Privacy Policy

The controller responsible for data processing under the General Data Protection Regulation (GDPR) is PicturaLabs, Email: support@picturalabs.com.

We take the protection of your personal data very seriously. This Privacy Policy explains how we collect, process, and protect personal data when you access or use www.picturalabs.com and related services (the "Service"). Personal data refers to any information that can be used to identify you directly or indirectly, such as your name or email address. Information that does not identify you is considered non-personal data, and where personal and non-personal data are combined, such data will be treated as personal data. This Privacy Policy applies only to services operated by PicturaLabs; third-party services that we integrate with are governed by their own privacy policies.

We process personal data on the following legal bases under the GDPR: Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(c) GDPR (compliance with legal obligations), Art. 6(1)(f) GDPR (legitimate interests, e.g. security, service stability, abuse prevention), and Art. 6(1)(a) GDPR (consent, where explicitly required).

Depending on how you use the Service, we may process account and contact information (e.g. email address), authentication and account-related data, user-submitted content, prompts and generated images, technical and log data (e.g. IP address, browser and device information), and payment and transaction data (processed exclusively by Paddle).

Our website and Service are hosted by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA. Vercel processes technical data such as IP addresses, access logs, and system metadata to ensure the secure and reliable operation of the Service, and data is processed on servers located in the United States (US East region). Data transfers to the United States are safeguarded through Vercel's participation in the EU-US Data Privacy Framework and, where applicable, Standard Contractual Clauses (SCCs).

We use Supabase Inc. as a backend service provider for user authentication, database management, and data storage. When you create an account, we process personal data such as your email address, authentication credentials, and account-related metadata, and Supabase processes personal data solely on our instructions as a data processor under Art. 28 GDPR. Depending on configuration, data may be processed within or outside the European Union, and any international transfers are protected by appropriate safeguards, including SCCs.

To provide AI-powered image generation, we use third-party AI infrastructure providers. Prompts, uploaded content, and technical request data are processed temporarily to generate the requested images, and user content and generated images are not used to train, fine-tune, or improve general-purpose artificial intelligence models. Data is processed strictly for the purpose of providing the Service, ensuring security, preventing abuse, and complying with legal obligations.

Payments are processed by Paddle, which acts as the Merchant of Record (MoR). When you purchase a subscription, Paddle processes payment-related data such as billing details and transaction information, and PicturaLabs does not store or process payment card information. Paddle acts as an independent controller for payment processing under applicable data protection laws.

We share personal data only where necessary to operate and provide the Service, including with hosting providers, infrastructure and AI service providers, and payment processors, all of whom are bound by contractual data protection obligations. We may also disclose personal data where required by law or legal process, or to protect the rights, safety, or security of PicturaLabs, our users, or the Service. We do not sell personal data.

Where personal data is transferred outside the European Union or European Economic Area, we ensure appropriate safeguards are in place, including participation in the EU-US Data Privacy Framework and the use of Standard Contractual Clauses (SCCs) approved by the European Commission.

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable law. Account data is retained for the duration of your account and deleted or anonymized after account termination, unless statutory retention obligations apply.

You have the following rights under the GDPR: right of access (Art. 15 GDPR), right to rectification (Art. 16 GDPR), right to erasure (Art. 17 GDPR), right to restriction of processing (Art. 18 GDPR), right to data portability (Art. 20 GDPR), and right to object to processing (Art. 21 GDPR). You also have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence or place of work. Requests may be submitted to: support@picturalabs.com.

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or disclosure. In the event of a personal data breach, we will notify affected users and relevant authorities where required by applicable law.

We may update this Privacy Policy from time to time to reflect changes in legal requirements or our Service. The most current version will always be available on the Site, and the effective date will be updated accordingly.