Privacy policy
Last updated June 2026
WheelOwl is software for pottery studios, operated by ByteZoo Labs UG (haftungsbeschränkt). This privacy policy explains what personal data we process when you visit our website or use the app — and what rights you have.
Data controller
ByteZoo Labs UG (haftungsbeschränkt), Domenica-Niehoff-Twiete 2, 22765 Hamburg, Germany. Managing director: Kai Granaß. For all privacy requests, reach us at wheelowl@bytezoolabs.com.
Our role for studio data
For data a studio enters about its members in WheelOwl (e.g. names, visits, firing charges), that studio is the data controller — we process this data on its behalf as a processor. For your user account and the website waitlist, we are the controller ourselves.
What we collect
We only process the data needed to run WheelOwl:
- Waitlist: if you sign up on the website, we store your email address, language preference, and which form you used. To prove your consent (GDPR Art. 7(1)), we also log the time and IP address of your signup and — after you confirm via the email link — the time and IP address of that confirmation. We only contact you after confirmation. Unconfirmed entries are deleted after 30 days.
- User account: email address, password (stored encrypted by our auth provider), name, and language preference.
- Studio data: what your studio enters in the app — member profiles (name, email, phone), plans, check-in times, firings with pieces and firing charges, monthly statements, plus guest and order data for the firing service.
- Technical: session cookies for login, a cookie for your language choice, and server logs (e.g. IP address) for security and troubleshooting. We do not use third-party analytics or advertising trackers.
Legal bases
We process data only on the following GDPR legal bases:
- Performance of contract (Art. 6(1)(b) GDPR): user-account and studio data needed to provide WheelOwl.
- Consent (Art. 6(1)(a) GDPR): the waitlist and the AI features. You can withdraw consent at any time with effect for the future.
- Legitimate interest (Art. 6(1)(f) GDPR): server logs for the secure and reliable operation of the service and to defend against attacks.
We make no automated decisions within the meaning of Art. 22 GDPR. Suggestions from the optional AI features are advisory and always reviewed by a person.
Who processes your data
We only share data with providers we need to run the service:
- Supabase — database, login, and file storage. The infrastructure is located in the EU (Frankfurt).
- Cloudflare — hosting and delivery of the application.
- Resend — sends transactional emails, e.g. “firing finished” notifications, booking confirmations, and monthly statements.
- Anthropic — only if your studio has explicitly enabled the AI features (off by default). The content needed for the feature (e.g. CSV columns or photos) is then sent to Anthropic for processing.
We never sell data and never share it for advertising.
Data transfers to third countries
Some of our providers are US companies. We safeguard transfers to the USA as follows:
- Cloudflare and Resend are certified under the EU-US Data Privacy Framework (adequacy decision, Art. 45 GDPR); Standard Contractual Clauses apply in addition. Resend dispatches our emails from EU infrastructure (Ireland) but stores service data in the USA.
- Supabase and Anthropic (only when the AI features are enabled) rely on the EU Standard Contractual Clauses (Art. 46 GDPR). Supabase's infrastructure is in the EU (Frankfurt); the clauses cover any access from outside.
How long we keep your data
Data is stored for as long as the account or studio is active. When a member is removed, we delete or overwrite their name, email address, phone number, and profile-picture link, and disconnect the login. Billing records of firings that were already charged and the recipient address of notifications that were already sent remain stored as immutable records (billing and statutory retention). When a studio is deleted, the studio profile and all members are cleaned up the same way.
Your rights
Under the GDPR you have the right to access, rectification, erasure, restriction of processing, data portability, and objection; you can withdraw any consent at any time with effect for the future. Much of this works directly in the app:
- Data export: members download their own data as a CSV in their settings; studio admins can export an individual member's data.
- Erasure of member data: studio admins remove members from the members page — personal details are cleaned up as described above.
- Account and studio deletion: you can delete your user account in the account settings; studio admins can delete the entire studio in the studio settings.
You can also lodge a complaint with a data protection supervisory authority, e.g. the Hamburg Commissioner for Data Protection and Freedom of Information.
Contact
Questions about privacy or your rights? Email us at wheelowl@bytezoolabs.com.