Privacy Policy

1. Introduction

aimily is operated by StudioNN Agency S.L. (NIF: B42978130, VAT: ESB42978130), with registered address in Alicante, Spain ("aimily," "we," "our," or "us"). This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the aimily platform at aimily.app. This policy complies with the EU General Data Protection Regulation (GDPR), Spain's Organic Law 3/2018 (LOPDGDD), Spain's Law 34/2002 (LSSI-CE), the California Consumer Privacy Act (CCPA/CPRA), Brazil's Lei Geral de Proteção de Dados (LGPD), and other applicable data protection laws.

2. Information We Collect

2.1 Information You Provide

• Account information: name, email address, company name, and password
• Collection planning data: SKU details, product descriptions, financial projections, notes
• Uploaded content: reference images, sketches, moodboards, and design files
• Payment information: processed exclusively by Stripe (we never store card numbers or CVVs)
• Communication data: support messages, feedback, and correspondence

2.2 Information Collected Automatically

When you use the platform, we automatically collect:

• Device and browser information (type, version, OS)
• IP address and approximate location
• Usage data: pages visited, features used, timestamps

We use cookies and similar technologies as described in our Cookie Policy.

3. How We Use Your Information

We process your data for the following purposes and legal bases:

• To provide and operate the Service — Legal basis: performance of contract (Art. 6(1)(b) GDPR)
• To process AI-generated content (sketches, colorways, renders) — Legal basis: performance of contract
• To process payments and manage subscriptions — Legal basis: performance of contract
• To communicate with you about your account and service updates — Legal basis: legitimate interest
• To improve and optimize the platform — Legal basis: legitimate interest
• To comply with legal obligations (tax, regulatory) — Legal basis: legal obligation (Art. 6(1)(c) GDPR)

4. Data Sharing & Sub-Processors

We do NOT sell your personal information. We do NOT share your data for advertising purposes. We share data only with the following service providers (sub-processors) as strictly necessary to operate the platform:

• OpenAI (OpenAI, Inc., San Francisco, USA) — AI image generation (sketch generation, colorization, 3D rendering). Images sent for processing are not used to train OpenAI models per our API agreement.
• Supabase (Supabase, Inc.) — Database hosting, authentication, file storage, and user management
• Stripe (Stripe, Inc.) — Payment processing, subscription billing, and tax calculation
• Google (Google LLC) — AI text processing (Gemini), OAuth authentication
• Anthropic (Anthropic PBC) — AI text generation (Claude) for design assistance and content generation
• Perplexity (Perplexity AI, Inc.) — AI-powered web research for trend and market analysis
• Resend (Resend, Inc.) — Transactional email delivery
• Vercel (Vercel, Inc.) — Application hosting, serverless functions, and CDN
• We may also disclose data when required by law, court order, or to protect our legal rights.

All sub-processors are bound by data processing agreements (DPAs) and comply with applicable data protection regulations. For international data transfers outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission or the sub-processor's participation in recognized frameworks.

5. Payment Data

Payment information is processed directly and exclusively by Stripe, Inc. We do not store credit card numbers, CVVs, or full payment details on our servers. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy for details on how Stripe handles your payment information.

6. AI Data Processing

When you use AI-powered features, the following data processing occurs:

• Reference images you upload are sent to OpenAI's API for sketch generation, colorization, and 3D rendering. These images are processed in real-time and are NOT stored by OpenAI for training purposes under our API terms.
• Text prompts and product descriptions may be sent to Google Gemini or Anthropic Claude for AI-assisted content generation. These are processed in real-time and not retained for model training.
• aimily does NOT use your content, designs, or any uploaded materials to train, fine-tune, or improve any AI model, whether owned by aimily or by any third party.
• AI-generated outputs (sketches, colored designs, 3D renders) are stored in your account on our infrastructure (Supabase). You may delete them at any time.
• We do not create user profiles based on AI usage patterns, nor do we sell or share AI processing data with any party beyond the sub-processors listed above.

7. Data Security

We implement industry-standard security measures to protect your data, including: encryption in transit (TLS 1.2+) and at rest; secure authentication via Supabase Auth with HTTP-only cookies; role-based access control for all API endpoints; regular security audits and code reviews; server-side validation and input sanitization; and secure file upload processing with type and size validation. No system is 100% secure, and we cannot guarantee absolute security. If you discover a security vulnerability, please report it to security@aimily.app.

8. Your Rights

8.1 EU/EEA Users (GDPR)

Under the GDPR, you have the right to:

• Access — Obtain a copy of all personal data we hold about you
• Rectification — Correct inaccurate or incomplete data
• Erasure ("Right to be forgotten") — Request permanent deletion of your account and all associated data from your account settings
• Portability — Export your data in a structured, machine-readable format (JSON)
• Objection — Object to processing based on legitimate interest
• Restriction — Request limitation of processing in certain circumstances
• Disconnect integrated third-party accounts (Pinterest, Google) at any time

To exercise any of these rights, visit your account settings or contact us at privacy@aimily.app.

You have the right to lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos — AEPD, www.aepd.es) or with the supervisory authority in your country of residence.

8.2 California Users (CCPA/CPRA)

If you are a California resident, you have additional rights under the CCPA/CPRA:

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to Opt-Out of Sale: We do NOT sell your personal information. No opt-out is necessary.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
• To exercise your CCPA rights, contact us at privacy@aimily.app or use the deletion feature in your account settings.

8.3 Brazilian Users (LGPD)

If you are a Brazilian resident, you have rights under the Lei Geral de Proteção de Dados (LGPD), including: confirmation of data processing; access to your data; correction of incomplete or inaccurate data; anonymization, blocking, or deletion of unnecessary data; data portability; information about shared data; and the right to revoke consent. Contact privacy@aimily.app to exercise these rights.

8.4 Other Latin American Users

Users in Mexico (LFPDPPP), Argentina (Ley 25.326), Colombia (Ley 1581/2012), Chile, Peru, and other Latin American countries with data protection legislation may exercise their rights under applicable local law by contacting privacy@aimily.app.

9. Data Retention

We retain your data for as long as your account is active. Upon account deletion, all personal data and associated content (collections, designs, AI outputs) are permanently deleted within 30 days. Payment records are retained for the period required by Spanish tax law (minimum 5 years). Anonymized, aggregated usage statistics may be retained indefinitely for service improvement.

10. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our sub-processors are located. For all such transfers, we ensure adequate safeguards through: Standard Contractual Clauses (SCCs) approved by the European Commission; the sub-processor's compliance with recognized data protection frameworks; and contractual data processing agreements. By using the Service, you acknowledge these international transfers as necessary for service delivery.

11. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a minor, we will delete it promptly.

12. Data Controller

The data controller responsible for your personal data is:

• StudioNN Agency S.L.
• NIF: B42978130 | VAT: ESB42978130
• Alicante, Spain
• Data Protection Contact: privacy@aimily.app
• Supervisory Authority: Agencia Española de Protección de Datos (AEPD) — www.aepd.es

13. Contact Us

For privacy-related questions, data subject requests, or complaints, contact us at: privacy@aimily.app

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the effective date at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the updated policy.