This Privacy Policy describes how ShelfPic ("we", "us", or "our") collects, uses, shares, retains, and protects your personal information when you visit shelfpic.com (the "Site") or use our AI e-commerce visual content platform and related services (the "Service").
ShelfPic is a company registered in Delaware, United States of America. For purposes of the EU/UK General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA", as amended by the California Privacy Rights Act, "CPRA"), and equivalent regulations in other jurisdictions, ShelfPic is the data controller of personal information processed in connection with the Service, except where we act as a data processor for content you upload (in which case you are the controller).
This Privacy Policy is incorporated by reference into the Terms of Service. Capitalized terms used here without definition have the meanings given to them in the Terms of Service.
This Privacy Policy applies to:
It does not apply to:
You may contact our Data Protection Officer at [email protected] for any privacy-related inquiry, including exercise of your rights described in Section 10.
We collect personal information in three ways:
(a) Account Information. When you register an Account, we collect:
(b) Subscription and Billing Information. When you subscribe or purchase a Boost Pack, our payment processors (currently configured to support Creem, Stripe, and PayPal, depending on checkout availability) collect payment information directly. We do not store full card numbers, expiry dates, or CVV/CVC codes on our servers. We may receive and store from the payment processor:
(c) Uploaded Content. When you upload images, videos, audio, prompt text, brand assets, reference media, or other materials to the Service, we receive and store that content as described in Section 2.4.
(d) Communications. When you contact us via support, sales, or feedback channels, we receive:
(e) Promotional and Survey Responses. When you respond to surveys, participate in beta programs, or interact with promotional features, we collect the information you choose to provide.
When you interact with the Service, our systems automatically collect certain technical and usage information.
(a) Network Identifiers.
user table (last-known IP) and in the session table (per-session IP). IP addresses are used for security (fraud detection, account abuse detection, geographic compliance), legal compliance, and aggregate analytics.
(b) Device and Browser Information.
(c) Usage Data.
(d) Cookies and Similar Technologies. See Section 7 and our Cookie Policy for the full list of cookies and the categories we use.
(e) Diagnostics and Error Reports. When the Service encounters an error, we may collect a stack trace, error code, and minimal context to diagnose and resolve the issue. We make a reasonable effort to scrub diagnostics of personal information before storage.
(a) OAuth Providers. When you choose to sign in with Google, GitHub, or another OAuth provider we make available, that provider shares with us the data scopes you authorize, typically: email, name, profile picture URL, and a stable user identifier. We do not receive your provider password.
(b) Payment Processors. We receive transaction records, customer references, metadata, and webhook events from payment processors such as Creem, Stripe, and PayPal about checkout status, subscription status, renewal outcomes, refunds, chargebacks, and payment failures.
(c) AI Providers. When an AI Provider completes your generation request, we receive the generated output and any diagnostic metadata required to settle credits. We do not receive personal information from AI Providers about other users.
(d) Analytics, Ads, Affiliate, and Customer-Support Providers. If you have consented to non-essential cookies or similar technologies, we may receive analytics, advertising conversion, affiliate attribution, and support-chat signals from providers configured for the Site, such as Vercel Analytics, Google Analytics, Microsoft Clarity, Plausible, OpenPanel, Google AdSense, Affonso, PromoteKit, Crisp, and Tawk.
(e) Anti-Fraud and Security Providers. We may receive risk signals from Cloudflare (bot management, DDoS protection) about the IP address or session attempting to access the Service.
We store the following in Cloudflare R2 or other configured S3-compatible object storage:
We store associated metadata in our PostgreSQL database (Supabase), including:
Uploaded Content and Generated Content are scoped per Account in the Service UI and are not intentionally listed to other users (other than via explicit sharing features, when available). Some media may be delivered through public or provider-hosted URLs with unguessable paths so AI Providers, browsers, and download tools can retrieve them. You should treat those URLs as sensitive and avoid sharing them unless you intend the recipient to access the media.
For Users in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information on one or more of the following legal bases under GDPR Article 6(1):
We process your data when necessary to perform the contract you entered into by accepting the Terms of Service, including:
We rely on legitimate interest for processing where the interest is not overridden by your fundamental rights, including:
You may object to legitimate-interest processing under Section 10.
We rely on consent for:
You may withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
We process your data to comply with legal obligations, including:
In rare circumstances, we may process personal data to protect vital interests, for example to report imminent threats to life or safety to authorities.
We use the personal information we collect for the following purposes:
We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing within the meaning of GDPR Article 22. AI content moderation that determines whether to allow a generation is a safety control, not a decision producing such effects. If we introduce any such automated decision-making in the future, we will provide additional transparency, safeguards, and your right to contest the decision per Section 13.
We share your personal information only with the parties listed below, and only for the purposes described. We do not sell your personal information for money. Where advertising, analytics, or affiliate technologies are enabled and could be treated as "sharing" for cross-context behavioral advertising under CCPA/CPRA, we treat them as non-essential technologies and do not load them unless you accept non-essential cookies. We also honor Global Privacy Control as described in Section 16.
The following Sub-processors process your personal information on our behalf, depending on the features and providers enabled for your Account or for the Site. Where applicable, we seek to enter into data processing terms, including standard contractual clauses (SCCs) for international transfers.
| Sub-processor | Purpose | Data categories | Location |
|---|---|---|---|
| Supabase / PostgreSQL | Primary database and application records | Account, session, billing metadata, generation, chat, credit records | US |
| Cloudflare R2 / S3-compatible storage | Object storage and media delivery | Uploaded files, Generated outputs, thumbnails, provider output copies | Global edge |
| Vercel | Application hosting and edge network | Request metadata and all in-transit data | Global edge |
| Cloudflare | Bot management, DDoS protection, CDN | IP address, User-Agent, request metadata | Global edge |
| Creem, Stripe, PayPal | Checkout, payment processing, subscription billing | Email, name, payment details handled processor-side, order metadata | US/Global |
| KIE, Replicate, Fal | AI image, video, audio, and creative generation | Prompt text, Uploaded Content URLs, reference media, parameters | US/Global |
| OpenAI / OpenRouter | Prompt augmentation, chat, model routing | Prompt text, chat messages, settings, reasoning/search options | US/Global |
| Google (Gemini) | Multimodal model access | Prompt text, Uploaded Content, reference media, parameters | US/Global |
| Google OAuth / GitHub OAuth | Federated authentication | Email, name, profile URL, OAuth identifier | US/Global |
| Resend | Transactional and lifecycle email | Email address, message content, delivery metadata | US/Global |
| Vercel Analytics, Google Analytics, Microsoft Clarity, Plausible, OpenPanel | Analytics and product performance | Cookie IDs, route usage, device/browser metadata, interaction telemetry | US/Global |
| Google AdSense | Advertising and conversion measurement, if enabled | Cookie IDs, ad interaction and conversion metadata | US/Global |
| Affonso / PromoteKit | Affiliate attribution and referral tracking | Referral IDs, email or account attribution metadata, conversion events | US/Global |
| Crisp / Tawk | Customer support chat, if enabled | Chat messages, email or contact details, device/request metadata | US/Global |
We will update this table as Sub-processors are added or changed. Material changes are announced at least thirty (30) days in advance via this Privacy Policy and, where reasonable, by in-product notice.
We do not intentionally use your Uploaded Content or Generated Content to train ShelfPic-owned foundation models unless we present a separate, explicit opt-in. AI Providers process your prompts, media URLs, settings, and outputs under their own terms and our applicable commercial arrangements. Where a provider exposes a no-training, retention-reduction, or enterprise privacy setting, we use commercially reasonable efforts to configure it for production traffic. We do not represent that every third-party provider offers identical controls.
If a provider's posture or our configuration changes in a way that materially affects user data, we will update this Privacy Policy and notify you under Section 14.
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, your personal information may be transferred as part of the transaction. We will require any successor entity to honor the commitments in this Privacy Policy, and we will notify you of any material change in data control.
We may disclose your personal information without your consent where we believe in good faith that disclosure is necessary to:
We may share your personal information for any other purpose with your prior consent.
We may share aggregated, de-identified information (data that cannot reasonably be re-identified) with anyone, for any purpose, including for benchmarking, research, marketing, or industry reporting.
ShelfPic is based in the United States, and our primary Sub-processors store data in the United States or operate global edge networks. If you are located outside the United States, your personal information will be transferred to and processed in the United States and other countries where our Sub-processors operate.
For transfers from the European Economic Area, the United Kingdom, or Switzerland to the United States or other third countries, we rely on:
We continue to monitor evolving guidance on transatlantic data transfers (e.g., the EU-US Data Privacy Framework) and will update our transfer mechanisms accordingly.
Where required by GDPR and supervisory authority guidance, we conduct transfer impact assessments to evaluate the laws of the destination country and the practical risk of government access. Our current assessment is that the combination of contractual safeguards, encryption, and limited per-request data exposure provides an adequate level of protection.
We do not currently offer data residency in regions other than where our Sub-processors operate. If your jurisdiction requires local data residency for the categories of data you intend to upload, you should evaluate whether the Service is compatible with your obligations before subscribing.
We use cookies, web storage, and similar technologies as described in our Cookie Policy. Categories include:
See Cookie Policy for details and instructions on managing cookie preferences.
We retain personal information only as long as necessary for the purposes set out in this Privacy Policy, subject to specific retention rules below. Where multiple rules apply, we retain the information for the longest applicable period.
If we receive a legal preservation order or anticipate litigation, we may extend retention beyond the periods above as required by law.
We take the security of your personal information seriously and apply industry-standard technical and organizational measures.
Even with strong technical and organizational measures, no system is invulnerable. You play a critical role in security:
Depending on your jurisdiction, you have specific rights regarding your personal information. We honor recognized data-subject rights globally, on a best-effort basis where not strictly required by law.
You have the following rights under GDPR Articles 13-22:
You have the following rights under the CCPA and CPRA:
Where similar rights are available under the laws of your jurisdiction (e.g., PIPEDA in Canada, LGPD in Brazil, POPIA in South Africa, PDPA in Singapore, Australia Privacy Act, China PIPL, UAE Personal Data Protection Law), we honor those rights to the extent required by law and apply best-effort equivalence where not strictly required.
To exercise any of the rights above:
You may authorize an agent to make requests on your behalf. We require:
We may deny requests submitted by an agent that cannot provide such authorization.
We do not charge a fee for fulfilling standard rights requests. We may charge a reasonable fee or refuse to act on a request that is manifestly unfounded or excessive, particularly if it is repetitive, in accordance with GDPR Article 12(5) and equivalent provisions.
The Service is not directed to children under the age of 13 (or the applicable minimum age in your jurisdiction, if higher — for example, 16 in some EU member states). We do not knowingly collect personal information from children under the age of 13.
If you are a parent or legal guardian and you believe a child under 13 has provided personal information to us, please contact [email protected] and we will take steps to delete the information from our systems.
We comply with the United States Children's Online Privacy Protection Act ("COPPA"). If we learn that we have collected personal information from a child under 13 in the United States without verifiable parental consent, we will delete that information promptly.
Account registration includes a representation that you are at least 18 years of age, consistent with the Terms of Service. We do not provide a separate child-account flow.
We have implemented an incident response plan to detect, contain, investigate, and remediate security incidents involving personal information.
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. Where notification cannot be made within 72 hours, we will document the reasons for the delay.
Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Article 34. Notification will be made by email to the address on file with your Account.
In the United States and other jurisdictions, we will provide notification consistent with applicable breach notification laws (e.g., state-specific laws in the U.S., the FTC Health Breach Notification Rule where applicable).
Breach notifications will include, to the extent known and required by law:
We maintain internal records of all personal data breaches, including those not requiring authority or individual notification, to demonstrate compliance and improve incident response.
As stated in Section 4.7, we do not subject you to decisions producing legal or similarly significant effects based solely on automated processing.
We use a combination of application checks, AI Provider safety systems, abuse signals, and manual review to help enforce our Acceptable Use Policy. Not every upload is pre-screened before storage, and provider-side safety systems may block or refuse a generation before output is produced. A positive trigger may block a specific generation but does not, by itself, terminate your Account. Repeated or serious violations are reviewed before Account-level action is taken where feasible (see Section 11 of the Terms of Service and the enforcement process in the Acceptable Use Policy).
We use automated signals (IP reputation, multi-account heuristics, payment-card velocity) to flag suspected fraud. Confirmed determinations that result in Account suspension or termination are reviewed by a human and are subject to your right to appeal (email [email protected]).
We do not use personal information to set personalized pricing. All Users see the same published Plan prices for their currency and jurisdiction.
You have the right to obtain human intervention, to express your point of view, and to contest automated decisions (where they produce legal or similarly significant effects). Contact [email protected].
We may update this Privacy Policy from time to time. The current version is reflected in the effective_date and version fields in the document frontmatter at the top of this page.
For changes that materially affect:
we will provide at least thirty (30) days' notice by email to your registered address, by a prominent in-product banner, or both.
Your continued use of the Service after the effective date of revised Terms constitutes your acknowledgement of the revised Privacy Policy. If you do not agree to the revised Policy, you must stop using the Service and may cancel your subscription per Section 11 of the Terms of Service.
Non-material changes (formatting, clarification, typo correction, Sub-processor list updates with no change in data category or purpose) may take effect upon posting without thirty (30) days' notice. The version field is incremented for all changes.
For significant historical versions, we maintain a changelog upon request to [email protected].
We send marketing emails (product updates, feature announcements, occasional promotions) only:
Every marketing email includes an unsubscribe link. Clicking the link removes you from the marketing list within ten (10) Business Days. You may also email [email protected] to be removed.
Opting out of marketing does not affect transactional emails (receipts, security notices, payment failures, terms changes), which you continue to receive while you maintain an active Account.
We do not currently send marketing SMS or push notifications. If we introduce such channels, separate opt-in will be obtained.
In addition to the rights described in Section 10.2, the following disclosures are made for California residents under CCPA/CPRA.
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, IP address, OAuth ID | Yes |
| Customer records | Billing address, payment method token | Yes |
| Commercial information | Transaction history, Plan history | Yes |
| Internet or other network activity | Pages viewed, click data, request logs | Yes |
| Geolocation data | Approximate location from IP | Yes (coarse only) |
| Sensory data | Audio/visual (uploaded by user) | Yes (Uploaded Content) |
| Professional/employment | Not collected | No |
| Education | Not collected | No |
| Inferences | Plan tier categorization, segment for product analytics | Yes |
| Sensitive personal information (CPRA) | Login credentials, precise location, racial/ethnic origin | Limited. We store authentication credentials in hashed/tokenized form and may process sensitive information if you choose to include it in Uploaded Content, prompts, chat messages, or support requests. We do not intentionally collect precise GPS location. |
See Section 4.
See Section 5.
We do not sell personal information for money. If advertising, affiliate, or analytics technologies enabled on the Site are considered "sharing" for cross-context behavioral advertising under CCPA/CPRA, we treat them as non-essential, load them only after cookie consent where required, and honor recognized opt-out signals such as Global Privacy Control.
See Section 8.
California Civil Code § 1798.83 ("Shine the Light") permits California residents to request information about a business's disclosure of personal information to third parties for the third parties' direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes without your consent.
For any privacy-related question, request, or complaint:
If we cannot resolve your concern, you have the right to lodge a complaint with your local data protection supervisory authority, particularly in the EU/UK/Switzerland.
By using the Service, you acknowledge that you have read and understood this Privacy Policy.