Privacy Policy
Last updated: April 29, 2026
1. Who We Are
Blitzergram is operated by Private Enterprise “ISMA-SERVICE” (ПП “ІСМА-СЕРВІС”), EDRPOU 33927324, registered in Ukraine. When we say “Blitzergram,” “we,” “us,” or “our,” we mean PP “ISMA-SERVICE.”
For privacy-related questions, contact us at support@blitzergram.de.
EU Representative (Art. 27 GDPR):
To be appointed before launch — contact details will be published here.
2. Information We Collect
2.1 Information you provide
Account data: Email address when you create an account via magic link authentication.
Fine documents: When you upload a fine (Bußgeldbescheid), the document is processed client-side for OCR extraction. You may then apply a blur zone to any area of the cropped photo (plate, face, etc.) before the image is saved. We store only the cropped image (with any blur you applied) and extracted structured data (amount, points, speed over limit, date, city, Bundesland). We do not store the original full document, your name, address, or case reference number (Aktenzeichen) on our servers.
Payment data: When you purchase Pro, payment is processed entirely by Stripe. We never see or store your full card number. We store the transaction reference and amount.
Profile data: Username (auto-generated, editable), avatar choice, and display preferences.
2.2 Information collected automatically
Usage data: Pages visited, features used, and session duration via Vercel Analytics.
Device data: Browser type, operating system, screen resolution, and IP address.
Cookies: Authentication session cookies (Supabase) and analytics (Vercel Analytics). See Section 9.
2.3 Client-side processing
Blitzergram uses your device's processing power for sensitive operations:
- OCR (Tesseract.js): Text extraction runs entirely in your browser. The extracted text is used to pre-fill form fields and is not transmitted to our servers in raw form.
- Manual blur zone: You can apply a pixelation blur to any area of the photo (plate, face, etc.) directly in your browser before upload. Only the image with your applied blur is saved to our servers.
AI-assisted extraction (optional): If client-side OCR produces insufficient results, structured data may be extracted via Mistral AI. In this case, the document image is sent to Mistral's API for processing. Mistral acts as a data processor under our instructions and does not retain your data beyond the processing request. See Section 6.
3. How We Use Your Information
- Provide, maintain, and improve the Blitzergram service
- Process payments and manage your account
- Generate anonymized fine cards for the public gallery (only with your consent)
- Calculate statistics, scores, and leaderboard positions
- Send transactional communications (magic links, purchase confirmations)
- Respond to your support requests
- Analyze usage patterns to improve performance and user experience
- Prevent fraud, abuse, and enforce rate limits
- Moderate shared content for policy compliance
- Comply with legal obligations
We do not use your data for automated decision-making or profiling.
4. Legal Basis for Processing (GDPR)
If you are in the EU/EEA, we process your data under these bases:
| Processing activity | Legal basis |
|---|---|
| Account creation & authentication | Contract performance (Art. 6(1)(b)) |
| Fine document processing & storage | Explicit consent (Art. 6(1)(a), Art. 9(2)(a)) |
| Public gallery sharing | Consent (Art. 6(1)(a)) |
| Payment processing | Contract performance (Art. 6(1)(b)) |
| Analytics | Consent (Art. 6(1)(a)) |
| Security & fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Tax & regulatory records | Legal obligation (Art. 6(1)(c)) |
Special category data: Traffic fines constitute data relating to administrative offenses (Art. 10 GDPR, § 24 BDSG). We process this data solely on the basis of your explicit consent, which you provide when uploading a fine document. You may withdraw consent at any time by deleting the fine or your account.
5. How We Share Your Information
We do not sell, rent, or trade your personal data. We share data only with:
Supabase — authentication and database hosting (AWS infrastructure, EU region Frankfurt). See supabase.com/privacy.
Vercel — application hosting (Frankfurt region) and performance analytics. See vercel.com/legal/privacy-policy.
Stripe — payment processing. Stripe collects transaction data and device identifiers under its own privacy policy. See stripe.com/privacy.
Mistral AI — AI-assisted data extraction from fine documents (when client-side OCR is insufficient). Mistral processes data as a processor under contract and does not retain inputs beyond the API request. See mistral.ai/terms.
6. International Data Transfers
Your data is primarily processed on servers in the EU (Frankfurt, Germany) via Vercel and Supabase. Where data is transferred to the United States (Stripe, some Supabase infrastructure), these transfers are protected by the EU-US Data Privacy Framework and/or Standard Contractual Clauses. Mistral AI is based in France and processes data within the EU.
7. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account deletion.
- Fine data & blurred images: Retained while your account is active. Deleted upon account deletion or individual fine deletion.
- Public cards: Visible until you unpublish or delete your account. Removed from gallery immediately upon request.
- Payment records: Retained for 7 years as required by tax and commercial law.
- Analytics data: Anonymized, retained per Vercel Analytics defaults.
- Client-side data: OCR and blurring data exists only in browser memory during processing (typically milliseconds) and is never persisted.
8. Data Security
We protect your data with TLS encryption in transit, encrypted databases at rest (Supabase on AWS), Row Level Security (RLS) policies ensuring you can only access your own data, and client-side processing for sensitive operations. Payment card data is handled entirely by Stripe (PCI-DSS Level 1 certified).
The privacy architecture is designed so that sensitive document data (names, addresses, case references) are excluded at the crop stage and never stored. You control whether to apply additional blur to any visible plates or faces before your fine is saved.
9. Cookies & Tracking
Essential cookies (no consent required)
- Supabase authentication tokens (access token, refresh token) — required for login
- Sidebar state preference — required for UI function
Analytics cookies (consent required)
- Vercel Analytics — helps us understand usage patterns and improve the service
Analytics cookies are only set after you give consent via our cookie banner. You can withdraw consent at any time through the cookie settings accessible in the site footer.
You can also manage cookies through your browser settings. Disabling essential cookies will prevent you from logging in.
10. Your Rights
All users
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your account and all associated data
- Object to processing of your data
- Withdraw consent at any time
EU/EEA residents (GDPR)
- Right to data portability (export your data in machine-readable format)
- Right to restrict processing
- Right to lodge a complaint with your local data protection authority
How to exercise your rights
Self-service: You can delete individual fines, unpublish cards, or delete your entire account from your profile settings. Account deletion removes all associated data within 30 days.
Contact us: For data export, access requests, or any other privacy rights, email support@blitzergram.de. We will respond within 30 days.
11. Children's Privacy
Blitzergram is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
12. Content Reporting
If you believe content on Blitzergram reveals your identity or violates your privacy rights (e.g., an insufficiently blurred image showing you or your vehicle), please contact support@blitzergram.de with the URL of the content. We will review and remove confirmed violations within 72 hours.
13. Changes to This Policy
We may update this policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the site at least 14 days before changes take effect. Your continued use of Blitzergram after the effective date constitutes acceptance of the updated policy.
14. Contact Us
Private Enterprise “ISMA-SERVICE” (ПП “ІСМА-СЕРВІС”)
EDRPOU: 33927324
Email: support@blitzergram.de
EU Representative (Art. 27 GDPR):
To be appointed — details will be published here.