Privacy Policy

The data controller responsible for your personal data is:

We collect the following categories of personal data:

• Account data: email address, name, and authentication information when you sign up
• Photos you upload for AI portrait generation
• Payment information processed securely through Stripe (we do not store card details)
• Usage data: pages visited, features used, and interaction logs via PostHog analytics
• Order and fulfillment data: shipping address for canvas print orders via Gelato
• Device and browser information for security and performance

We use your personal data for the following purposes:

• Providing and improving our AI portrait generation service
• Processing payments and fulfilling orders
• Sending transactional emails (order confirmations, download links)
• Authenticating your account and maintaining security
• Analyzing usage to improve our product
• Complying with legal obligations

We process your data on the following legal grounds under GDPR: (a) performance of a contract — to provide the service you have signed up for; (b) legitimate interests — for analytics and fraud prevention; (c) consent — for optional marketing communications, which you may withdraw at any time; and (d) legal obligation — to comply with tax, accounting, and consumer protection laws.

We share data with the following trusted third-party processors, each bound by data processing agreements:

• Supabase — database and authentication (EU-hosted)
• Stripe — payment processing (global, with Standard Contractual Clauses)
• Replicate — AI image generation (USA, with Standard Contractual Clauses)
• Gelato — print fulfillment (EU-hosted)
• Resend — transactional email delivery
• PostHog — product analytics (EU-hosted option available)

We retain your account data for as long as your account is active, or as needed to provide our services. Uploaded photos used for generation are deleted from our processing pipeline within 30 days. Order data is retained for 7 years to comply with Swedish accounting law. You may request deletion of your account and associated data at any time.

As a data subject, you have the following rights:

• Right of access — request a copy of the data we hold about you
• Right to rectification — request correction of inaccurate data
• Right to erasure — request deletion of your data ('right to be forgotten')
• Right to restriction of processing
• Right to data portability
• Right to object to processing based on legitimate interests
• Right to withdraw consent at any time
• Right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY)

To exercise any of these rights, contact us at privacy@renderedart.io. We will respond within 30 days.

We use essential cookies for authentication and session management. We use analytics cookies (PostHog) to understand how our service is used. You can disable non-essential cookies in your browser settings. A detailed cookie notice is displayed on your first visit.

We implement industry-standard security measures including TLS encryption in transit, encrypted storage, access controls, and regular security reviews. However, no method of internet transmission is 100% secure, and we cannot guarantee absolute security.

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or via a prominent notice on our website. The date at the top of this page indicates the most recent revision.

If you have questions or concerns about this Privacy Policy or how we handle your data, please contact our Data Protection contact: