Privacy Policy

1. Information We Collect

We collect several types of information depending on how you interact with our Site:

1.1 Photos You Upload

When you use our AI portrait generation service, you upload one or more photographs. These photos are transmitted to our servers and processed by our AI system to generate royal-style portraits. We store uploaded photos securely and use them solely for the purpose of generating your portrait(s). Photos are not shared with third parties except as necessary for AI processing (see Section 4).

1.2 Order Information

When you make a purchase, we collect information necessary to process your order, including:

• Email address (collected during Stripe checkout)
• Billing information (processed and stored by Stripe; we do not store full payment card details)
• Shipping address (for physical print and canvas orders only)
• Order details (product type, size, amount paid)

1.3 Device and Usage Information

When you visit the Site, we automatically collect certain information about your device and browsing activity, including:

• IP address and approximate geographic location
• Browser type and version, operating system
• Device type (desktop, mobile, tablet) and screen resolution
• Referring website or source
• Pages visited, time spent on pages, click behavior
• Session recordings and heatmap data (via Hotjar)

1.4 Session Information

We use anonymous sessions to allow you to use the Site without creating an account. A unique session identifier is stored in a cookie on your browser and linked to your uploads, generations, and orders. No personal information is required to start a session.

2. How We Use Your Information

We use the information we collect to:

• Provide the service: Process your uploaded photos through our AI system to generate portraits, deliver digital downloads, and fulfill physical print/canvas orders.
• Process payments: Complete transactions securely through Stripe and maintain order records.
• Communicate with you: Send order confirmations, download links, shipping updates, and respond to support inquiries via email (powered by Klaviyo).
• Improve the service: Analyze usage patterns, identify issues, and optimize the user experience using analytics tools.
• Marketing: With your consent, send promotional emails about new features, templates, or offers. You can unsubscribe at any time.
• Prevent fraud and abuse: Monitor for unauthorized access, automated abuse, or attempts to circumvent our security measures.

3. Photo Data Handling

We take the handling of your uploaded photos seriously. Here is how we treat your photo data:

• Purpose limitation: Uploaded photos are used solely for generating AI portraits. We do not use your photos for training AI models, selling to third parties, or any purpose other than fulfilling your portrait request.
• AI processing: Your photos are sent to our AI provider (Google) for portrait generation. The AI provider processes the images in real time and does not retain them after generation is complete.
• Storage: Uploaded photos are stored securely in our cloud infrastructure (Supabase Storage) with encryption at rest (AES-256), encrypted transport (TLS), and access controls. Only your session can access your uploads.
• No biometric templates: We do not extract, generate, or store face geometry, faceprints, or biometric identifier templates from uploaded photos. The AI processing is performed transiently in-memory by our AI provider on the photograph itself; no biometric data structure is retained by us or by the AI provider.
• Early deletion: You may request immediate deletion of your photos and generated portraits at any time by contacting us at help@turnmeroyal.com.

3.1 Retention Schedule for Uploaded Photos

• Failed or abandoned generation attempts: original photo uploads are automatically deleted within 90 days of the failed or abandoned attempt.
• Successful generations you have purchased: retained for as long as you maintain access to your account, so that you can re-download your portraits at any time.
• Successful generations you have not purchased: retained for up to 12 months from the generation date, after which they may be deleted.
• Immediate deletion on request: contact help@turnmeroyal.com to request deletion at any time.

4. Third-Party Services

We share your information with the following third-party service providers, each for a specific purpose:

Payment Processing

• Stripe — Processes all payments. Stripe receives your email, billing details, and payment card information. Stripe's privacy policy: stripe.com/privacy

Data Storage

• Supabase — Hosts our database and file storage (uploaded photos, generated images, session data, order records). Data is stored in secure cloud infrastructure with encryption at rest.
• Vercel — Hosts our website application. Processes web requests and may log IP addresses and request metadata.

AI Processing

• Google — Primary AI provider. Processes your uploaded photos to generate AI portraits. Photos are transmitted securely and processed in real time. Google does not retain your images after processing per Google's API terms.
• OpenRouter — Used as a fallback AI provider when our primary provider is unavailable or rate-limited. Photos are transmitted to OpenRouter only when a fallback is triggered. OpenRouter does not retain images after processing.

Email Communications

• Klaviyo — Sends transactional emails (order confirmations, download links) and marketing emails (with your consent). Klaviyo receives your email address and order information. Klaviyo's privacy policy: klaviyo.com/legal/privacy

Analytics and Tracking

• Google Tag Manager (GTM) — Manages analytics and marketing tags on our Site. GTM may load additional scripts from Google Analytics and other providers.
• Meta Pixel (Facebook) — Tracks conversions and enables retargeting advertising on Meta platforms (Facebook, Instagram). Collects browsing behavior and purchase events.
• Mixpanel — Tracks user interactions and events (e.g., photo uploads, generations, purchases) to help us understand usage patterns and improve the service.
• Hotjar — Records anonymized session replays and generates heatmaps to help us understand how users interact with our Site. Hotjar does not collect personal information from form fields.
• Meta Conversions API (CAPI) — In addition to the Meta Pixel, we transmit purchase confirmation and key conversion events to Meta server-side. We transmit hashed email addresses and order details for ad-attribution purposes. We do not transmit uploaded photos.

Error Monitoring

• Sentry — Captures application error events and crash data, which may include IP addresses, request URLs, browser/device metadata, and error stack traces. Sentry does not capture uploaded photos or authentication tokens.

5. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

• Essential cookies: Session identifier cookie (tmr_session) that allows you to use the Site without creating an account. This cookie is necessary for the service to function.
• Analytics cookies: Placed by Google Analytics, Mixpanel, and Hotjar to collect anonymized usage data and improve the service.
• Marketing cookies: Placed by Meta Pixel and Google to enable targeted advertising and measure ad campaign effectiveness.

You can control cookie preferences through your browser settings. Disabling essential cookies may prevent the Site from functioning properly. Disabling analytics and marketing cookies will not affect core functionality but will limit our ability to improve the service and show you relevant advertisements.

6. Behavioral Advertising

We use your personal information to provide you with targeted advertisements or marketing communications that we believe may be of interest to you. This is done through the following mechanisms:

• Meta (Facebook/Instagram): We use Meta Pixel to track actions on our Site (such as viewing a preview or completing a purchase) and create custom audiences for advertising on Meta platforms.
• Google Ads: We may use Google advertising services via GTM to display retargeting ads to visitors who have interacted with our Site.

You can opt out of targeted advertising by adjusting your preferences on these platforms:

• Facebook: facebook.com/settings/?tab=ads
• Google: adssettings.google.com
• Digital Advertising Alliance: optout.aboutads.info

7. Data Retention

We retain your data for the following periods:

• Order records: Retained for as long as necessary for accounting, tax, and legal compliance purposes (typically 7 years).
• Session data: Anonymous session records are retained for 12 months, after which they are purged.
• Email and marketing data: Retained until you unsubscribe or request deletion.
• Analytics data: Retained according to each analytics provider's retention policies (typically 14–26 months).

8. Your Rights

We provide these rights to every user worldwide, regardless of which country or U.S. state you live in. These commitments meet or exceed the requirements of the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and comparable privacy laws in Colorado, Connecticut, Illinois, Montana, Oregon, Texas, Utah, Virginia, Washington, the UK, Canada, and other jurisdictions:

• Right to know / access: Request information about what personal data we hold about you, including a copy of that data.
• Right to delete / erasure: Request deletion of your personal data, including uploaded photographs and generated portraits.
• Right to correct / rectification: Request correction of inaccurate personal data we hold.
• Right to data portability: Request your data in a structured, commonly used, machine-readable format.
• Right to object / restrict processing: Object to or request that we limit how we process your data, including for direct marketing.
• Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time.
• Your photos are never sold or shared: We do not sell, lease, trade, or share your uploaded photographs or generated portraits with any third party for marketing, AI training, or commercial purposes. The only third party that ever receives your photos is the AI provider used to generate your portrait (Google, or OpenRouter as fallback), strictly for transient processing as described in Section 4 — and that provider does not retain your images after processing.
• No sale of personal information: We do not sell, lease, trade, or otherwise profit from your personal information.
• Limited ad-attribution sharing (with opt-out): Like most consumer websites, to measure advertising effectiveness and serve relevant ads, we transmit non-photo events (such as pageviews, purchase confirmations, and hashed email addresses) to our advertising partners (Meta, Google) via tools described in Section 4. You can opt out at any time using the platform opt-out links in Section 6.
• Non-discrimination: We will not deny service, change pricing, or otherwise penalize you for exercising any of these rights.
• Unsubscribe: Opt out of marketing emails using the link in any email we send, or by emailing us.

To exercise any of these rights, email help@turnmeroyal.com. We respond to verifiable requests within 30 days. Residents of the EU, EEA, and UK additionally have the right to lodge a complaint with their local data protection authority.

Biometric data notice (Illinois BIPA and similar state laws):

Our AI generates royal-style portraits from photos you upload. The computer-vision processing on facial features is performed transiently and in-memory by our AI provider (Google); we do not retain a biometric template, faceprint, or face geometry vector. Original photographs are stored only for the purposes and retention periods stated in Section 3 above, and we do not sell, lease, trade, or otherwise profit from biometric information. By uploading a photo containing a face, you acknowledge this notice and provide written consent to this processing under the Illinois Biometric Information Privacy Act (740 ILCS 14) and any comparable biometric privacy law in your state of residence (including Texas CUBI and Washington's biometric privacy statute).

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS/SSL), encryption at rest for stored data, access controls on file storage, and secure handling of payment information through Stripe (PCI DSS compliant). However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

10. Children's Privacy

Our service is not directed to anyone under the age of 18. Per Section 4.1 of our Terms of Service, users must be at least 18 years of age (or the age of majority in their jurisdiction, if higher) to upload photographs or otherwise use the service. We do not knowingly collect personal information from individuals under 18. If you become aware that someone under 18 has provided us with personal data, please contact us at help@turnmeroyal.com and we will take steps to delete such information. This commitment is at least as protective as the United States Children's Online Privacy Protection Act (COPPA, under 13) and Article 8 of the EU General Data Protection Regulation (GDPR, under 16).

Note that uploading photographs that depict children is separately governed by Section 4 of our Terms of Service — adult uploaders must be the parent or legal guardian of every child depicted, or have written consent from each such parent or legal guardian.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States (where some of our service providers are located). We ensure that appropriate safeguards are in place for such transfers, including Standard Contractual Clauses (SCCs) where required under GDPR.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will post the updated policy on this page with a revised “Last updated” date. We encourage you to review this page periodically. Your continued use of the Site after any changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

• Company: UAB “Madcom”
• Email: help@turnmeroyal.com
• Website: turnmeroyal.com