INVEST.IN.TEK GmbH – Privacy Policy (Sam’s AI Poster)
Last updated: January 2026
This Privacy Policy explains how INVEST.IN.TEK GmbH (“INVEST.IN.TEK”, “we”, “us”) processes personal data when you use Sam’s AI Poster (the “Service”). The Service is offered globally. If you are located in the EU/EEA, Germany, the UK, Switzerland, or other jurisdictions with data protection laws, additional rights and rules may apply as described below.
This Policy should be read together with our Terms and Conditions and (for business users) our Data Processing Addendum (DPA).
1) Controller and contact
Controller: INVEST.IN.TEK GmbH
Address: Ludwig-Erhard-Straße 18, 20459 Hamburg, Germany
Commercial register: Amtsgericht Hamburg, HRB 173191
Managing Director(s): AmirSaman Vakili
Email: contact@investintek.com
Support: support@samsaiposter.com
Full provider information is available in our Impressum/Legal Notice (/impressum).
2) Scope
This Policy covers processing of personal data in connection with:
- our websites and dashboard;
- account creation and administration;
- billing and payments;
- support communications;
- operation of the Service (including logs and security);
- integrations (e.g., Telegram) and webhooks; and
- optional AI features (LLM-based generation).
3) Definitions
- Personal data: information relating to an identified or identifiable natural person.
- Customer Content: data and materials you provide or connect to the Service (links, files, prompts, instructions, channel identifiers, etc.).
- Output: AI-generated content produced from Customer Content.
- Third-Party Services: services not operated by us (e.g., Telegram and AI/LLM providers).
4) What data we process
A) Account and profile data: name, email address, password hash (not plaintext), account settings, organization name (optional), role/permissions.
B) Billing and transaction data: billing address, VAT ID (optional), invoice data, subscription status, payment metadata. Payment cards are processed by Stripe; we do not store full card numbers.
C) Service usage and technical data: IP address, device/browser information, timestamps, pages/features used, diagnostic data, rate-limit events, security logs, and audit logs.
D) Integrations and credentials: channel identifiers (e.g., Telegram channel ID), bot tokens, webhook URLs you configure, and (optionally) API keys for AI providers. Secrets are stored using encryption and access controls.
E) Customer Content and Outputs: prompts, links, uploaded files/documents, scheduling instructions, and generated Outputs. Customer Content may contain personal data if you include it.
F) Support and communications: support messages, attachments, and troubleshooting information you send us.
5) Purposes and legal bases (EEA/UK where applicable)
Where GDPR/UK GDPR applies, we process personal data under:
- Contract performance (Art. 6(1)(b) GDPR): providing the Service, managing accounts, delivering Outputs, operating integrations.
- Legal obligations (Art. 6(1)(c)): accounting, tax, compliance.
- Legitimate interests (Art. 6(1)(f)): security, fraud prevention, abuse detection, service improvement, enforcing Terms.
- Consent (Art. 6(1)(a)): for non-essential cookies/trackers and certain marketing communications where required.
Where consent is required, you can withdraw it at any time.
6) Controller vs processor
- For account administration, billing, security, and support, we act as controller.
- For Customer Content you submit and process via the Service (which may contain personal data), you are typically the controller and we act as processor on your instructions. Business users can execute the DPA (/dpa).
7) AI/LLM processing
If you enable AI features, necessary prompts/excerpts from Customer Content may be sent to AI/LLM providers to generate Outputs.
Location and transfers: AI/LLM providers may process data outside the EU/EEA depending on provider and configuration. Where required, we rely on safeguards such as EU Standard Contractual Clauses (SCCs).
User vs platform keys: If you supply your own API keys, you choose the provider and configuration and are responsible for that choice. If you use platform-managed keys, we route to supported providers listed in the Service (e.g., OpenAI, Google Gemini, Anthropic, xAI/Grok) and apply appropriate safeguards where required.
Sensitive data: Do not include special-category/sensitive data unless you have a lawful basis and appropriate safeguards.
8) Hosting and data location
Hosting/app delivery: Vercel Inc. Database and file storage: Supabase (EU region). Email: Google Workspace (EU). Payments: Stripe. No analytics and no third-party support tool are used.
9) Recipients and subprocessors
Personal data may be shared with:
- Vercel (hosting/app delivery);
- Supabase EU (database/file storage);
- Stripe (payments);
- Google Workspace EU (email);
- AI/LLM providers (only when AI features are enabled; provider depends on your key choice or platform-managed routing);
- Authorities/legal advisors where required by law or to protect rights.
10) Cookies and similar technologies
We use cookies for essential functionality (login/session, security) and preferences. If non-essential cookies are introduced, we will request consent and allow preference management via the cookie banner.
Session cookies: When you log in, we set a session cookie to maintain your authentication. By default, this cookie expires after 1 day (24 hours). If you check "Remember me" during login, the session cookie will be extended to 30 days. Session cookies are essential for the Service to function and do not require consent under the GDPR/ePrivacy Directive. You can end your session at any time by logging out, which immediately invalidates the session cookie.
Google Analytics (GA4)
We use Google Analytics (GA4) via analytics.google.com to measure usage of the marketing site and the logged-in app, and only after you give consent.
- Service / Provider: Google Analytics (GA4); Google Ireland Limited (EU), Google LLC (USA).
- Purpose: website usage analysis, performance measurement, and product/service improvement.
- Legal basis: Consent (GDPR Art. 6(1)(a)). Analytics is blocked by default and loads only after you accept cookies/analytics.
- Data processed (examples): truncated IP handling, device/browser information, pages visited, referrer, approximate location, event data.
- Identifiers and retention: GA4 uses first-party cookies/identifiers with limited retention controlled in Google Analytics. We do not combine GA data with personal profiles in the app.
- Transfers: Data may be processed in the USA by Google LLC. Google relies on EU Standard Contractual Clauses; we apply Consent Mode to reduce identifiers until you grant consent.
- Control: You can grant or withdraw consent at any time via the cookie banner or the “Cookie settings” control in the app footer. Withdrawal stops further analytics events (Consent Mode updated to “denied”).
- Opt-out: Use the on-site cookie settings to disable analytics. You may also use Google’s general opt-out options (e.g., https://tools.google.com/dlpage/gaoptout) and browser controls.
11) Retention
- Customer Content: retained while the account is active; deleted within 30 days after account termination unless you delete earlier.
- Outputs: retained with the account; deleted within 30 days after account termination unless you delete earlier.
- Security logs: 90 days.
- Backups: 35 days rolling retention.
- Billing records and invoices are retained for 8 years (or longer if required in specific cases by applicable law).
12) Security
We use technical and organizational measures such as encryption in transit, encrypted storage for secrets, access controls, monitoring, and least-privilege access. No system is 100% secure; protect your credentials and configure integrations safely.
13) Your rights (EEA/UK and similar regimes)
Where GDPR/UK GDPR applies, you may have rights to access, rectification, deletion, restriction, portability, and to object to certain processing (including marketing). Where processing is based on consent, you can withdraw it at any time. You may lodge a complaint with a supervisory authority.
To exercise rights, contact support@samsaiposter.com. If we act as processor for your Customer Content, we may direct requests to you (the controller) or act per your instructions under the DPA.
14) International users
If you use the Service outside the EU/EEA/UK, local laws may grant additional rights. We respond to verified requests as required by applicable law.
15) Children
The Service is not intended for anyone under 18, and we do not knowingly collect personal data from children.
16) Automated decision-making
We do not use automated decision-making producing legal or similarly significant effects based solely on automated processing. AI Outputs require your review and decision before publication.
17) Changes to this Policy
We may update this Policy to reflect changes in the Service or legal requirements. The “Last updated” date will be updated accordingly.
18) Contact
Privacy questions and requests: support@samsaiposter.com
