This is a non-binding English translation. The German version is the sole legally binding version.
Privacy Policy
Effective date: 2026-06-28
§ 1 Controller
The controller within the meaning of the GDPR is: iMonial GmbH, Kirchenstr. 3, 76344 Eggenstein-Leopoldshafen, Germany, represented by the management. Commercial register: HRB 757925, Local Court of Mannheim. VAT ID: DE461926119. E-mail: mail@imonial.com. Data protection inquiries: privacy@imonial.com
§ 2 General Information and Mandatory Disclosures
This Privacy Policy fulfils the information obligations under Art. 13 and Art. 14 GDPR in conjunction with the BDSG and the TTDSG. The iMonial platform connects talents and brands for marketing collaborations. Talents register on the platform, upload campaign material and training data (e.g. photos, videos, voice recordings) and take part in campaigns in the course of which marketing content is created. The central legal basis for the processing of personal data in the context of platform use is Art. 6(1)(b) GDPR (performance of a contract). For certain processing operations (in particular marketing communication, telephone contact for advertising purposes, and third-country transfers), Art. 6(1)(a) GDPR (consent) serves as the legal basis. Consent given may be withdrawn at any time with effect for the future; the withdrawal does not affect the lawfulness of the processing carried out up to that point.
Note on the beta version
The iMonial platform is in a beta phase. The scope of functions, service providers and processing operations may change. Material changes are communicated in accordance with § 14.
§ 3 Data Collection on Our Platform
3.1 Server log files
Each time our platform is accessed, our hosting provider automatically records data and information from the accessing system in so-called server log files. The following data is collected: IP address of the requesting computer (stored anonymised in log files; for proof of consent pursuant to Art. 7(1) GDPR the full IP address is stored, see the table "Retention period by data category" at the end of this Privacy Policy), date and time of access, name and URL of the accessed resource, HTTP status code, volume of data transferred, referrer URL (previously visited page), browser and operating system used. Storage is technically necessary for the delivery of the platform content, system security and the prevention of misuse. Legal basis: Art. 6(1)(f) GDPR. The log files are deleted after 30 days, unless further retention is required for evidentiary purposes.
3.2 Technically necessary data
In addition, the following technical data is processed for the use of the platform: device type and screen resolution (for responsive display), browser language settings (for language selection), session identifiers (for maintaining the session). Legal basis: Art. 6(1)(b) GDPR (performance of a contract) as well as Art. 6(1)(f) GDPR (legitimate interest in a user-friendly display and the technically flawless delivery of the platform content).
§ 4 Registration and User Account
4.1 Data collected upon registration
For registration on the iMonial platform we collect the following data: Mandatory information: first and last name, e-mail address, password (stored encrypted) or OAuth login. Extended profile information (for talents): telephone number, postal address (street, house number, postal code, city, country), date of birth, profile picture, biographical information and portfolio details, preferences regarding campaign types. Legal basis: Art. 6(1)(b) GDPR, since registration is a prerequisite for using the platform. The provision of the mandatory information (name, e-mail, date of birth, country, telephone number) is necessary for the conclusion of the contract and the use of the platform. Without this information, no user account can be created and the platform cannot be used. The provision of the extended profile information is voluntary; however, it enables full participation in campaigns.
4.2 Authentication service provider
For user login and account management we use a specialised authentication service provider. On our behalf, this provider processes: e-mail address, name, profile picture (with OAuth), password hash and session data. A data processing agreement (DPA) pursuant to Art. 28 GDPR exists with the authentication service provider. Appropriate data protection safeguards pursuant to Art. 44 et seq. GDPR are in place for the data transfer.
§ 5 Login via Third-Party Providers (OAuth)
In addition to direct registration, we offer login via Apple, Google, Facebook and Microsoft (OAuth). In this process, the following data is transmitted by the respective provider: name (first and last name), e-mail address, profile picture (if stored in the provider's account; not with Apple). Your password with the third-party provider is not disclosed to us. Note on Apple Sign-In: Apple offers the "Hide My Email" feature. This is supported by our platform. The relay address generated by Apple forwards e-mails to your actual e-mail address. Further information on the data protection practices of the respective providers can be found at: Apple: [1] | Google: [2] | Meta: [3] | Microsoft: [4]. The data transmitted by OAuth providers is used exclusively for account creation and authentication. Legal basis: Art. 6(1)(b) GDPR.
§ 6 Campaign Material, Training Data and AI Processing
6.1 Campaign material and training data
Campaign material or training data (e.g. photos, videos, voice recordings) can be uploaded directly by the talent or created by the brand or iMonial in the course of a shoot. This data may include: photos and images of the face and body, videos with voice and movement, voice recordings. iMonial processes this data to create marketing content (directly or AI-assisted). Processing for the purpose of identifying or authenticating natural persons does not take place. Legal basis: for platform functions Art. 6(1)(a) GDPR (consent, given in the Talent Agreement § 6); for campaign-specific processing Art. 6(1)(b) GDPR (performance of a contract pursuant to the Campaign Agreement). The processing takes place within the scope of the Talent Agreement and, where applicable, the Campaign Agreement. The talent may terminate the contract in accordance with the termination provisions of the Talent Agreement. Where a data transfer to third countries is necessary, separate consent pursuant to Art. 49(1)(a) GDPR is obtained in the Campaign Agreement.
6.2 Purpose limitation of AI processing
The uploaded campaign material and training data are processed exclusively for the following purposes: creation of profile content and platform functions (e.g. profile optimisation, matching preview), creation of campaign material and AI-assisted content within the scope of specific campaigns, use of service providers for AI-assisted content creation within the scope of campaigns (no resale, no disclosure to third parties), quality assurance and preview of the content created. No use beyond the purposes stated takes place.
6.3 Service providers used for AI-assisted content creation
For AI-assisted content creation within the scope of platform functions, iMonial uses processors with whom DPAs pursuant to Art. 28 GDPR exist. Processing takes place on the basis of Art. 6(1)(b) GDPR and appropriate data protection safeguards pursuant to Art. 44 et seq. GDPR. Within the scope of individual campaigns, further service providers (AI-assisted content creation) may be used. Where this requires data processing that needs separate consent, such consent is obtained in the respective Campaign Agreement.
6.4 Personal data of third parties in campaign material
Where further natural persons are recognisably depicted or audible in campaign material or training data uploaded by the talent, iMonial processes their personal data. Categories of affected data: likeness, voice, name (where recognisable). Source of the data: upload by the talent via the platform. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the contractually compliant performance of the campaign). Pursuant to § 7(3)(e) of the Talent Agreement, the talent is obliged to obtain explicit consent from recognisably depicted or audible third parties for the contractually intended use and to present such consent to iMonial upon request. Where information of the affected third parties pursuant to Art. 14 GDPR is required, iMonial supports the talent in fulfilling this obligation. The retention period is governed by the respective Campaign Agreement.
§ 7 Legal Bases of Processing
An overview of the main processing purposes, the applicable legal basis in each case and the intended retention period is provided by the table "Overview of legal bases" at the end of this Privacy Policy.
§ 8 Recipients and Processors
Personal data is only disclosed to third parties for the performance of the contract, in the case of a legitimate interest, a legal obligation or with your consent.
8.1 Categories of recipients and processors
Contracts pursuant to Art. 28 GDPR exist with all processors. The table "Categories of recipients" at the end of this Privacy Policy shows which categories of recipients may obtain access to personal data.
8.2 Other recipients
Beyond this, personal data may be transferred to the following categories of recipients: brands: receive access to assets and campaign material in accordance with the respective Campaign Agreement. Tax advisors and auditors: where legally required. Authorities: where legally obliged (e.g. tax authorities, law enforcement authorities).
8.3 Sub-processor management
Our processors are contractually obliged to inform us about the use or change of sub-processors. A current list can be requested at privacy@imonial.com. Campaign-specific service providers are disclosed in the respective Campaign Agreement.
§ 9 Data Transfer to Third Countries
A transfer of personal data to third countries (outside the EEA) only takes place in compliance with the requirements of Art. 44–49 GDPR.
9.1 Data transfer to service providers outside the EEA
Where service providers process data outside the EEA, iMonial ensures appropriate safeguards (adequacy decisions, standard contractual clauses, supplementary technical measures).
9.2 Campaign-specific data transfer to third countries
Within the scope of individual campaigns, a data transfer to service providers (AI-assisted content creation) in third countries may be necessary for which no adequate safeguards pursuant to Art. 44 et seq. GDPR exist. The use of such service providers takes place exclusively on a case-by-case basis for individual campaigns, not as regular processing. Before each use, iMonial checks whether equivalent service providers with appropriate data protection safeguards are available. The transfer then takes place exclusively on the basis of explicit consent pursuant to Art. 49(1)(a) GDPR, which is obtained separately for each campaign. Consent is voluntary and revocable at any time. The details follow from the respective Campaign Agreement.
§ 10 Retention Period and Deletion Concept
In principle, we store personal data only for as long as it is necessary for the respective processing purpose or as long as statutory retention obligations exist. After expiry of the retention period, data is deleted or anonymised. Upon account deletion, all personal data is deleted without undue delay, with the exception of data subject to statutory retention obligations (§ 257 HGB: 10 years; § 147 AO: 6 years). Such data is blocked and deleted after expiry of the period.
§ 11 Your Rights as a Data Subject
As a data subject you have the following rights under the GDPR. To exercise these rights, please contact: privacy@imonial.com or by post at the controller's address stated above.
11.1 Right of access (Art. 15 GDPR)
You have the right to request information about the personal data we process concerning you, including the information listed in Art. 15 GDPR.
11.2 Right to rectification (Art. 16 GDPR)
You have the right to request the rectification of inaccurate personal data or the completion of incomplete personal data without undue delay.
11.3 Right to erasure (Art. 17 GDPR)
You have the right to request the erasure of your personal data, provided a ground under Art. 17 GDPR applies. This right does not exist where statutory retention obligations conflict with it.
11.4 Right to restriction of processing (Art. 18 GDPR)
You have the right to request the restriction of processing if a condition under Art. 18 GDPR is met.
11.5 Right to data portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit it to another controller, provided the requirements of Art. 20 GDPR are met.
11.6 Right to object (Art. 21 GDPR)
You have the right to object at any time, on grounds relating to your particular situation, to processing based on Art. 6(1)(f) GDPR. We will then no longer process the data unless we can demonstrate compelling legitimate grounds.
11.7 Right to withdraw consent given (Art. 7(3) GDPR)
You can withdraw consent given at any time with effect for the future, without affecting the lawfulness of the previous processing. Address the withdrawal to privacy@imonial.com or use the function in your user account.
11.8 Automated decision-making (Art. 22 GDPR)
Automated decision-making with legal effect or similarly significant impairment pursuant to Art. 22 GDPR does not take place. The AI-assisted matching creates non-binding suggestions; the decision on participation in a campaign is made by the talent itself. The legal basis for the matching is Art. 6(1)(b) GDPR (performance of a contract) in conjunction with Art. 6(1)(f) GDPR (legitimate interest in the efficient placement of suitable campaigns). AI-assisted content creation is always subject to human review and approval by the talent and the brand.
§ 12 Notifications and Communication
12.1 Campaign-related notifications
We send you notifications via a chat in the platform as well as by e-mail, push notification and/or telephone about campaigns, status updates and contract-relevant information. Legal basis: Art. 6(1)(b) GDPR.
12.2 Marketing communication
We send promotional communication exclusively with your consent (Art. 6(1)(a) GDPR in conjunction with § 7 UWG). You can withdraw your consent at any time, e.g. via the unsubscribe link or by e-mail to privacy@imonial.com.
12.3 Telephone contact
Telephone contact for advertising purposes takes place exclusively with your consent (Art. 6(1)(a) GDPR in conjunction with § 7 UWG). Urgent campaign-related communications may take place on a contractual basis (Art. 6(1)(b) GDPR), provided telephone availability has been agreed.
§ 13 Cookies and Technical Storage
Our platform uses exclusively technically necessary cookies which, pursuant to § 25(2) No. 2 TTDSG, do not require consent. Language setting cookie: stores the language you have selected (German/English) for the duration of your visit or up to one year, in order to display the platform to you in the selected language. Session cookies: for maintaining your logged-in session. These cookies are automatically deleted after the end of the browser session. Analytical cookies, marketing cookies or tracking technologies are not used in the current beta version of the platform. Should this change in the future, we will inform you in advance and, where applicable, obtain your consent.
§ 14 Changes to this Privacy Policy
We reserve the right to adapt this Privacy Policy in the event of a changed legal situation or changes to our services. This applies in particular during the beta phase. We will inform you of material changes in good time in an appropriate form, in particular: by e-mail notification to the e-mail address stored in your account; by a clearly visible notice on the platform at your next login. Where changes concern consent-based processing, we will obtain renewed consent where necessary. The respective current version of this Privacy Policy can be viewed at any time on our platform.
§ 15 Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you are of the opinion that the processing of your data infringes the GDPR (Art. 77 GDPR). The supervisory authority responsible for us is: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart, Phone: +49 711 615541-0, E-mail: poststelle@lfdi.bwl.de, Website: [5]. We recommend that you first contact our data protection contact at privacy@imonial.com. This Privacy Policy is provided in German and English. Only the German version is legally binding for the conclusion of the contract.
Overview of legal bases
| Processing purpose | Legal basis | Retention period |
|---|---|---|
| Provision of the platform, server log files | Art. 6(1)(f) GDPR (legitimate interest) | 30 days (log files) |
| Registration and account creation | Art. 6(1)(b) GDPR (performance of a contract) | Duration of account use or until deletion |
| OAuth login (Apple, Google, Facebook, Microsoft) | Art. 6(1)(b) GDPR (performance of a contract) | Duration of account use |
| Processing of campaign material and training data (photos, videos, voice recordings) | Art. 6(1)(b) GDPR (performance of a contract); for platform functions Art. 6(1)(a) GDPR (consent) | Until end of contract or account deletion, possibly deviating per Campaign Agreement |
| Content creation (platform functions) | Art. 6(1)(a) GDPR (consent pursuant to Talent Agreement § 6) | Duration of the campaign or account use |
| Content creation (campaign-specific) | Art. 6(1)(b) GDPR; for third-country transfer possibly Art. 49(1)(a) GDPR (consent) | Duration of the campaign or until deletion |
| Campaign notifications (e-mail/push/telephone) | Art. 6(1)(b) GDPR (performance of a contract) | Duration of account use |
| Marketing communication (newsletter, offers) | Art. 6(1)(a) GDPR (consent, opt-in) | Until withdrawal |
| Telephone contact (advertising purposes) | Art. 6(1)(a) GDPR (consent) | Until withdrawal |
| Technical cookies (language setting) | § 25(2) No. 2 TTDSG (strictly necessary) | End of session or 1 year |
| Accounting and bookkeeping | Art. 6(1)(c) GDPR (legal obligation) | 10 years (§ 257 HGB) 6 years (§ 147 AO) |
| Proof of consent (IP, user agent, timestamp) | Art. 6(1)(f) GDPR (obligation to provide proof pursuant to Art. 7(1) GDPR) | 3 years after withdrawal or account deletion |
Categories of recipients
| Category | Purpose | Data protection safeguards |
|---|---|---|
| Hosting and infrastructure providers | Operation of the platform, databases, storage | DPA, processing within the EEA |
| Authentication service provider | User login, account management | DPA, DPF and/or SCCs |
| Processors (AI-assisted content creation, platform) | Content creation for platform functions | DPA, SCCs or own infrastructure |
| Service providers (AI-assisted content creation, campaign) | Content creation within the scope of campaigns | Campaign Agreement; possibly consent pursuant to Art. 49(1)(a) GDPR |
| E-mail and notification service providers | Sending of e-mails, push notifications | DPA, processing within the EEA or SCCs |
| Brands | Access to assets and campaign material (per Campaign Agreement) | Campaign Agreement |
Retention period by data category
| Data category | Retention period | Justification |
|---|---|---|
| Account data (name, e-mail, telephone, date of birth, country) | Until account deletion by the user | Performance of a contract (Art. 6(1)(b) GDPR) |
| Extended profile data (address, further information) | Until account deletion or erasure request | Performance of a contract |
| Campaign material and training data (photos, videos, voice recordings) | Until end of contract or account deletion, possibly deviating per Campaign Agreement | Performance of a contract (Art. 6(1)(b) GDPR) |
| Assets (approved content) | Per Campaign Agreement or until erasure request | Performance of a contract; iMonial retains usage rights pursuant to the Campaign Agreement |
| Server log files | 30 days | Legitimate interest (security) |
| Invoice data and business documents | 10 years from the end of the calendar year | § 257 HGB (statutory obligation) |
| Tax-relevant data | 6 years from the end of the calendar year | § 147 AO (statutory obligation) |
| Proof of consent (IP, user agent, timestamp) | 3 years after withdrawal or account deletion | Obligation to provide proof pursuant to Art. 7(1) GDPR |
References
[1] https://www.apple.com/legal/privacy/
[2] https://policies.google.com/privacy
[3] https://www.facebook.com/privacy/policy/