Privacy Policy
Last updated: February 11, 2026
1. Introduction
This Privacy Policy explains how MageXo s.r.o., operating the PhotoneAI platform at photoneai.com, collects, uses, stores, shares, and protects your personal data when you use our AI-powered product photography service.
This policy applies to all users of PhotoneAI, whether you access the service as a registered user, a guest, or a visitor to our website. It covers our obligations under the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.
By using PhotoneAI, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our service.
2. Data Controller
The data controller responsible for your personal data is:
MageXo s.r.o. Prosecká 855/68 190 00 Praha 9 Czech Republic
IČ (Registration Number): 24771406 Email: info@photoneai.com
We have not appointed a Data Protection Officer (DPO) as our processing activities do not require one under Article 37 of the GDPR. For any data protection inquiries, please contact us at the email address above.
3. Information We Collect
| Data Category | Examples | When Collected | Retention |
|---|---|---|---|
| Account Data | Email address, full name, password (stored as bcrypt/Argon2 hash), avatar URL | At registration | Until account deletion |
| Payment Data | Stripe customer ID, subscription ID, plan type, subscription status. We do not store credit card numbers -- Stripe handles all payment card data under PCI DSS Level 1 compliance. | When you subscribe or purchase credits | Until account deletion |
| Product Data | Product URLs, uploaded product images (JPEG/PNG/WebP, max 10 MB), product name, description, attributes (dimensions, weight, color, material, brand, SKU, category) | When you create a generation job | 30 days (auto-deleted) |
| Generated Content | AI-generated lifestyle images (stored in private cloud storage with signed URLs), user-created Styles (mood, color palette, photography style, lighting, composition, target audience, reference images), Scenes (visual configurations with mood, lighting, background, emotional target) | When you generate images or create Styles/Scenes | Generated images: 30 days. Styles and Scenes: until you delete them. |
| Shop Analysis Data | Homepage screenshots, brand identity, product categories, buyer personas, price positioning, cultural context, product images, navigation structure, logos. Includes consent_given_at timestamp and consent_ip. | When you submit a website URL for brand analysis | Until you delete the analysis |
| Guest Session Data | Anonymous session token (UUID stored in localStorage), generation count, domain rate limits | When you use the service without an account | 30 days. If you create an account, the session is linked to your new account. |
| Credit Transaction Data | Credit purchases, generation costs, refunds, bonuses -- with amounts, reference IDs, balance snapshots, descriptions (may include product URLs) | When credit-related events occur | 7 years (Czech accounting obligation) |
| AI Interaction Logs | AI provider, model name, operation type, token counts, estimated cost, request summary (first 50 characters), duration, success/failure status, error messages | During every AI API call | Indefinite (admin-only access, operational purposes) |
| Contact Form Data | Name, email, company, website, use cases, volume, message | When you submit a trial request or contact form | Duration of business relationship |
| Technical/Analytics Data | Vercel Analytics: cookieless, anonymous, aggregated page views and performance metrics -- no personal identifiers, no fingerprinting. Google Analytics 4: page views, scroll depth, button clicks, session duration, device/browser type, geographic region (country-level) -- collected only after explicit consent; IP anonymization enabled by default. hCaptcha tokens: processed by hCaptcha, not stored by us. | During website usage | Aggregated metrics retained by Vercel per their policy. GA4 data retained for 14 months. hCaptcha tokens are ephemeral. |
4. Legal Bases for Processing (GDPR Article 6)
| Processing Activity | Legal Basis | Explanation |
|---|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) | Necessary to provide you with access to the service you signed up for |
| Image generation and delivery | Contract performance (Art. 6(1)(b)) | Core service functionality you request when creating a job |
| Payment processing via Stripe | Contract performance (Art. 6(1)(b)) | Necessary to fulfill paid subscription and credit purchases |
| Credit tracking and balance management | Contract performance (Art. 6(1)(b)) | Necessary to manage the credit system that governs service usage |
| Email notifications (verification, password reset, job completion) | Contract performance (Art. 6(1)(b)) | Necessary transactional communications for service operation |
| Style and Scene management | Contract performance (Art. 6(1)(b)) | User-initiated features integral to the service |
| Shop/brand analysis | Contract performance (Art. 6(1)(b)) | Performed at your explicit request as part of the service |
| Guest session tracking | Legitimate interest (Art. 6(1)(f)) | Service delivery and enforcement of free-tier limits; minimal data collected |
| Rate limiting and anti-abuse measures | Legitimate interest (Art. 6(1)(f)) | Protecting the service and all users from abuse and unauthorized access |
| Anonymous analytics (Vercel) | Legitimate interest (Art. 6(1)(f)) | Understanding aggregate usage patterns to improve the service; no personal data processed |
| Analytics cookies (Google Analytics 4) | Consent (Art. 6(1)(a)) | Placed only after you explicitly accept analytics cookies via our consent banner. You can withdraw consent at any time by clearing your browser's site data. |
| hCaptcha bot detection | Legitimate interest (Art. 6(1)(f)) | Protecting authentication endpoints from automated attacks |
| AI interaction logging | Legitimate interest (Art. 6(1)(f)) | Operational monitoring, debugging, and cost management |
| Credit transaction records (7-year retention) | Legal obligation (Art. 6(1)(c)) | Required by Czech accounting law (Act No. 563/1991 Coll.) |
5. How We Use Your Data
We use your personal data for the following purposes:
- Provide, maintain, and improve the PhotoneAI service, including account management, authentication, and feature development
- Process your product images and URLs to generate AI-powered lifestyle marketing photos
- Analyze submitted e-commerce websites for brand style extraction when you use the Shop Analysis feature
- Create and manage your photography Styles and Scenes, storing your creative preferences for reuse across generation jobs
- Process payments and manage subscriptions via Stripe, including plan upgrades, downgrades, and cancellations
- Track credit usage and transaction history, maintaining accurate records of credit purchases, deductions, refunds, and bonuses
- Send transactional emails: account verification, password resets, and generation result notifications with image previews
- Detect and prevent abuse, fraud, and unauthorized access, including rate limiting, bot detection, and monitoring for suspicious activity
- Monitor service performance and API costs, ensuring reliability and managing our infrastructure efficiently
- Respond to support requests and contact form submissions in a timely manner
- Comply with legal obligations, including tax record retention and responding to lawful requests from authorities
6. AI Processing
When you use PhotoneAI, your data is processed by third-party AI models to generate images and analyze content. This section explains what data is involved and how it is handled.
Data Sent to Google Gemini API
- Product images (compressed to a maximum of 2048px on the longest side)
- Product names, descriptions, and physical attributes (dimensions, weight, color, material, brand, SKU, category)
- Website screenshots and brand analysis data (when you use the Shop Analysis feature)
- Style reference images (up to 2 per generation)
- AI-generated prompts describing the desired photographic output
- Regeneration feedback (if you request modifications to a previous result)
Data Returned by Google
- AI-generated lifestyle images based on your product and style inputs
- Structured product analysis (name, description, attributes, target group)
- Brand identity analysis (colors, mood, typography, target audience)
Processing Terms
Google processes this data under their Cloud Data Processing terms. We use the Google Gemini API (a cloud/enterprise service), not consumer-facing Google products. Google's data handling for the Gemini API is governed by separate terms from their consumer services.
No Automated Decision-Making
We do not use AI to make decisions that produce legal or similarly significant effects on you as defined under GDPR Article 22. AI is used solely for creative image generation and content analysis at your direction.
Buyer Persona and Emotional Targeting
Our AI analyzes products and brands to determine appropriate photographic mood and styling (e.g., "luxury minimalist" or "vibrant lifestyle"). This analysis is used exclusively for image aesthetics and does not constitute profiling of you as an individual. No decisions about you are made based on this analysis.
7. Web Scraping and Third-Party Website Data
How Shop Analysis Works
When you use the Shop Analysis feature, you submit a URL and we crawl the target website on your behalf. Our system extracts:
- Homepage and product page screenshots
- Product images, logos, and brand assets
- Navigation structure and site layout
- Structured data (JSON-LD, Open Graph, meta tags)
- Visual identity elements (colors, typography, imagery style)
This data is then processed by Google Gemini to generate brand analysis reports and style recommendations for your photography.
Your Responsibilities
By submitting a URL for analysis, you warrant that you have the right to analyze the submitted website and that doing so does not violate any applicable laws or the target website's terms of service. We process this data on your behalf -- you are the data controller for any third-party data obtained through the scraping process.
Sharing Analysis Reports
You may generate a shareable link for your analysis report. You are solely responsible for determining who you share it with and ensuring that sharing is appropriate.
Data Storage
Downloaded images and screenshots from analyzed websites are stored in our systems and may be visible within your analysis reports. This data is retained until you delete the associated shop analysis.
8. Third-Party Service Providers (Sub-Processors)
We share your data with the following third-party service providers who process data on our behalf:
| Provider | Purpose | Data Accessed | Location | Safeguards |
|---|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | All account, job, and content data | US (AWS infrastructure) | Standard Contractual Clauses (SCCs), SOC 2 Type II |
| Google LLC (Gemini API) | AI image generation and content analysis | Product images, descriptions, URLs, screenshots, prompts | US | EU-US Data Privacy Framework, Google Cloud Data Processing Addendum |
| Stripe Inc. | Payment processing | Email, Stripe customer ID, payment method details (PCI DSS) | US | EU-US Data Privacy Framework, Stripe DPA, PCI DSS Level 1 |
| Resend Inc. | Transactional email delivery | Email addresses, email content (job results, image preview URLs) | US | Standard Contractual Clauses (SCCs), Resend DPA |
| Vercel Inc. | Website hosting, CDN, cookieless analytics | Anonymous aggregated metrics only | US (global edge network) | EU-US Data Privacy Framework, Vercel DPA |
| Google LLC (Google Analytics 4) | Web analytics (consent-based) | Anonymized page views, interactions, device info, geographic region (country-level). Collected only with your explicit consent. | US | EU-US Data Privacy Framework, Google Ads Data Processing Terms |
| Intuition Machines Inc. (hCaptcha) | Bot detection on login and signup pages | IP address, browser characteristics (processed by hCaptcha, not stored by us) | US/EU | Standard Contractual Clauses (SCCs), hCaptcha DPA |
Each sub-processor is contractually obligated to process your data only for the purposes described above and to implement appropriate security measures.
For full details, see our Sub-Processor List.
9. International Data Transfers
MageXo s.r.o. is based in the Czech Republic, a member state of the European Union. Your data is primarily processed within the EU/EEA. However, some of our sub-processors are based in or operate from the United States.
Transfer Mechanisms
For transfers of personal data from the EU/EEA to the United States, we rely on:
- EU-US Data Privacy Framework (DPF) -- where the sub-processor is certified under the DPF (Google, Stripe, Vercel)
- Standard Contractual Clauses (SCCs) -- adopted by the European Commission under Decision 2021/914, incorporated into our data processing agreements with sub-processors
- Supplementary technical and organizational measures where appropriate, including encryption in transit and at rest
UK Transfers
For transfers of personal data from the United Kingdom, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable.
Requesting Documentation
You may request a copy of the relevant transfer safeguards by contacting us at info@photoneai.com.
10. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Generated images and job data | 30 days from creation (auto-deleted) | Service design |
| Guest session data | 30 days | Service design |
| Account profile | Until account deletion | Contract |
| Styles and Scenes | Until you delete them | Contract |
| Shop analysis reports | Until you delete them | Contract |
| Style reference images | Until you delete the associated Style | Contract |
| Credit transaction records | 7 years | Czech accounting law (Act No. 563/1991 Coll.) |
| AI interaction logs | Indefinite | Legitimate interest (operational monitoring) |
| Contact form submissions | Duration of business relationship | Legitimate interest |
When you delete your account, we cascade-delete your profile, Styles, Scenes, shop analyses, and all associated data. Generated images and job data expire automatically after 30 days regardless of account status.
11. Cookies and Local Storage
We believe in transparency about tracking technologies. Here is a complete inventory of what we use.
Cookies
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Supabase authentication cookies | Essential (strictly necessary) | Required to maintain your authenticated session. Set by our authentication provider (Supabase). Cannot be disabled without losing access to your account. | Session-based |
| _ga | Analytics (consent required) | Google Analytics 4 client ID. Used to distinguish unique visitors. Only set after you accept analytics cookies. | 2 years |
| _ga_<container-id> | Analytics (consent required) | Google Analytics 4 session state. Only set after you accept analytics cookies. | 2 years |
Local Storage
| Key | Purpose | Duration |
|---|---|---|
| photone_guest_token | Anonymous guest session identifier (UUID). Used to track the free generation limit for non-authenticated users. Cleared when you create an account. | 30 days |
| preferred_currency | Stores your preferred display currency for convenience. Optional. | No expiry |
| photone_cookie_consent | Stores your cookie consent preference (accepted/declined, timestamp, version). | No expiry |
What We Do NOT Use
- No advertising or marketing cookies
- No third-party tracking cookies (beyond the analytics cookies described above, which require your consent)
- No fingerprinting or persistent client-side identifiers
- No Facebook Pixel or similar advertising trackers
- Our first-party analytics solution (Vercel Analytics and Speed Insights) remains completely cookieless and anonymous -- it collects only aggregated page view and performance metrics with no personal identifiers
Your Consent Choices
When you first visit our website, we present a cookie consent banner. You may:
- Accept analytics cookies: Google Analytics 4 will collect anonymized usage data to help us improve the service
- Decline analytics cookies: Only strictly necessary cookies (authentication) will be used
- Change your mind: Clear the photone_cookie_consent entry from your browser's localStorage, or clear all site data. The consent banner will reappear on your next visit.
Because we use analytics cookies that are not strictly necessary, we present a cookie consent banner as required by the ePrivacy Directive and GDPR.
12. Your Rights
If You Are in the EU/EEA (Under GDPR)
You have the following rights regarding your personal data:
- Right of Access (Art. 15) -- Request a copy of the personal data we hold about you
- Right to Rectification (Art. 16) -- Request correction of inaccurate or incomplete data
- Right to Erasure (Art. 17) -- Request deletion of your personal data ("right to be forgotten")
- Right to Restriction of Processing (Art. 18) -- Request that we limit how we process your data
- Right to Data Portability (Art. 20) -- Receive your data in a structured, commonly used, machine-readable format
- Right to Object (Art. 21) -- Object to processing based on our legitimate interests
- Right to Withdraw Consent -- Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
- Right to Lodge a Complaint -- You may file a complaint with the Czech Data Protection Authority:
Urad pro ochranu osobnich udaju (UOOU) Pplk. Sochora 27, 170 00 Praha 7, Czech Republic www.uoou.cz
You may also lodge a complaint with your local supervisory authority if you reside in a different EU/EEA member state.
If You Are in the UK (Under UK GDPR)
You have equivalent rights as described above under the UK General Data Protection Regulation. You may lodge a complaint with:
Information Commissioner's Office (ICO) Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom ico.org.uk
For All Users
Regardless of your jurisdiction, you can:
- Access your data through your account dashboard, including your profile, Styles, Scenes, generation jobs, and credit history
- Delete your account at any time via Settings -> Delete Account. This cancels your Stripe subscription and cascade-deletes your profile and associated data.
- Request a data export by contacting us at info@photoneai.com
- Opt out of non-essential processing by contacting us at the same address
We will respond to data subject requests within 30 days. If a request is particularly complex or we receive a high volume of requests, we may extend this period by an additional 60 days, and we will notify you of any such extension within the initial 30-day period.
13. Account Deletion
When you delete your account via Settings -> Delete Account, the following occurs:
- Your active Stripe subscription is cancelled immediately
- Your Supabase authentication account is deleted
- Your profile, Styles, Scenes, and shop analyses are cascade-deleted
- Generated images and job data expire automatically within their 30-day retention window
- Credit transaction records are retained for 7 years as required by Czech accounting law (Act No. 563/1991 Coll.)
Account deletion is permanent and cannot be reversed. We recommend exporting any data you wish to keep before deleting your account.
14. Children's Privacy
PhotoneAI is a business-oriented service and is not intended for children under 16 years of age (or under 13 in jurisdictions where that is the applicable minimum age under GDPR Article 8 or equivalent local law).
We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us immediately at info@photoneai.com and we will promptly delete such data.
15. Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit -- All connections to PhotoneAI use HTTPS/TLS. HTTP Strict Transport Security (HSTS) is enabled with a 2-year max-age directive.
- Encryption at rest -- Database and file storage are encrypted at rest via Supabase/AWS infrastructure.
- Password security -- Passwords are hashed using bcrypt or Argon2. Passwords are never stored in plain text and are never accessible to our staff.
- Database isolation -- Row-Level Security (RLS) policies ensure that each user can only access their own data at the database level.
- Content Security Policy -- Strict CSP headers limit which sources can execute scripts and load resources on our pages.
- SSRF protection -- Private IP ranges, localhost, and internal network addresses are blocked for all URL submission endpoints.
- Rate limiting -- IP-based rate limits are enforced on authentication, generation, and other sensitive endpoints.
- Access controls -- Role-based access control throughout the application. Administrative access is restricted and audited.
- Secure HTTP headers -- X-Frame-Options (DENY), X-Content-Type-Options (nosniff), strict Referrer-Policy, and restricted Permissions-Policy headers are set on all responses.
No system is 100% secure. Despite our best efforts, we cannot guarantee absolute security. If you discover a security vulnerability in PhotoneAI, please report it responsibly to info@photoneai.com.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
When we make material changes, we will:
- Update the "Last updated" date displayed at the top of this page
- Where appropriate, notify you via email or an in-app notice before the changes take effect
We encourage you to review this page periodically. Your continued use of PhotoneAI after changes to this Privacy Policy constitutes your acceptance of the updated policy. If you disagree with any changes, you should stop using the service and delete your account.
17. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have a complaint about how we handle your data, please contact us:
MageXo s.r.o. Prosecká 855/68 190 00 Praha 9 Czech Republic
IČ: 24771406
Email: info@photoneai.com Phone: +420 739 698 038
Supervisory Authority:
Urad pro ochranu osobnich udaju (UOOU) Pplk. Sochora 27, 170 00 Praha 7 Czech Republic www.uoou.cz