This policy explains which personal data carstudio.tech processes, why we process it, and on which legal basis.
The Service is operated by a private individual during the early access stage. Data controller: {{DATA_CONTROLLER}}. Contact email: {{SUPPORT_EMAIL}}.
1. Data We Collect
We only process data required to provide and secure the car photo enhancement service.
- Account data: name, user ID, organization, access role.
- Birth date (day and month, optional): for personalized birthday greetings.
- Contact data: email address and support communication.
- Billing/payment metadata: subscription status, invoice/payment IDs from the payment provider (no full card details stored by us).
- Technical data: IP address, user-agent, login events, technical and security logs.
- Cookies and similar identifiers: session cookies, locale cookie, consent cookie, analytics identifiers (with consent).
- User content: uploaded car photos, masks, image metadata, generated/processed output images.
2. Purposes and Legal Bases (GDPR Art. 6)
We process data for the following purposes and legal bases:
- Service delivery and contract performance (Art. 6(1)(b)): account management, generation workflows, session history.
- Legal obligations (Art. 6(1)(c)): accounting/tax records and responses to lawful authority requests.
- Legitimate interests (Art. 6(1)(f)): abuse prevention, platform security, troubleshooting, fraud prevention.
- Consent (Art. 6(1)(a)): analytics and marketing cookies, where applicable.
3. Data Retention Periods
Retention depends on the data category and the processing purpose:
- Account/profile data: while the account is active and up to 30 days after deletion for technical closure.
- Uploaded and generated media: until user deletion or for the subscription duration plus the archive window {{RETENTION_MEDIA_PERIOD}}.
- Security/technical logs: typically 30–180 days depending on log type.
- Support records: up to {{RETENTION_SUPPORT_PERIOD}} for quality control and dispute resolution.
- Billing/accounting records: as required by applicable law in {{COUNTRY}}.
- TODO: Confirm exact statutory retention periods with local counsel/accounting team.
4. Recipients and Processors
We may share data with processors strictly as needed to provide the service.
- Supabase (authentication, database, and API infrastructure).
- Cloudflare R2 (object storage for uploads and generated assets).
- {{PROCESSORS_LIST}} (analytics, payment provider, email/support systems).
- Public authorities when disclosure is legally required.
- TODO: Add the final processor list and links to each DPA/Privacy Terms.
5. International Data Transfers
Data may be processed outside the user’s country where required by chosen providers.
If data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCC).
TODO: Document concrete transfer destinations and safeguards for each provider in {{PROCESSORS_LIST}}.
6. Account Deletion and Data Erasure Procedure
Account deletion can be requested via {{SUPPORT_EMAIL}} or through account settings (when available).
Deletion requests are completed within {{ACCOUNT_DELETION_PERIOD}} unless a longer retention period is legally required.
- Deleted in full: profile data, active sessions, and user-accessible generated artifacts where no legal hold exists.
- Retained where legally required: accounting/tax records, minimal security logs, and dispute-related records for statutory periods.
- TODO: Confirm exact deletion SLA and retention carve-outs with legal counsel.
7. Your GDPR Rights
You may exercise the following rights:
- Right of access.
- Right to rectification.
- Right to erasure.
- Right to restriction of processing.
- Right to data portability.
- Right to object (where processing relies on legitimate interests).
- Right to withdraw consent at any time (for consent-based processing).
- Right to lodge a complaint with a supervisory authority.
8. Security Measures
We use technical and organizational measures such as access controls, encrypted transport, logging, and least-privilege principles.
No system is absolutely secure, but we continuously improve our safeguards.
9. Privacy Contact
Support email: {{SUPPORT_EMAIL}}.
DPO/Privacy contact: {{DPO_CONTACT}}.
Postal address: {{LEGAL_ADDRESS}}.
For rights requests, please include your account email and request details so we can verify your identity.