Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

2. Data We Collect

2.1 Account Information

When you create an account, we collect your name, email address, and profile information provided through our authentication provider (Clerk). If you purchase a credit pack, payment information is collected and processed by Polar (polar.sh), our merchant of record; we do not store your full card details.

2.2 Uploaded Content

Product photos you upload for image generation are stored securely in Cloudflare R2 object storage. EXIF metadata is stripped from uploads before storage for your privacy. Your uploads are never used for AI model training.

2.3 Generated Images

Images generated by the Service are stored in Cloudflare R2 and associated with your account. You own your generated images and may download or delete them at any time.

2.4 Usage Data

We automatically collect technical and usage data, including IP address, browser type, operating system, pages visited, feature usage patterns, generation request metadata, and error logs. This data is used to improve the Service and diagnose issues.

2.5 WhatsApp Bot Data

If you interact with our WhatsApp bot, we collect your phone number, the product images you send, and generated output images. This data is processed through Twilio and stored in our database. You may opt out at any time by replying "STOP".

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under the GDPR:

• Contract performance: Processing necessary to provide the Service, including account management, image generation, and billing.
• Legitimate interest: Processing for service improvement, security monitoring, fraud prevention, and analytics.
• Consent: Where we rely on your consent (e.g., marketing communications), you may withdraw consent at any time.
• Legal obligation: Processing required to comply with applicable laws, such as tax and accounting regulations.

4. How We Use Your Data

• To provide, maintain, and improve the Service, including AI image generation.
• To process payments and manage credit purchases via Polar.
• To communicate with you about your account, updates, and support requests.
• To monitor and prevent fraud, abuse, and security threats.
• To analyze usage patterns and improve user experience.
• To comply with legal obligations and enforce our Terms of Service.

5. Third-Party Services

We use the following third-party services to operate ProdVue. Each processes data as described:

Polar

Payment processing (merchant of record). Polar receives your name, email address, payment card details, billing address, and transaction information, and handles all tax compliance on our behalf. See Polar's Privacy Policy.

Clerk

Authentication and user management. Clerk processes your email address, name, and authentication credentials. See Clerk's Privacy Policy.

Fal.ai

AI image generation. Your uploaded product images are sent to Fal.ai's API for processing. Images are used solely for generation and are not retained by Fal.ai for training purposes. See Fal.ai's Privacy Policy.

Cloudflare R2

Object storage for uploaded and generated images. Data is stored with encryption at rest. Access is controlled via time-limited presigned URLs. See Cloudflare's Privacy Policy.

Supabase

Database hosting. Account data, project metadata, and generation records are stored in a Supabase-hosted PostgreSQL database with encryption at rest. See Supabase's Privacy Policy.

Inngest

Job orchestration. Generation tasks are queued and processed through Inngest. Only task metadata (IDs, status, timestamps) is shared; no image data is stored by Inngest. See Inngest's Privacy Policy.

Twilio

WhatsApp messaging. If you use our WhatsApp bot, your phone number and messages are processed through Twilio's API. See Twilio's Privacy Policy.

We have Data Processing Agreements (DPAs) in place with all sub-processors listed above.

6. Data Retention

• Account data: Retained for as long as your account is active and for a reasonable period thereafter (up to 90 days) to comply with legal obligations.
• Uploaded images: Retained until you delete them or until account deletion, whichever comes first.
• Generated images: Retained until you delete them or until account deletion.
• Usage and log data: Retained for up to 12 months for analytics and troubleshooting purposes.
• Payment records: Retained as required by tax and accounting regulations (typically 7–10 years). Payment records are held by Polar.
• WhatsApp data: Phone numbers and generation records retained until you opt out or request deletion.

7. Security

We implement appropriate technical and organizational measures to protect your personal data, including: HTTPS encryption for all data in transit, encryption at rest for stored images and database records, time-limited presigned URLs for image access, and access controls limiting employee access to personal data on a need-to-know basis.

8. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

• Right of access: Request a copy of your personal data.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure: Request deletion of your personal data ("right to be forgotten").
• Right to data portability: Receive your data in a structured, commonly used, machine-readable format.
• Right to restrict processing: Request restriction of processing under certain circumstances.
• Right to object: Object to processing based on legitimate interests or for direct marketing.
• Right to withdraw consent: Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at reiswich.alexander@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

9. Your Rights (CCPA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA):

• Right to know: You may request details about the categories and specific pieces of personal information we have collected about you.
• Right to delete: You may request deletion of your personal information.
• Right to opt out of sale: We do not sell your personal information to third parties.
• Non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise your CCPA rights, contact us at reiswich.alexander@gmail.com.

10. Cookies

We use cookies and similar technologies for the following purposes:

• Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
• Analytics cookies: Used to understand how users interact with the Service and to improve functionality. These are set only with your consent.

You can manage cookie preferences through your browser settings. Note that disabling essential cookies may prevent the Service from functioning correctly.

11. International Data Transfers

Your data may be processed by third-party services located outside the European Economic Area (EEA), including in the United States. When data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with an adequacy decision. Data is stored on Cloudflare R2's global network with automatic placement. EU data residency is available upon request.

12. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at reiswich.alexander@gmail.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For material changes, we will provide notice via email or in-app notification. We encourage you to review this page periodically.

14. Contact

For any questions about this Privacy Policy or to exercise your data rights, contact us at: