Privacy Policy (GDPR) – Fotobot.ai
Effective Date: June 1, 2025
Data Controller: GumDock s.r.o., ID: 23673281, TAX ID: CZ23673281
Address: Rostoklaty 184, Rostoklaty, 28171, Czech Republic
Privacy Contact: [email protected]
Website: https://fotobot.ai
This Privacy Policy explains how we process personal data of users (“you”) of Fotobot.ai (“Service”) in compliance with the EU GDPR and related laws.
1. Data We Process
| Category | Examples |
|---|---|
| Identification & contact | E-mail, display name, billing details (if needed). |
| Account data | Login identifiers, subscription plan, credit balance, transaction history. |
| Technical data | IP address, device/browser identifiers, access logs, essential cookies, timestamps. |
| Support data | Content of support tickets and attachments. |
| User content & outputs | Uploaded photos, background prompts, generated images. (Not used for model training.) |
We do not intentionally process special-category data; please do not upload such data.
2. Purposes & Legal Bases
| Purpose | What we do | Legal basis (GDPR) |
|---|---|---|
| Provide the Service | Account creation, credits, generation, hosting, interface. | Contract (Art. 6 (1)(b)) |
| Payments & accounting | Payment processing, invoices, tax compliance. | Legal obligation (Art. 6 (1)(c)) & Contract |
| Support & communication | Replies to enquiries, incident handling, service notices. | Contract / Legitimate interest (Art. 6 (1)(f)) |
| Security & misuse prevention | Logging, fraud detection, defence against attacks. | Legitimate interest |
| Service improvement & stats | Aggregated metrics, quality and stability analytics. | Legitimate interest (aggregated/anonymous) |
| Marketing (optional) | Newsletter or promotional e-mails. | Consent (Art. 6 (1)(a)) |
You may withdraw consent at any time (see “Your Rights”).
3. User Content & Outputs
- Used only to deliver the Service (processing, generation, storage, display, support).
- Not used to train our or third-party models.
- Your responsibility: upload only lawful content you own or are licensed to use.
- Content is not shared with other users by default.
4. Recipients & Processors
Personal data may be shared with processors strictly as needed:
| Category | Role |
|---|---|
| Stripe | Payment service provider – may act as our processor and separate controller for fraud prevention & legal duties. See Stripe Privacy Center and SCC safeguards. |
| Cloud hosting & infrastructure | Servers and storage to run the Service. |
| E-mail & notification services | Transactional e-mails, password reset, system alerts. |
| Support tools | Ticketing and incident management platforms. |
A full list of processors and processing locations is available on request.
5. International Transfers
Data are primarily stored in the EU/EEA. Where transfers outside the EU/EEA occur (e.g. Stripe’s US entities), we rely on Standard Contractual Clauses (SCCs) and supplementary safeguards as required by GDPR.
6. Retention Periods
| Data set | Typical retention |
|---|---|
| Account & operational data | As long as the Account exists. |
| Billing records | Up to 10 years (statutory). |
| Security logs | 12–24 months (need-based). |
| User content & outputs | Until Account deletion. |
Deletion: On Account deletion request, we erase production data within 30 days; backups are overwritten in normal cycles. Some records (e.g. invoices) may be kept as required by law.
7. Cookies & Similar Tech
- Essential cookies: login session, security. Required for Service operation.
- Analytics/marketing cookies: used only with consent via the cookie banner. Without consent we do not place marketing or retargeting cookies.
You can modify preferences in the cookie banner or browser settings.
8. Data Security
We apply appropriate technical and organisational measures: HTTPS encryption, access controls, role separation, security logging, regular updates and backups. All processors are bound by confidentiality and GDPR-compliant agreements.
9. Your Rights
You may:
- Access your personal data.
- Rectify inaccurate or incomplete data.
- Erase data (“right to be forgotten”) in applicable cases.
- Restrict processing in lawful circumstances.
- Request data portability for data processed under contract or consent.
- Object to processing based on legitimate interest or to direct marketing.
- Withdraw consent at any time.
Submit requests via [email protected]. We may verify your identity. We reply without undue delay and within 1 month at most (extendable by 2 months for complex cases).
You may lodge a complaint with the Czech Data Protection Authority (https://uoou.cz).
10. Children
The Service targets users aged 15 and over. Users younger than 15 require parental consent. We do not knowingly collect data from children without such consent.
11. Automated Decision-Making
The Service does not make decisions producing legal or similarly significant effects solely by automated processing. Image generation is automated but not a legal decision.
12. Export & Account Deletion
- Data export: available on request to [email protected] in common formats.
- Account deletion: request via e-mail; executed within 30 days.
- Back-ups erase data automatically in regular cycles after deletion.
13. Legal Requests
We may process or disclose data if required by law or a valid request from public authorities, to the minimal necessary extent.
14. Changes to This Policy
We may update this Policy (e.g. legal or process changes). We will inform you in advance of material changes (e-mail or in-app). The effective date will be updated.
15. Contact
For privacy questions or to exercise your rights, e-mail [email protected].