📜 Spayo – Privacy Policy

Last updated: 15.11.2025

1. Introduction

This Privacy Policy describes how Spayo (“we”, “us”, “our”) collects, uses, stores, and protects personal data when users access https://www.spayo.xyz or any related application services, including the AI-powered image transformation tool available at app.spayo.xyz.

Spayo is operated by:

Krasen Markov
Feldweg 8,
8574 Lengwil, Switzerland
Email: [email protected]
Contact form: https://www.spayo.xyz/about/contact

For purposes of the GDPR (EU/EEA), FADP (Switzerland), and other applicable data protection laws, I am the data controller.

By using Spayo, you agree to this Privacy Policy.

2. Categories of Personal Data We Process

We collect and process the following categories of data:

A. Account and Identification Data

Full Name
Email address
Language preferences
IP address (anonymized in analytics where applicable)

B. Uploaded Images & Generated Images

Original images uploaded by the user
- Sent to Google Gemini API only for processing
- Not stored by Spayo
AI-generated images (the results)
- Generated images are not stored automatically.
- They are only saved in Supabase if the user chooses to save them in the Gallery.
- Users may download images directly without saving them.
- Users may delete saved images from the Gallery at any time.

Spayo may process images that contain human faces for the purposes of visual enhancement and creative transformation. These images are not used for biometric identification and are not considered sensitive biometric data under GDPR Article 9.

C. Billing & Payment Data

Handled exclusively by Stripe, including:

Credit/debit card details
Billing address
Transaction identifiers
Subscription data
Fraud prevention information

We never store card numbers on our servers.

D. Technical & Usage Data

Device type
Browser type
Operating system
Timestamps, log files
Analytics data (Google Analytics)

E. Communication Data

Support messages
Emails sent to us
Future newsletters (opt-out anytime)

3. Purposes and Legal Bases (GDPR Art. 6)

We process personal data for the following purposes:

A. To provide account and platform functionality

To create and maintain user accounts
To deliver AI-generated image transformations
To store user-generated designs

Legal basis:

Art. 6(1)(b) GDPR – performance of a contract

B. To process payments and prevent fraud

Legal basis:

Art. 6(1)(b) – contract
Art. 6(1)(f) – legitimate interest (fraud prevention)

C. To send AI requests to Google Gemini

Processing of images is required to deliver the service.
Google does not use uploaded images or prompts for model training because business-tier paid usage applies.

Legal basis:

Art. 6(1)(b) – contract
Art. 6(1)(f) – legitimate interest in providing the service

D. To send newsletters and product updates

Legal basis:

Art. 6(1)(a) – consent (opt-in)
Art. 6(1)(f) – legitimate interest for existing customers (soft opt-in)

E. Analytics, performance, and security

Legal basis:

Art. 6(1)(f) – legitimate interest in improving service stability

F. Compliance with laws

Legal basis:

Art. 6(1)(c) – legal obligation

4. Image Processing & AI Usage

A. How images are processed

When a user uploads an image, it is:

Temporarily received by Spayo
Immediately forwarded to the Google Gemini API
Used only to generate the requested AI output
Discarded by Google after a short retention period
Not used for AI model training
Not accessible to Google employees except for security logging

B. Google’s handling of images

Based on Google’s policies for business API usage:

User data is not used to improve or train models
Temporary retention is limited (e.g., up to 48 hours for processing)
Security logs may persist up to ~55 days
Logs are not used for AI training

C. What we store

Only the generated images, not the originals
Stored in Supabase (Europe-region servers)
User may delete at any time from the Gallery

5. Data Retention

Data Type	Retention Period
Account data	Until account deletion
Generated images	Until user deletes them
Original uploaded images	Not stored
Payment data (Stripe)	According to Stripe’s retention obligations
Analytics data	According to GA default retention (e.g., 26 months)
Emails & support messages	Until resolved or deleted

If legally required, we may retain certain records longer.

6. Disclosure of Data to Third Parties

We do not sell personal data.

However, we work with these processors:

A. Google Cloud / Google Gemini API

Purpose: AI image processing
Location: Global infrastructure with EU safeguards
Safeguards:

Data Processing Addendum
Model-training opt-out (enabled via paid API use)
SCCs (Standard Contractual Clauses)

B. Supabase

Purpose: Database, authentication, file storage
Location: EU (region configured)
Safeguards:

DPA provided by Supabase
EU SCCs
ISO-grade security

C. Stripe

Purpose: Payment processing
Location: EU/US
Safeguards:

Stripe GDPR-compliant DPA
PCI-DSS Level 1 compliance
SCCs for transfers

D. Google Analytics

Purpose: Usage analytics
Safeguards: IP anonymization enabled.

No tracking pixels (Facebook, TikTok, etc.) are used yet.
If added, this policy will be updated.

7. International Data Transfers

Where data is transferred outside the EU/EEA or Switzerland, we rely on:

Adequacy decisions (e.g., Switzerland → EU mutual adequacy)
Standard Contractual Clauses (SCCs)
DPAs with Google, Stripe, Supabase
Supplementary measures where applicable

You may request copies of these documents.

8. Security Measures

We take appropriate organizational and technical measures, such as:

HTTPS encryption
Transport Layer Security (TLS)
Supabase row-level security policies
Strict access limitations (admin access only when necessary for maintenance, security, or fraud investigations)
Audit logging
Regular backups
Zero storage of original images
PCI-compliant payment processing (handled by Stripe)

9. Your Rights (GDPR & FADP)

Users have the following rights:

Right to access
Right to rectification
Right to erasure (“right to be forgotten”)
Right to restriction of processing
Right to data portability
Right to object
Right to withdraw consent
Right to lodge a complaint with a supervisory authority

For Switzerland:
You have equivalent rights under the Swiss Federal Act on Data Protection (FADP).

To exercise these rights, contact: [email protected]

10. CCPA / CPRA (California Residents)

If you are a California resident, you have:

Right to know what personal data we collect
Right to request deletion
Right to request correction
Right to opt out of “sale” or “sharing” of data
Right to non-discrimination

Spayo does not “sell” data under CCPA definitions.

To make a CCPA request, email: [email protected]

11. Children’s Privacy

Spayo is not intended for children under 16 years old.
We do not knowingly collect data from children.

12. Email Marketing & Notifications

We may send newsletters or product updates to users who:

Have expressly opted in, or
Are existing customers (soft opt-in)

You may unsubscribe anytime via the link in the email.

13. Cookies & Tracking Technologies

We currently use:

Essential cookies (required for authentication)
Preference cookies (language)
Analytics cookies (Google Analytics)

No marketing pixels are used at this time.
If added in the future, we will update this policy prior to activation.

14. Data Deletion

You may delete:

Your account
Any generated image
Any stored profile information

Deleting your account removes all Supabase-stored entries permanently, except data we are legally required to retain (e.g., Stripe billing records).

To prevent abuse of promotional tokens, we store a non-reversible hashed version of email addresses associated with deleted accounts. This data cannot identify a person and is used solely to ensure fair use of our promotional system.

15. Changes to the Privacy Policy

We may update this policy from time to time.
When changes are material, we will notify users via email or dashboard.

16. Contact

For privacy requests:

Email: [email protected]
Address: Feldweg 8, 8574 Lengwil, Switzerland
Contact form: https://www.spayo.xyz/about/contact