Privacy Policy
Last updated: 2026-04-18
[COMPANY LEGAL NAME] Ltd ("we") is the controller of personal data processed through Carousel Studio. This policy explains what we collect, why, and your rights under UK GDPR and the Data Protection Act 2018.
1. What we collect
- Account data: email address, hashed password, account timestamps.
- Reference photos: images you upload to create a character, including facial images. Facial images are special category data (biometric data) under UK GDPR Article 9.
- Prompts and generated images: the text you enter and the images produced.
- Usage data: timestamps, IP address, error logs, and rate-limit counters, for security and service operation.
2. Lawful basis
- Contract (Art. 6(1)(b)): to provide the Service you have signed up for.
- Legitimate interests (Art. 6(1)(f)): security, fraud prevention, and service improvement.
- Explicit consent (Art. 9(2)(a)): for processing biometric (facial) data. You give this consent by ticking the consent box at character creation.
3. How we use your data
- To generate the AI images you request.
- To run automated safety checks on uploads and prompts (see "Third parties" below).
- To rate-limit, detect abuse, and secure the Service.
- To communicate about your account and service changes.
We do not use your reference photos, prompts, or generated images to train AI models.
4. Third-party processors
- Supabase Inc. — authentication, database, and file storage. Hosted in EU regions.
- Vercel Inc. — application hosting.
- Anthropic PBC — content moderation on uploads and prompts (Claude API). Processes images and text; zero-retention on the API tier.
- APIYI — image generation proxy to Google Gemini. Processes images and prompts during generation.
All processors handle data under written Data Processing Agreements. Some processing may occur outside the UK; transfers rely on the UK International Data Transfer Addendum or equivalent safeguards.
5. Retention
- Reference photos: kept while the character exists. Deleted from storage when you delete the character.
- Generated images: kept in your history until you delete them, or for 30 days after account closure.
- Account data: deleted within 30 days of account closure, except where we must retain limited records for legal or accounting reasons (up to 6 years).
- Logs: up to 90 days.
6. Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you;
- correct inaccurate data;
- request deletion ("right to be forgotten");
- restrict or object to processing;
- request portability of data you provided;
- withdraw consent at any time (this does not affect prior lawful processing);
- complain to the Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, email [CONTACT_EMAIL]. We will respond within one month.
7. Cookies
We use only strictly necessary first-party cookies to keep you signed in. We do not use analytics or advertising cookies. No consent banner is required under PECR for strictly necessary cookies.
8. Security
Data is encrypted in transit (TLS) and at rest. Access to production systems is limited and audited. Row-level security is enforced at the database layer so users can only access their own data.
9. Changes
We will post updates here and notify you of material changes by email at least 14 days before they take effect.
10. Contact
Privacy questions or data requests: [CONTACT_EMAIL].