Privacy Policy
Last updated: June 2025 · Effective: June 2025 · Contact: [email protected]
Picshoot is committed to your privacy. This policy explains exactly what data we collect, why we collect it, who we share it with, and what rights you have. We do not sell your data. We do not use your garment images or AI-generated outputs to train shared AI models.
1. Who We Are
Picshoot ("we," "us," "our") is an AI fashion commerce platform that transforms flat garment photos into professional AI model photoshoots and generates Shopify-ready product listings. We operate at picshoot.app and through the Shopify App Store.
Data controller contact: [email protected]
2. Data We Collect
2.1 Account Information
- Email address — required to create an account
- Name — optional display name
- Password — stored as a salted scrypt hash, never in plain text
- OAuth identifiers — Google sub-ID or Shopify shop domain when you sign in with Google or Shopify
- Subscription plan — your current plan (Free, Starter, Growth, Pro, Agency)
- Credit balance — monthly credit usage and PRO cap tracking
2.2 Shopify Store Data
When you connect your Shopify store, we receive and store:
- Store domain (e.g., yourstore.myshopify.com)
- Store name and owner email
- API access token — used only to publish products to your store on your instruction
2.3 Garment & Image Data
- Garment photos you upload — stored securely on Cloudflare R2
- AI-generated model images — generated from your garments, stored on Cloudflare R2
- Scene images — editorial scenes generated for your products
- Product listings — AI-generated titles, descriptions, SEO copy, and tags
Your garment images and AI-generated outputs are private to your account and are never used to train shared AI models.
2.4 Usage Data
- Pipeline actions (try-on, scene, listing generations) and their credit costs
- Feature usage patterns (for product improvement)
- Session tokens and authentication timestamps
- Browser type, device type, and general location (country-level)
2.5 Billing Data
For Shopify App Store users, billing is handled entirely by Shopify Billing API. We do not store payment card details. For website users paying via Paddle, payment data is processed by Paddle (the merchant of record) — we receive only subscription status and plan information.
3. How We Use Your Data
- Providing the service — processing your garment images through AI pipelines, generating listings, publishing to Shopify
- Account management — authentication, session management, credit tracking
- Billing — plan enforcement, subscription status, usage limits
- Product improvement — understanding which features are used (aggregated, anonymised)
- Security — detecting abuse, rate limiting, preventing unauthorised access
- Customer support — responding to your requests and resolving issues
- Legal compliance — meeting obligations under GDPR, Shopify Partner requirements, and applicable law
We do not use your data for advertising, profiling, or selling to third parties.
4. Legal Bases for Processing (GDPR)
- Contract performance — processing necessary to provide the service you subscribed to
- Legitimate interests — security monitoring, fraud prevention, product analytics (balanced against your rights)
- Legal obligation — compliance with applicable law, responding to lawful requests
- Consent — marketing emails (you can withdraw at any time)
5. Third-Party Services
We use the following processors to operate the service:
- Shopify — OAuth authentication, App Store billing, product publishing API
- Google / Gemini AI — AI image generation (try-on, scenes, zoom). Your garment images are processed through Google's Gemini API. Google's AI usage policies apply.
- Anthropic / Claude AI — AI text generation for product listing copy and garment analysis
- Cloudflare R2 — Image and asset storage. All user images are stored in Cloudflare's object storage.
- Railway — Application hosting and database (SQLite). Hosted in the United States.
- Paddle — Payment processing for website subscriptions (where applicable)
Each processor is bound by a data processing agreement and appropriate security standards. All third parties are prohibited from using your data for their own purposes beyond providing their services to us.
6. Data Retention
- Active accounts — retained while your account is active and for 2 years after your last login
- Garment and generated images — retained while you have an active account; deleted within 90 days of account deletion request
- Product listings — retained until you delete them or your account is deleted
- Billing records — retained for 7 years for financial compliance
- Server logs — retained for 30 days for security monitoring
7. Your Rights
Under GDPR and applicable privacy law, you have the right to:
- Access — request a copy of all personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your account and personal data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interests
- Restrict processing — request we limit how we use your data
- Withdraw consent — withdraw consent for marketing at any time
To exercise any right, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
8. Cookies & Local Storage
We use a single session cookie (ps_session) to keep you logged in. This is an httpOnly, secure cookie — it cannot be accessed by JavaScript. We also use browser localStorage to remember your preferences (theme, pipeline mode). See our Cookie Policy for full details.
9. Data Security
We use industry-standard security practices: HTTPS everywhere, password hashing with scrypt, httpOnly cookies, prepared SQL statements to prevent injection, rate limiting on authentication endpoints, and R2 bucket access controls. No system is 100% secure, but we actively maintain and monitor our security posture.
10. Children's Privacy
Picshoot is a business-to-business platform intended for merchants and brands. We do not knowingly collect personal data from individuals under 18. If you believe a minor has created an account, contact us immediately.
11. Changes to This Policy
We may update this policy as our practices evolve. For material changes, we will notify you by email (to the address on your account) at least 14 days before the change takes effect. Continued use of Picshoot after the effective date constitutes acceptance.
12. Contact
For privacy questions, data requests, or concerns: [email protected]
For general support: [email protected]