Privacy Policy

Imazify ("we," "us," or the "Service") is operated at imazify.com by a company incorporated in the Republic of Korea. We are committed to protecting your privacy and handling your personal data in compliance with applicable data protection laws, including the Korean Personal Information Protection Act ("PIPA"), the EU General Data Protection Regulation ("GDPR"), and the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA").

Imazify is an AI-powered Amazon A+ Content and listing image generation SaaS. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.

For the purposes of the GDPR, Imazify is the data controller responsible for your personal data. The Republic of Korea has been granted an adequacy decision by the European Commission (2021), facilitating lawful data transfers between the EU and Korea.

We collect the following categories of personal information:

Account Information: When you sign in via Google OAuth, we collect your name and email address. We do not collect or store passwords. The legal basis for this processing under the GDPR is contract performance (Article 6(1)(b)).

Product Images (User-Uploaded): You may upload product images to the Service for the purpose of AI-powered image generation. These images are stored in Supabase Storage (hosted on AWS infrastructure) and are associated with your account and projects.

AI-Generated Images: Images generated by our AI service are stored in Supabase Storage and linked to your projects. These images are created using the Google Gemini API based on your uploaded content.

Usage and Analytics Data: We collect analytics events including event type, page path, device information, browser type, operating system, country (derived from Vercel hosting headers), and a one-way hashed IP address. We do not store raw IP addresses. This processing is based on our legitimate interest in improving the Service (Article 6(1)(f) GDPR).

Payment Information: Payments are processed by LemonSqueezy, which acts as the Merchant of Record. Imazify does not directly collect, process, or store credit card numbers or financial account details. LemonSqueezy may collect your name, email address, billing address, and payment method details in accordance with their own privacy policy.

Cookies: We use strictly necessary cookies for authentication sessions and locale preferences. No analytics, advertising, or third-party tracking cookies are used. See the Cookies section below for details.

Under the CCPA/CPRA: The categories of personal information we collect include identifiers (name, email, hashed IP), commercial information (subscription history), internet or electronic network activity (usage analytics), and visual information (uploaded and generated images). We do not sell or share your personal information as defined under the CCPA/CPRA.

We use the information we collect for the following purposes:

• Service Delivery: Generating AI-powered Amazon A+ Content and listing images based on your uploaded product images and specifications.
• Account Management: Authenticating your identity, managing your account and subscription, and providing customer support.
• Service Improvement: Analyzing aggregated and anonymized usage data to maintain, improve, and optimize the Service.
• Communication: Sending essential service-related notices, security alerts, and updates about changes to the Service or this Privacy Policy.
• Legal Compliance: Fulfilling legal obligations, responding to lawful requests from public authorities, and protecting our rights.

We process your data under the following legal bases (GDPR): contract performance for core service functionality, legitimate interest for analytics and service improvement, legal obligation for compliance requirements, and consent where specifically obtained.

Important — AI and Your Data: Your uploaded product images are sent to the Google Gemini API solely for the purpose of generating images as requested by you. Your images are not used to train any AI models. Google may retain data sent via the Gemini API for up to 30 days for debugging and abuse prevention purposes, in accordance with Google's API terms of service.

Imazify does not sell, rent, or trade your personal information to any third party. We do not share your personal information for cross-context behavioral advertising. We engage the following trusted third-party service providers ("processors" under the GDPR) who process data on our behalf and are bound by contractual obligations to protect your data:

• Supabase (Database, Authentication & Storage): Stores your account information, project data, uploaded images, and AI-generated images. Supabase infrastructure is hosted on Amazon Web Services (AWS). A Data Processing Agreement (DPA) is in place with Supabase.
• Google Gemini API (AI Image Generation): Product images you upload are sent to Google's Gemini API for the sole purpose of generating listing images and A+ Content. Your personal information (name, email) is not transmitted to the Gemini API. Google may retain submitted data for up to 30 days for debugging purposes.
• LemonSqueezy (Payment Processing): Acts as the Merchant of Record for all subscription transactions. Your email address and billing information are shared with LemonSqueezy to process payments. LemonSqueezy handles payment data in accordance with PCI DSS standards.
• Vercel (Hosting): Hosts the Service and provides geographic headers (country-level) used for analytics. Vercel processes requests in accordance with their privacy policy and DPA.

We may also disclose your information if required to do so by law, regulation, or valid legal process, or if necessary to protect the rights, property, or safety of Imazify, our users, or the public.

Imazify implements industry-standard technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

• All data in transit is encrypted using HTTPS/TLS protocols.
• Data at rest is encrypted using AES-256 encryption within Supabase infrastructure.
• Database access is restricted through Row Level Security (RLS) policies, ensuring users can only access their own data.
• Authentication is handled via Google OAuth 2.0, eliminating password-related vulnerabilities.
• IP addresses are hashed using a one-way algorithm before storage, preventing identification of individual users from analytics data.
• Access to production systems is restricted to authorized personnel on a need-to-know basis.

While we strive to use commercially acceptable means to protect your personal data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents.

Breach Notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33) and the Korean Personal Information Protection Commission (PIPC) as required under PIPA. Affected individuals will be notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms.

Imazify uses only strictly necessary cookies that are essential for the operation of the Service. These cookies are exempt from consent requirements under applicable cookie laws (including the ePrivacy Directive) because the Service cannot function properly without them:

• Authentication Session Cookies: Managed by Supabase Auth, these cookies maintain your authenticated session and are essential for accessing the Service after login. They expire when your session ends or after the configured session timeout.
• Locale Preference Cookie: Stores your selected language preference (e.g., English or Korean) to ensure the Service displays in your chosen language across page navigations.

Imazify does not use any of the following:

• Analytics or performance cookies
• Advertising or marketing cookies
• Third-party tracking cookies
• Social media cookies

Because we only use strictly necessary cookies, no cookie consent banner is required. If we introduce non-essential cookies in the future, we will update this policy and implement appropriate consent mechanisms before deployment.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Under the GDPR (EU/EEA Residents):

• Right of Access (Article 15): You may request a copy of the personal data we hold about you.
• Right to Rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
• Right to Erasure (Article 17): You may request deletion of your personal data, subject to certain legal exceptions.
• Right to Data Portability (Article 20): You may request your personal data in a structured, commonly used, machine-readable format.
• Right to Restrict Processing (Article 18): You may request that we limit how we process your data in certain circumstances.
• Right to Object (Article 21): You may object to processing based on legitimate interests, including processing for analytics purposes.

Under the CCPA/CPRA (California Residents):

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

We do not sell or share personal information. Therefore, a "Do Not Sell or Share" opt-out is not applicable.

Under Korean PIPA:

• Right of Access: You may request access to your personal information.
• Right to Correction and Deletion: You may request correction or deletion of your personal information.
• Right to Data Portability: As of March 2025, you may request transmission of your personal data to yourself or a third party in a machine-readable format.
• Right to Suspend Processing: You may request suspension of the processing of your personal information.

To exercise any of these rights, please contact us at kr2idiots@gmail.com. We will respond to all verified requests within 30 days (or within the timeframe required by applicable law). We may request additional information to verify your identity before processing your request.

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:

• Account Data: Retained for the duration your account is active. If you deactivate your account, we may retain your data for a reasonable period to allow for reactivation.
• Uploaded Product Images: Retained for as long as the associated project exists. Deleting a project will remove all images associated with it. Deleting your account will remove all projects and images.
• AI-Generated Images: Retained for as long as the associated project exists, following the same deletion policy as uploaded images.
• Usage and Analytics Data: Retained in anonymized or aggregated form for service improvement purposes. Individual analytics records containing hashed IPs are retained for up to 12 months.
• Payment Records: Transaction records maintained by LemonSqueezy are subject to LemonSqueezy's retention policies and applicable financial record-keeping laws.
• Google Gemini API: Data submitted to the Google Gemini API may be retained by Google for up to 30 days for debugging and abuse prevention, in accordance with Google's API terms.

Account Deletion: When you request account deletion, we will permanently delete all your personal data, including uploaded images, generated images, project data, and account information within 30 days. Certain data may be retained beyond this period only where required by applicable law (e.g., financial record-keeping obligations). Anonymized and aggregated data that cannot be used to identify you may be retained indefinitely.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

• Post the updated policy on the Service with a revised "Last Updated" date.
• Notify you via email to your registered email address or through a prominent notice within the Service at least 14 days before the changes take effect.

Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated policy, you should discontinue use of the Service and request account deletion.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us:

• Email: kr2idiots@gmail.com
• Service: imazify.com

Chief Privacy Officer (CPO): In accordance with Korean PIPA requirements, we have designated a Chief Privacy Officer responsible for overseeing data protection compliance. All privacy-related inquiries and requests should be directed to the email address above.

EU Representative: If you are located in the EU/EEA and wish to raise a concern, you may also contact your local data protection authority. As Korea has EU adequacy status, data transfers between the EU and Korea are facilitated without the need for additional transfer mechanisms.

Supervisory Authority: You have the right to lodge a complaint with your local data protection supervisory authority if you believe that our processing of your personal data violates applicable law. In Korea, the relevant authority is the Personal Information Protection Commission (PIPC).