Privacy Policy
Last updated: February 27, 2026
1. Data Controller
The data controller responsible for your personal data is [TODO: COMPANY_DATA].
Contact email: contact@productshot.pro
2. Data We Collect
- Account data: email address, first name, last name, password (or Google OAuth identifier).
- Generated content: product descriptions, source images you upload, and AI-generated images.
- Payment data: processed entirely by Stripe. We do not store your card details, only the Stripe Customer ID and transaction records (amount, date, credit pack).
- Usage data: credit balance, generation history, preferences (default provider, default style).
- Technical data: IP address, browser type, and timestamps for security, rate limiting, and error monitoring.
3. Legal Basis for Processing (GDPR Art. 6)
| Legal basis | Purpose |
|---|---|
| Contract performance (Art. 6(1)(b)) | Account management, image generation, credit transactions, email verification, password reset. |
| Legitimate interest (Art. 6(1)(f)) | Security measures, fraud prevention, rate limiting, error monitoring (Sentry), service improvement. |
| Consent (Art. 6(1)(a)) | Optional marketing communications (if introduced in the future). You may withdraw consent at any time. |
| Legal obligation (Art. 6(1)(c)) | Retention of transaction records for tax and accounting purposes under Polish law. |
4. Third-Party Processors
| Processor | Location | Purpose | Data shared |
|---|---|---|---|
| Stripe Inc. | Ireland / USA | Payment processing | Email, payment details |
| OpenAI Inc. | USA | AI image generation | Text prompts, source images (no personal data) |
| Stability AI | UK | AI image generation (Flux Pro) | Text prompts, source images (no personal data) |
| Cloudflare Inc. | USA | R2 object storage, CDN | Generated images, uploaded source images |
| Resend Inc. | USA | Transactional email delivery | Email address, first name (for verification, password reset, purchase confirmation emails) |
| Plausible Analytics | EU | Privacy-friendly website analytics | Aggregated page views only. No cookies, no personal data, no tracking. |
| Sentry | USA | Error monitoring | Error logs, IP addresses (scrubbed where possible) |
5. International Data Transfers
Some of our processors are based in the USA (OpenAI, Cloudflare, Resend, Sentry) or the UK (Stability AI). We ensure adequate protection through:
- EU-US Data Privacy Framework — for processors certified under the DPF (Stripe, Cloudflare).
- Standard Contractual Clauses (SCCs) — for processors not covered by adequacy decisions (OpenAI, Resend, Sentry).
- UK adequacy decision — the EU has recognized the UK as providing adequate data protection.
6. Data Retention
- Account data: retained while your account is active. Deleted within 30 days of an account deletion request.
- Generated images: retained while your account is active. You can delete individual images from your gallery at any time.
- Transaction records: retained for 5 years as required by Polish tax law (Ordynacja podatkowa).
- Error logs (Sentry): retained for 90 days.
- Anonymization: in some cases, we may anonymize your personal data rather than delete it, where we have a legitimate need to retain non-identifiable statistical data for service improvement. Anonymized data cannot be linked back to you and is no longer considered personal data under GDPR.
7. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access your personal data (Art. 15).
- Rectify inaccurate data (Art. 16).
- Erase your data — "right to be forgotten" (Art. 17).
- Restrict processing (Art. 18).
- Receive your data in a machine-readable format (data portability, Art. 20).
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent at any time where processing is based on consent (Art. 7(3)).
To exercise any of these rights, contact us at contact@productshot.pro. We will respond within 30 days.
You also have the right to lodge a complaint with the Polish supervisory authority:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa
https://uodo.gov.pl
8. Children
The Service is not intended for persons under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
9. Cookies & Local Storage
ProductShot does not use tracking cookies. We use browser localStorage for essential functionality only:
- Authentication token — essential for login sessions.
- Theme preference — user convenience.
Plausible Analytics, our analytics provider, does not use cookies and does not collect personal data.
For more details, see our Cookie Policy.
10. Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption, access controls, and security monitoring. Despite these measures, no system is 100% secure. If you discover a vulnerability, please contact us at contact@productshot.pro.
We are not responsible for data breaches, security incidents, or unauthorized access that occur within the systems of our third-party processors (Stripe, OpenAI, Stability AI, Cloudflare, Resend, Sentry). Each processor is independently responsible for the security of data within their systems, subject to their own security policies and data processing agreements.
11. Data Accuracy
You are responsible for ensuring that the personal data you provide is accurate and up to date. We are not liable for issues arising from inaccurate data provided by you.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email at least 14 days before they take effect.
13. Contact
Questions about this Privacy Policy? Contact us at contact@productshot.pro.