Privacy Policy

Palette Studio (“Palette,” “we,” “us”) operates the website at palettes.studio and provides AI-assisted personal style analysis. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have over it.

By creating an account, uploading a photo, or otherwise using the service, you agree to the practices described here. If you do not agree, please do not use the service.

Photographs and the analysis we generate from them are the most sensitive information we handle. We treat both as your private and confidential information at every stage:

• What we use them for, exclusively. Your photograph and your analysis output are used solely to (a) generate the personalised analysis and try-on imagery you requested, and (b) make that result available to you when you log into your account. That is the only purpose for which we process them.
• No advertising use, ever. We will not use your photograph, your analysis output, or any AI-generated imagery derived from your portrait for advertising, marketing collateral, social-media posts, testimonials, before-and-after content, promotional case studies, or any other promotional purpose, whether ours or a third party's.
• No model training. We do not use your photograph or output to train, fine-tune, or otherwise improve any artificial-intelligence model. Per the standard API policy of our AI processor (OpenAI), content submitted through their API is also not used to train their models.
• No public display. Your photograph and analysis result are never made publicly accessible, posted to social media, shown to other users, or surfaced in any gallery, leaderboard, or showcase.
• No sale or sharing for third-party purposes. We will not sell, rent, licence, or trade your photograph, your analysis output, or any other personal information about you. We share data only with the operational processors listed in Section 5, each strictly for the purpose of running the Service for you.
• How they are stored. Uploaded photographs are stored in a per-user private folder within our storage provider (Supabase). Access is restricted by row-level security so that, by default, only your account can read them. The bucket is not publicly listable.
• Where they are processed. To produce the analysis, your photograph is transmitted over a secure connection to our AI processor (OpenAI), which acts as a processor on our behalf and is contractually prohibited from using your content for its own purposes.
• Generated try-on imagery. The AI-generated images we create from your portrait are treated identically to your original photograph: stored alongside your analysis result, displayed only to you when you visit your results page, and never used for any purpose other than serving them back to you.
• Biometric data laws. We do not extract or store mathematical face-geometry templates of the kind regulated by Illinois' BIPA or similar biometric-privacy laws. The portrait is processed as an image. If you reside in a jurisdiction that imposes specific consent or notice requirements on biometric data and you believe our processing falls within those requirements, please contact us before uploading a photograph.
• Deleting your data. You can delete an uploaded photograph at any time by deleting the corresponding analysis result, or by deleting your entire account. When you delete an analysis result, both the photograph and the generated imagery for that result are removed. When you delete your account, all of your photographs, analyses, and generated imagery are removed within 30 days. See Section 7.

We use the information described above to:

• operate the service: create your account, run your analyses, display your results, and let you re-access them;
• process payments and prevent payment fraud;
• communicate with you about your account, purchases, password resets, and material changes to the service;
• protect the service against fraud, abuse, and excessive automated use (for example via rate limits and CAPTCHA);
• improve the service in aggregate (we do not use your portrait or analysis content for model training);
• comply with legal obligations, enforce our Terms of Service, and respond to lawful requests.

We do not sell your personal information. We share it only with the third-party processors we rely on to operate the service. Each is contractually bound to use the data only for the purposes we instruct.

We may also disclose information when required by law, in response to valid legal process, or when reasonably necessary to protect the safety, rights, or property of Palette, our users, or others.

If we are involved in a merger, acquisition, or asset sale, your information may be transferred to the successor entity, in which case we will notify you and your information will continue to be governed by a policy at least as protective as this one.

• Account data: for as long as your account exists. When you delete your account we delete your account record, profile, photos, jobs, and results within 30 days.
• Photos and analysis results: for as long as your account exists, or until you delete them. You can delete individual results or your entire account at any time.
• Purchase records: we retain transaction records (amount, date, bundle purchased, currency, but not card details) for at least the period required by applicable tax and accounting laws, typically five to seven years after the transaction.
• Logs and security data: server and security logs are retained on a rolling basis (typically 30 to 90 days) and then automatically purged.
• Support correspondence: retained for as long as we may reasonably need to address related inquiries, typically up to two years after the issue is resolved.

Depending on where you live, you may have some or all of the following rights:

• Access: obtain a copy of the personal information we hold about you.
• Correction: correct inaccurate information about you.
• Deletion: have your personal information erased. You can delete your entire account from your account settings, which immediately removes your profile, uploaded photos, jobs, and analysis results from our active systems. You can also request deletion by emailing privacy@palettes.studio.
• Portability: request a copy of your data in a portable, machine-readable format.
• Withdraw consent: where we rely on consent, withdraw it at any time (without affecting the lawfulness of processing before withdrawal).
• Object or restrict: object to certain processing or ask us to restrict it.
• Lodge a complaint: contact your local data-protection authority if you believe we have not handled your data appropriately.

To exercise any of these rights, contact us at privacy@palettes.studio. We will respond within the time required by applicable law (and in any event within 30 days). We may need to verify your identity before acting on your request.

We take reasonable technical and organisational measures to protect your personal information. These include encryption of data in transit (TLS), encryption of data at rest at our cloud providers, row-level security restricting database reads to the owning user, per-user folder isolation for stored photographs, signed time-limited URLs for media, rate-limiting and bot detection on authentication endpoints, and signature verification for payment webhooks. No method of transmission or storage is perfectly secure, however, and we cannot guarantee absolute security.

Our service providers operate data centres in several countries, including the United States, the European Union, and Singapore. When we transfer your personal information across borders we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent mechanisms.

The service is not directed to children under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.

We may update this Privacy Policy from time to time. When we make material changes we will update the “Last updated” date at the top of this page and, where appropriate, give you notice by email or through the service. Your continued use of the service after the changes take effect constitutes acceptance of the updated policy.

Questions about this Privacy Policy, or about how we handle your personal information, can be sent to:

privacy@palettes.studio