Privacy Policy

1. Scope and Definitions

“Personal data” has the meaning given to it in Article 4(1) of the GDPR.

“Service” refers to the ShotCrafted platform, including the website, application, AI generation tools, and all related features.

“Uploaded Content” refers to images or other material you submit to the Service.

“Generated Content” refers to images or other material produced by the Service using artificial intelligence.

“You” or “your” refers to the natural person whose personal data we process — typically the account holder using the Service.

This Policy applies to all users of the Service worldwide. Where you are in the European Economic Area (“EEA”), the United Kingdom, California, Canada, Australia, or another jurisdiction with specific data protection laws, you benefit from additional rights set out in Section 8 and the Regional Rights Addendum below.

2. The Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Account data (collected when you register)

• Email address.
• Account credentials managed by our authentication provider (a password hash or an OAuth identifier — we never see or store your plain-text password).
• Display name and profile photo, if you sign up through a third party identity provider such as Google.
• A unique user identifier assigned by our authentication provider.
• The version of our Terms of Service you accepted and the timestamp of that acceptance.

2.2 Uploaded Content

• Images you upload to the Service, typically photographs of jewellery products you intend to generate lifestyle imagery from.
• Any text you provide alongside an upload, such as a product description, a custom prompt, or a revision instruction.
• Generation parameters you select — jewellery type, skin tone preference, lighting style, gender of the rendered model, and scene variation.

Uploaded Content may, in some cases, contain personal data if the images include identifiable people (for example, a hand wearing a ring). You are responsible for ensuring you have the legal right to upload any such content. See Section 3.5 on our guidance for special categories of data.

2.3 Generated Content

• The images produced by our AI models in response to your inputs.
• The internal prompt we constructed to produce them.
• Metadata linking the generation back to your account (user identifier, timestamp, and a reference to the Uploaded Content used).

Uploaded Content and Generated Content are stored on a content delivery network with object level public access controlled by an unguessable random identifier. We describe this further in Section 7.

2.4 Payment and transaction data

• Credit pack purchases, including amount, currency, timestamp, and the Stripe checkout session identifier associated with the purchase.
• Your credit balance and a ledger of credit transactions (purchase, bonus, and usage entries).
• We do not see, collect, or store your full payment card details. Card data is handled directly by Stripe, our PCI-compliant payment processor.

2.5 Technical and usage data

• IP address (used transiently by our hosting and authentication providers for security and fraud prevention, and by our hosting provider's edge network to infer your country for currency display).
• Approximate country derived from your IP address.
• Device and browser information (user agent, operating system, approximate screen size).
• Session cookies and authentication tokens issued by our authentication provider.
• Application logs recording authenticated API requests, errors, and generation outcomes.
• Rate limiting counters associated with your user identifier, stored in a short-lived cache.

2.6 Product analytics data

Where you have not opted out through our cookie banner (see Section 10), we process product analytics events using a self-serve analytics tool. These events describe how the Service is used — for example, which pages you visit, which buttons you click, and which generation flows you complete. Analytics events are associated with a pseudonymous user identifier, not with your email address directly. We configure our analytics tool to host this data in the European Union.

2.7 Communications data

• The content of any email you send us (for support, account closure, complaints, or any other reason) and our reply.

We do not knowingly collect any other categories of personal data. We do not deploy advertising cookies, cross site tracking pixels, or third party advertising identifiers.

3. How We Use Your Personal Data and Our Legal Basis

We process your personal data for the following purposes. For each purpose we identify the legal basis under Article 6 of the GDPR on which we rely.

3.1 To provide the Service (performance of a contract — Article 6(1)(b))

• Creating and maintaining your account.
• Authenticating you when you sign in.
• Accepting your Uploaded Content and passing it to our AI models.
• Returning Generated Content to you and displaying it in your gallery.
• Processing purchases of credit packs and maintaining your credit balance.
• Providing customer support.

3.2 To keep the Service secure, stable, and fair (legitimate interests — Article 6(1)(f))

• Preventing fraud, abuse, and unauthorised account access.
• Enforcing the rate limits documented in our Terms of Service.
• Diagnosing errors and investigating incidents.
• Defending ourselves against legal claims and enforcing our Terms.

Our legitimate interest is in operating a reliable, safe, and financially sustainable Service. We have assessed this interest against your rights and freedoms and consider that our processing is proportionate.

3.3 To understand and improve the Service (legitimate interests — Article 6(1)(f))

• Analysing aggregate usage patterns through our analytics tool.
• Diagnosing user experience issues and prioritising product improvements.
• Conducting internal research and development.

3.4 To train AI models in future (reserved right, no current processing)

We do not currently use Uploaded Content or Generated Content to train, fine tune, or develop artificial intelligence models. We reserve the right to do so in future, as permitted by the licence you grant us under Section 6 of our Terms of Service. Before we begin any such processing, we will: (a) update this Policy to reflect the change; (b) notify registered users by email or through the Service; and (c) offer you a mechanism to object under Section 8.5. The legal basis we anticipate relying on is our legitimate interests in improving the quality of the Service, balanced against your rights as described in Section 8.

3.5 To comply with legal obligations (Article 6(1)(c))

• Retaining records required under Irish and EU tax, accounting, and consumer protection law.
• Responding to lawful requests from public authorities, courts, and regulators.
• Maintaining records of your acceptance of our Terms of Service.

3.6 Special categories of data

Images you upload may, incidentally, reveal information about real people (for example, a person's skin tone or biometric characteristics such as a face). We do not intentionally process special categories of personal data within the meaning of Article 9 of the GDPR. The Service is designed for photographs of jewellery products, not portraits of real individuals.

You must not upload images of identifiable people unless you have a lawful basis to do so and the right to grant us the licences described in our Terms of Service. If we become aware that you have done so without that right, we may delete the content and suspend your account.

3.7 Automated decision making

We do not make any decision that produces legal or similarly significant effects about you based solely on automated processing within the meaning of Article 22 of the GDPR. The AI generation itself is a creative tool that produces an image from your inputs; it does not evaluate, score, or profile you.

4. Who We Share Your Personal Data With

We do not sell your personal data. We share it only with the following categories of recipients, and only to the extent necessary for the purposes described above.

4.1 Service providers (data processors acting on our instructions)

• Clerk, Inc. — Authentication and user management. Data: email, credentials, OAuth identifiers, session tokens, user metadata including credit balance and Terms acceptance records. Location: United States.
• Stripe Payments Europe, Limited — Payment processing and checkout. Data: payment card details (collected directly by Stripe), billing email, purchase metadata. Location: Ireland.
• Google LLC (Gemini API) — AI image generation. Data: Uploaded Content and the text prompts we construct; we do not send your user identifier or email to Google. Location: United States.
• Cloudflare, Inc. (R2 object storage) — Storage of Uploaded Content and Generated Content. Data: Uploaded and Generated images, keyed by an opaque random identifier. Location: Western Europe region.
• MongoDB, Inc. (Atlas) — Database of generations, transactions, and metadata. Data: generation records, credit transactions, associated user identifiers. Location: Ireland (AWS eu-west-1).
• Vercel, Inc. — Application hosting and edge network. Data: request logs, IP-derived country, all traffic to the Service. Location: United States (global edge).
• Upstash, Inc. (Redis) — Rate limiting. Data: user identifier and a time-windowed counter only. Location: Ireland (AWS eu-west-1).
• PostHog, Inc. (EU Cloud) — Product analytics. Data: pseudonymous user identifier, page views, feature usage events. Location: European Union (Frankfurt).

Each of these providers acts as a data processor on our behalf and is bound by a written data processing agreement that satisfies Article 28 of the GDPR.

4.2 Professional advisers

We may share personal data with lawyers, accountants, auditors, and similar advisers where necessary for them to provide their services to us.

4.3 Authorities and successors

We may share personal data where required by law, court order, or a valid regulatory request, and with a successor entity in the event of a merger, acquisition, reorganisation, or sale of business assets. In any such case we will take reasonable steps to ensure your personal data continues to be protected to a standard consistent with this Policy.

4.4 No advertising partners and no sale of personal data

We do not share your personal data with advertising networks or data brokers, and we do not sell your personal data for monetary or other valuable consideration. We do not “share” personal data for cross context behavioural advertising, as that term is defined under the California Consumer Privacy Act.

5. International Transfers

The majority of your personal data is stored within the European Economic Area — in particular, your database records are held in Ireland, your Uploaded and Generated Content is held in a Western European region, your rate limiting counters are in Ireland, and your product analytics data is held in the European Union. However, some of our service providers are based in the United States, including our authentication provider (Clerk), our AI model provider (Google), and our hosting provider (Vercel).

When your personal data is transferred outside the EEA we rely on one of the following safeguards permitted by Chapter V of the GDPR:

• The European Commission's Standard Contractual Clauses, together with any supplementary measures required by applicable guidance; or
• An adequacy decision adopted by the European Commission in respect of the receiving country, where one is in force; or
• Another valid transfer mechanism recognised by the GDPR.

You may request a copy of the safeguards we have in place for any specific transfer by contacting us at ronan@shotcrafted.com.

6. How Long We Keep Your Personal Data

We keep personal data for no longer than is necessary for the purposes for which it was collected, subject to any longer retention required by law.

• Account data. For as long as your account is open, plus up to 24 months after closure for dispute resolution and fraud prevention purposes, unless a longer period is required by law.
• Uploaded Content and Generated Content. For as long as your account is open. On account closure we may retain the content for up to 90 days to allow reinstatement and to complete any in-flight processing, after which it will be deleted.
• Credit transactions and invoices. Retained for 6 years from the end of the relevant accounting period to comply with Irish tax and accounting obligations.
• Application logs. Retained for up to 90 days, then deleted or aggregated.
• Product analytics events. Retained for up to 12 months, then aggregated or deleted.
• Rate limiting counters. Expire automatically within hours of creation.
• Communications data. Retained for up to 24 months from the last correspondence, unless we need to keep it longer for a specific legal purpose.
• Terms of Service acceptance records. Retained for as long as your account is open, plus up to 6 years after closure, as a record of contract formation.

When retention ends, we will delete or anonymise the relevant personal data. Backups are overwritten on a rolling schedule.

7. How We Protect Your Personal Data

We take appropriate technical and organisational measures to protect your personal data, including:

• Transport encryption (HTTPS / TLS) for all communication between your browser and our infrastructure, and between our infrastructure and our service providers.
• Encryption at rest for our databases and object storage, provided by our hosting and storage partners.
• Authentication and access controls that restrict internal access to personal data to a limited number of authorised personnel.
• Signed, verified webhooks for events received from Stripe and our authentication provider to prevent spoofed requests reaching our servers.
• Rate limiting and abuse detection on generation endpoints.
• Regular review of our security posture and of the practices of our service providers.

Object storage URLs. Uploaded Content and Generated Content are stored on a content delivery network and served over HTTPS from URLs that contain a cryptographically random identifier (UUID v4). These identifiers are not guessable. Anyone who comes into possession of the full URL, however, can access the image. Do not share these URLs with anyone you do not intend to grant access to. If you become concerned that a URL has been exposed, contact us at ronan@shotcrafted.com and we will delete the underlying object.

No online service can be guaranteed secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Irish Data Protection Commission and, where required, affected users, in line with Articles 33 and 34 of the GDPR.

8. Your Rights

Where the GDPR or UK GDPR applies to your personal data, you have the following rights. You can exercise any of them by contacting us at ronan@shotcrafted.com. We will respond within one month, as required by Article 12(3) of the GDPR.

8.1 Right of access

You may ask us to confirm whether we process personal data about you and to provide a copy.

8.2 Right to rectification

You may ask us to correct inaccurate or incomplete personal data.

8.3 Right to erasure (“right to be forgotten”)

You may ask us to delete your personal data in the circumstances set out in Article 17 of the GDPR — for example, where it is no longer necessary for the purposes for which it was collected. Erasure may not always be possible where we need to retain data to comply with a legal obligation, to establish or defend legal claims, or where the data has been aggregated to a point where you can no longer be identified.

8.4 Right to restriction of processing

You may ask us to restrict our processing of your personal data in the circumstances set out in Article 18 of the GDPR.

8.5 Right to object

You may object to processing we carry out on the basis of our legitimate interests, including any future use of Uploaded Content and Generated Content for AI model improvement and internal research. If you object, we will stop that processing unless we demonstrate compelling legitimate grounds that override your interests, or we need to continue for the establishment, exercise, or defence of legal claims.

8.6 Right to data portability

You may ask us to provide your account data, Uploaded Content, and Generated Content in a structured, commonly used, machine readable format, or to transmit it to another controller where technically feasible.

8.7 Right to withdraw consent

Where we rely on your consent (for example, to place non essential cookies or to run product analytics), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

8.8 Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement. Our lead supervisory authority is the Irish Data Protection Commission (www.dataprotection.ie). We would, however, appreciate the opportunity to address your concerns first — please contact us at ronan@shotcrafted.com before escalating.

9. Children

The Service is not directed to children. You must be at least 18 years of age to create an account or use the Service, as set out in Section 2 of our Terms of Service. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us at ronan@shotcrafted.com and we will promptly delete it.

10. Cookies and Similar Technologies

We use a small number of cookies and similar technologies that are strictly necessary to provide the Service. These include:

• Session cookies set by our authentication provider to keep you signed in across pages.
• Security cookies used to prevent cross site request forgery and detect fraudulent activity.
• A short lived cookie used by our payment provider during checkout.

Strictly necessary cookies do not require your consent under the ePrivacy Directive as implemented in Ireland, because they are essential for the Service you have requested.

Where we use product analytics (as described in Section 2.6), we do so on the basis of your consent, captured through a cookie banner on your first visit. You can withdraw your consent at any time through the cookie preferences link in the footer of our website. If you withdraw consent, we will stop collecting analytics events from your device.

We do not use advertising cookies, behavioural advertising trackers, or cross site tracking technologies.

11. AI-Specific Transparency

Because the Service is an AI tool, we want to be explicit about two points required by emerging EU AI regulation and good practice:

11.1 You are interacting with an AI system

The lifestyle photographs produced by the Service are generated by artificial intelligence models and do not depict real people, real events, or real photographs, even where the output appears photorealistic.

11.2 Use of your content for model training

We do not currently use Uploaded Content or Generated Content to train, fine tune, or develop AI models, as set out in Section 3.4. We reserve the right to do so in future, subject to giving you advance notice and an opportunity to object.

12. Changes to This Policy

We may update this Policy from time to time. When we make material changes we will update the “Last Updated” date at the top of this document, increment the version number, and, where appropriate, notify you by email or through the Service before the changes take effect. Your continued use of the Service after a change takes effect constitutes your acknowledgement of the updated Policy. The previous version will remain available on request.

13. Regional Rights Addendum

13.1 United Kingdom

If you are in the United Kingdom, the UK GDPR and the Data Protection Act 2018 apply to the processing of your personal data. The rights described in Section 8 apply to you on the same terms, and your supervisory authority is the Information Commissioner's Office (www.ico.org.uk).

13.2 California, United States

If you are a California resident, the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”) gives you the following rights in addition to those in Section 8:

• Right to know what categories and specific pieces of personal information we collect about you, the sources of that information, the business or commercial purpose for collecting it, and the categories of recipients with whom it is shared. The disclosures in Sections 2, 3, and 4 satisfy this right in general terms; you may also request the specific pieces of information we hold about you.
• Right to delete your personal information, subject to the exceptions in the CCPA.
• Right to correct inaccurate personal information.
• Right to opt out of sale or sharing of personal information. We do not sell or share (as defined under the CCPA) your personal information, so this right does not currently require any action.
• Right to limit use and disclosure of sensitive personal information. We do not use or disclose sensitive personal information beyond the purposes permitted by CCPA section 7027(m).
• Right to non discrimination. We will not discriminate against you for exercising any of these rights.

To exercise any of these rights, contact us at ronan@shotcrafted.com. We will verify your identity before fulfilling the request by asking you to confirm information we already hold about you. You may also authorise an agent to act on your behalf; we will require evidence of that authorisation.

We do not process personal information of California residents under the age of 16.

13.3 Other US states

Several other US states (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana) have enacted comprehensive consumer privacy laws that provide rights broadly equivalent to those in the CCPA. If you are a resident of such a state we will honour those rights on the same basis as the CCPA rights described above.

13.4 Canada

If you are in Canada, your personal data is processed in accordance with the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and, if you are in Quebec, the Act Respecting the Protection of Personal Information in the Private Sector (“Law 25”). You have rights of access, correction, withdrawal of consent, and complaint to the Office of the Privacy Commissioner of Canada (www.priv.gc.ca) or, in Quebec, the Commission d'accès à l'information (www.cai.gouv.qc.ca).

13.5 Australia

If you are in Australia, the Australian Privacy Principles (“APPs”) under the Privacy Act 1988 (Cth) apply. You have rights of access and correction, and the right to complain to the Office of the Australian Information Commissioner (www.oaic.gov.au). You may also complain to us directly at ronan@shotcrafted.com, and we will respond in accordance with APP 1.4.

14. Contact

If you have any questions about this Privacy Policy, or if you wish to exercise any of your rights under it, please contact us:

Finsho Limited
13 Steeple Crescent, Abbey View, Trim, Meath, Ireland, C15 F603
Email: ronan@shotcrafted.com