Privacy Policy

This English version of the Privacy Policy is provided for reading and comprehension purposes only. The legally binding version is the German version, which can be found here: www.chamelaion.com/de/privacy-policy.

VERSION: 10.02.2025

INTRODUCTION

Protecting your privacy and personal data is of utmost importance to CHAMELAION.

Therefore, CHAMELAION collects and uses your personal data solely in accordance with applicable legal provisions, particularly:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation, "GDPR");
  • The German Federal Data Protection Act (Bundesdatenschutzgesetz, "BDSG"), enacted on June 30, 2017 (as amended from time to time); and
  • The German Telecommunications-Telemedia Data Protection Act ("TDDDG"), which governs data protection and privacy in telecommunications and digital services.

For more detailed information on the functionality and scope of our services, please refer to our product pages at www.chamelaion.com/subscriptions and the General Terms and Conditions ("T&Cs") at www.chamelaion.com/terms (including the current service description available there).

This Privacy Policy is intended to inform you—whether you create a user account, subscribe to our services, or simply visit our website—about the type, scope, and purposes of collecting, using, and processing your personal data by CHAMELAION.

If you have any questions, you can contact us at any time using the contact details provided below (see Section 1).

CONTENTS

  1. Responsibility and Contact Information
  2. Definitions
  3. Scope of Data Protection; Authorization to Act on Own Behalf
  4. Automatic Data Collection via Website Access
  5. Contacting CHAMELAION
  6. CHAMELAION’s Presence on Social Media
  7. Creating an Account and Subscribing to a Plan
  8. Processing of Submitted Data and Metadata
  9. Use of Services by Google, ElevenLabs, DeepL, and OpenAI
  10. Use of Cookies and Other Technologies
  11. Additional Processing Purposes
  12. Other Recipients of Data
  13. Data Security
  14. General Data Deletion and Retention Periods
  15. Your Rights
  16. No Obligation to Provide Data
  17. No Automated Decision-Making / Profiling
  18. Changes to the Privacy Policy

1 RESPONSIBILITY AND CONTACT

The controller responsible for data processing within the meaning of the GDPR, BDSG, TDDDG, and other applicable data protection laws in the European Union Member States is:

CHAMELAION GmbH
Berger Straße 342
D-60385 Frankfurt am Main
Federal Republic of Germany

A limited liability company under German law, registered with the Commercial Register of the Local Court of Frankfurt am Main under registration number HRB 136581, with VAT Identification Number DE450519324
(hereinafter referred to as "CHAMELAION").

CHAMELAION is represented by:
Management:

  • Pascal Fischer (Managing Director, CEO)
  • Yannik Rover (Authorized Representative, COO)
  • Julian Wustl (Authorized Representative, CTO)

Phone (Head Office): +49 162 4536164
Email: privacy@chamelaion.com

For questions or concerns regarding data protection, please contact us using the details provided above, preferably via the dedicated email address for data protection inquiries: privacy@chamelaion.com.

For general inquiries about our products, please contact sales@chamelaion.com.

Further information on data processing related to contacting CHAMELAION can be found in Section 5.

2 DEFINITIONS

In this Privacy Policy, the following defined terms are used:

2.1 "Account" refers to an individual user account accessible via the internet on the CIT Systems, which allows the customer to subscribe to a plan and access our services in a personalized manner.

2.2 "T&Cs" refers to CHAMELAION’s General Terms and Conditions, which can be accessed at www.chamelaion.com/terms.

2.3 "BDSG" has the meaning assigned in the Introduction.

2.4 "CHAMELAION" has the meaning assigned in Section 1.

2.5 "CIT Systems" refers to the entire IT system infrastructure operated by CHAMELAION to provide its services, including all hardware and software components.

2.6 "DeepL" refers to DeepL SE, Maarweg 165, 50825 Cologne, Germany, Web: www.deepl.com, including its affiliated companies.

2.7 "Service" refers to any service provided to customers via CHAMELAION’s CIT Systems, particularly: Automated processing of submitted data, including audio and video recognition, Transcription and translation of content, Audio and video generation based on submitted data, and Software tools necessary for manual post-editing by the customer.

2.8 "DPA" refers to a Data Processing Addendum with a subcontractor.

2.9 "GDPR" has the meaning assigned in the Introduction.

2.10 "Submitted Data" refers to all data and files that the customer sends, uploads, or otherwise enters into the CIT Systems to be processed by CHAMELAION's CIT Systems in accordance with the service description.

2.11 "ElevenLabs" refers to Eleven Labs Inc., 169 Madison Ave 2484, New York, NY 10016, USA, Web: www.elevenlabs.io, including its affiliated companies.

2.12 "Google" refers to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, Web: www.google.com, including its affiliated companies, in particular Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

2.13 "Service Description" refers to the list of functionalities and specifications of the services, as agreed upon at the time of contract conclusion in accordance with the T&Cs.

2.14 "OpenAI" refers to OpenAI, LP, 3180 18th Street, San Francisco, CA 94110, USA, Web: www.openai.com, including its affiliated companies.

2.15 "Project" refers to a project created by the customer within the CIT Systems as part of service usage, in which processed content is generated based on submitted data.

2.16 "USA" refers to the United States of America.

2.17 "TDDDG" has the meaning assigned in the Introduction.

2.18 "Processed Content" refers to all content resulting from the processing of submitted data on the CIT Systems (particularly video files generated on the CIT Systems).

2.19 "Website" refers to the website accessible at www.chamelaion.com, unless otherwise stated in the respective context.

2.20 "Payment Service Provider" refers to Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA.

3 SCOPE OF DATA PROTECTION; OWN AUTHORIZATION

3.1 Data protection applies to personal data as defined by the GDPR, i.e., any information relating to an identified or identifiable natural person. A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

3.2 The website and the CIT Systems allow you, in certain cases, to enter personal data into input fields (e.g., during the ordering process or within our Editor / Dubbing Studio). Additionally, after creating an account, CHAMELAION's services allow you to upload video files in the following formats:

MP4, MOV, WMV, MP3, WAV. Such files may contain personal data about you as a customer as well as personal data of third parties.

3.3 If the files you intend to upload to our CIT Systems contain personal data of third parties, you may only upload them (i.e., use them as Submitted Data) if you have a valid legal basis for doing so under data protection laws, such as the explicit consent of the affected third party in accordance with Article 6(1)(a) GDPR. For this reason, our T&Cs also require the conclusion of a Data Processing Agreement (DPA) (see Clause 10.3 of the T&Cs).

4 AUTOMATIC DATA COLLECTION VIA WEBSITE ACCESS

4.1 Regardless of whether you have created an account on our CIT Systems, are logged into an account, or use our CIT Systems free of charge or as a paid service, your device automatically transmits certain data for technical reasons when you access our website at www.chamelaion.com.

The following data may be transmitted and stored when accessing our website:

  1. Date and time of your access
  2. Browser type (manufacturer) and browser version
  3. Operating system used
  4. URL of the previously visited website
  5. Amount of data transmitted
  6. Accessed domain
  7. Notification of successful data retrieval
  8. Search term used when accessing via a search engine
  9. Shortened/anonymized IP address
  10. Full IP address
  11. Diagnostic information in case of errors

If you visit our website to learn more about our products and services or to use them, the legal basis for the temporary storage and processing of access data is Article 6(1)(b) GDPR, which permits data processing for the performance of a contract or for pre-contractual measures. In all other cases, data processing is carried out in accordance with Article 6(1)(f) GDPR, based on our legitimate interest in improving the stability and functionality of our website. The above-mentioned data is stored for purely technical reasons. Website access data is used for error analysis, ensuring the security of our systems, logging access in subscriptions, and improving our services. Additionally, we determine your geographic region using geolocation based on your IP address to check whether we can offer our services in your region, which corresponds to our legitimate interest under Article 6(1)(f) GDPR. The full IP address of users of our free services is stored for a maximum of fourteen (14) days, which is also justified by our legitimate interest in achieving the aforementioned purposes under Article 6(1)(f) GDPR. The IP addresses of users of our paid services are stored for the duration of the contract, which is justified under Article 6(1)(b) GDPR. There is no merging of this data with other data sources, and the data is not analyzed for marketing purposes.

5 CONTACTING CHAMELAION

On our website, we offer you the option to contact us via email. Please note that when sending unencrypted messages or attachments via email, confidentiality cannot be fully guaranteed due to technological constraints, despite the use of modern security technologies.

5.1 Sales and Support Inquiries

If you submit a sales or support inquiry to request further information about our services and subscription plans or to initiate contract negotiations, you may use the contact details (email, phone) provided on our website.

For both support and sales inquiries, the legal basis for processing your personal data, including any subsequent correspondence, is Article 6(1)(b) GDPR, as the processing is necessary for contract initiation, conclusion, and execution.

Article 6(1)(b) GDPR also justifies the processing of personal data contained in documents submitted to our support team.

We store your data for the duration of our business relationship and subsequently for the legally required retention period, if applicable.

Processing your personal data within our customer database and for customer-related process analyses is based on Article 6(1)(f) GDPR, as it serves our legitimate interest in efficient customer management and communication. The aforementioned deletion policy applies accordingly.

5.2 Data Protection Inquiries

If you have questions or concerns regarding data protection, you may contact privacy@chamelaion.com. Data received in this context is processed pursuant to Article 6(1)(a) GDPR based on your implicit voluntary consent through message submission. We store your data for the duration of our business relationship and subsequently for the legally required retention period, if necessary.

5.3 Job Applications

We offer you the opportunity to apply for a position at CHAMELAION by emailing careers@chamelaion.com. The purpose of data collection in this case is to select applicants for a potential employment relationship. To process your application, we collect the data you provide, typically including: First and last name, Email address, Application documents (certificates, résumé/CV), Preferred start date, Salary expectations. Please note that when sending unencrypted applications via email, confidentiality cannot be fully guaranteed. You may also apply by postal mail or in person. The legal basis for processing your application documents is: Article 6(1)(b) GDPR and Article 88(1) GDPR, in conjunction with Section 26(1) Sentence 1 BDSG (Federal Data Protection Act, Germany). We store your personal data upon receipt of your application. If your application is successful and results in employment, we will store your applicant data for as long as necessary for the employment relationship and as required by legal retention obligations.

If your application is rejected, we will store your applicant data for a maximum of four (4) months after rejection, unless you consent to longer storage.

If you have explicitly consented, we will store your data for an additional twelve (12) months after the application process to identify potential future job opportunities and contact you accordingly. After this period, your data will be deleted. You may withdraw your consent at any time by emailing privacy@chamelaion.com.

6 CHAMELAION’S PRESENCE ON SOCIAL MEDIA

6.1 We operate multiple social media profile pages on various platforms, specifically: YouTube, Facebook, Instagram, Twitter (X), LinkedIn. On these profiles, we regularly post updates about our services, new features, and job opportunities. If you interact with these pages or contact us through them while being a member of the respective social network, we may receive and process data that allows us to identify you or your social media presence.

As the operator of these social media profiles, we also have access to anonymous statistics regarding visitor interactions (analytics functions provided by the platform operators). The operators of social networks collect data about your interactions with our profile pages using cookies and similar technologies. For more details on data processing, please refer to the privacy policies of the respective platform operators. The legal basis for using our social media profiles and the analytics functions provided by these platforms is our legitimate interest under Article 6(1)(f) GDPR, namely: Using these profiles as an information channel for CHAMELAION and our services. Understanding visitor engagement, usage, and interactions to enhance our public presence. If users explicitly provide consent for data processing within the respective social media platforms, processing is based on this consent. The deletion of data follows the privacy policies of the respective social network.

6.2 Please note that we share joint responsibility with the respective social network operators for the data processing triggered by visits to our profile pages. However, social network operators may also process your data for their own purposes, which are not covered by this Privacy Policy.

Additionally, data collected about you may be transferred to third countries, particularly the USA. We do not have control over these data processing activities and refer to the respective social media platforms’ privacy policies for further details. You may exercise your data protection rights both against us and against the operators of the respective social platform. However, we recommend that you directly contact the platform operators for more efficient enforcement of your rights. If you require assistance, you may contact us at any time.

7 CREATING AN ACCOUNT AND SUBSCRIBING TO A PLAN

7.1 Creating an Account on Our CIT Systems

(a) You can create an account via our website. An account is required to use our services under our Terms & Conditions, regardless of whether you choose a free or paid subscription.

When you register an account, we store the following personal data:

  • Email address
  • Chosen password
  • IP address
  • Username

We process your email address and password under Article 6(1)(b) GDPR as part of the user agreement.
Your IP address is processed under Article 6(1)(f) GDPR, as we have a legitimate interest in using it for fraud prevention by comparing it with previously flagged IP addresses.

(b) Creating an account is a prerequisite for using our services. However, it does not obligate you to purchase a paid subscription. If you choose not to subscribe after account creation, your account will remain active, allowing you to use free-tier services (such as the Free Subscription Plan). You can delete your account at any time by sending an email to support@chamelaion.com.

(c) We may implement a Single Sign-On (SSO) solution, allowing account creation without manual registration. For example, your company or organization may provide us with your: Email address, First and last name. This enables us to activate your access without separate registration. In such cases, we process your data under Article 6(1)(b) GDPR, as it is necessary to fulfill our contractual obligations. Your company/organization will be legally required to ensure compliance with data protection regulations before transmitting your data to us.

7.2 Contract Conclusion and Execution for Paid Subscriptions

(a) If you subscribe to a paid plan after creating an account, we will additionally process the following personal data for the purpose of contract conclusion and execution (Article 6(1)(b) GDPR):

  • First and last name (and company name, if applicable)
  • Address
  • Payment information
  • Tax identification number (if applicable)
  • Chosen subscription plan
  • Additional data provided during registration and payment processing

(b) If we offer a free trial for a paid subscription, we will still collect and process your payment details at the time of subscription registration.

Although the trial period is free of charge, payment details are required under Article 6(1)(b) GDPR since you are entering into a contract for a paid subscription that continues automatically unless canceled before the trial period ends. If no cancellation occurs, your provided payment method will be charged automatically at the specified time during the checkout process.

(c) We use Stripe as our payment service provider. When you make a payment through our subscription system, your payment data is directly transferred to Stripe for processing. Stripe collects and processes the following personal data: Payment information (credit card or bank account details), Name and address, Other necessary payment-related details. This processing is legally based on Article 6(1)(b) GDPR, as payment is necessary for contract fulfillment. Additionally, Stripe processes data under its own Privacy Policy and your explicit consent (Article 6(1)(a) GDPR) as part of the Stripe payment process. We have signed a Data Processing Agreement (DPA) with Stripe, ensuring that Stripe processes your data only under our instructions and not for its own purposes. A copy of this DPA is available at: Stripe Data Processing Agreement. Stripe retains personal data only as long as necessary for contract execution and legal compliance (e.g., tax or accounting requirements). Since Stripe is a US-based company, personal data may be transferred to third countries. However, Stripe has implemented appropriate safeguards, including: EU Standard Contractual Clauses (EU-SCCs), Certification under the Data Privacy Framework (DPF). For further details, please refer to Stripe’s Privacy Policy: Stripe Privacy Policy.

(d) In addition to subscription details, we process usage-related data such as: Hashed login details, Subscription start date, Billing period, Payment status, Login timestamps, Number of processed contents, Subscription upgrades/downgrades. Processing and storing this data is required for contract execution and invoicing (Article 6(1)(b) GDPR). If you access our services via your employer/organization, data processing is justified under Article 6(1)(f) GDPR, as it is necessary for business relationships with our contractual partners (i.e., your employer/organization). Your employer/organization must ensure legal compliance and obtain your consent before granting you access.

(e) We store your personal data for the duration of your subscription and for the legally required retention period afterward. If you cancel your subscription, you may request account deletion by contacting support@chamelaion.com. By default, your account will remain active (either as a free account or without an active subscription) to facilitate future reactivation. Keeping inactive accounts benefits both you and us by ensuring seamless service access without requiring re-registration (Article 6(1)(f) GDPR).

(f) Within your account dashboard, you can view various usage statistics, including: Past and remaining subscription quotas, Token usage (for token-based subscriptions). Processing this data is based on Article 6(1)(b) GDPR, as it is necessary for contract execution, invoicing, and tax compliance. For additional data processing beyond contract execution, we rely on Article 6(1)(f) GDPR, as we have a legitimate interest in: Providing transparency on subscription usage, Helping customers select the most suitable subscription plan (e.g., upgrades/downgrades).

(g) If your subscription is provided by your employer/organization, we may share data such as: Token usage, Last login date, Sharing this data aligns with our legitimate interests and those of our business customers under Article 6(1)(f) GDPR. This allows organizations/employers to: Monitor subscription usage, Manage user allocations. Your employer/organization is responsible for complying with data protection laws. If you have concerns about how your organization processes your data, please contact them directly.

8 PROCESSING OF SUBMITTED DATA; METADATA

8.1 We process the submitted data you transmit to our CIT systems only temporarily, to the extent necessary for providing our services in accordance with the agreement concluded with you (subscription model, service description) or utilizing test functions you actively request. This processing is lawful under Article 6(1)(b) GDPR, as it is required to fulfill our contractual obligations to you. If processing is related to a test function, it is additionally based on your explicit consent under Article 6(1)(a) GDPR. Your submitted data and processed content are not permanently stored on our servers. They are marked for deletion and promptly deleted after providing the agreed-upon service or upon the completion of a project. Exceptions apply if legal retention obligations require us to store the data for a specific period, in which case we will delete it as soon as permissible. Another exception applies if you actively save an ongoing project using the "Save" button, in which case your submitted data and (preliminary) processed content will remain stored on our servers until the project is completed or manually deleted by you. You can delete any saved project manually at any time.

8.2 When we process third-party personal data (as described in Section 3.3), we act as a data processor on your behalf. This means the processing of such data is based on the Data Processing Agreement (DPA) concluded with you before using our services.

8.3 To reduce server load, files may be temporarily cached locally on your device. This ensures a smooth user experience and uninterrupted service delivery.

8.4 Certain subscription plans may offer features that allow you to store selected submitted data and/or processed content beyond a project's completion, for example, saving content as templates for future use or reusing processed audio/video files. If you choose to use these features, the processing is necessary for contract fulfillment and is therefore lawful under Article 6(1)(b) GDPR.

8.5 Regardless of whether you use our services for free or paid, the following metadata is collected and stored for each project: project name (as assigned by you), project status and progress, file names and file types of submitted data, duration of audio/video files, and errors encountered during processing. This data is processed under Article 6(1)(f) GDPR, as we have a legitimate interest in improving our product functionality and identifying potential errors in the processing workflow. This metadata is stored in a secure database, accessible only to selected CHAMELAION employees who are bound by data protection and confidentiality obligations. The metadata is automatically deleted after fourteen (14) days.

8.6 For further information on data processing, please refer to other sections of this Privacy Policy and our Terms & Conditions (T&C).

9 Use of Services from Google, ElevenLabs, DeepL, and OpenAI

9.1 Google Firebase

We use Google Firebase services on our CIT systems to create and manage user accounts and authenticate users. When you log in via Firebase or create an account, Google Firebase processes personal data. As part of account creation and authentication through Google Firebase, personal data such as your name, email address, profile picture (if using a Google account), IP address, and other identifying characteristics are processed to enable access to your user interface and manage your login. Firebase also uses cookies and other technologies for account verification and authentication. The processing of your personal data by Google Firebase is for the purpose of creating and managing user accounts, authentication, and providing a secure login process. Firebase enables us to ensure that only authorized users gain access to certain services while keeping their account information securely stored.

The legal basis for processing your personal data through Firebase services is Article 6(1)(b) GDPR, as the processing is necessary to fulfill the contract we have with you for account creation and access provision. Google acts as a data processor and processes your data according to Google’s privacy policies. Google has committed to processing your data exclusively according to our instructions and in compliance with applicable data protection laws. Google stores data related to account management and authentication as long as your account is active or in existence. Data required for authentication or account management is deleted when you delete your account or when it remains unused for a certain period.

Since Google Firebase is a globally operated product, your data may be transferred to countries outside the EU/EAA, particularly the United States. However, Google has taken appropriate security measures to ensure that your data is processed in accordance with GDPR requirements. Google is an active participant in the EU-US Data Privacy Framework ("DPF"), which regulates the correct and secure transfer of personal data from EU citizens to the US (see https://www.dataprivacyframework.gov). In this regard, the European Commission, through its adequacy decision under Article 45(3) GDPR dated July 10, 2023 (Case C (2023) 4745), currently certifies a level of data protection comparable to the EU/EAA GDPR standard. You can find the decision on the official pages of the European legislator: https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32023D1795.

For detailed information about how Google Firebase processes your data and your rights under the GDPR, you can view Google Firebase’s privacy policy at https://firebase.google.com/support/privacy and Google’s general privacy policy at https://policies.google.com/privacy.

Additionally, Google uses so-called Standard Contractual Clauses (SCCs). These are templates provided by the European Commission to ensure that your data is handled according to European data protection standards, even when transferred and stored in third countries (such as the US). You can find the European Commission's decision and relevant Standard Contractual Clauses at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj?locale=en.

Through both the DPF and Standard Contractual Clauses, Google commits to maintaining European data protection levels when processing relevant data, even when data is stored, processed, and managed in the US.

9.2 ElevenLabs

We use ElevenLabs services on our CIT systems for speech synthesis (text-to-speech) and voice cloning. If submitted files contain personal data (e.g., names, spoken words, or other identifiable information), ElevenLabs may process such data. The processing of your data by ElevenLabs is exclusively for the purpose stated above. ElevenLabs may also use the data to improve the quality of its AI-powered voice technologies.

The legal basis for processing your personal data within ElevenLabs services is Article 6(1)(b) GDPR, as the processing is necessary to fulfill the contract we have with you for providing our services.

The transfer of data to ElevenLabs occurs within the framework of data processing agreements. This means that ElevenLabs processes data solely according to our instructions, in compliance with applicable data protection regulations, and does not use the data for its own purposes. To this end, we have entered into a Data Processing Addendum (DPA-EL) with ElevenLabs, which ensures that your data is processed in accordance with GDPR requirements and that ElevenLabs implements appropriate security measures to protect transferred data. This agreement can be reviewed in its latest version at https://elevenlabs.io/dpa.

The data processed by ElevenLabs is retained under the DPA-EL only as long as necessary to provide the requested services. Detailed information regarding retention periods can be found in ElevenLabs’ privacy policy at https://elevenlabs.io/privacy-policy.

Since ElevenLabs is headquartered in the United States, it may process data on servers located outside the EU or EAA, particularly in the US. ElevenLabs is currently not a participant in the DPF. However, we have established appropriate safeguards with ElevenLabs through the DPA-EL to ensure that data transfer and processing comply with GDPR requirements under Articles 44 and following, including the use of EU Standard Contractual Clauses (EU-SCCs).

For detailed information on how ElevenLabs processes your data and your rights, you can refer to the DPA-EL linked above or review ElevenLabs' privacy policy at https://elevenlabs.io/privacy.

9.3 DeepL

We use DeepL services on our CIT systems to provide machine translations. When using these services, the data you submit to us is transmitted to DeepL to generate the requested translations. As part of using DeepL, personal data contained in the submitted files may be processed. This includes the processing of text data handled by DeepL’s translation service to provide the requested translation. The processing of your data by DeepL is exclusively for the purpose of delivering the video content translations you requested and improving the quality of translations.

The legal basis for processing your personal data when using DeepL services is Article 6(1)(b) GDPR, as the processing is necessary to fulfill the contract we have with you for providing our services.

The transfer of data to DeepL occurs within the framework of a data processing agreement. This means that DeepL processes the data exclusively according to our instructions, in compliance with applicable data protection regulations, and does not use the data for its own purposes. To this end, we have entered into a Data Processing Addendum (DPA-DeepL) with DeepL, which ensures that your data is processed in accordance with GDPR requirements and that DeepL implements appropriate security measures to protect transferred data. You can review this agreement in its latest version at https://www.chamelaion.com/dpa-deepl.

The data processed by DeepL is retained under the DPA-DeepL only as long as necessary to provide the requested services. The exact retention period depends on DeepL’s specific requirements; please refer to the provisions in DeepL’s privacy policy at https://www.deepl.com/privacy.

For detailed information on how DeepL processes your data and your rights, you can review the privacy policy at https://www.deepl.com/privacy.

9.4 OpenAI

We use OpenAI services on our CIT systems for "context refinement" to improve the quality of generated translations and make them more natural (i.e., aligned with contextual linguistic usage). Parts of your submitted data are transmitted to OpenAI to generate this context refinement. When using OpenAI services, personal data contained in the submitted files may be processed.

The processing of your data by OpenAI is exclusively for the purpose of delivering the requested video content translations and improving the quality of translations.

The legal basis for processing your personal data when using OpenAI services is Article 6(1)(b) GDPR, as the processing is necessary to fulfill the contract we have with you for providing our services.

The transfer of data to OpenAI occurs within the framework of a data processing agreement. This means that OpenAI processes the data exclusively according to our instructions, in compliance with applicable data protection regulations, and does not use the data for its own purposes. To this end, we have entered into a Data Processing Addendum (DPA-OAI) with OpenAI, which ensures that your data is processed in accordance with GDPR requirements and that OpenAI implements appropriate security measures to protect transferred data. You can review this agreement in its latest version at https://openai.com/policies/data-processing-addendum/. The DPA-OAI also includes the EU Standard Contractual Clauses (EU-SCCs).

The data processed by OpenAI is retained under the DPA-OAI only as long as necessary to provide the requested services. The exact retention period depends on OpenAI’s specific requirements; further details can be found in OpenAI’s privacy policy at https://openai.com/policies/row-privacy-policy/.

Since OpenAI is headquartered in the United States, OpenAI may process data on servers located outside the EU or EEA. OpenAI is currently not a participant in the DPF. However, we have established appropriate safeguards with OpenAI under the DPA-OAI to ensure that data transfer and processing comply with GDPR requirements under Articles 44 and following, including the use of EU-SCCs.

For detailed information on how OpenAI processes your data and your rights, you can review the DPA-OAI linked above or OpenAI's privacy policy at https://openai.com/policies/privacy-policy/.

10 Use of Cookies and Other Technologies

10.1 Use of Cookies and Other Technologies on www.chamelaion.com

(a) We use cookies, web storage objects, and other technologies to provide you with a variety of functionalities and enhance your user experience. If you do not want us to use such technologies, you can change your browser settings accordingly. For instructions on how to adjust the relevant settings in your browser, please consult the help pages or support resources of your browser provider. Please note that disabling the use of cookies, web storage objects, or other technologies entirely may impair the functionality and range of features available on our website.

(b) Specifically, we use such technologies in the following categories:

(i) Necessary: These cookies or web storage objects are essential for our website to function properly and to ensure smooth navigation and access to our core features. This includes providing key security and accessibility features, as well as user interface preferences such as the display language of the website, the language used for translation or text enhancement, and the processing of subscription orders. The collection of data through necessary cookies or web storage objects is justified under Section 25(2) No. 2 TDDDG. The further processing of this data is either necessary for the execution of the concluded contract pursuant to Article 6(1)(b) GDPR or justified based on our legitimate interest in presenting our products and our company overall pursuant to Article 6(1)(f) GDPR.

(ii) Performance: The data collected from these cookies allows us to measure how our website or CIT systems are used. We use this information to improve our website and services. For example, we measure how often users return and which features they use. We and our external service providers only use these cookies or web storage objects with your explicit consent based on Section 25(1) TDDDG. The further processing of this data is also justified under Article 6(1)(a) GDPR based on your consent.

(iii) Functional: The use of these cookies enables us to make our website experience more convenient and personalized for you. For example, we can personalize your user experience based on the pages you have visited. We only use these cookies or web storage objects with your explicit consent based on Section 25(1) TDDDG. The further processing of this data is also justified under Article 6(1)(a) GDPR based on your consent.

(iv) Marketing: These cookies and other technologies are used to display advertisements that are more relevant to you and your interests. By selecting this category, you also agree that CHAMELAION may transfer your data to third parties outside the EU (e.g., Google), including the transfer of hashed email addresses. In accordance with Section 25(1) TDDDG and Article 6(1)(a) GDPR, we use these cookies, web storage objects, and other technologies and process the data obtained from them only with your explicit consent.

(c) The table below lists the different types of cookies, web storage objects, and other technologies that may be used when you visit our website or CIT systems. The storage of cookies or web storage objects occurs until the designated expiration time or until you delete them in your browser or, in the case of a session object, until the session expires. You also have the option to withdraw your consent for the use of cookies, web storage objects, and other technologies in the Performance, Functional, and Marketing categories (see the categories described in section 10.1(b) above) at any time. You can do this by toggling the slide button in the relevant category in the table below.

Overview of the cookies and web storage objects used by CHAMELAION

Context ID Description Technology Expiration Creator
A. Necessary
_cfuvid 1001 Calendly sets this cookie via Webflow's CDN to track users across sessions, ensuring consistent session handling and providing a seamless, personalized user experience. Cookie Session Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA
usprivacy 1002 This cookie stores the CCPA consent string, indicating whether a user is a California consumer and whether they have opted out of the sale of their personal data. Cookie 1 year Dailymotion SA, 140 boulevard Malesherbes, 75017 Paris, France
__cf_bm, __cfduid (and others, depending on integration) 1003 Cloudflare is used as a content delivery network (CDN) and security service. It optimizes website performance, protects against malicious traffic, and may set cookies to identify trusted web traffic and manage rate-limiting policies. Cookie Session to 30 days (depending on the cookie) Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA
B. Performance
C. Functional
None (requests are sent directly from the user's browser to Google's servers) 1004 Google Fonts is used to display external fonts on the website. When a user accesses a page, their browser may load the fonts directly from Google’s servers. This may involve the transmission of the user's IP address and browser information to Google. Remote content / API request (no cookie) Session Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
None (files are loaded via CDN, but IP address and browser data may be transmitted) 1005 Google Hosted Libraries is used to load JavaScript libraries (e.g. jQuery) from Google's content delivery network (CDN). This improves website performance and availability. When used, the user's IP address and browser information may be transmitted to Google. Remote content / API request (no cookie) Session Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
tawkUUID, TawkConnectionTime (and others, dynamically set) 1006 Used to enable the live chat function and allow users to interact with support in real time. Cookies are set to maintain chat sessions, store the chat ID, and associate users across page visits. Cookie / Local Storage Session to 6 months (depending on the cookie) tawk.to inc., 187 East Warm Springs Rd, SB298, Las Vegas, NV, 89119, USA
D. Marketing
_lfa, _lfa_expiry 1007 This cookie is set to identify the IP addresses of devices visiting the website. It enables Leadfeeder to associate multiple visits from the same company and supports retargeting based on visitor behavior. Cookie 1 year Leadfeeder (Liidio Oy), Mikonkatu 17 C, 00100 Helsinki, Finland
CLID, _clck, _clsk, SM, ANONCHK, MR (.c.clarity.ms), _cltk 1008 Microsoft Clarity sets these cookies to analyze user interactions with the website. This includes session recordings, user ID linking, click tracking, and session status to enhance user experience and website performance. Cookie Between 10 minutes and 1 year (depending on the cookie) Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
bcookie, li_gc, lidc 1009 LinkedIn sets these cookies to enable the use of LinkedIn features, manage user consent for cookies, support data center selection, and track the usage of embedded LinkedIn services on the website. Cookie Between 1 day and 1 year (depending on the cookie) LinkedIn Corporation, 1000 W Maude Ave, Sunnyvale, CA 94085, USA
MUID (.bing.com), MUID (.clarity.ms), MR (.bing.com), SRM_B, ANONCHK 1010 Microsoft Bing sets these cookies to identify unique browsers, synchronize user IDs across Microsoft domains, track user interactions with ads and search results, and support reporting and personalization for advertising and analytics purposes. Cookie Between 10 minutes and 1 year 24 days (depending on the cookie) Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
E. Other
_iub_cs-s3957087-uspr 1011 This cookie is used to store user cookie consent preferences and ensure compliance with applicable data protection regulations. Cookie 1 year iubenda s.r.l., Via San Raffaele, 1 – 20121 Milan, Italy

10.2 Analysis of User Behavior

To better understand how our services are used and tailor them to the needs and preferences of our customers, we analyze, based on pseudonymized data, how customers interact with the CHAMELAION website and CIT systems. Through this analysis, we can identify general usage patterns and derive different target and user groups. We can then address these identified user groups more specifically, for example, by informing them about features of our products they have not yet used or are unaware of, and by helping them choose the subscription that best suits their needs. This allows our customers to fully explore all features of the CHAMELAION CIT systems and optimize their usage while enhancing their overall experience with our services. This analysis aligns with our legitimate interests under Article 6(1)(f) GDPR. The collected data is explicitly not shared with third parties.

11 Additional Processing Purposes

11.1 Compliance with Legal Regulations: We also process your personal data to fulfill legal obligations that may arise in connection with our business activities. These obligations include, in particular, commercial, trade, or tax-related retention periods. In this context, we process your personal data under Article 6(1)(c) GDPR to fulfill a legal obligation to which we are subject.

11.2 Legal Enforcement: We process your personal data to assert and enforce our legal claims. Additionally, we process your personal data to defend ourselves against legal claims. Furthermore, we process your personal data when necessary to prevent or investigate criminal offenses. In these cases, we process your personal data to protect our legitimate interests under Article 6(1)(f) GDPR, particularly when asserting legal claims, defending ourselves in legal disputes, or preventing and investigating criminal offenses.

11.3 Consent: If you have given us consent to process your personal data for specific purposes (e.g., sending informational materials and offers), the processing is legally justified based on your consent. You can revoke your consent at any time. Please note that the revocation is only effective for the future and does not affect any processing carried out before the revocation.

12 Other Data Recipients

Beyond the data processing activities detailed in the preceding sections related to our core business, the following additional provisions apply:

12.1 Internal Data Recipients: Within CHAMELAION, access to your data is granted only to employees and departments that require it to fulfill contractual and legal obligations. Additionally, service providers and agents we engage may receive data for these purposes. We always limit the disclosure of your personal data to the necessary extent while complying with data protection regulations. In some cases, recipients act as EU data processors and are strictly bound by our instructions regarding the handling of your personal data. In other cases, recipients act independently as data controllers and are equally obligated to comply with the GDPR and other applicable data protection regulations.

12.2 Legal and Tax Advisors: In specific cases, we may share personal data with our legal or tax advisors. These recipients are subject to strict confidentiality and secrecy obligations due to their professional legal standing.

13 Data Security

Your connections to our website are protected using encryption techniques that comply with the current state of technology. The level of protection also depends on the encryption capabilities of your internet browser and the IT device you use. You can determine whether a specific page on our website is transmitted in an encrypted manner by checking for the closed key or lock symbol in the status bar of your browser. Furthermore, we employ appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our security measures are continuously improved in line with technological advancements.

14 General Information on Data Deletion and Retention Periods

14.1 We have established internal processes to ensure that your personal data is stored only as long as necessary. Please note that, as a company, we are subject to statutory retention periods (e.g., tax and commercial regulations), which may require selective data storage for a specific period (e.g., for payment processing and invoicing purposes), as outlined in Section 11.1 and the following Section 14.2. Further details regarding your rights, particularly your right to data deletion, can be found in Section 15.

14.2 We process and store your personal data for as long as required for the intended purpose (see respective sections on processing purposes). This may also include the timeframes related to contract initiation (pre-contractual legal relationship) and contract fulfillment. Based on this principle, personal data is regularly deleted in accordance with our contractual and/or legal obligations unless temporary further processing is required for the following reasons:

(a) zCompliance with statutory retention obligations—Certain retention periods are mandated by German commercial and tax laws, such as the German Commercial Code (§§ 238, 257 (4) HGB) and the German Fiscal Code (§ 147 (3), 4 AO). The prescribed retention and documentation periods extend up to ten years.

(b) Preservation of evidence under statute of limitations—Under §§ 194 ff. of the German Civil Code (BGB), limitation periods may be as long as thirty years, although the standard limitation period is three years.

15 Your Rights

Under the legal provisions, you have the following rights as a data subject:

15.1 Right of Access: You have the right, under Article 15 GDPR, to request confirmation from us as to whether we process personal data concerning you. If this is the case, you are also entitled to obtain access to this personal data as well as certain additional information (including processing purposes, categories of personal data, categories of recipients, planned storage duration, the origin of the data, the use of automated decision-making, and in the case of third-country transfers, the appropriate safeguards). You are also entitled to receive a copy of your data. The restrictions of § 34 BDSG apply.

15.2 Right to Rectification: Under Article 16 GDPR, you have the right to request that we correct inaccurate or incorrect personal data stored about you.

15.3 Right to Erasure: You have the right, under Article 17 GDPR, to request the immediate deletion of personal data concerning you. However, the right to erasure does not apply if the processing of personal data is necessary, for example, to comply with a legal obligation (such as statutory retention periods) or to assert, exercise, or defend legal claims. Additionally, the restrictions of § 35 BDSG apply.

15.4 Right to Restriction of Processing: Under Article 18 GDPR, you have the right to request that we restrict the processing of your personal data under certain conditions.

15.5 Right to Data Portability: Under Article 20 GDPR, you have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format.

15.6 Right to Withdraw Consent: You may withdraw your consent to the processing of personal data at any time. Please note that withdrawal applies only to future processing. Any processing that took place before the withdrawal remains unaffected. To withdraw your consent, you only need to send us an informal message, e.g., via email.

15.7 Right to Object: Under Article 21 GDPR, you have the right to object to the processing of your personal data, requiring us to stop processing your data. However, this right only applies within the limits set out in Article 21 GDPR. In certain cases, we may still be entitled to continue processing your personal data despite your objection, for example, if our legitimate interests override your interests. An objection to direct marketing activities, however, will always be honored immediately without further balancing of interests.

15.8 Information on Your Right to Object under Article 21 GDPR: You have the right to object at any time to the processing of your data that is based on Article 6 (1) sentence 1 lit. f) GDPR (processing based on legitimate interests) or Article 6 (1) sentence 1 lit. e) GDPR (processing in the public interest) if there are reasons arising from your particular situation.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing is necessary for the establishment, exercise, or defense of legal claims.
Objections can be made informally and should preferably be sent to privacy@chamelaion.com or alternatively to the other contact details provided at the beginning of this policy.

15.9 Right to Lodge a Complaint with a Supervisory Authority: You also have the right to file a complaint with a supervisory authority regarding the processing of your personal data. The relevant supervisory authority for us is: The Hessian Commissioner for Data Protection and Freedom of Information, P.O. Box 3163, D-65021 Wiesbaden, Germany, Phone: +49 (0)611-14080, Email: . If you wish to exercise any of the above rights, simply contact us at privacy@chamelaion.com - we are happy to assist you.

16 No Obligation to Provide Data

GIn general, you are not required to provide us with your personal data. However, if you choose not to do so, we may not be able to provide you with unrestricted access to our website and services, or we may be unable to respond to your inquiries correctly. Personal data that we do not strictly require for the processing purposes mentioned above is marked accordingly as voluntary information.

17 No Automated Decision-Making / Profiling

We do not use automated decision-making or profiling (i.e., automated analysis of your personal circumstances).

18 Changes to This Privacy Policy

Our website and CIT systems are continuously evolving and being enhanced with new or improved features. Therefore, we reserve the right to modify this privacy policy accordingly. The latest version of this privacy policy is always available on our website at www.chamelaion.com/privacy.

Privacy PoliciesTerms & ConditionsImprintinfo@chamelaion.com

© 2025 CHAMELAION GmbH