Privacy Policy

1. Who we are

The data controller responsible for the personal data described in this policy is Ferran Martinez Condom, a sole trader established in Georgia, operating under the trade name "Beautique". Postal address: Boris Paichadze Street 1A, 0159 Tbilisi, Georgia. Tax identification number: 302359490.

For any privacy question or to exercise the rights described below, contact us at support@beautique.ink.

2. What we collect

We collect only what we need to run the Service:

• Account data: name, email address, password hash, language preference, and the authentication provider you signed up with (email or Google).
• Consent records: the date and time you accepted our Terms and Privacy Policy, the document versions you accepted, and whether you opted in to marketing email.
• Photos you upload: the original images you submit for enhancement and the enhanced outputs we return, stored privately on your account.
• Captions and hashtags: text generated for the photos you process (Annual plan only).
• Billing data: subscription plan, billing period, currency, and transaction history. Full card details are handled by our payment processor — we never see or store them.
• Usage and device data: basic telemetry such as enhancement counts, error logs, IP address, device type, and app version. Used to keep the Service working, diagnose problems, and enforce quota limits.
• Support messages: anything you send us through the contact form or by email. For unauthenticated support submissions we also record your IP address briefly so we can rate-limit abusive traffic.

3. How we use your data

• To provide the Service — processing your photos, storing your gallery, and delivering captions and hashtags.
• To manage your account, log you in, and send essential service emails (billing receipts, password resets).
• To process payments and apply the correct subscription limits.
• To respond to support requests and troubleshoot issues you report.
• To comply with legal obligations (for example, tax and accounting rules).
• To protect the Service against abuse, fraud, and security incidents.

We do not sell your data. We do not reuse your photos or captions for any purpose beyond producing the enhancements you request, and we do not share them with other users.

4. Photos and client images

Photos you upload are stored privately on your account in Supabase Storage. Row-level security on the bucket means no other Beautique user can see them. Only you, our automated processing systems, and the data controller (used solely to operate the manual review queue and investigate abuse reports) can access them.

Photos are transmitted to third-party AI image-processing providers — see §5 for the named list — strictly to produce the enhancement you requested. No other third party receives them.

We do not sell, share, or otherwise disclose your photos to anyone outside this flow. We do not use your photos to train AI models — ours or anyone else's.

You can delete any photo at any time from the Studio. Deleting a photo removes both the original and the enhanced version from your account. Deleting your account removes your entire library within 30 days (see §6).

You retain the unrestricted right to publish, post, sell, or otherwise use any enhanced output you download, subject to applicable law and any third-party rights in the underlying photo. You are responsible for making sure you have the right to upload and edit any photo of a client or third party.

5. Service providers

We rely on a small set of trusted providers to run the Service. Each is bound by a data processing agreement and may only use your data on our instructions:

• AI image-processing providers: To produce the enhancements you request, photos are transmitted to one or more of the following automated image-processing providers: Google (Gemini API, accessed via Google Cloud), OpenAI, and Anthropic. The specific provider used at any given time may change as we tune quality and reliability. Each is bound by its own data processing terms; none of them retains the photos beyond what is required to return the response, and none uses them to train models on identifiable user content. Caption and hashtag generation (Annual plan only) uses the same set of providers. If you wish to know which provider processed a specific photo of yours, contact us — we keep that record per generation.
• Supabase: hosting, database, authentication, and photo storage. Project provisioned in the EU (Ireland) region.
• Creem: subscription billing and payment processing. Creem is a European company based in Estonia.
• Resend: transactional email delivery. Account provisioned in the EU (Ireland) region.
• Sentry (Functional Software, Inc.): error monitoring and performance diagnostics. Receives event payloads including user email, IP address, browser/device metadata, HTTP request URL/headers/status, and breadcrumbs of user actions leading up to an error. Processed in the EU (Frankfurt region). Legal basis: legitimate interest under GDPR Art. 6(1)(f) — detecting, diagnosing, and fixing technical errors, and protecting the Service against abuse and security incidents. This data is used only for those purposes — we do not use Sentry data for marketing, profiling, advertising, analytics, or any commercial purpose. Default retention 90 days; older events are automatically purged.
• Vercel: hosting platform plus Vercel Analytics and Speed Insights. Server functions run primarily in the EU region; edge traffic is served globally for performance. Captures page views, navigation timing, and Web Vitals. Vercel Analytics is cookie-less by default; no personal identifiers or cross-site tracking are sent. Legal basis: legitimate interest under GDPR Art. 6(1)(f) — measuring performance and reliability of the Service.

6. Data retention

Account data and photos are kept for as long as your account is active. If you delete your account, we remove your personal data and photo library within 30 days, except where we are legally required to keep certain records (for example, billing records are retained for up to 10 years under applicable accounting law). Backup copies are rotated and fully purged on a rolling schedule.

7. Your rights

If you are in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR:

• Access a copy of the personal data we hold about you.
• Correct data that is inaccurate or incomplete.
• Delete your data ("right to be forgotten").
• Restrict or object to certain processing.
• Receive your data in a portable format.
• Withdraw consent at any time where processing is based on consent.
• Lodge a complaint with your local data protection authority.

To exercise any of these rights — including a copy of all data we hold about you in a portable format — email support@beautique.ink. We respond within 30 days.

8. Security

Your data is encrypted in transit (TLS) and at rest. Access to production systems is limited to authorised personnel and protected by multi-factor authentication. Row-level security on our database ensures that each user can only access their own records.

9. International transfers

Most of the personal data processed in connection with the Service is stored by our service providers inside the European Economic Area — Supabase (Ireland), Creem (Estonia), Resend (Ireland), Sentry (Germany), and Vercel (primarily EU region for server functions). The controller, however, is established in Georgia (Sakartvelo). This means that personal data stored by our EU-based processors is accessed by the controller from Georgia in the course of operating the Service, which under European Data Protection Board guidance constitutes an international data transfer.

Georgia is not currently the subject of a European Commission adequacy decision under GDPR Article 45. Georgia is, however, a party to the Council of Europe Convention 108+ on the Protection of Individuals with regard to Automatic Processing of Personal Data, which provides comparable safeguards.

The legal basis for the transfer to Georgia is twofold: (a) Article 49(1)(b) GDPR — the transfer is necessary for the performance of the contract between you and the controller (these Terms and your subscription, if any) — for data that is essential to deliver the Service; and (b) Article 49(1)(a) GDPR — your explicit consent, given when you accept this Privacy Policy at signup — for any other processing not strictly required to perform the contract. You may withdraw your consent at any time by deleting your account, which terminates the contract and triggers deletion of your personal data as described in §6.

In addition, some of our AI image-processing providers (see §5) may serve traffic from data centres outside the EEA. Each such provider is bound by Standard Contractual Clauses in their data processing terms with us; Google additionally is certified under the EU–US Data Privacy Framework where applicable.

10. Children

The Service is intended for professional use and is not directed at anyone under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it. Our Terms set the same minimum age.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through the Service before the changes take effect. The "Last updated" date at the top of this page always reflects the most recent version.

12. Contact

Questions about this policy or how we handle your data? Email us at support@beautique.ink.