the user’s consent under Art. 6(1) lit. a GDPR within Stripe’s payment processing process insofar as this is necessary for payment processing. We have concluded a data processing agreement (DPA) with Stripe; Stripe may therefore process the data only on our instructions and not for its own purposes. A copy of this DPA is available at: https://stripe.com/en-es/legal/dpa. Stripe stores personal data only for as long as necessary to fulfil contractual obligations and as long as statutory retention obligations exist (e.g., under tax or commercial law). After expiry of statutory retention periods, Stripe deletes the data unless longer retention is required by law. Stripe is a provider based in the USA; therefore, personal data may be transferred to third countries. Stripe has taken appropriate measures to ensure an adequate level of data protection, such as using EU standard contractual clauses (EU SCCs), and is also certified under the EU–US Data Privacy Framework (more details on DPF and EU SCCs in Section 9). Further information on data collection and processing by Stripe and Stripe’s privacy policy can be found at: https://stripe.com/de/privacy.
(d) In addition to the above data, we process further (usage) data relevant to providing and billing our services, such as hashes, time of subscription conclusion, billing period, successful payment processing, log-ins, number of processed contents, subscription upgrades and downgrades. Processing and storage of this data is necessary for concluding and performing the contract and is therefore legitimate under Art. 6(1) sentence 1 lit. b GDPR. If you are not yourself a party to the contract, but access to our CIT systems is provided to you by your employer or an organisation you belong to, we base processing of the data and usage data described above on Art. 6(1) sentence 1 lit. f GDPR, as processing is necessary to conduct the business relationship with our direct customer/contractual partner (i.e., your employer/organisation), which has assured us in the individual SaaS agreement that it has obtained the necessary consent from you and will respect your data protection rights.
(e) We store the data for the duration of the contract term and thereafter, where applicable, for the duration of statutory retention periods, if these require retention for the respective categories of data. We delete your account if you request this after cancellation of your subscription. Otherwise, we initially keep the account available to you as an account with a free subscription or without a subscription, so that it can be used again if you subscribe again without requiring re-registration. This is in both your and our interests in the smoothest possible use of our services (Art. 6(1) sentence 1 lit. f GDPR).
(f) In your account, you can also view data about your usage behaviour in various sections, in particular - depending on the subscription - previously used subscription quotas and remaining quotas/tokens. We justify this processing either under Art. 6(1) sentence 1 lit. b GDPR insofar as it is required for contract performance (in particular for billing and tax transparency purposesand to manage remaining service quotas/tokens), or - where it goes beyond what is strictly required for the contract - under our legitimate interests pursuant to Art. 6(1) sentence 1 lit. f GDPR, because we want to provide transparent visualisations of usage behaviour and support customers in selecting the best subscription package.
(g) If you are not yourself a party to the contract, but access is provided by your employer/organisation, it is also possible that we share data about your usage behaviour (e.g., consumed tokens, last login date) with your employer/organisation at their request. This corresponds to our legitimate interests and those of our customers/direct contractual partners in obtaining information about the use of subscriptions they pay for and the currently available usage volumes for all users within the organisation (Art. 6(1) sentence 1 lit. f GDPR). We note that your employer/organisation is itself subject to data protection obligations toward you; if you have concerns about processing by your employer/organisation, you may also contact them directly.
8 Processing of Submitted Data; Metadata
8.1 We process Submitted Data transmitted by you to our CIT systems only temporarily, insofar as this is necessary to provide our services to you under the agreement made with you (subscription model, service description) or due to your active use of a test function. The processing is therefore justified underArt. 6(1) sentence 1 lit. b GDPR, as it serves to fulfil our contractual obligations toward you; in the case of a test function, it is additionally based on your prior specific consent under Art. 6(1) sentence 1 lit. a GDPR. Your Submitted Data and Processed Content are not stored permanently on our servers (within the scope of the contractual agreements and as explained in this Privacy Policy) and, after the contractually owed service has been performed or a project has ended, are marked for deletion and deleted without undue delay unless overriding statutory retention obligations prevent this (in which case deletion will take place immediately once the statutory retention obligations have expired and no other legal basis for retention exists). An exception applies only if you actively click a button within our CIT systems to temporarily save a current project for later processing. In this case, Submitted Data and (preliminary) Processed Content can be stored on our servers and kept available for you to retrieve at any time until the project is ended, at which point secure deletion takes place. A saved project can also be deleted by you at any time.
8.2 LipSync (lip synchronisation). If you activate the LipSync function within a project, we additionally process the Submitted Data transmitted by you (in particular video and audio files) in such a way that timing information from audio/video as well as image information (in particular from the mouth/face area) may be analysed in order to generate the video content produced or output in a more lip-synchronised manner. The legal basis is - as with the other service - Art. 6(1) sentence 1 lit. b GDPR (performance of the contract); for features explicitly provided as a test function, processing may additionally be based on Art. 6(1) sentence 1 lit. a GDPR (consent), insofar as such consent is obtained. Processing is - as described in this section - only temporary and the data is marked for deletion and deleted after completion of the project, unless overriding retention obligations prevent this.
8.3 When providing our services for customers, we act as a processor in the case described in Section 3 (processing of personal data of third parties). Processing of your data is therefore based on the data processing agreement concluded with you before you use our services accordingly.
8.4 To reduce server capacity, files may also be stored briefly in the local hardware memory on the customer side to ensure smooth performance of the services.
8.5 Depending on your subscription, we may also provide features enabling you to retain selected Submitted Data and/or Processed Content even after a project is ended for later projects within your account (e.g., as templates). If you use such features, the processing is required to perform our contract and is therefore also justified under Art. 6(1) sentence 1 lit. b GDPR.
8.6 Regardless of whether you use our services for a fee or free of charge, we also collect and store the following data for each project:
(i) Project name assigned by you;
(ii) status and progress of the project;
(iii) file names and file types of Submitted Data;
(iv) for audio/video: length of the medium;
(v) errors that occurred during processing of the project (including Submitted Data) on our CIT systems.
We process this information under Art. 6(1) sentence 1 lit. f GDPR based on our legitimate interest in improving the functionality of our products, as it helps identify potential sources of errors more easily. The data is stored in a database accessible only to selected CHAMELAION employees (who are obliged to maintain data protection and confidentiality) and is automatically deleted after fourteen (14) days.
8.7 Further information on processing your data can be found in the remaining sections of this Privacy Policy and in our T&Cs.
9 Use of Services by Google, ElevenLabs, DeepL and OpenAI
9.1 Google Firebase
We use Google Firebase services on our CIT systems to create and manage user accounts and to authenticate users on our CIT systems. If you log in via Firebase or create an account, Google Firebase processes personal data. As part of the use of Google Firebase for account creation and login, personal data such as your name, e-mail address, profile picture (if you use a Google account), IP address and other identifiers are processed to provide you access and manage your login. Firebase also uses cookies and other technologies to verify and authenticate your account.
The legalbasis is Art. 6(1) lit. b GDPR, as processing is necessary to perform the contract for providing an account and access.
Google acts as a processor and processes your data in accordance with Google’s privacy policies and our instructions. Google stores data related to account management and authentication for as long as your account is active/existent. Data required for authentication/account management is deleted when you delete your account or it has not been used for a certain period.
Since Google Firebase is a Google product operated worldwide, your data may be transferred to countries outside the EU/EEA, in particular to the United States. However, Google has implemented appropriate safeguards to ensure that your data is processed in accordance with the requirements of the GDPR. Google is an active participant in the EU–US Data Privacy Framework (“DPF”), which governs the lawful and secure transfer of personal data of EU residents to the United States (see https://www.dataprivacyframework.gov). In this respect, the European Commission currently confirms - by its adequacy decision pursuant to Art. 45(3) GDPR of 10 July 2023 (reference C(2023) 4745) - a level of data protection that is comparable to the EU/EEA standard under the GDPR. You can find the decision, among other places, on the official website of EU law: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de.
For detailed information about how Google Firebase processes your data and about your rights under the GDPR, you can review Google Firebase’s privacy notice at https://firebase.google.com/support/privacy and Google’s privacy policy at https://policies.google.com/privacy.
In addition, Google uses so-called Standard Contractual Clauses. Standard Contractual Clauses are model clauses issued by the European Commission and are intended to ensure that your data continues to be processed in accordance with European data protection standards even if it is transferred to and stored in third countries (such as the United States) (Standard Contractual Clauses – “EUSCCs”, cf. Art. 46(2) and (3) GDPR). You can find the decision and the relevant Standard Contractual Clauses, among other places, on the official EU law website at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de.
By participating in the DPF and by using the Standard Contractual Clauses, Google therefore undertakes to maintain the European level of data protection when processing the relevant data, even if the data is stored, processed and administered in the United States.
9.2 ElevenLabs
We use ElevenLabs services on our CIT systems for speech synthesis (text-to-speech) and voice cloning. If submitted files contain personal data (e.g., names, spoken words or other identifiable information), this data may be processed by ElevenLabs. ElevenLabs processes the data solely for the stated purpose. ElevenLabs may also use the data to improve the quality of its AI-based speech technologies.
The legal basis is Art. 6(1) lit. b GDPR, as processing is necessary to perform the contract for providing our services.
Data is transferred to ElevenLabs within the scope of processing on behalf (data processing). We have concluded a data processing agreement with ElevenLabs (Data Processing Addendum, “DPA-EL”): https://elevenlabs.io/dpa.
Under the DPA-EL, data is stored only for as long as necessary to provide the commissioned services. Further information on retention periods is available in ElevenLabs’ privacy policy: https://elevenlabs.io/privacy-policy.
As ElevenLabs is headquartered in the USA, it may process data on servers in third countries outside the EU/EEA, in particular the USA. ElevenLabs is currently not a member of the DPF. However, we have agreed appropriate safeguards with ElevenLabs within the DPA-EL, including the EU SCCs, to ensure compliance withArt. 44 et seq. GDPR.
9.3 DeepL
We use DeepL services on our CIT systems to provide machine translations. When using these services, data you transmit to us is transferred to DeepL to create the requested translations. In this context, personal data contained in submitted files may be processed, including text data processed by DeepL to deliver the requested translation. DeepL processes your data solely for the purpose of providing the translations you request and improving translation quality.
The legal basis is Art. 6(1) lit. b GDPR, as processing is necessary to perform the contract for providing our services.
Data is transferred to DeepL within the scope of processing on behalf. We have concluded a data processing agreement with DeepL (Data Processing Addendum, “DPA-DeepL”), available at: https://www.chamelaion.com/de/dpa-deepl.
DeepL stores the processed data only for as long as necessary to provide the commissioned services. The exact retention period depends on DeepL’s specific requirements; see DeepL’s privacy policy: https://www.deepl.com/de/privacy.
9.4 OpenAI
We use OpenAI services on our CIT systems for “context refinement” to improve the quality of translations and make them sound more natural (i.e., appropriate to context and language usage). For this purpose, parts of your Submitted Data are transmitted to OpenAI to generate such context refinement. Personal data contained in the submitted files may be processed when using OpenAI services.
OpenAI processes your data solely for the purpose of providing the translations you request and improving translation quality.
The legal basis is Art. 6(1) lit. b GDPR, as processing is necessary to perform the contract for providing our services.
Data is transferred to OpenAI within the scope of processing on behalf. We have concluded a data processing agreement with OpenAI (Data Processing Addendum, “DPA-OAI”), available at: https://openai.com/policies/data-processing-addendum/. TheDPA-OAI also includes the EU SCCs.
OpenAI stores the processed data only for as long as necessary to provide the commissioned services. Details can be found in OpenAI’s “row” privacy policy: https://openai.com/policies/row-privacy-policy/.
As OpenAI is headquartered in the USA, it may process data on servers in third countries outside the EU/EEA. OpenAI is currently not a member of the DPF. However, we have agreed appropriate safeguards with OpenAI within the DPA-OAI, including the EU SCCs, to ensure compliance with Art. 44 et seq. GDPR. Further information can be found in OpenAI’s privacy policy: https://openai.com/policies/privacy-policy/.
10 Use of Cookies and Other Technologies
10.1 Use of cookies and other technologies on https://www.chamelaion.com
(a) We use cookies, web storage objects and other technologies to provide you with arange of functionalities and to improve your user experience. If you do not want us to use such technologies, you can change the relevant settings in your browser. Please consult your browser manufacturer’s help pages or support for instructions. Please note that the functionality and scope of our website maybe impaired if you completely disable cookies, web storage objects or other technologies.
(b) In particular, we use such technologies in the following categories:
(i) Necessary: These cookies or web storage objects are necessary for our website to function properly and to enable smooth navigation and access to our core functions. This includes providing important functions for the security and accessibility of our services and user interface preferences, e.g., display language of the website and the language used for translation or text improvement, as well as processing subscription orders. The collection of data via necessary cookies/web storage objects is justified under Section 25(2) no. 2 TDDDG. Further processing of this data is justified either under Art. 6(1)sentence 1 lit. b GDPR (contract performance) or under Art. 6(1) sentence 1 lit. f GDPR based on our legitimate interest in presenting our products and our company.
(ii) Performance: The data collected from these cookies allows us to measure how our website/CIT systems are used. We use this information to improve our website and services, for example, how often users return and which functions they use. We and our external service providers set these cookies/web storage objects only with your explicit consent on the basis of Section 25(1) TDDDG. Further processing is also based on your consent pursuant to Art. 6(1) sentence 1 lit. a GDPR.
(iii) Functional: These cookies enable us to make use of our website more convenient and personalised for you. For example, we can personalise your user experience based on the pages you have visited. We set these cookies/webstorage objects only with your explicit consent on the basis of Section 25(1) TDDDG. Further processing is also based on your consent pursuant to Art. 6(1) sentence 1 lit. a GDPR.
(iv) Marketing: These cookies and other technologies are used to display advertising that is more relevant to you and your interests. By selecting this category, you also agree that CHAMELAION transfers your data to third parties outside the EU (e.g., Google), including the sharing of hashed e-mail addresses. In accordance with Section 25(1) TDDDG and Art. 6(1) sentence 1 lit. a GDPR, we use these cookies/web storage objects/other technologies and process the data obtained only with your explicit consent.
(c) The following table lists the different types of cookies, web storage objects and other technologies that may be used when using our website/CIT systems. Cookies/web storage objects are stored until the defined expiry date or until you delete them in your browser, or - if a session object - until the session expires. You can revoke your consent for the use of cookies/web storage objects/other technologies in the categories Performance, Functional and Marketing at any time. You can do this by activating/deactivating the slider button in the relevant category at the top right of the table.
10.2 Analysis of usage behaviour
To better understand how our services are used and to align them more closely with our customers’ needs and wishes, we analyse - based on pseudonymised data - how our customers use CHAMELAION’s website/CIT systems. This enables us to understand general usage habits and to derive different target and user groups. We can then address these groups more specifically, for example by informing them about features of our products that they have not yet used or were not aware of and helping them choose the subscription that suits them. In this way, we enable our customers to learn about and make appropriate use of all features of CHAMELAION’s CIT systems and improve the overall user experience.
This corresponds to our legitimate interests under Art. 6(1) sentence 1 lit. f GDPR. Data is explicitly not transferred to third parties.
11 Further Purposes of Processing
11.1 Compliance with legal obligations: We also process your personal data to comply with other legal obligations that may apply to us in connection with our business activities, in particular commercial, trade or tax law retention obligations. We process your personal data under Art. 6(1) sentence 1 lit. c GDPR to fulfil a legal obligation.
11.2 Enforcement of rights: We also process your personal data to assert our rights and enforce our legal claims, as well as to defend against legal claims. We also process your personal data insofar as this is necessary to prevent or prosecute criminal offences. We process your personal data to safeguard our legitimate interests under Art. 6(1) sentence 1 lit. f GDPR (legitimate interest) insofar as we assert legal claims, defend ourselves in legal disputes, or prevent/investigate criminal offences.
11.3 Consent: If you have given us consent to process personal data for certain purposes (e.g., sending information materials and offers), that processing is lawful on the basis of your consent. You may revoke consent at any time. Please note that revocation only takes effect for the future and does not affect processing carried out before the revocation.
12 Other Recipients of Data
Beyond the data uses described in detail above, the following applies:
12.1 Within CHAMELAION, those departments receive access to your data that require it to fulfil our contractual and legal obligations. Service providers and agents used by us may also receive data for these purposes. We always limit the sharing of your personal data to what is necessary, taking into account data protection requirements. Some recipients receive your personal data as processors within the EU and are then strictly bound by our instructions. Other recipients act independently as controllers and are also obliged to comply with the GDPR and other data protection laws.
12.2 In individual cases, we also transfer personal data to our advisors in legal or tax matters; these recipients are obliged to maintain special confidentiality and secrecy due to their professional status.
13 Data Security
Your connections to our website are protected using encryption techniques in line with the current state of the art. The level of protection also depends on which encryption your browser or IT device supports. You can recognise whether an individual page of our website is transmitted in encrypted form by the closed key/lock symbol in your browser’s status bar. We also implement appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.
14 General Information on Data Deletion and Retention Periods
14.1 We ensure through internal processes that your personal data is stored only for as long as necessary. Please note that we as a company are subject to statutory retention periods (e.g., tax and commercial law), which may require selective storage of data for a certain period (e.g., regarding payment processing and invoicing), see also Section 11.1 and the following Section 14.2. Further details on your rights, in particular your right to deletion, can be found in Section 15 below.
14.2 We process and store your personal data initially for the duration required by the respective purpose of use (see the individual sections on processing purposes). This may include the periods of initiating a contract (pre-contractual relationship) and processing a contract. On this basis, personal data is regularly deleted when we have fulfilled our contractual and/or legal obligations, unless temporary further processing is required forthe following purposes:
(a) To fulfil statutory retention obligations arising, for example, from the German Commercial Code (HGB) (Sections 238, 257(4) HGB) and the German Fiscal Code(AO) (Section 147(3), (4) AO). Retention/documentation periods may be up to ten years.
(b) Preservation of evidence taking into account limitation periods. Under Sections 194 et seq. of the German Civil Code (BGB), limitation periods may be up to thirty years, while the regular limitation period is three years.
15 Your Rights
Subject to the statutory requirements, you have the following rights as a data subject:
15.1 Right of access: Under Art. 15 GDPR, you may request confirmation as to whether personal data concerning you is processed by us; if so, you have the right to information about such personal data and certain additional information (including purposes of processing, categories of personal data, categories of recipients, planned storage duration, origin of the data, use of automated decision-making, and - where data is transferred to third countries -the appropriate safeguards), as well as a copy of your data. The limitations of Section 34 BDSG apply.
15.2 Right to rectification: Under Art. 16 GDPR, you may request that we rectify personal data stored about you if it is inaccurate or incorrect.
15.3 Right to erasure: Under Art. 17 GDPR, you may request that we delete personal data concerning you without undue delay. The right to erasure does not apply, among other things, where processing is necessary, e.g., to comply with a legal obligation (e.g., statutory retention obligations) or for the establishment, exercise or defence of legal claims. The limitations of Section 35 BDSG also apply.
15.4 Right to restriction of processing: Under Art. 18 GDPR, you may request restriction of processing of your personal data.
15.5 Right to data portability: Under Art. 20 GDPR, you may request that we provide you with the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format.
15.6 Right to withdraw consent: You may withdraw consent you have given to the processing of personal data at any time. Please note that withdrawal only takes effect for the future. Processing carried out before withdrawal is not affected. Informal notice, e.g., by e-mail, is sufficient.
15.7 Right to object: Under Art. 21 GDPR, you may object to processing of your personal data, meaning we must stop processing. The right to object exists only within the limits of Art. 21 GDPR. Moreover, our interests may outweigh your request to stop processing, so we may be entitled to continue processing despite your objection. We will implement an objection to direct marketing measures immediately and without further balancing of interests.
Informationon your right to object pursuant to Art. 21 GDPR: You have the right to object at any time to the processing of your data based on Art. 6(1) sentence 1 lit. f GDPR (processing based on a balancing of interests) or Art. 6(1) sentence 1 lit. e GDPR (processing in the public interest) if there are reasons arising from your particular situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims. The objection may be made informally and should preferably be addressed to privacy@chamelaion.com or, alternatively, to the other contact details stated above.
15.8 Right to lodge a complaint with a supervisory authority: You also have the right to lodge a complaint with a supervisory authority regarding processing of your personal data, for example with the data protection supervisory authority responsible for us: The Hessian Commissioner for Data Protection and Freedom of Information, P.O. Box 3163, D-65021 Wiesbaden, Germany; Tel.: +49(0)611-14080; E-mail: poststelle@datenschutz.hessen.de.
If you would like to exercise any of the above rights, simply write to us at privacy@chamelaion.com - we will be happy to help.
16 No Obligation to Provide Data
In principle, you are not obliged to provide us with your personal data. However, if you do not do so, we may not be able to make our website and services fully available to you or answer your enquiries (correctly). Personal data that we do not strictly need for the processing purposes stated above is marked as voluntary information.
17 No Automated Decision-Making / Profiling
We do not use automated decision-making or profiling (i.e., an automated analysis of your personal circumstances).
18 Changes to This Privacy Policy
Our website/CIT systems are continuously developed and equipped with new or improved features. We therefore reserve the right to amend this Privacy Policy accordingly. The current version of this Privacy Policy can be accessed at anytime on our website at https://www.chamelaion.com/de/privacy-policy.
© 2025 CHAMELAION GmbH
.avif)