• About us
  • Products
  • For You
  • FAQ
  • Contact
  • Book a demo
  • Sign in
  • About us
  • Products
  • For You
  • FAQ
  • Contact
Sign in
Book a demo

Privacy Policy

Version 2026-06-28 · Published 28 June 2026 · All versions

This is a non-binding English translation. The German version is the sole legally binding version.

Privacy Policy

Effective date: 2026-06-28

§ 1 Controller

The controller within the meaning of the GDPR is: iMonial GmbH, Kirchenstr. 3, 76344 Eggenstein-Leopoldshafen, Germany, represented by the management. Commercial register: HRB 757925, Local Court of Mannheim. VAT ID: DE461926119. E-mail: mail@imonial.com. Data protection inquiries: privacy@imonial.com

§ 2 General Information and Mandatory Disclosures

This Privacy Policy fulfils the information obligations under Art. 13 and Art. 14 GDPR in conjunction with the BDSG and the TTDSG. The iMonial platform connects talents and brands for marketing collaborations. Talents register on the platform, upload campaign material and training data (e.g. photos, videos, voice recordings) and take part in campaigns in the course of which marketing content is created. The central legal basis for the processing of personal data in the context of platform use is Art. 6(1)(b) GDPR (performance of a contract). For certain processing operations (in particular marketing communication, telephone contact for advertising purposes, and third-country transfers), Art. 6(1)(a) GDPR (consent) serves as the legal basis. Consent given may be withdrawn at any time with effect for the future; the withdrawal does not affect the lawfulness of the processing carried out up to that point.

Note on the beta version

The iMonial platform is in a beta phase. The scope of functions, service providers and processing operations may change. Material changes are communicated in accordance with § 14.

§ 3 Data Collection on Our Platform

3.1 Server log files

Each time our platform is accessed, our hosting provider automatically records data and information from the accessing system in so-called server log files. The following data is collected: IP address of the requesting computer (stored anonymised in log files; for proof of consent pursuant to Art. 7(1) GDPR the full IP address is stored, see the table "Retention period by data category" at the end of this Privacy Policy), date and time of access, name and URL of the accessed resource, HTTP status code, volume of data transferred, referrer URL (previously visited page), browser and operating system used. Storage is technically necessary for the delivery of the platform content, system security and the prevention of misuse. Legal basis: Art. 6(1)(f) GDPR. The log files are deleted after 30 days, unless further retention is required for evidentiary purposes.

3.2 Technically necessary data

In addition, the following technical data is processed for the use of the platform: device type and screen resolution (for responsive display), browser language settings (for language selection), session identifiers (for maintaining the session). Legal basis: Art. 6(1)(b) GDPR (performance of a contract) as well as Art. 6(1)(f) GDPR (legitimate interest in a user-friendly display and the technically flawless delivery of the platform content).

§ 4 Registration and User Account

4.1 Data collected upon registration

For registration on the iMonial platform we collect the following data: Mandatory information: first and last name, e-mail address, password (stored encrypted) or OAuth login. Extended profile information (for talents): telephone number, postal address (street, house number, postal code, city, country), date of birth, profile picture, biographical information and portfolio details, preferences regarding campaign types. Legal basis: Art. 6(1)(b) GDPR, since registration is a prerequisite for using the platform. The provision of the mandatory information (name, e-mail, date of birth, country, telephone number) is necessary for the conclusion of the contract and the use of the platform. Without this information, no user account can be created and the platform cannot be used. The provision of the extended profile information is voluntary; however, it enables full participation in campaigns.

4.2 Authentication service provider

For user login and account management we use a specialised authentication service provider. On our behalf, this provider processes: e-mail address, name, profile picture (with OAuth), password hash and session data. A data processing agreement (DPA) pursuant to Art. 28 GDPR exists with the authentication service provider. Appropriate data protection safeguards pursuant to Art. 44 et seq. GDPR are in place for the data transfer.

§ 5 Login via Third-Party Providers (OAuth)

In addition to direct registration, we offer login via Apple, Google, Facebook and Microsoft (OAuth). In this process, the following data is transmitted by the respective provider: name (first and last name), e-mail address, profile picture (if stored in the provider's account; not with Apple). Your password with the third-party provider is not disclosed to us. Note on Apple Sign-In: Apple offers the "Hide My Email" feature. This is supported by our platform. The relay address generated by Apple forwards e-mails to your actual e-mail address. Further information on the data protection practices of the respective providers can be found at: Apple: [1] | Google: [2] | Meta: [3] | Microsoft: [4]. The data transmitted by OAuth providers is used exclusively for account creation and authentication. Legal basis: Art. 6(1)(b) GDPR.

§ 6 Campaign Material, Training Data and AI Processing

6.1 Campaign material and training data

Campaign material or training data (e.g. photos, videos, voice recordings) can be uploaded directly by the talent or created by the brand or iMonial in the course of a shoot. This data may include: photos and images of the face and body, videos with voice and movement, voice recordings. iMonial processes this data to create marketing content (directly or AI-assisted). Processing for the purpose of identifying or authenticating natural persons does not take place. Legal basis: for platform functions Art. 6(1)(a) GDPR (consent, given in the Talent Agreement § 6); for campaign-specific processing Art. 6(1)(b) GDPR (performance of a contract pursuant to the Campaign Agreement). The processing takes place within the scope of the Talent Agreement and, where applicable, the Campaign Agreement. The talent may terminate the contract in accordance with the termination provisions of the Talent Agreement. Where a data transfer to third countries is necessary, separate consent pursuant to Art. 49(1)(a) GDPR is obtained in the Campaign Agreement.

6.2 Purpose limitation of AI processing

The uploaded campaign material and training data are processed exclusively for the following purposes: creation of profile content and platform functions (e.g. profile optimisation, matching preview), creation of campaign material and AI-assisted content within the scope of specific campaigns, use of service providers for AI-assisted content creation within the scope of campaigns (no resale, no disclosure to third parties), quality assurance and preview of the content created. No use beyond the purposes stated takes place.

6.3 Service providers used for AI-assisted content creation

For AI-assisted content creation within the scope of platform functions, iMonial uses processors with whom DPAs pursuant to Art. 28 GDPR exist. Processing takes place on the basis of Art. 6(1)(b) GDPR and appropriate data protection safeguards pursuant to Art. 44 et seq. GDPR. Within the scope of individual campaigns, further service providers (AI-assisted content creation) may be used. Where this requires data processing that needs separate consent, such consent is obtained in the respective Campaign Agreement.

6.4 Personal data of third parties in campaign material

Where further natural persons are recognisably depicted or audible in campaign material or training data uploaded by the talent, iMonial processes their personal data. Categories of affected data: likeness, voice, name (where recognisable). Source of the data: upload by the talent via the platform. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the contractually compliant performance of the campaign). Pursuant to § 7(3)(e) of the Talent Agreement, the talent is obliged to obtain explicit consent from recognisably depicted or audible third parties for the contractually intended use and to present such consent to iMonial upon request. Where information of the affected third parties pursuant to Art. 14 GDPR is required, iMonial supports the talent in fulfilling this obligation. The retention period is governed by the respective Campaign Agreement.

§ 7 Legal Bases of Processing

An overview of the main processing purposes, the applicable legal basis in each case and the intended retention period is provided by the table "Overview of legal bases" at the end of this Privacy Policy.

§ 8 Recipients and Processors

Personal data is only disclosed to third parties for the performance of the contract, in the case of a legitimate interest, a legal obligation or with your consent.

8.1 Categories of recipients and processors

Contracts pursuant to Art. 28 GDPR exist with all processors. The table "Categories of recipients" at the end of this Privacy Policy shows which categories of recipients may obtain access to personal data.

8.2 Other recipients

Beyond this, personal data may be transferred to the following categories of recipients: brands: receive access to assets and campaign material in accordance with the respective Campaign Agreement. Tax advisors and auditors: where legally required. Authorities: where legally obliged (e.g. tax authorities, law enforcement authorities).

8.3 Sub-processor management

Our processors are contractually obliged to inform us about the use or change of sub-processors. A current list can be requested at privacy@imonial.com. Campaign-specific service providers are disclosed in the respective Campaign Agreement.

§ 9 Data Transfer to Third Countries

A transfer of personal data to third countries (outside the EEA) only takes place in compliance with the requirements of Art. 44–49 GDPR.

9.1 Data transfer to service providers outside the EEA

Where service providers process data outside the EEA, iMonial ensures appropriate safeguards (adequacy decisions, standard contractual clauses, supplementary technical measures).

9.2 Campaign-specific data transfer to third countries

Within the scope of individual campaigns, a data transfer to service providers (AI-assisted content creation) in third countries may be necessary for which no adequate safeguards pursuant to Art. 44 et seq. GDPR exist. The use of such service providers takes place exclusively on a case-by-case basis for individual campaigns, not as regular processing. Before each use, iMonial checks whether equivalent service providers with appropriate data protection safeguards are available. The transfer then takes place exclusively on the basis of explicit consent pursuant to Art. 49(1)(a) GDPR, which is obtained separately for each campaign. Consent is voluntary and revocable at any time. The details follow from the respective Campaign Agreement.

§ 10 Retention Period and Deletion Concept

In principle, we store personal data only for as long as it is necessary for the respective processing purpose or as long as statutory retention obligations exist. After expiry of the retention period, data is deleted or anonymised. Upon account deletion, all personal data is deleted without undue delay, with the exception of data subject to statutory retention obligations (§ 257 HGB: 10 years; § 147 AO: 6 years). Such data is blocked and deleted after expiry of the period.

§ 11 Your Rights as a Data Subject

As a data subject you have the following rights under the GDPR. To exercise these rights, please contact: privacy@imonial.com or by post at the controller's address stated above.

11.1 Right of access (Art. 15 GDPR)

You have the right to request information about the personal data we process concerning you, including the information listed in Art. 15 GDPR.

11.2 Right to rectification (Art. 16 GDPR)

You have the right to request the rectification of inaccurate personal data or the completion of incomplete personal data without undue delay.

11.3 Right to erasure (Art. 17 GDPR)

You have the right to request the erasure of your personal data, provided a ground under Art. 17 GDPR applies. This right does not exist where statutory retention obligations conflict with it.

11.4 Right to restriction of processing (Art. 18 GDPR)

You have the right to request the restriction of processing if a condition under Art. 18 GDPR is met.

11.5 Right to data portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit it to another controller, provided the requirements of Art. 20 GDPR are met.

11.6 Right to object (Art. 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to processing based on Art. 6(1)(f) GDPR. We will then no longer process the data unless we can demonstrate compelling legitimate grounds.

11.7 Right to withdraw consent given (Art. 7(3) GDPR)

You can withdraw consent given at any time with effect for the future, without affecting the lawfulness of the previous processing. Address the withdrawal to privacy@imonial.com or use the function in your user account.

11.8 Automated decision-making (Art. 22 GDPR)

Automated decision-making with legal effect or similarly significant impairment pursuant to Art. 22 GDPR does not take place. The AI-assisted matching creates non-binding suggestions; the decision on participation in a campaign is made by the talent itself. The legal basis for the matching is Art. 6(1)(b) GDPR (performance of a contract) in conjunction with Art. 6(1)(f) GDPR (legitimate interest in the efficient placement of suitable campaigns). AI-assisted content creation is always subject to human review and approval by the talent and the brand.

§ 12 Notifications and Communication

12.1 Campaign-related notifications

We send you notifications via a chat in the platform as well as by e-mail, push notification and/or telephone about campaigns, status updates and contract-relevant information. Legal basis: Art. 6(1)(b) GDPR.

12.2 Marketing communication

We send promotional communication exclusively with your consent (Art. 6(1)(a) GDPR in conjunction with § 7 UWG). You can withdraw your consent at any time, e.g. via the unsubscribe link or by e-mail to privacy@imonial.com.

12.3 Telephone contact

Telephone contact for advertising purposes takes place exclusively with your consent (Art. 6(1)(a) GDPR in conjunction with § 7 UWG). Urgent campaign-related communications may take place on a contractual basis (Art. 6(1)(b) GDPR), provided telephone availability has been agreed.

§ 13 Cookies and Technical Storage

Our platform uses exclusively technically necessary cookies which, pursuant to § 25(2) No. 2 TTDSG, do not require consent. Language setting cookie: stores the language you have selected (German/English) for the duration of your visit or up to one year, in order to display the platform to you in the selected language. Session cookies: for maintaining your logged-in session. These cookies are automatically deleted after the end of the browser session. Analytical cookies, marketing cookies or tracking technologies are not used in the current beta version of the platform. Should this change in the future, we will inform you in advance and, where applicable, obtain your consent.

§ 14 Changes to this Privacy Policy

We reserve the right to adapt this Privacy Policy in the event of a changed legal situation or changes to our services. This applies in particular during the beta phase. We will inform you of material changes in good time in an appropriate form, in particular: by e-mail notification to the e-mail address stored in your account; by a clearly visible notice on the platform at your next login. Where changes concern consent-based processing, we will obtain renewed consent where necessary. The respective current version of this Privacy Policy can be viewed at any time on our platform.

§ 15 Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you are of the opinion that the processing of your data infringes the GDPR (Art. 77 GDPR). The supervisory authority responsible for us is: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart, Phone: +49 711 615541-0, E-mail: poststelle@lfdi.bwl.de, Website: [5]. We recommend that you first contact our data protection contact at privacy@imonial.com. This Privacy Policy is provided in German and English. Only the German version is legally binding for the conclusion of the contract.

Overview of legal bases

Processing purpose Legal basis Retention period
Provision of the platform, server log files Art. 6(1)(f) GDPR (legitimate interest) 30 days (log files)
Registration and account creation Art. 6(1)(b) GDPR (performance of a contract) Duration of account use or until deletion
OAuth login (Apple, Google, Facebook, Microsoft) Art. 6(1)(b) GDPR (performance of a contract) Duration of account use
Processing of campaign material and training data (photos, videos, voice recordings) Art. 6(1)(b) GDPR (performance of a contract); for platform functions Art. 6(1)(a) GDPR (consent) Until end of contract or account deletion, possibly deviating per Campaign Agreement
Content creation (platform functions) Art. 6(1)(a) GDPR (consent pursuant to Talent Agreement § 6) Duration of the campaign or account use
Content creation (campaign-specific) Art. 6(1)(b) GDPR; for third-country transfer possibly Art. 49(1)(a) GDPR (consent) Duration of the campaign or until deletion
Campaign notifications (e-mail/push/telephone) Art. 6(1)(b) GDPR (performance of a contract) Duration of account use
Marketing communication (newsletter, offers) Art. 6(1)(a) GDPR (consent, opt-in) Until withdrawal
Telephone contact (advertising purposes) Art. 6(1)(a) GDPR (consent) Until withdrawal
Technical cookies (language setting) § 25(2) No. 2 TTDSG (strictly necessary) End of session or 1 year
Accounting and bookkeeping Art. 6(1)(c) GDPR (legal obligation) 10 years (§ 257 HGB) 6 years (§ 147 AO)
Proof of consent (IP, user agent, timestamp) Art. 6(1)(f) GDPR (obligation to provide proof pursuant to Art. 7(1) GDPR) 3 years after withdrawal or account deletion

Categories of recipients

Category Purpose Data protection safeguards
Hosting and infrastructure providers Operation of the platform, databases, storage DPA, processing within the EEA
Authentication service provider User login, account management DPA, DPF and/or SCCs
Processors (AI-assisted content creation, platform) Content creation for platform functions DPA, SCCs or own infrastructure
Service providers (AI-assisted content creation, campaign) Content creation within the scope of campaigns Campaign Agreement; possibly consent pursuant to Art. 49(1)(a) GDPR
E-mail and notification service providers Sending of e-mails, push notifications DPA, processing within the EEA or SCCs
Brands Access to assets and campaign material (per Campaign Agreement) Campaign Agreement

Retention period by data category

Data category Retention period Justification
Account data (name, e-mail, telephone, date of birth, country) Until account deletion by the user Performance of a contract (Art. 6(1)(b) GDPR)
Extended profile data (address, further information) Until account deletion or erasure request Performance of a contract
Campaign material and training data (photos, videos, voice recordings) Until end of contract or account deletion, possibly deviating per Campaign Agreement Performance of a contract (Art. 6(1)(b) GDPR)
Assets (approved content) Per Campaign Agreement or until erasure request Performance of a contract; iMonial retains usage rights pursuant to the Campaign Agreement
Server log files 30 days Legitimate interest (security)
Invoice data and business documents 10 years from the end of the calendar year § 257 HGB (statutory obligation)
Tax-relevant data 6 years from the end of the calendar year § 147 AO (statutory obligation)
Proof of consent (IP, user agent, timestamp) 3 years after withdrawal or account deletion Obligation to provide proof pursuant to Art. 7(1) GDPR

References

[1] https://www.apple.com/legal/privacy/

[2] https://policies.google.com/privacy

[3] https://www.facebook.com/privacy/policy/

[4] https://privacy.microsoft.com/de-de/privacystatement

[5] https://www.baden-wuerttemberg.datenschutz.de

Digital identities. Real brands. The marketplace with the AI platform of the future, connecting digital identities and clubs with brands for authentic, scalable marketing.

Platform

  • About us
  • Products
  • For You

For You

  • Brands & Sponsors
  • Clubs & Federations
  • Athletes & Creators

Legal

  • Privacy Policy
  • Terms of Service
  • Talent Agreement
  • Imprint
  • Withdrawal
© 2026 imonial. All rights reserved.
FAQContact