PRIVACY POLICY

1. Controller

The controller of personal data processed via the Service is the Fruits operator. Contact details for data-protection requests are listed in the Contact section below.

2. Categories of personal data we process

• Account data: email address, display name, optional profile fields (e.g. home city, promo URL), hashed password (managed by Supabase Auth) or OAuth identifier.
• Provider keys (BYOK): API keys you choose to store for OpenAI or Google. Keys are encrypted at rest and only decrypted server-side at request time.
• Content: prompts, project metadata, builder settings, uploaded reference images, and generated images you produce.
• Usage data: request timestamps, generation logs (redacted prompt text, provider/model, token counts, estimated cost), credit ledger entries.
• Cookies: strictly-necessary session cookies issued by Supabase Auth for keeping you signed in. See the Cookie Policy.

3. Purposes and lawful bases

• Performing the contract (Art. 6(1)(b) GDPR): account creation, authentication, building prompts, generating and storing images, processing payments where applicable.
• Legal obligations (Art. 6(1)(c) GDPR): responding to lawful requests, retaining logs as required by applicable law, content moderation under the Digital Services Act.
• Legitimate interests (Art. 6(1)(f) GDPR): preventing abuse, securing the Service, troubleshooting, anti-fraud, basic analytics on aggregate usage.
• Consent (Art. 6(1)(a) GDPR): only where explicitly requested (e.g. optional marketing emails, if offered).

4. Recipients and third-party processors

We use the following sub-processors. Each is bound by a data processing agreement and processes data only for the purposes set out below.

• Supabase (database, authentication, storage): hosts your account, project, and metadata records. Data may be stored in the EU region.
• Hostinger (application hosting and persistent file storage for generated and uploaded images).
• OpenAI: when you generate images using OpenAI (platform key or your BYOK), prompt text and reference images are transmitted to OpenAI's API.
• Google (Gemini / NanoBanana): when you generate images using Google models, prompt text and reference images are transmitted to Google's API.

Provider sub-processors apply their own privacy terms. You are responsible for reviewing them, especially when you bring your own key.

5. International transfers

Where data is transferred outside the European Economic Area (for example to OpenAI or Google in the United States), transfers rely on the European Commission's adequacy decisions where available, or on Standard Contractual Clauses with supplementary measures.

6. Retention

• Account data: retained while your account is active. Account deletion soft-deletes for 30 days then irreversibly purges all personal data, files, and generation history.
• Generated and uploaded images: retained while associated with an active account or saved generation result; orphan files older than 7 days are removed by automated cleanup.
• AI generation logs: redacted plain-text logs in logs/ai are retained for 7 days by default.
• Moderation reports: retained while needed for review and for a reasonable period thereafter for audit (typically 12 months).

7. Your rights under the GDPR

You have the right to:

• Access the personal data we hold about you (Art. 15).
• Rectify inaccurate data (Art. 16).
• Erasure / "right to be forgotten" (Art. 17).
• Restrict or object to processing (Art. 18 and 21).
• Data portability (Art. 20).
• Withdraw consent at any time where processing is based on consent (Art. 7).
• Lodge a complaint with your local supervisory authority (Art. 77).

You can export your data and delete your account at any time from your Settings page (Danger zone).

8. Security

We apply reasonable technical and organizational measures: TLS in transit, encrypted storage of provider keys, row-level security on all user-scoped tables, server-only service-role access, signed short-lived session cookies, principle-of-least-privilege admin surfaces, and a strict Content Security Policy on browser surfaces.

9. Children

The Service is not directed at children under the age of digital consent applicable in their country. We do not knowingly process data of children below this age.

10. Changes

We may update this Privacy Policy. Material changes will be communicated via the Service or by email.

11. Contact

For data-protection requests (access, rectification, erasure, objection, portability), use the in-app data export and account deletion controls in Settings, or contact the operator through the channel published on the Service. We will respond within one (1) month, as required by Art. 12(3) GDPR.