Privacy Policy & GDPR Notice
Effective date: 11 April 2026
1. Who We Are (Data Controller)
The data controller responsible for your personal data is:
Креатив Идеа ЕООД (Creative Idea Ltd)
EIK / VAT: BG207742401
7700 Targovishte, 50 Trapezitsa St, Ent. A, Fl. 1, Apt. 2
Republic of Bulgaria
Email: privacy@creative-image.site
We operate the AI portrait generation service available at creative-image.site ("the Service"). This policy explains what personal data we collect, why, and your rights under the General Data Protection Regulation (EU) 2016/679 (GDPR) and Bulgarian personal data protection law.
2. What Data We Collect and Why
2.1 Account Data
When you register, we collect your email address and a securely hashed password (managed by Supabase Auth). This is necessary to create and manage your account.
Legal basis: Performance of a contract (GDPR Art. 6(1)(b)).
2.2 Portrait Photos You Upload
To generate an AI portrait, you upload a photo of yourself or another person. This photo is:
- Temporarily stored in our secure cloud storage (Supabase Storage).
- Analysed by OpenAI's API to extract a brief, anonymised facial description (hair colour, eye colour, skin tone) used solely to improve face-matching in the generated image.
- Sent as a reference URL to NanoBanana AI to generate your portrait.
- Automatically deleted from our storage as soon as NanoBanana confirms it has finished processing — typically within a few minutes. We do not retain your original photos.
Portrait photos may constitute biometric data under GDPR. We process them exclusively for the purpose of providing the generation service you requested and do not use them for any other purpose, including training AI models.
Legal basis: Performance of a contract (GDPR Art. 6(1)(b)); explicit consent is implied by you voluntarily uploading the photo for this specific purpose.
2.3 Generated Images
The AI-generated portrait produced from your request is stored and linked to your account so you can view and download it from your gallery. You may delete individual generations at any time.
Legal basis: Performance of a contract (GDPR Art. 6(1)(b)).
2.4 Generation History
We store metadata about each generation: the style/prompt used, resolution, credits consumed, status, and timestamp. This data is used to display your gallery and to verify credit deductions.
Legal basis: Performance of a contract (GDPR Art. 6(1)(b)).
2.5 Payment & Transaction Records
Payments are processed exclusively by Stripe. We never see or store your card details. We do store transaction records including: amount paid, credits purchased, date, and a Stripe payment reference. These records are required for accounting and legal compliance.
Legal basis: Legal obligation (GDPR Art. 6(1)(c)) — Bulgarian Accountancy Act (7-year retention); performance of a contract (GDPR Art. 6(1)(b)).
2.6 Notification Preferences
If you opt in, we store a flag indicating you wish to be notified by email when new features (such as video portraits) become available. You can withdraw this consent at any time from your account settings.
Legal basis: Consent (GDPR Art. 6(1)(a)).
2.7 Technical & Usage Data
Our hosting provider (Vercel) may collect standard server logs including IP addresses, browser type, and pages accessed. This data is used solely for security, performance monitoring, and abuse prevention, and is governed by Vercel's privacy policy.
Legal basis: Legitimate interests (GDPR Art. 6(1)(f)) — ensuring the security and proper functioning of the Service.
3. Sub-Processors and International Data Transfers
To provide the Service, we share data with the following third-party processors. Where processors are located outside the EEA, transfers are protected by Standard Contractual Clauses (SCCs) adopted by the European Commission or other appropriate safeguards.
| Processor | Purpose | Location | Data shared |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (Ireland) / US | Account data, generation history, temporary photo storage |
| OpenAI, LLC | Photo analysis — facial description for face-matching | US | Temporary URL of your uploaded photo; no data is retained by OpenAI for model training under our API agreement |
| AI generation infrastructure | AI image generation | International | Text prompt, temporary URL of your uploaded photo (retained on generation servers for up to 14 days); generated images served from generation CDN for up to 14 days; server logs retained for up to 2 months |
| Stripe, Inc. | Payment processing | US / Ireland | Payment data (card details handled exclusively by Stripe) |
| Vercel Inc. | Web hosting and CDN | US / global edge | Server logs, request metadata |
We do not sell, rent, or otherwise disclose your personal data to any third party for their own marketing or commercial purposes.
4. Data Retention
| Data | Retention period |
|---|---|
| Uploaded portrait photos | Deleted within minutes of generation completing |
| Account data (email, preferences) | Until you delete your account |
| Generated images & generation history | Until you delete them or your account |
| Transaction records | 7 years (Bulgarian Accountancy Act) |
| Server logs | Up to 90 days (Vercel policy) |
5. Your Rights Under GDPR
As a data subject in the EU/EEA, you have the following rights:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — ask us to correct inaccurate data.
- Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
- Right to restriction of processing (Art. 18) — ask us to limit how we use your data in certain circumstances.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent (e.g. marketing notifications), you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right not to be subject to automated decision-making — we do not make legally significant automated decisions about you.
To exercise any of these rights, email us at privacy@creative-image.site. We will respond within 30 days. We may ask you to verify your identity before fulfilling the request.
6. Right to Lodge a Complaint
If you believe we have not handled your data lawfully, you have the right to lodge a complaint with the competent supervisory authority:
Commission for Personal Data Protection (CPDP)
2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Website: www.cpdp.bg
Email: kzld@cpdp.bg
You may also lodge a complaint with the supervisory authority of your EU member state of residence.
7. Cookies
We use only a single first-party session cookie set by Supabase Auth to keep you logged in. We do not use third-party tracking cookies, advertising cookies, or analytics cookies. No cookie consent banner is required for strictly necessary session cookies.
8. Children's Privacy
The Service is intended for users aged 18 and over. We do not knowingly collect data from minors. If you believe a minor has registered, please contact us immediately at privacy@creative-image.site and we will delete the account.
9. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated by email (if you have notifications enabled) or by a notice on the Service. Continued use of the Service after the updated policy takes effect constitutes acceptance of the new terms.
10. Contact
For any privacy-related questions or requests: privacy@creative-image.site
Креатив Идеа ЕООД
7700 Targovishte, 50 Trapezitsa St, Ent. A, Fl. 1, Apt. 2
Republic of Bulgaria