[Company Name]

Effective date: 8 July 2025

1. Who we are

Item

Details

Data Controller

[Company Name], company Nº [Company Number], [Company Address]

Trading name / website

creative-shot.com (and technical sub-domain imageone.iweb-dev.tech)

Contact for privacy matters

info@creative-shot.com

EU representative (Art 27 GDPR)

Appointed via DPO-as-a-Service, Tallinn, Estonia (details supplied on request)

Data Protection Officer (DPO)

Mr Sergii Kapshuk — reachable at the contact email above

2. Scope of this Policy

  • Applies to personal data collected through our website, customer portal and AI image-generation module (“Services”).
  • Does not cover third-party sites or payment processors (e.g., Stripe, PayPal); those controllers present their own policies during checkout.

3. What data we collect

Category

Examples

Source

Identity data

name, company, billing address, VAT number

account sign-up, checkout

Contact data

email address, telephone (optional)

account, support tickets

Account data

username, hashed password, credit balance

site backend

Transaction data

order ID, credit bundle purchased, amounts, VAT details

payment processor webhooks

Usage data

log-ins, image download history, prompts submitted, generated file IDs

server logs, database

Technical data

IP address, browser type, device, cookies, referral URL

cookies, analytics

Marketing preferences

opt-in/opt-out flags, newsletter clicks

email platform

We do not intentionally collect special-category data (Art 9 GDPR) or children’s data (under 18).

4. Why we process your data & lawful bases

Purpose

Lawful basis (Art 6 GDPR)

Key details

Create & administer your account

Contract (Art 6 1-b)

enable login, manage credits

Process payments & deliver digital content

Contract; legal obligation (tax)

exchange order details with PSPs; issue VAT invoices

Provide customer support

Contract; legitimate interest (service quality)

resolve tickets, re-supply files

Prevent fraud & misuse of AI model

Legitimate interest

monitor prompts/outputs, IP-based abuse throttling

Send transactional emails (receipts, expiry alerts)

Contract

essential service communications

Direct marketing (newsletter)

Consent; legitimate interest (B2B soft opt-in)

unsubscribe anytime via footer link

Analytics & performance

Consent (cookies); legitimate interest (aggregated stats)

Google Analytics 4 in cookieless mode where possible

Legal compliance

Legal obligation

bookkeeping (6 years), consumer law, dispute handling

5. Sharing & international transfers

Recipient / category

Purpose

Safeguard

Payment processors (Stripe, PayPal)

payment execution, fraud checks

PCI-DSS compliant, UK-US Data Privacy Framework

Cloud hosting (EU/EEA datacentres)

run servers & AI model

Standard Contractual Clauses (SCCs) if outside UK/EU

Email & CRM platform (EU server option)

newsletters, support

SCCs + ISO 27001

Analytics provider

site metrics

IP anonymisation; EU proxy

Competent authorities / courts

legal claims, tax audits

Only when legally compelled

We do not sell or rent your personal data.

6. Data retention

Dataset

Retention period

Customer account & order records

6 years after last transaction (UK tax)

Unused account (no orders)

24 months; then anonymised

Support tickets

3 years

AI prompts & outputs (linked to user ID)

12 months for abuse analysis; then detached & aggregated

Cookie identifiers

see Cookie Policy for lifespans

Back-ups are encrypted and purged on a rolling 30-day cycle.

7. Security measures

  • TLS 1.3 across all endpoints; HSTS preload.
  • Passwords hashed with bcrypt (cost 12).
  • Role-based staff access (least-privilege).
  • Annual penetration test & quarterly vulnerability scans.
  • Payment data kept exclusively by PSPs (tokenised).

8. Your GDPR/UK GDPR rights

Right

How to exercise

Access

Request a copy of personal data we hold.

Rectification

Correct inaccurate or incomplete info via dashboard or support.

Erasure (“right to be forgotten”)

Close your account; statutory records may be retained.

Restriction

Suspend processing while a dispute is resolved.

Portability

Export order history & prompts in JSON on request.

Object

Opt-out of analytics or direct marketing.

Complaint

UK residents: ICO (ico.org.uk). EU residents: local DPA.

We aim to respond within 30 days.

9. Automated decision-making & profiling

  • No fully automated decisions with legal or similar significant effect are made.
  • Basic fraud-score profiling (IP reputation, card BIN) is applied prior to accepting payments; manual review follows if flagged.

10. Cookies & tracking technologies

  • We use essential, performance, and marketing cookies. Full list, purposes and lifetimes are provided in our separate Cookie Policy.
  • First visit prompts a CMP banner (IAB TCF v2.2) allowing granular consent.

11. Third-party links

Our Site may link to stock photo blogs, social platforms or partner sites. Once you leave our domain, we have no control over their privacy practices; please review their policies.

12. Changes to this Policy

Version 1.0 published 8 July 2025. Future updates will appear on this page and, where material, emailed or shown in-dashboard 14 days before taking effect.

13. Contact us

For any privacy question or to exercise your rights:

Data Protection Officer
[Company Name]
[Company Address]
info@creative-shot.com

Last reviewed: 8 July 2025