Privacy Policy

Last updated: May 27, 2026

1. Data collected

We only collect strictly necessary data:

  • Email (for digital delivery + notifications)
  • Postal address (only for canvas orders)
  • Source photo of the child (only for portrait generation)
  • Order metadata (chosen style, amount)

2. Photo storage and security

  • All photos are encrypted at rest on Supabase Storage (AES-256)
  • Access URLs are signed and temporary
  • Source photos are automatically deleted 30 days after the order
  • No photo is sold or shared with third parties

3. GDPR Compliance

In accordance with GDPR (General Data Protection Regulation):

  • Right of access: you can request to see your data at any time
  • Right to erasure: immediate deletion on request
  • Right to portability: data export in JSON
  • Right to rectification: modification of your data

To exercise these rights: contact@example.com

4. Cookies

We use strictly necessary cookies (checkout session) and analytics cookies (Vercel Analytics, Meta Pixel, Google Analytics). You can refuse them via your browser.

5. Subcontractors

  • Stripe (payment) — USA, PCI-DSS compliant
  • Supabase (storage) — EU
  • Replicate / Black Forest Labs (AI generation) — USA, SOC 2 compliant
  • Gelato (POD printing) — EU/Worldwide
  • Resend (emails) — USA
  • Vercel (hosting) — Worldwide

6. Contact

For any question: contact@example.com

Data controller: [Company name], [Address]