Privacy Policy

Last updated: 2026-06-16

This Privacy Policy explains how Pictage.ai Inc. (“we”, “us”, “our”) collects, uses, and shares personal data when you use pictage (the “Service”) at https://pictage.ai and https://pictage.com.

1. Data we collect

Information you provide:

• Email address (required for account creation)
• Name (optional)
• Profile and studio information you choose to add (display name, business name, website, social links, public bio)
• Content you submit to the Service, including photographs and images you upload, which may depict you and other identifiable individuals (such as your clients and their guests), along with related shoot, gallery, client, and project details
• Payment information (handled by Stripe; we never store full card details)

Information collected automatically:

• Log data (IP address, browser type, pages visited, timestamps)
• Usage analytics (which features you use, how often)
• Cookies and similar technologies (see our Cookie Policy at /cookies)

Information from third parties:

• Authentication provider data (if you sign in with Google, GitHub, etc.) limited to email + display name + avatar
• Stripe payment status and subscription details
• Anthropic, Google, OpenAI, and other AI or image-processing providers: when you enable or generate AI outputs, the relevant prompts, images, or derived inputs may be sent to the configured provider under commercial terms and our provider policy

2. How we use data

We use the data described above to:

• Create and manage your account
• Provide and improve the Service
• Process payments and send transactional emails (receipts, password resets, magic links)
• Respond to support requests
• Detect, prevent, and address fraud, abuse, or technical issues
• Enforce our content policy, including review or removal of content reported or flagged as full nudity, sexually explicit, exploitative, or otherwise prohibited
• Comply with legal obligations

We do NOT:

• Sell your personal data
• Share your content with other users without your consent
• Use your content to train AI models without explicit opt-in

3. Legal basis for processing (GDPR)

If you are in the European Economic Area, our legal basis for processing your data depends on the data and context:

• Contract: processing necessary to provide the Service you signed up for
• Legitimate interest: improving the Service, fraud prevention, basic analytics
• Consent: marketing emails, optional analytics cookies
• Legal obligation: tax records, responding to lawful requests

You may withdraw consent at any time without affecting prior processing.

4. Sharing data with third parties

We share data with:

• Stripe (payment processing): card details, billing address, transaction history
• Supabase (database hosting): all account + content data, encrypted at rest
• Vercel (application hosting): logs, request data
• Cloudflare (object storage and delivery): uploaded originals, derivatives, thumbnails, and related storage metadata
• Anthropic, Google, OpenAI, and similar AI providers: the inputs you submit to AI features, which for image culling, retouch, enhancement, captioning, and similar vision features may include downscaled versions of the photographs being analyzed (full-resolution originals are not sent). We do not use Your Content to train AI models. We send only the minimum needed for each task, under commercial provider terms with no-training settings. These providers may retain the inputs we send for up to 30 days for abuse monitoring, safety, security, and diagnostics before deleting them; we do not operate these providers under zero-retention terms. Where Your Content depicts your clients or other individuals, you act as the controller of that personal data and we process it as your service provider on your instructions
• Google Analytics (web analytics): pseudonymized usage data; can be disabled via cookie settings
• Service providers under contract: email delivery, error monitoring, with confidentiality obligations

We disclose data when required by law (court orders, subpoenas, government requests).

5. Data retention

• Account data: retained while your account is active and for 90 days after deletion to comply with audit and legal requirements
• Logs: retained for 30 days unless required for security investigations
• Payment records: retained for 7 years for tax compliance
• Incomplete, abandoned, duplicate, or failed uploads: may be deleted sooner to control storage cost, security risk, or system reliability
• Backups: retained per our backup schedule, max 30 days
• AI provider inputs: downscaled images, metadata, and text we send to third-party AI providers may be retained by those providers for up to 30 days for abuse monitoring, safety, and security before deletion, and are not used to train their models

You can delete your account from Settings at https://pictage.ai/dashboard/settings/danger; this triggers a hard delete of your account, content, and most associated data within 24 hours, with the exception of legally required retention as noted above.

6. Your rights

Depending on where you live you may have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Delete your data (“right to be forgotten”)
• Restrict or object to processing
• Receive your data in a portable format
• Withdraw consent
• Lodge a complaint with a supervisory authority

To exercise these rights, email support@pictage.ai. We respond within 30 days.

7. International transfers

Your data may be transferred to and processed in the United States or other countries where we or our service providers operate. We rely on Standard Contractual Clauses or equivalent safeguards for transfers from the European Economic Area.

8. Children’s privacy

The Service is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe we have collected such data, contact support@pictage.ai and we will delete it.

9. Security

We use industry-standard measures to protect your data, including:

• TLS encryption in transit
• AES-256 encryption at rest (Supabase + Stripe)
• Row-level security on database tables
• Audit logging of admin actions
• Regular security reviews

No system is perfectly secure. If you suspect a breach affecting your account, contact support@pictage.ai immediately.

10. Changes to this policy

We may update this policy periodically. Material changes will be communicated via the Service or via email at least 14 days before they take effect.

11. Contact

Questions about this policy or your data? Email support@pictage.ai.

For GDPR/UK GDPR data-protection inquiries, use the same address with subject line “Data Protection”.