Privacy Policy
Last updated: April 30, 2026
This Privacy Policy explains how Palmou Studio ("Palmou", "we") collects, uses, and protects your personal data when you use https://palmou.com (the "Service"). It is written to comply with the EU General Data Protection Regulation (GDPR) and the Spanish data-protection law (LOPDGDD).
1. Data controller
The data controller is Palmou Studio, based in Spain. Contact: palmoustudio@gmail.com.
2. What data we collect
- Account data: email, full name, profile picture, and Google ID — provided by Google OAuth when you sign in.
- Billing data: Stripe customer ID, subscription status, plan, transaction history. We do NOT store card numbers; Stripe handles payment data.
- Uploaded images: photos you upload to process, stored encrypted at rest in Supabase EU region.
- Generated outputs: processed images returned by the AI pipeline, stored alongside your uploads.
- Usage data: timestamps of jobs, credit consumption, error logs (technical only — no image content).
- Cookies: see our Cookie Policy.
3. Why we use it (legal basis)
- To provide the Service (Art. 6(1)(b) GDPR — contract performance): authenticating you, processing your images, billing your plan.
- To prevent abuse (Art. 6(1)(f) — legitimate interest): rate limiting, content moderation, fraud detection.
- To comply with law (Art. 6(1)(c)): tax records, responding to lawful requests.
- Public Community feed (Art. 6(1)(a) — consent): only if you explicitly publish a generated image.
4. We do NOT train AI on your data
Your uploads, outputs, and prompts are never used to train any AI model. They are sent to third-party inference APIs (see Section 6) only to produce your output and are not retained for training by us or, per their terms, by them.
5. How long we keep it
- Account data: while your account exists; deleted within 30 days of account deletion.
- Images: until you delete them or your account, whichever comes first. You can delete any image from the gallery.
- Billing records: 6 years (Spanish tax law requirement) after the last transaction.
- Error logs: 90 days.
6. Who we share data with
We use the following processors (sub-processors). Each is bound by a data-processing agreement and provides GDPR-compliant transfers:
- Supabase (Frankfurt, EU) — auth, database, storage.
- Vercel (US, EU edge) — hosting and serverless functions. SCCs in place for any US transfer.
- Stripe (US/Ireland) — payments. PCI-DSS compliant.
- Replicate (US) — AI model inference. Images are sent over TLS, processed, returned, and not retained for training.
- Google (US/EU) — OAuth sign-in only.
- Resend (EU) — transactional emails (when used).
We do not sell your data to anyone, ever.
7. International transfers
Some processors (Vercel, Stripe, Replicate, Google) may transfer data to the US. These transfers rely on the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs).
8. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten").
- Restrict or object to processing.
- Data portability — receive your data in a structured, machine-readable format.
- Withdraw consent at any time (without affecting prior processing).
- Lodge a complaint with the Spanish Data Protection Agency (AEPD) at aepd.es.
To exercise any right, email palmoustudio@gmail.com. We respond within 30 days.
9. Security
Data is encrypted at rest (AES-256) and in transit (TLS 1.3). Access is limited to authorized personnel via role-based controls. Passwordless authentication (Google OAuth) reduces credential-leak risk. Despite reasonable measures, no system is 100% secure; if a breach occurs we will notify affected users within 72 hours per Art. 33 GDPR.
10. Children
The Service is not intended for users under 16. If you believe a minor created an account, contact us to remove it.
11. Changes to this policy
Material changes will be announced by email and on this page at least 14 days before they take effect. The "Last updated" date reflects the current version.
12. Contact
Questions or rights requests: palmoustudio@gmail.com.
This Privacy Policy is written in plain language and reflects Palmou AI's actual practices. It is not legal advice. We recommend consulting a qualified data-protection lawyer if you operate in a regulated sector.