Privacy.
Last updated: 2 June 2026
How we process personal data: short, complete, within the scope of GDPR.
Controller
The party responsible for the processing of personal data is:
Saizew Kapital UG (haftungsbeschränkt)
Grenzstraße 45, 26382 Wilhelmshaven, Germany
Email: [email protected]
What data we process
We process the following types of data:
- Account data: name, email, password hash, profile picture.
- Organization data: name, slug, logo, members.
- Channel and broadcast data: title, description, roster, session history.
- Audio streams: live transmission in real time.
- Session recordings: when recording is enabled, we store the mixed audio of the active speakers (host, co-hosts, guest speakers, OBS input) of a live session as an audio file. Listen-only participants send no audio and are not part of the recording.
- Connection data: IP address and user agent are processed when the site is accessed in order to deliver the application, to mitigate abuse and to ensure stream quality. They are not joined into profiles and are not retained for tracking purposes.
Legal basis
We process data on the following legal bases under GDPR:
- Art. 6 (1)(b) GDPR - performance of contract (providing the studio).
- Art. 6 (1)(f) GDPR - legitimate interest (security, abuse prevention, log files).
- Art. 6 (1)(a) GDPR - consent (where explicit consent is required).
- Art. 6 (1)(c) GDPR - legal obligations (e.g. accounting).
Retention
We retain account data for as long as your account exists. After deletion of your account, personal data is removed within 30 days unless statutory retention obligations apply.
Session recordings remain stored until an org admin deletes them. When the associated organization is deleted, its recordings are removed with it.
Recipients of the data
We share data with carefully selected processors that support us in operating the service. Hosting of the application, the database, real-time transmission and file storage take place exclusively on servers within the European Union.
- Server infrastructure: netcup GmbH, Germany.
- Protection and delivery: Cloudflare as an upstream protection and delivery service.
- Analytics: operated on our own infrastructure, no transfer to third parties (details on /legal/cookies).
- Transactional email: operated on our own infrastructure within the EU (e.g. login, invites). No transfer to external email providers.
- Payment processing: Stripe Payments Europe Ltd, 1 Grand Canal Street Lower, Dublin, Ireland. Processed data includes name, billing/shipping address, email, VAT ID where applicable, and the data required for the payment (e.g. card number, IBAN). Legal basis: Art. 6 (1)(b) GDPR. Transfers to Stripe Inc. (USA) take place on the basis of EU Standard Contractual Clauses and under the EU-US Data Privacy Framework.
- AI Add-Ons (optional, opt-in per organization, "Wallet" mode): OpenAI Ireland Limited, 1st Floor, The Liffey Trust Centre, 117–126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland. Processed data: audio of active speakers (host, co-hosts, guest speakers), either in real time during the stream or afterwards from a stored session recording, for transcription, translation, subtitling and translated voice-over (voice). The voice-over uses a generic, synthetic voice; the speakers' own voices are not cloned (no voice cloning). Listen-only participants (listeners) send no audio technically and are not subject to processing. Legal basis: Art. 6 (1)(b) GDPR (contract performance towards the organization activating AI Add-Ons) and consent of the affected speakers (Art. 6 (1)(a) GDPR), which the stream host must obtain. A Data Processing Addendum (DPA) is in place with OpenAI, including EU Standard Contractual Clauses (Module 2: Controller-to-Processor, EU Commission version of 4 June 2021). Any onward transfer to OpenAI OpCo, LLC (1455 3rd Street, San Francisco, CA 94158, USA) takes place exclusively on the basis of those SCCs. Current sub-processor list: platform.openai.com/subprocessors. OpenAI Data Protection Officer: [email protected]. Retention: per OpenAI API policy, inputs are not used for model training by default and are retained for at most 30 days for abuse monitoring. "BYOK" mode (the organization's own OpenAI key): OpenBooth acts only as a technical relay. The organization itself is the controller, processing under its own contract with OpenAI; our DPA and the sub-processor setup above do not apply in BYOK mode.
Data processing agreements under Art. 28 GDPR are in place with all processors.
Transfers to third countries
Where data is transferred to third countries, this only happens on the basis of EU Standard Contractual Clauses or an adequacy decision of the EU Commission.
Your rights
You have the following rights:
- Access to your data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16)
- Erasure (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Objection (Art. 21)
- Withdrawal of given consent (Art. 7 (3))
- Complaint to a supervisory authority (Art. 77), e.g. BlnBDI in Berlin.
To exercise your rights, contact [email protected].
Cookies and local storage
We use only technically necessary cookies and local storage entries for login sessions, language and UI preferences. No marketing cookies, no advertising trackers and no third-party analytics tools are used. Details on /legal/cookies.
Data security
Connections to the studio are TLS-encrypted end to end. Passwords are stored as hashes. We use measures appropriate to the state of the art to protect your data against loss, manipulation and unauthorized access.
Session recordings are stored on servers in Germany and are accessible only to authorized org members (the host of the respective channel and org admins) over access-controlled, TLS-encrypted connections. The audio files are not additionally encrypted at rest.
Help assistant (AI chatbot)
In short: the assistant only helps with using the platform, does not store your inputs and does not analyze anything.
On our public pages we offer an AI-powered help assistant that answers questions about using OpenBooth based on our help and legal pages.
The question you enter is sent to the AI service provider listed above under "Recipients" in order to generate the answer. The same contractual safeguards (data processing agreement incl. EU standard contractual clauses) apply as for the AI add-ons. Per that provider's API policy, content is not used for training and is retained for at most 30 days for abuse detection.
We do not store your inputs or the answers in our database, we do not analyze the content and we do not build profiles. For abuse prevention we only process short-lived, content-free request counters per IP address.
The legal basis is our legitimate interest in providing a functioning help service (Art. 6(1)(f) GDPR) and your consent through your active use of the assistant (Art. 6(1)(a) GDPR).
Please do not enter any personal data in the chat. Legal information given by the assistant is general information and not legal advice; the relevant legal texts on these pages prevail.