GDPR / Privacy Rights

Last updated: 15.11.2025

At Spayo, we respect your privacy and your right to control your personal data.
Residents of the EU, EEA, Switzerland, the United Kingdom, California, and many other jurisdictions have specific legal rights regarding how their personal information is collected, used, stored, and deleted.

This page explains your rights and provides a simple method to submit a privacy request.

1. Your Privacy Rights

Depending on your region, you may have the following rights:

(A) Right of Access (Art. 15 GDPR)

You can request a copy of the personal data we hold about you, including account information, saved designs, and usage logs.

(B) Right to Deletion / “Right to Be Forgotten” (Art. 17 GDPR)

You can ask us to permanently delete:

  • your Spayo account
  • your saved AI-generated images
  • your referral history
  • your browsing data (if stored)
  • any other personal information tied to your account

(C) Right to Rectification (Art. 16)

You may request correction of inaccurate information (e.g., email address).

(D) Right to Data Portability (Art. 20 GDPR)

You may ask for an export of your data in a structured, commonly used format.

(E) Right to Restrict Processing (Art. 18)

You can request temporary restriction of data processing in specific cases.

(F) Right to Withdraw Consent

If processing is based on consent (e.g., marketing emails), you can withdraw at any time.

(G) Right to Object (Art. 21)

You may object to certain forms of data processing.

(H) CCPA/CPRA Rights (California)

California residents additionally may:

  • opt-out of data “sharing” for advertising
  • request that personal information not be used for marketing purposes

You can opt-out here:
Do Not Sell or Share My Personal Information

2. What Data Can You Request?

You may request access or deletion of:

  • Account data (email, signup date, profile preferences)
  • Saved AI-generated images (Gallery)
  • Referral data (invites sent, tokens earned)
  • Transaction records (token purchases via Stripe)*
  • Customer support messages
  • Consent logs (cookies, marketing preferences)
  • System logs associated with your account

*Note: Spayo does not store full payment card numbers.
Stripe acts as the payment processor and stores billing details securely.

3. How to Submit a Data Request

You may submit a privacy request using any of the following methods:

Method 1 — Online Form (Recommended)

Use our secure form here:
👉 https://www.spayo.xyz/about/contact

Choose “Privacy / GDPR Request” from the dropdown.

Method 2 — Email (Manual Request)

Send an email to:
📩 [email protected]
Subject: GDPR Data Request

Include:

  • The email address associated with your Spayo account
  • Whether you request Access, Deletion, Correction, Restriction, or Portability
  • Any additional details we should know

For security, we may require verification (e.g., confirmation link to your email).

4. How Long Does It Take?

We respond within:

  • 30 days – Standard GDPR timeframe
  • 45 days – If your request is complex or requires extra verification
  • 10 days (California) – Acknowledgement of CCPA/CPRA requests

We will keep you updated if additional time is required.

5. What Happens When Your Account Is Deleted

If you request deletion:

✔ Your account is permanently removed

✔ All stored AI-generated images (Gallery) are deleted

✔ Referral history is deleted

✔ Any analytics associated with your user ID is anonymized

✔ Emails, preferences, tokens, and settings are deleted

✘ Payment history cannot be erased from Stripe (legal requirement)

✘ Backups may retain data for a short time before auto-purge

Deletion is irreversible.
If you return to Spayo, you will need to create a new account.

6. Will Deleting My Data Affect My Tokens?

Yes.
If you request a full deletion:

  • All unused tokens will be erased
  • All saved designs will be erased
  • All referral bonuses will be removed

We cannot restore deleted tokens or designs.

7. Verification Requirements

To protect your data, we may ask for:

  • confirmation via your account email,
  • confirmation link, or
  • additional verification if something appears suspicious.

We never require:

  • ID photos,
  • passport scans,
  • or sensitive documents.

8. Special Notes for AI Image Processing

Spayo processes images using Google Gemini API.

  • Your original uploaded photo is sent only for processing, not for training AI.
  • Google does not use your data to improve its AI models.
  • Google retains temporary logs for security (≈48h image retention + ≈55 days system logs), then auto-deletes them.
  • Original uploaded images are not stored by Spayo.
  • Only the AI-generated results are saved in your user Gallery.

This ensures:
✔ high privacy
✔ full GDPR & Swiss FADP compliance
✔ no biometric profiling
✔ no AI training on user content

9. Contact Details of the Data Controller

Data Controller:
Krasen Markov
Feldweg 8
8574 Lengwil
Switzerland

Email: [email protected]

If you are in the EU, you may also contact your local Data Protection Authority.

10. Updates to This Page

We may update this page occasionally to remain compliant with:

  • GDPR
  • Swiss nFADP
  • CCPA/CPRA
  • UK-GDPR
  • Other privacy regulations

Changes will be posted with a new “Last Updated” date.