Privacy Policy
Last updated: December 20, 2024 | Effective: December 20, 2024
1. Introduction
Welcome to Imagineo Studio, an AI-powered photoshoot generation platform operated by MagicusPrime LDA ("we," "us," "our," or "Company"). We are committed to protecting your privacy and ensuring the security of your personal data in accordance with the General Data Protection Regulation (GDPR), the Portuguese Data Protection Law (Lei n.º 58/2019), and other applicable data protection legislation.
This Privacy Policy explains how we collect, use, store, protect, and share your personal information when you use our platform at imagineoai.com (the "Service"). By using our Service, you acknowledge that you have read and understood this Privacy Policy.
Important: We do not use your uploaded images or generated content to train our AI models or any third-party AI models. Your creative work remains yours.
2. Data Controller Information
Company Name: MagicusPrime LDA
Registered Address: Rua Dom Manuel 115, Mindelo, Portugal
Email: support@imagineoai.com
Data Protection Inquiries: privacy@imagineoai.com
Country of Establishment: Portugal (European Union)
As a company established in Portugal, we are subject to GDPR and supervised by the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados - CNPD).
3. Data We Collect
3.1 Account Information
- Email address (required for account creation)
- Name (if provided)
- Profile picture (if provided via authentication provider)
- Authentication credentials managed by Clerk (our authentication provider)
- Organization/team information (if applicable)
3.2 User-Uploaded Content
- Images you upload (products, portraits, objects, etc.)
- Reference images for talent/model creation
- Generated photoshoot images
- Metadata associated with your uploads (file names, dimensions, upload timestamps)
3.3 Usage Data
- Photoshoot creation history and preferences
- Style and scene selections
- Feature usage patterns
- Device information (browser type, operating system)
- IP address (for security and fraud prevention)
- Access logs and timestamps
3.4 Payment Information
- Billing address
- Payment method details (processed securely by Stripe - we do not store full card numbers)
- Transaction history and invoices
- Subscription status
3.5 Communication Data
- Support ticket correspondence
- Feedback and survey responses
- Email communication preferences
4. How We Use Your Data
4.1 Service Delivery
- Process and analyze your uploaded images using AI to generate photoshoots
- Store and display your generated images in your gallery
- Provide AI-powered style, scene, and talent recommendations
- Enable image downloads and exports
4.2 Account Management
- Create and maintain your account
- Authenticate your identity
- Process subscription payments and billing
- Manage your organization and team members (if applicable)
4.3 Service Improvement
- Analyze usage patterns to improve features (using anonymized/aggregated data)
- Debug technical issues and optimize performance
- Develop new features based on user feedback
4.4 Communication
- Send transactional emails (account verification, password reset, payment receipts)
- Respond to support inquiries
- Send service updates and important notices
- Marketing communications (only with your explicit consent)
4.5 Security & Compliance
- Prevent fraud and abuse
- Enforce our Terms of Service
- Comply with legal obligations
- Maintain audit trails for security purposes
5. Legal Basis for Processing (GDPR Article 6)
We process your personal data based on the following legal grounds:
- Contract Performance (Article 6(1)(b)): Processing necessary to provide our Service to you, including account management, image processing, and generating photoshoots.
- Legitimate Interests (Article 6(1)(f)): Processing for our legitimate business interests, such as improving our Service, preventing fraud, and ensuring security, where these interests are not overridden by your rights.
- Consent (Article 6(1)(a)): Where you have given explicit consent, such as for marketing communications or optional analytics.
- Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal requirements, such as tax regulations and responding to lawful requests from authorities.
6. AI Processing & No Training Policy
Our Commitment: No AI Training on Your Data
We do NOT use your uploaded images, generated content, or any personal data to train our AI models or any third-party AI models. Your creative work and personal images remain exclusively yours.
6.1 How AI Processing Works
When you use Imagineo Studio, your images are processed by AI models to:
- Analyze image content, composition, and subjects
- Generate style and scene recommendations
- Create new photoshoot variations
- Generate AI talent portraits
6.2 AI Service Providers
We use the following AI service providers for image processing:
- Google Gemini: For image analysis and generation. Google's API terms prohibit training on API input data. We use API configurations that explicitly opt out of any data training.
- OpenAI: For text-based AI features. OpenAI's API does not train on customer data by default, and we maintain opt-out configurations.
- Replicate: For specialized image processing models. Processing is ephemeral and data is not retained for training purposes.
6.3 Our Technical Safeguards
- We explicitly opt out of model training programs with all AI providers
- We use API-based processing only (no custom model training on user data)
- Images are processed ephemerally - not stored by AI providers beyond processing
- We regularly audit our AI provider agreements for data protection compliance
7. Data Sharing & Third-Party Services
We share your data only with trusted third-party service providers who help us operate our Service. All providers are contractually bound to protect your data and use it only for specified purposes.
7.1 Service Providers
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Clerk | Authentication | Email, name, auth tokens | USA (SCCs) |
| Amazon Web Services (S3) | File storage | Uploaded and generated images | EU (Frankfurt) |
| Google Cloud (Gemini) | AI image processing | Images (ephemeral processing) | USA (SCCs) |
| OpenAI | AI text processing | Prompts, descriptions | USA (SCCs) |
| Stripe | Payment processing | Billing info, payment methods | USA/EU (SCCs) |
| PostHog | Product analytics | Usage data, feature interactions | EU |
| PostgreSQL (Managed) | Database | Account data, metadata | EU |
7.2 We Never Sell Your Data
We do not sell, rent, or trade your personal information or uploaded content to third parties for their marketing purposes or any other commercial use.
7.3 Legal Disclosures
We may disclose your information if required by law, court order, or government request, or to protect our rights, property, or safety, or that of our users or the public.
8. Data Retention
We retain your data only for as long as necessary to provide our Service and fulfill the purposes described in this policy:
- Account Data: Retained while your account is active and for 30 days after account deletion to allow for recovery.
- Uploaded Images & Generated Content: Retained while your account is active. Permanently deleted within 30 days of account deletion.
- Payment Records: Retained for 7 years as required by Portuguese tax law and EU financial regulations.
- Usage Logs: Retained for 90 days for security and debugging purposes, then anonymized or deleted.
- Support Communications: Retained for 2 years to maintain service quality and resolve disputes.
9. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
Right of Access (Article 15)
Request a copy of all personal data we hold about you.
Right to Rectification (Article 16)
Request correction of inaccurate or incomplete personal data.
Right to Erasure (Article 17)
Request deletion of your personal data ("right to be forgotten").
Right to Restrict Processing (Article 18)
Request limitation of how we process your data in certain circumstances.
Right to Data Portability (Article 20)
Receive your data in a structured, commonly used format (JSON/CSV).
Right to Object (Article 21)
Object to processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent (Article 7)
Withdraw consent at any time where processing is based on consent.
Right to Lodge a Complaint
File a complaint with the Portuguese Data Protection Authority (CNPD) or your local supervisory authority.
To exercise any of these rights, contact us at privacy@imagineoai.com or support@imagineoai.com. We will respond within 30 days as required by GDPR.
10. Data Deletion Requests
48-Hour Resolution Commitment
We are committed to processing all data deletion requests within 48 hours of receipt. Your privacy is our priority.
How to Request Data Deletion
- Email Request: Send an email to support@imagineoai.com with the subject line "Data Deletion Request" including:
  - Your account email address
  - Whether you want full account deletion or specific data removal
  - Any specific content you want deleted (optional)
- Verification: We will verify your identity by sending a confirmation email to your registered account.
- Processing: Upon verification, we will process your request within 48 hours.
- Confirmation: You will receive email confirmation once deletion is complete.
What Gets Deleted
- All uploaded images and generated photoshoots
- Account information and profile data
- Usage history and preferences
- Saved styles, scenes, and talents
- All associated metadata
What May Be Retained
- Payment records (required by law for 7 years)
- Anonymized, aggregated analytics data
- Legal hold data (if applicable)
- Backup copies (automatically purged within 30 days)
11. Security Measures
We implement robust technical and organizational measures to protect your data:
Technical Safeguards
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest in our databases and storage
- Secure, time-limited presigned URLs for file access (5-minute expiry)
- Regular security audits and penetration testing
- Web Application Firewall (WAF) protection
- DDoS mitigation
Access Controls
- Role-based access control (RBAC) for all systems
- Multi-factor authentication for administrative access
- Principle of least privilege for employee access
- Comprehensive audit logging of all data access
Operational Security
- Regular security training for all team members
- Incident response procedures and breach notification protocols
- Regular backup and disaster recovery testing
- Vendor security assessments
13. International Data Transfers
While we are based in the European Union (Portugal), some of our service providers are located outside the EU, primarily in the United States.
Transfer Safeguards
For transfers to countries without an EU adequacy decision, we rely on:
- Standard Contractual Clauses (SCCs): EU-approved contract terms that provide adequate data protection guarantees.
- EU-U.S. Data Privacy Framework: For US providers certified under this framework.
- Supplementary Measures: Additional technical and organizational measures where necessary.
14. Children's Privacy
Our Service is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information immediately.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@imagineoai.com.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make material changes:
- We will update the "Last Updated" date at the top of this policy
- We will notify you by email at least 30 days before material changes take effect
- We may display a prominent notice within our Service
- For significant changes, we may request renewed consent where required by law
We encourage you to review this Privacy Policy periodically to stay informed about our data practices.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
MagicusPrime LDA
Rua Dom Manuel 115
Mindelo, Portugal
General Inquiries: support@imagineoai.com
Privacy Inquiries: privacy@imagineoai.com
Data Deletion Requests: support@imagineoai.com (48-hour response)
Supervisory Authority: You have the right to lodge a complaint with the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados - CNPD) at www.cnpd.pt or with your local EU supervisory authority.